Test Dump MD100

Microsoft MD-100 Questions & Answers
Windows 10
Version: 12.0
Microsoft MD-100 Exam
Topic 1, Deploy Windows
QUESTION NO: 1 HOTSPOT
Case Study
This is a case study. Case studies are not timed separately. You can use as much exam time
as you would like to complete each case. However, there may be additional case studies and
sections on this exam. You must manage your time to ensure that you are able to complete all
questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is
provided in the case study. Case studies might contain exhibits and other resources that provide
more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your
answers and to make changes before you move to the next section of the exam. After you begin a
new section, you cannot return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left
pane to explore the content of the case study before you answer the questions. Clicking these
buttons displays information such as business requirements, existing environment, and problem
statements. When you are ready to answer a question, click the Question button to return to the
question.
Overview
Existing Environment
Fabrikam, Inc. is a distribution company that has 500 employees and 100 contractors.
Active Directory
The network contains an Active Directory forest named fabrikam.com. The forest is synced to
Microsoft Azure Active Directory (Azure AD). All the employees are assigned Microsoft 365 E3
licenses.
The domain contains a user account for an employee named User10.
"Everything is under control" - www.pass4sure.com 2

Client Computers
All the employees have computers that run Windows 10 Enterprise. All the computers are installed
without Volume License Keys. Windows 10 license keys are never issued.
All the employees register their computer to Azure AD when they first receive the computer.
User10 has a computer named Computer10.
All the contractors have their own computer that runs Windows 10. None of the computers are
joined to Azure AD.
Operational Procedures
Fabrikam has the following operational procedures:
Updates are deployed by using Windows Update for Business.
When new contractors are hired, administrators must help the contactors configure the following
settings on their computer:
Security policies
The following security policies are enforced on all the client computers in the domain:
All the computers are encrypted by using BitLocker Drive Encryption (BitLocker). BitLocker
recovery information is stored in Active Directory and Azure AD.
The local Administrators group on each computer contains an enabled account named
LocalAdmin.
The LocalAdmin account is managed by using Local Administrator Password Solution (LAPS).
Problem Statements
Fabrikam identifies the following issues:
Employees in the finance department use an application named Application1. Application1

frequently crashes due to a memory error. When Application1 crashes, an event is written to the
application log and an administrator runs a script to delete the temporary files and restart the
application.

When employees attempt to connect to the network from their home computer, they often cannot
establish a VPN connection because of misconfigured VPN settings.
An employee has a computer named Computer11. Computer11 has a hardware failure that
prevents the computer from connecting to the network.
User10 reports that Computer10 is not activated.
Technical requirements
Fabrikam identifies the following technical requirements for managing the client computers:
Provide employees with a configuration file to configure their VPN connection.
Use the minimum amount of administrative effort to implement the technical requirements.
Identify which employees’ computers are noncompliant with the Windows Update baseline of the
company.
Ensure that the service desk uses Quick Assist to take remote control of an employee’s desktop
during support calls.
Automate the configuration of the contractors’ computers. The solution must provide a
configuration file that the contractors can open from a Microsoft SharePoint site to apply the
required configurations.
You need to implement a solution to configure the contractors’ computers.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:
Explanation:

The requirement states: Automate the configuration of the contractors’ computers. The solution
must provide a configuration file that the contractors can open from a Microsoft SharePoint site to
apply the required configurations.
The ‘configuration file’ in this case is known as a ‘provisioning package’.
A provisioning package (.ppkg) is a container for a collection of configuration settings. With

Windows 10, you can create provisioning packages that let you quickly and efficiently configure a
device without having to install a new image.
The tool for creating provisioning packages is renamed Windows Configuration Designer,
replacing the Windows Imaging and Configuration Designer (ICD) tool.
References:
https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-install-
icd
https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-
packages
QUESTION NO: 2
Case Study

question.
Overview
Active Directory
licenses.
Client Computers
joined to Azure AD.
Security policies
LocalAdmin.
Problem Statements

application.
company.
You need to ensure that User10 can activate Computer10.
What should you do?
A.
Request that a Windows 10 Enterprise license be assigned to User10, and then activate
Computer10.
B.
From the Microsoft Deployment Toolkit (MDT), add a Volume License Key to a task sequence,
and then redeploy Computer10.
C.
From System Properties on Computer10, enter a Volume License Key, and then activate
Computer10.
D.
Request that User10 perform a local AutoPilot Reset on Computer10, and then activate
Computer10.
Answer: D
Explanation:
The case study states: User10 reports that Computer10 is not activated.
The solution is to perform a local AutoPilot Reset on the computer. This will restore the computer
settings to a fully-configured or known IT-approved state. When User10 signs in to the computer
after the reset, the computer should activate.

You can use Autopilot Reset to remove personal files, apps, and settings from your devices. The
devices remain enrolled in Intune and are returned to a fully-configured or known IT-approved
state. You can Autopilot Reset a device locally or remotely from the Intune for Education portal.
QUESTION NO: 3
Case Study
question.
Overview
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in
Seattle and New York.
Contoso has IT, human resources (HR), and finance departments.
Contoso recently opened a new branch office in San Diego. All the users in the San Diego office
work from home.

Existing environment
Contoso uses Microsoft 365.
The on-premises network contains an Active Directory domain named contoso.com. The domain
is synced to Microsoft Azure Active Directory (Azure AD).
All computers run Windows 10 Enterprise.
You have four computers named Computer1, Computer2, Computer3, and ComputerA.
ComputerA is in a workgroup on an isolated network segment and runs the Long Term Servicing
Channel version of Windows 10. ComputerA connects to a manufacturing system and is business
critical. All the other computers are joined to the domain and run the Semi-Annual Channel version
of Windows 10.
In the domain, you create four groups named Group1, Group2, Group3, and Group4.
Computer2 has the local Group Policy settings shown in the following table.
The computers are updated by using Windows Update for Business.
The domain has the users shown in the following table.
Computer1 has the local users shown in the following table.

Requirements
Planned Changes
Contoso plans to purchase computers preinstalled with Windows 10 Pro for all the San Diego
office users.
Contoso identifies the following technical requirements:
The computers in the San Diego office must be upgraded automatically to Windows 10
Enterprise and must be joined to Azure AD the first time a user starts each new computer. End
users must not be required to accept the End User License Agreement (EULA).
Helpdesk users must be able to troubleshoot Group Policy object (GPO) processing on the
Windows 10 computers. The helpdesk users must be able to identify which Group Policies are
applied to the computers.
Users in the HR department must be able to view the list of files in a folder named D:\Reports on
Computer3.
ComputerA must be configured to have an Encrypting File System (EFS) recovery agent.
Quality update installations must be deferred as long as possible on ComputerA.
Users in the IT department must use dynamic lock on their primary device.
User6 must be able to connect to Computer2 by using Remote Desktop.
The principle of least privilege must be used whenever possible.
Administrative effort must be minimized whenever possible.
Kiosk (assigned access) must be configured on Computer1.
You need to meet the technical requirements for the San Diego office computers.
Which Windows 10 deployment method should you use?

A.
wipe and load refresh
B.
in-place upgrade
C.
provisioning packages
D.
Windows Autopilot
Answer: D
Explanation:
The requirement states: The computers in the San Diego office must be upgraded automatically to
Windows 10 Enterprise and must be joined to Azure AD the first time a user starts each new
computer. End users must not be required to accept the End User License Agreement (EULA).
Windows Autopilot is a collection of technologies used to set up and pre-configure new devices,
getting them ready for productive use. You can also use Windows Autopilot to reset, repurpose
and recover devices.
The OEM Windows 10 installation on the new computers can be transformed into a “business-
ready” state, applying settings and policies, installing apps, and even changing the edition of
Windows 10 being used (e.g. from Windows 10 Pro to Windows 10 Enterprise) to support
advanced features.
The only interaction required from the end user is to connect to a network and to verify their
credentials. Everything beyond that is automated.
References:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot
Case Study

question.
Overview
work from home.
of Windows 10.
Requirements
Planned Changes
office users.

Computer3.
You need to meet the technical requirement for Computer1.

Answer:
Explanation:
Explanation:

The requirement states: Kiosk (assigned access) must be configured on Computer1.
Kiosk (assigned access) is a feature on Windows 10 that allows you to create a lockdown
environment that lets users interact with only one app when they sign into a specified account.
With Kiosk (assigned access), users won't be able to get to the desktop, Start menu, or any other
app, including the Settings app.
Box 1: User 11
Kiosk (assigned access) must be configured by a user who is a member of the Local
Administrators group on the Computer.
Box 2: User 12.
Kiosk (assigned access) must be configured for a user account that is a member of the Users
group.
References:
https://www.windowscentral.com/how-set-assigned-access-windows-10
QUESTION NO: 5

Your company has an isolated network used for testing. The network contains 20 computers that
run Windows 10. The computers are in a workgroup. During testing, the computers must remain in
the workgroup.
You discover that none of the computers are activated.
You need to recommend a solution to activate the computers without connecting the network to
the Internet.
What should you include in the recommendation?
A.
Volume Activation Management Tool (VAMT)
B.
Key Management Service (KMS)
C.
Active Directory-based activation
D.
the Get-WindowsDeveloperLicense cmdlet
Answer: B
Explanation:
You can configure one of the computers as a Key Management Service (KMS) host and activate
the KMS host by phone. The other computers in the isolated network can then activate using the
KMS host.
Installing a KMS host key on a computer running Windows 10 allows you to activate other
computers running Windows 10 against this KMS host and earlier versions of the client operating
system, such as Windows 8.1 or Windows 7. Clients locate the KMS server by using resource
records in DNS, so some configuration of DNS may be required. This scenario can be beneficial if
your organization uses volume activation for clients and MAK-based activation for a smaller
number of servers. To enable KMS functionality, a KMS key is installed on a KMS host; then, the
host is activated over the Internet or by phone using Microsoft’s activation services.
References:
https://docs.microsoft.com/en-us/windows/deployment/volume-activation/activate-using-key-
management-service-vamt

QUESTION NO: 6
You plan to deploy Windows 10 to 100 secure computers.
You need to select a version of Windows 10 that meets the following requirements:
Uses Microsoft Edge as the default browser
Minimizes the attack surface on the computer
Supports joining Microsoft Azure Active Directory (Azure AD)
Only allows the installation of applications from the Microsoft Store
What is the best version to achieve the goal? More than one answer choice may achieve the goal.
Select the BEST answer.
A.
Windows 10 Pro in S mode
B.
Windows 10 Home in S mode
C.
Windows 10 Pro
D.
Windows 10 Enterprise
Answer: A
Explanation:
Windows 10 in S mode is a version of Windows 10 that's streamlined for security and

performance, while providing a familiar Windows experience. To increase security, it allows only
apps from the Microsoft Store, and requires Microsoft Edge for safe browsing.
Azure AD Domain join is available for Windows 10 Pro in S mode and Windows 10 Enterprise in S
mode. It's not available in Windows 10 Home in S mode.
References:
https://support.microsoft.com/en-gb/help/4020089/windows-10-in-s-mode-faq

QUESTION NO: 7 DRAG DROP
You have a computer named Computer1 that runs Windows 8.1. Computer1 has a local user
named User1 who has a customized profile.
On Computer1, you perform a clean installation of Windows 10 without formatting the drives.
You need to migrate the settings of User1 from Windows 8.1 to Windows 10.
Which two actions should you perform? To answer, drag the appropriate actions to the correct
targets. Each action may be used once, more than once, or not at all. You may need to drag the
split bar between panes or scroll to view content.
Answer:

Explanation:
The User State Migration Tool (USMT) includes two tools that migrate settings and data:
ScanState and LoadState. ScanState collects information from the source computer, and
LoadState applies that information to the destination computer. In this case the source and
destination will be the same computer.
As we have performed a clean installation of Windows 10 without formatting the drives, User1’s
customized Windows 8.1 user profile will be located in the \Windows.old folder. Therefore, we
need to run scanstate.exe on the \Windows.old folder.
User1’s Windows 10 profile will be in the C:\Users folder so we need to run loadstate.exe to apply
the changes in the C:\Users folder.
Reference:
https://docs.microsoft.com/en-us/windows/deployment/usmt/offline-migration-reference

https://docs.microsoft.com/en-us/windows/deployment/usmt/usmt-how-it-works
https://docs.microsoft.com/en-us/windows/deployment/usmt/usmt-common-migration-
scenarios#bkmk-fourpcrefresh
QUESTION NO: 8
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
You have a computer named Computer1 that runs Windows 10.
A service named Application1 is configured as shown in the exhibit.

You discover that a user used the Service1 account to sign in to Computer1 and deleted some
files.
You need to ensure that the identity used by Application1 cannot be used by a user to sign in to
the desktop on Computer1. The solution must use the principle of least privilege.
Solution: On Computer1, you configure Application1 to sign in as the LocalSystem account and
select the Allow service to interact with desktop check box. You delete the Service1 account.
Does this meet the goal?
A.
Yes
B.
No
Answer: B
Explanation:
Configuring Application1 to sign in as the LocalSystem account would ensure that the identity
used by Application1 cannot be used by a user to sign in to the desktop on Computer1. However,
this does not use the principle of least privilege. The LocalSystem account has full access to the
system. Therefore, this solution does not meet the goal.
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/deny-
log-on-locally
QUESTION NO: 9
correct solution.

files.
the desktop on Computer1. The solution must use the principle of least privilege.
Solution: On Computer1, you assign Service1 the Deny log on locally user right.
A.
Yes
B.
No

Answer: A
Explanation:
By using the Service1 account as the identity used by Application1, we are applying the principle
of least privilege as required in this question.
However, the Service1 account could be used by a user to sign in to the desktop on the computer.
To sign in to the desktop on the computer, an account needs the log on locally right which all user
accounts have by default. Therefore, we can prevent this by assigning Service1 the deny log on
locally user right.
References:
log-on-locally
QUESTION NO: 10
correct solution.

files.
sign in to the desktop on Computer1. The solution must use the principle of least privilege.
Solution: On Computer1, you assign Service1 the Deny log on as a service user right.
A.
Yes
B.
No

Answer: B
Explanation:
A service account needs the log on as a service user right. When you assign an account to be
used by a service, that account is granted the log on as a service user right. Therefore, assigning
Service1 the deny log on as a service user right would mean the service would not function.
To sign in to the desktop on the computer, an account needs the log on locally right which all user
accounts have by default. To meet the requirements of this question, we need to assign Service1
the deny log on locally user right, not the deny log on as a service user right.
References:
log-on-as-a-service
QUESTION NO: 11
You have a Microsoft Azure Active Directory (Azure AD) tenant.
Some users sign in to their computer by using Windows Hello for Business.
A user named User1 purchases a new computer and joins the computer to Azure AD.
User1 is not able to use Windows Hello for Business on his computer. User1 sign-in options are
shown on the exhibit.

You open Device Manager and confirm that all the hardware works correctly.
You need to ensure that User1 can use Windows Hello for Business facial recognition to sign in to
the computer.
What should you do first?
A.
Purchase an infrared (IR) camera.

B.
Upgrade the computer to Windows 10 Enterprise.
C.
Enable UEFI Secure Boot.
D.
Install a virtual TPM driver.
Answer: A
Explanation:
Explanation
Windows Hello facial recognition requires an infrared (IR) camera. If your device does not have an
infrared camera (or any other biometric device such as a fingerprint scanner), you will see the
message shown in the exhibit. The question states that Device Manager shows all hardware is
working properly. Therefore, it is not the case that the computer has an IR camera but it isn’t
working properly. The problem must be that the computer does not have an IR camera.
QUESTION NO: 12
Your company uses Microsoft Deployment Toolkit (MDT) to deploy Windows 10 to new
computers.
The company purchases 1,000 new computers.
You need to ensure that the Hyper-V feature is enabled on the computers during the deployment.
What are two possible ways to achieve this goal? Each correct answer presents a complete
solution.
A.
Add a task sequence step that adds a provisioning package.
B.
In a Group Policy object (GPO), from Computer Configuration, configure Application Control
Policies.
C.
Add a custom command to the Unattend.xml file.

D.
Add a configuration setting to Windows Deployment Services (WDS).
E.
Add a task sequence step that runs dism.exe.
Answer: C,E
Explanation:
A common way to add a feature such as Hyper-V in MDT is to use the Install Roles and Features
task sequence action. However, that is not an option in this question.
The two valid options are to a command to the Unattend.xml file or to add a task sequence step
that runs dism.exe.
To add Hyper-V using dism.exe, you would run the following dism command:
DISM /Online /Enable-Feature /All /FeatureName:Microsoft-Hyper-V
References:
https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/create-a-windows-10-
reference-image
https://mdtguy.wordpress.com/2016/09/14/mdt-fundamentals-adding-features-using-dism-from-
within-the-task-sequence/
https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v
QUESTION NO: 13
Your network contains an Active Directory domain that is synced to a Microsoft Azure Active
Directory (Azure AD) tenant.
Your company purchases a Microsoft 365 subscription.
You need to migrate the Documents folder of users to Microsoft OneDrive for Business.
What should you configure?

A.
OneDrive Group Policy settings
B.
roaming user profiles
C.
Enterprise State Roaming
D.
Folder Redirection Group Policy settings
Answer: A
Explanation:
You need to configure a Group Policy Object (GPO) with the OneDrive settings required to redirect
the Documents folder of each user to Microsoft 365.
Importing the OneDrive group policy template files into Group Policy adds OneDrive related
settings that you can configure in your Group Policy.
One of the group policy settings enables you to redirect “Known Folders” to OneDrive for
business. Known folders are Desktop, Documents, Pictures, Screenshots, and Camera Roll.
There are two primary advantages of moving or redirecting Windows known folders to OneDrive
for the users in your domain:
References:
https://docs.microsoft.com/en-us/onedrive/redirect-known-folders?redirectSourcePath=%252fen-
us%252farticle%252fredirect-windows-known-folders-to-onedrive-e1b3963c-7c6c-4694-9f2f-
fb8005d9ef12
QUESTION NO: 14
Your network contains an Active Directory domain. The domain contains a user named User1.
User1 creates a Microsoft account.
User1 needs to sign in to cloud resources by using the Microsoft account without being prompted
for credentials.
Which settings should User1 configure?
A.
User Accounts in Control Panel
B.
Email & app accounts in the Settings app
C.
Users in Computer Management
D.
Users in Active Directory Users and Computers
Answer: B
Explanation:
Open the Setting app, select Accounts then select Email and accounts. Here you can add
accounts for the cloud resources and configure the login credentials for the accounts. If you
configure the accounts with the login credentials of the Microsoft account, you won’t be prompted
for credentials when you open the apps.
References:
https://support.microsoft.com/en-za/help/4028195/microsoft-account-how-to-sign-in
Your network contains an Active Directory domain named adatum.com that uses Key
Management Service (KMS) for activation.
You deploy a computer that runs Windows 10 to the domain.
The computer fails to activate.
You suspect that the activation server has an issue.
You need to identify which server hosts KMS.
How should you complete the command? To answer, select the appropriate options in the answer

area.
Answer:
Explanation:
Reference:
https://docs.microsoft.com/en-us/office/troubleshoot/activation/discover-remove-unauthorized-
office-windows-kms-hosts

You deploy Windows 10 to a new computer named Computer1.
You sign in to Computer1 and create a user named User1.
You create a file named LayoutModification.xml in the

C:\Users\Default\AppData\Local\Microsoft\Windows\Shell\folder. LayoutModification.xml contains
the following markup.
What is the effect of the configuration? To answer, select the appropriate options in the answer
area.

Answer:
Explanation:
Explanation:
References:
https://docs.microsoft.com/en-us/windows/configuration/configure-windows-10-taskbar
QUESTION NO: 17
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You have a workgroup computer named Computer1 that runs Windows 10.

You need to add Computer1 to contoso.com.
What should you use?
A.
Computer Management
B.
dsregcmd.exe
C.
the Settings app
D.
netdom.exe
Answer: C
Explanation:
You join a computer to a domain, including an Azure AD domain in the Settings panel in Windows
10, under System->About
References:
https://aadguide.azurewebsites.net/aadjoin/
QUESTION NO: 18
You have a computer that runs Windows 10.
You need to configure a picture password.
What should you do?
A.
From Control Panel, configure the User Accounts settings.
B.
From the Settings app, configure the Sign-in options.
C.

From the Local Group Policy Editor, configure the Account Policies settings.
D.
From Windows PowerShell, run the Set-LocalUser cmdlet and specify the InputObject parameter.
Answer: B
Explanation:
QUESTION NO: 19
You have a workgroup computer named Computer1 that runs Windows 10.
You need to configure Windows Hello for sign-in to Computer1 by using a physical security key.
A.
a USB 3.0 device that supports BitLocker Drive Encryption (BitLocker)
B.
a USB device that supports FIDO2
C.
a USB 3.0 device that has a certificate from a trusted certification authority (CA)
D.
a USB device that supports RSA SecurID
Answer: B
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/user-help/security-info-setup-security-key
QUESTION NO: 20
Your network contains an Active Directory domain. The domain contains a computer named

Computer1 that runs Windows 10.
The domain contains the users shown in the following table.
All users have Microsoft accounts.
Which two users can be configured to sign in by using their Microsoft account? Each correct
answer presents part of the solution.
A.
User1
B.
User2
C.
User3
D.
User4
E.
User5
Answer: D,E
Explanation:

You have the source files shown in the following table.
You mount an image from Image1.wim to a folder named C:\Mount.
You need to add the French language pack to the mounted image.
How should you complete the command? To answer, select the appropriate options in the answer
area.
Answer:
Explanation:

Note: The referenced document has the mount directory as C:\Mount\Windows. In this question,
the mount directory is C:\Mount.
Reference:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/add-language-packs-to-
windows
QUESTION NO: 22
correct solution.
Computer1 that runs Windows 8.1.
Computer1 has apps that are compatible with Windows 10.
You need to perform a Windows 10 in-place upgrade on Computer1.
Solution: You copy the Windows 10 installation media to a network share. From Windows 8.1 on
Computer1, you run setup.exe from the network share.
A.
Yes

B.
No
Answer: B
Explanation:
QUESTION NO: 23
correct solution.
Solution: You copy the Windows 10 installation media to a Microsoft Deployment Toolkit (MDT)
deployment share. You create a task sequence, and then you run the MDT deployment wizard on
Computer1.
A.
Yes
B.
No
Answer: A
Explanation:
References:

https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/upgrade-to-windows-
10-with-the-microsoft-deployment-toolkit
QUESTION NO: 24
correct solution.
Solution: You add Windows 10 startup and install images to a Windows Deployment Services
(WDS) server. You start Computer1 by using WDS and PXE, and then you initiate the Windows 10
installation.
A.
Yes
B.
No
Answer: B
Explanation:
Use Microsoft Deployment Toolkit (MDT) instead.

Topic 2, Manage Devices and Data
QUESTION NO: 25
Case Study
question.
Overview
Active Directory
licenses.

Client Computers
joined to Azure AD.
Security policies
LocalAdmin.
Problem Statements

application.

company.
You need to sign in as LocalAdmin on Computer11.
A.
From the LAPS UI tool, view the administrator account password for the computer object of
Computer11.
B.
From Windows Configuration Designer, create a configuration package that sets the password of
the LocalAdmin account on Computer11.
C.
Use a Group Policy object (GPO) to set the local administrator password.
D.
From Microsoft Intune, set the password of the LocalAdmin account on Computer11.
Answer: A

Explanation:
Local Administrator Password Solution (LAPS) provides a centralized storage of

secrets/passwords in Active Directory (AD).
References:
https://technet.microsoft.com/en-us/mt227395.aspx
QUESTION NO: 26
Case Study
question.
Overview
Active Directory
licenses.
Client Computers
joined to Azure AD.
Security policies
LocalAdmin.

Problem Statements

application.
company.
An employee reports that she must perform a BitLocker recovery on her laptop. The employee
does not have her BitLocker recovery key but does have a Windows 10 desktop computer.
What should you instruct the employee to do from the desktop computer?
A.
Run the manage-bde.exe –status command
B.
From BitLocker Recovery Password Viewer, view the computer object of the laptop
C.
Go to https://account.activedirectory.windowsazure.com and view the user account profile
D.
Run the Enable-BitLockerAutoUnlock cmdlet
Answer: C
Explanation:
The BitLocker recovery key is stored in Azure Active Directory.
References:
https://celedonpartners.com/blog/storing-recovering-bitlocker-keys-azure-active-directory/
Case Study
question.

Overview
work from home.
of Windows 10.

Requirements
Planned Changes
office users.
Computer3.

You need to meet the technical requirements for the helpdesk users.
Answer:

Explanation:
References:
https://www.itprotoday.com/compute-engines/what-group-policy-creator-owners-group
Case Study
question.
Overview
work from home.
of Windows 10.

Requirements
Planned Changes
office users.
Computer3.
You need to meet the technical requirements for the HR department users.
Which permissions should you assign to the HR department users for the D:\Reports folder? To
answer, select the appropriate permissions in the answer area.
Answer:

Explanation:
References:

https://www.online-tech-tips.com/computer-tips/set-file-folder-permissions-windows/
QUESTION NO: 29
Case Study
question.
Overview
work from home.

of Windows 10.

Requirements
Planned Changes
office users.
Computer3.
You need to meet the technical requirements for EFS on ComputerA.

What should you do?
A.
Run certutil.exe, and then add a certificate to the local computer certificate store.
B.
Run cipher.exe, and then add a certificate to the local computer certificate store.
C.
Run cipher.exe, and then add a certificate to the local Group Policy.
D.
Run certutil.exe, and then add a certificate to the local Group Policy.
Answer: B
Explanation:
Reference:
https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-
protection/create-and-verify-an-efs-dra-certificate
QUESTION NO: 30
On Computer1, you create the local users shown in the following table.

Which three user profiles will persist after each user signs out? Each correct answer presents part
of the solution.
A.
User1
B.
User2
C.
User3
D.
User4
E.
User5
Answer: A,D,E
Explanation:
You have a computer that runs Windows 10. The computer is in a workgroup. The computer is
used to provide visitors with access to the Internet.
You need to configure the computer to meet the following requirements:
Always sign in automatically as User1.
Start an application named App1.exe at sign-in.
What should you use to meet each requirement? To answer, select the appropriate options in the
answer area.
Answer:

Explanation:
References:
http://www.itexpertmag.com/server/complete-manageability-at-no-extra-cost
QUESTION NO: 32
You have 20 computers that run Windows 10. The computers are in a workgroup.
You need to create a local user named User1 on all the computers. User1 must be a member of
the Remote Management Users group.
What should you do?
A.
From Windows Configuration Designer, create a provisioning package, and then run the
provisioning package on each computer.
B.
Create a script that runs the New-ADUser cmdlet and the Set-AdGroup cmdlet.
C.
Create a Group Policy object (GPO) that contains the Local User Group Policy preference.
D.
Create a script that runs the New-MsolUser cmdlet and the Add-ADComputerServiceAccount

cmdlet.
Answer: C
Explanation:
References:
https://blogs.technet.microsoft.com/askpfeplat/2017/11/06/use-group-policy-preferences-to-
manage-the-local-administrator-group/
QUESTION NO: 33
You have several computers that run Windows 10. The computers are in a workgroup and have
BitLocker Drive Encryption (BitLocker) enabled.
You join the computers to Microsoft Azure Active Directory (Azure AD).
You need to ensure that you can recover the BitLocker recovery key for the computers from Azure
AD.
A.
Disable BitLocker.
B.
Add a BitLocker key protector.
C.
Suspend BitLocker.
D.
Disable the TMP chip.
Answer: B
Explanation:
References:
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/prepare-your-
organization-for-bitlocker-planning-and-policies#bitlocker-key-protectors

Your network contains an Active Directory forest. The forest contains a root domain named
contoso.com and a child domain named corp.contoso.com.
You have a computer named Computer1 that runs Windows 10. Computer1 is joined to the
corp.contoso.com domain.
Computer1 contains a folder named Folder1. In the Security settings of Folder1, Everyone is
assigned the Full control permissions.
On Computer1, you share Folder1 as Share1 and assign the Read permissions for Share1 to the
Users group.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Answer:

Explanation:
References:
https://www.techrepublic.com/article/learn-the-basic-differences-between-share-and-ntfs-
permissions/
You have a computer named Computer1 that runs Windows 10. Computer1 is in a workgroup.
Computer1 contains the folders shown in the following table.

On Computer1, you create the users shown in the following table.
User1 encrypts a file named File1.txt that is in a folder named C:\Folder1.
What is the effect of the configuration? To answer, select the appropriate options in the answer
area.
Answer:

Explanation:
References:
https://support.microsoft.com/en-za/help/310316/how-permissions-are-handled-when-you-copy-
and-move-files-and-folders
You have a computer named Computer1 that runs Windows 10 and is joined to an Active
Directory domain named adatum.com.
A user named Admin1 signs in to Computer1 and runs the whoami command as shown in the
following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on
the information presented in the graphic.

Answer:
Explanation:
Explanation:
References:
https://docs.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control

QUESTION NO: 37
You need to configure User Account Control (UAC) to prompt administrators for their credentials.
Which settings should you modify?
A.
Administrators Properties in Local Users and Groups
B.
User Account Control Settings in Control Panel
C.
Security Options in Local Group Policy Editor
D.
User Rights Assignment in Local Group Policy Editor
Answer: C
Explanation:
References:
https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-
account-control-security-policy-settings
QUESTION NO: 38
You have several computers that run Windows 10. The computers are in a workgroup.
You need to prevent users from using Microsoft Store apps on their computer.
What are two possible ways to achieve the goal? Each correct answer presents a complete
solution.

A.
From Security Settings in the local Group Policy, configure Security Options.
B.
From Administrative Templates in the local Group Policy, configure the Store settings.
C.
From Security Settings in the local Group Policy, configure Software Restriction Policies.
D.
From Security Settings in the local Group Policy, configure Application Control Policies.
Answer: B,D
Explanation:
References:
https://www.techrepublic.com/article/how-to-manage-your-organizations-microsoft-store-group-
policy/
QUESTION NO: 39
You need to prevent standard users from changing the wireless network settings on Computer1.
The solution must allow administrators to modify the wireless network settings.
A.
Windows Configuration Designer
B.
MSConfig
C.
Local Group Policy Editor
D.
an MMC console that has the Group Policy Object Editor snap-in
Answer: C

Explanation:
You have three computers that run Windows 10 as shown in the following table.
All the computers have C and D volumes. The Require additional authentication at startup
Group Policy settings is disabled on all the computers.
Which volumes can you encrypt by using BitLocker Drive Encryption (BitLocker)? To answer,
select the appropriate options in the answer area.
Answer:

Explanation:
References:
https://www.windowscentral.com/how-use-bitlocker-encryption-windows-10

QUESTION NO: 41
Your network contains an Active Directory domain named contoso.com. The domain contains a
computer named Computer1 that runs Windows 10.
On Computer1, you create an NTFS folder and assign Full control permissions to Everyone.
You share the folder as Share1 and assign the permissions shown in the following table.
When accessing Share1, which two actions can be performed by User1 but not by User2? Each
correct answer presents part of the solution.
A.
Delete a file created by another user.
B.
Set the permissions for a file.
C.
Rename a file created by another user.
D.
Take ownership of file.
E.
Copy a file created by another user to a subfolder.
Answer: B,D
Explanation:
References:
https://www.varonis.com/blog/ntfs-permissions-vs-share/

You have a computer that runs Windows 10. The computer contains a folder named C:\ISOs that
is shared in ISOs.
You run several commands on the computer as shown in the following exhibit.

Answer:

Explanation:
QUESTION NO: 43
correct solution.
A user named User1 has a computer named Computer1 that runs Windows 10. Computer1 is
joined to an Azure Active Directory (Azure AD) tenant named contoso.com. User1 joins
Computer1 to contoso.com by using user1@contoso.com.
Computer1 contains a folder named Folder1. Folder1 is in drive C and is shared as Share1.
Share1 has the permission shown in the following table.

A user named User2 has a computer named Computer2 that runs Windows 10. User2 joins
User2 attempts to access Share1 and receives the following error message: “The username or
password is incorrect.”
You need to ensure that User2 can connect to Share1.
Solution: In Azure AD, you create a group named Group1 that contains User1 and User2. You
grant Group1 Change access to Share1.
A.
Yes
B.
No
Answer: B
Explanation:
References:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-
2008/cc754178(v%3dws.10)
QUESTION NO: 44
correct solution.
Solution: You create a local user account on Computer1 and instruct User2 to use the local
account to connect to Share1.
A.
Yes
B.
No
Answer: B
Explanation:
QUESTION NO: 45
correct solution.

Solution: In Azure AD, you create a group named Group1 that contains User1 and User2. You
grant Group1 Modify access to Folder1.
A.
Yes
B.
No
Answer: A
Explanation:
References:
2008/cc754178(v%3dws.10)

QUESTION NO: 46
You have a computer named Computer1 that runs Windows 10. Computer1 contains a folder
named Folder1.
You need to log any users who take ownership of the files in Folder1.
Which two actions should you perform? Each correct answer presents part of the solution.
A.
Modify the folder attributes of Folder1.
B.
Modify the Advanced Security Settings for Folder1.
C.
From a Group Policy object (GPO), configure the Audit Sensitive Privilege Use setting.
D.
From a Group Policy object (GPO), configure the Audit File System setting.
E.
Install the Remote Server Administration Tools (RSAT).
Answer: B,D
Explanation:
References:
https://www.netwrix.com/how_to_detect_who_changed_file_or_folder_owner.html
Your network contains an Active Directory domain. The domain contains the users shown in the
following table.

The domain contains a computer named Computer1 that runs Windows 10. Computer1 contains a
folder named Folder1 that has the following permissions:
User2: Deny Write
Group1: Allow Read
Group2: Allow Modify
Folder1 is shared as Share1$. Share1$ has the following configurations:
Everyone: Allow Full control
Access-based enumeration: Enabled
Answer:
Explanation:

References:
https://www.varonis.com/blog/ntfs-permissions-vs-share/
http://www.ntfs.com/ntfs-permissions-file-advanced.htm
https://docs.microsoft.com/en-us/windows-server/storage/dfs-namespaces/enable-access-based-
enumeration-on-a-namespace
QUESTION NO: 48
You are a network administrator at your company.
The company uses an application that checks for network connectivity to a server by sending a
ping request to the IPv6 address of the server. If the server replies, the application loads.
A user cannot open the application.
You manually send the ping request from the computer of the user and the server does not reply.
You send the ping request from your computer and the server replies.
You need to ensure that the ping request works from the user’s computer.
Which Windows Defender firewall rule is a possible cause of the issue?
A.
File and Printer Sharing (NB-Datagram-In)
B.
File and Printer Sharing (Echo Request ICMPv6-Out)
C.

File and Printer Sharing (NB-Datagram-Out)
D.
File and Printer Sharing (Echo Request ICMPv6-In)
Answer: D
Explanation:
References:
https://www.howtogeek.com/howto/windows-vista/allow-pings-icmp-echo-request-through-your-
windows-vista-firewall/
the information presented on the graphic.


Answer:
Explanation:
You have a computer named Computer5 that runs Windows 10 that is used to share documents in
a workgroup.
You create three users named User-a, User-b, User-c by using Computer Management. The users
plan to access Computer5 from the network only.
You have a folder named Data. The Advanced Security Settings for the Data folder are shown in
the Security exhibit. (Click the Security tab).

You share the Data folder. The permissions for User-a are shown in the User-a exhibit (Click the
User-a tab.)

The permissions for user-b are shown in the User-b exhibit. (Click the User-b tab.)

The permissions for user-c are shown in the User-c exhibit. (Click the User-c tab.)

Answer:

Explanation:
Explanation:
Box 1: No
User-a only has Read share permission so he cannot modify files in the Data share.
Box 2: No
User-b only has Read share permission so he cannot delete files in the Data share.
Box 3: Yes
User-c has Read and Change share permission so he can read files in the Data share. User-c
does not have an entry in the Advanced Security Settings for the Data folder. However, User-c
would be a member of the Users group by default and that group has Full Control permission to
the folder.
You have a computer that runs Windows 10 and contains the folders shown in the following table.

You create the groups shown in the following table.
On FolderA, you disable permission inheritance and select the option to remove all inherited
permissions. To each folder, you assign the NTFS permissions shown in the following table.
Answer:

Explanation:
Explanation:
Inheritance was turned off for FolderA but not FolderB or FolderC. Therefore, by default, the
permissions applied to FolderA will be inherited by FolderB and FolderC and the permissions
applied to FolderB will be inherited by FolderC.
References:
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/access-
control
QUESTION NO: 52
You need to view the settings to Computer1 by Group Policy objects (GPOs) in the domain and
local Group Policies.
Which command should you run?

A.
gpresult
B.
secedit
C.
gpupdate
D.
gpfixup
Answer: A
Explanation:
References:
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
QUESTION NO: 53
Your network contains an Active Directory domain. The domain contains computers that run
Windows 10.
You need to provide a user with the ability to remotely create and modify shares on the computers.
The solution must use the principle of least privilege.
To which group should you add the user?
A.
Power Users
B.
Remote Management Users
C.
Administrators
D.
Network Configuration Operators
Answer: C

Explanation:
QUESTION NO: 54
You have a computer named Computer1 that runs Windows 10. Computer1 belongs to a
workgroup.
You run the following commands on Computer1.
New-LocalUser –Name User1 –NoPassword
Add-LocalGroupMember Users –Member User1
What is the effect of the configurations?
A.
User1 is prevented from signing in until the user is assigned additional user rights.
B.
User1 appears on the sign-in screen and can sign in without a password.
C.
User1 is prevented from signing in until an administrator manually sets a password for the user.
D.
User1 appears on the sign-in screen and must set a new password on the first sign-in attempt.
Answer: B
Explanation:
References:
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/new-
localuser?view=powershell-5.1
QUESTION NO: 55
You have a computer that runs Windows 10 and is joined to Azure Active Directory (Azure AD).

You attempt to open Control Panel and receive the error message shown on the following exhibit.
You need to be able to access Control Panel.
What should you modify?
A.
the PowerShell execution policy
B.
the local Group Policy
C.
the Settings app
D.
a Group policy preference
Answer: B
Explanation:
References:
https://windows10skill.com/this-operation-has-been-cancelled-due-to-restrictions-in-effect-on-this-
pc/
Your domain contains a computer named Computer1 that runs Windows 10. Computer1 does not
have a TPM.
You need to be able to encrypt the C drive by using Bitlocker Drive Encryption (BitLocker). The
solution must ensure that the recovery key is stored in Active Directory.
Which two Group Policy settings should you configure? To answer, select the appropriate settings
in the answer area.
Answer:

Explanation:

References:
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-
policy-settings#bkmk-rec1
QUESTION NO: 57
You have a public computer named Computer1 that runs Windows 10/ Computer1 contains a
folder named Folder1.
You need to provide a user named User1 with the ability to modify the permissions of Folder1. The
solution must use the principle of least privilege.

Which NTFS permission should you assign to User1?
A.
Full control
B.
Modify
C.
Write
D.
Read & execute
Answer: B
Explanation:
References:
2008/cc754344%28v%3dws.10%29
QUESTION NO: 58
You have 10 computers that run Windows 10 and have BitLocker Drive Encryption (BitLocker)
enabled.
You plan to update the firmware of the computers.
You need to ensure that you are not prompted for the BitLocker recovery key on the next restart.
The drive must be protected by BitLocker on subsequent restarts.
Which cmdlet should you run?
A.
Unlock-BitLocker
B.
Disable-BitLocker
C.
Add-BitLockerKeyProtector
D.
Suspend-BitLocker
Answer: D
Explanation:
References:
https://support.microsoft.com/en-us/help/4057282/bitlocker-recovery-key-prompt-after-surface-
uefi-tpm-firmware-update
You are troubleshooting Group Policy objects (GPOs) on Computer1.
You run gpresult /user user1 /v and receive the output shown in the following exhibit.


Answer:
Explanation:

References:
https://www.windowscentral.com/how-apply-local-group-policy-settings-specific-users-windows-10
Computer1 contains the local users shown in the following table.
You create a folder named Folder1 that has the permissions shown in the following table.
You create a file named File1.txt in Folder1 and allow Group2 Full control permissions to File1.txt.

Answer:
Explanation:

References:
https://www.dell.com/support/article/za/en/zadhs1/sln156352/understanding-file-and-folder-
permissions-in-windows?lang=en
You have a workgroup computer named Computer1 that runs Windows 10. Computer1 has the
users accounts shown in the following table:
Computer1 has the local Group Policy shown in the following table.
You create the Local Computer\Administrators policy shown in the following table.
You create the Local Computer\Non-Administrators policy shown in the following table.
Answer:
Explanation:
Reference:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-
vista/cc766291(v=ws.10)

QUESTION NO: 62
correct solution.
Solution: You create a local group on Computer1 and add the Guest account to the group. You
grant the group Modify access to Share1.
A.
Yes
B.
No

Answer: B
Explanation:
QUESTION NO: 63
Your network contains an Active Directory domain. The domain contains 1,000 computers that run
Windows 10.
You need to prevent the computers of the research department from appearing in Network in File
Explorer.
What should you do?
A.
Configure DNS to use an external provider
B.
Modify the %systemroot%\system32\drivers\etc\Networks file.
C.
Turn off network discovery.
D.
Disable the Network List Service.
Answer: C
Explanation:
You have two computers named Computer1 and Computer2 that run Windows 10. The computers
are in a workgroup.
You perform the following configurations on Computer1:
Create a user named User1.
Add User1 to the Remote Desktop Users group.

You perform the following configurations on Computer2:
Create a user named User1 and specify the same user password as the one set on Computer1.
Create a share named Share2 and grant User1 Full control access to Share2.
Enable Remote Desktop.
What are the effects of the configurations? To answer, select the appropriate options in the
answer area.
Answer:
Explanation:
Explanation:

Your network contains an Active Directory domain. The domain contains a group named Group1.
All the computers in the domain run Windows 10. Each computer contains a folder named
C:\Documents that has the default NTFS permissions set.
You add a folder named C:\Documents\Templates to each computer.
You need to configure the NTFS permissions to meet the following requirements:
All domain users must be able to open the files in the Templates folder.
Only the members of Group1 must be allowed to edit the files in the Templates folder.
How should you configure the NTFS settings on the Templates folder? To answer, select the
appropriate options in the answer area.

Answer:
Explanation:
Explanation:

QUESTION NO: 66
You deploy Windows 10 to 20 new laptops.
The laptops will be used by users who work at customer sites. Each user will be assigned one
laptop and one Android device.
You need to recommend a solution to lock the laptop when the users leave their laptop for an
extended period.
Which two actions should you include in the recommendation? Each correct answer presents part
of the solution.
A.
Enable Bluetooth discovery.
B.
From the Settings app, configure the Dynamic lock settings.
C.
From Sign-in options, configure the Windows Hello settings.
D.
From the Settings app, configure the Lock screen settings.
E.
Pair the Android device and the laptop.
F.
From the Settings app, configure the Screen timeout settings.
Answer: D,F
Explanation:
QUESTION NO: 67
user accounts shown in the following table.
User3, User4, and Administrator sign in and sign out on Computer1. User1 and User2 have never
signed in to Computer1.
You are troubleshooting policy issues on Computer1. You sign in to Computer1 as Administrator.
You add the Resultant Set of Policy (RsoP) snap-in to an MMC console.
Which users will be able to sign in on Computer1?
A.
User1, User3, and User4 only
B.
Administrator only

C.
User1, User2, User3, User4, and Administrator
D.
User3, User4, and Administrator only
Answer: D
Explanation:
The Interactive logon: Number of previous logons to cache (in case domain controller is not
available) policy setting determines whether a user can log on to a Windows domain by using
cached account information. Logon information for domain accounts can be cached locally so that,
if a domain controller cannot be contacted on subsequent logons, a user can still log on.
References:
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-
settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-
available
Computer1 contains the local users shown in the following table.
The Users group has Full control permissions to Folder1, Folder2, and Folder3.
User1 encrypts two files named File1.docx and File2.docx in Folder1 by using EFS.
Which users can move each file? To answer, select the appropriate options in the answer area.
Answer:
Explanation:
Explanation:

EFS works by encrypting a file with a bulk symmetric key. The symmetric key that is used to
encrypt the file is then encrypted with a public key that is associated with the user who encrypted
the file. Because the encryption & decryption operations are performed at a layer below NTFS, it is
transparent to the user and all their applications.
Box 1: User1, User2, and Administrator
Box 2: User1, User2, and Administrator
All three are members of the Users group that has Full control permissions to Folder1, Folder2,
and Folder3.
QUESTION NO: 69
Computer1 that runs Windows 10. Computer1 contains a folder named Folder1.
You plan to share Folder1. Everyone will have Read share permissions, and administrators will
have Full control share permission.
You need to prevent the share from appearing when users browse the network.
What should you do?
A.
Enable access-based enumeration.
B.
Deny the List NTFS permissions on Folder1.
C.
Add Folder1 to a domain-based DFS namespace.
D.
Name the share Folder1$.
Answer: D
Explanation:
Appending a dollar sign to share name prevents a share from appearing when users browse the
network.
QUESTION NO: 70
correct solution.
You have a computer that runs Windows 10. The computer contains a folder. The folder contains
sensitive data.
You need to log which user reads the contents of the folder and modifies and deletes files in the
folder.
Solution: From the properties of the folder, you configure the Auditing settings and from Audit
Policy in the local Group Policy, you configure Audit object access.
A.
Yes
B.
No
Answer: A
Explanation:
Files and folders are objects and are audited through object access.
References:
QUESTION NO: 71
On Computer1, you turn on File History.
You need to protect a folder named D:\Folder1 by using File History.
What should you do?
A.
From File Explorer, modify the Security settings of D:\Folder1
B.
From Backup and Restore (Windows 7), modify the backup settings
C.
From the Settings app, configure the Backup settings
D.
From File History in Control Panel, configure the Advanced settings
Answer: C
Explanation:
To configure File History, click More options on the Backup screen. The Backup options screen
allows you to set how often File History backs up your files and how long versions are saved.
Reference:

https://www.groovypost.com/howto/configure-windows-10-file-history/
QUESTION NO: 72
correct solution.
sensitive data.
folder.
Solution: From the properties of the folder, you configure the Auditing settings and from the Audit
Policy in the local Group Policy, you configure Audit system events.
A.
Yes
B.
No
Answer: B
Explanation:
Files and folders are objects and are audited through object access, not though system events.
References:

QUESTION NO: 73 CORRECT TEXT
Please wait while the virtual machine loads. Once loaded, you may proceed to the lab section.
This may take a few minutes, and the wait time will not be deducted from your overall test time.
When the Next button is available, click it to access the lab section. In this section, you will
perform a set of tasks in a live environment. While most functionality will be available to you as it
would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to
external websites) will not be possible by design.
Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it
doesn’t matter how you accomplish the task, if you successfully perform it, you will earn credit for
that task.
Labs are not timed separately, and this exam may more than one lab that you must complete. You
can use as much time as you would like to complete each lab. But, you should manage your time
appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam
in the time provided.
Please note that once you submit your work by clicking the Next button within a lab, you will NOT
be able to return to the lab.
Username and password

Use the following login credentials as needed:
To enter your password, place your cursor in the Enter password box and click on the password
below.
Username: Contoso/Administrator
Password: Passw0rd!
The following information is for technical support purposes only:
Lab Instance: 10921597

You need to create a file named File1.txt in a folder named Folder1 on the C drive of Client2. You
need to ensure that a user named User1 can read the contents of File1.txt. The solution must
prevent User1 from modifying the file.
To complete this task, sign in to Client2 and perform the required action.
Answer:
See explanation below.
Explanation:

that task.

below.
Password: Passw0rd!


Users in the Finance group report that they cannot copy files to Client1\Finance.
You need to resolve the issue.
To complete this task, sign in to the required computer or computers.
Answer:

Explanation:
It's important to note that if you're taking ownership of a folder, you can check the Replace
ownership on subcontainers and object option in the Advanced Security Settings page to take
control of the subfolders inside of the folder.
Now you'll need to grant full access control to your account, to do this use the following steps:
You can now assign the necessary permissions to the Finance group.
If you right-click on a file or folder, choose Properties and click on the Security tab, we can now
try to edit some permissions. Go ahead and click the Edit button to get started.
At this point, there are a couple of things you can do. Firstly, you’ll notice that the Allow column is
probably greyed out and can’t be edited. This is because of the inheritance I was talking about
earlier. However, you can check items on the Deny column.
When you click the Add button, you have to type in the user name or group name into the box and
then click on Check Names to make sure it’s correct. If you don’t remember the user or group
name, click on the Advanced button and then just click Find Now. It will show you all the users
and groups.
Click OK and the user or group will be added to the access control list. Now you can check the
Allow column or Deny column.
Reference:
https://www.windowscentral.com/how-take-ownership-files-and-folders-windows-10
https://www.online-tech-tips.com/computer-tips/set-file-folder-permissions-windows/
that task.

below.
Password: Passw0rd!
You need to enable the Prohibit User from manually redirecting Profile Folders Group Policy
setting only for the administrative users of Client3.
Answer:
Explanation:
References:
https://www.vistax64.com/threads/user-profile-folders-prevent-or-allow-location-change.180719/
that task.

below.
Password: Passw0rd!

You need to create a file named Private.txt in a folder named Folder1 on the C drive of Client2.
You need to encrypt Private.txt and ensure that a user named User1 can view the contents of
Private.txt.
Answer:
Explanation:

Reference:
https://www.top-password.com/blog/password-protect-notepad-text-files-in-windows-10/
https://sourcedaddy.com/windows-7/how-to-grant-users-access-to-an-encrypted-file.html
that task.

below.
Password: Passw0rd!

You need to identify the total number of events that have Event ID 63 in the Application event log.
You must type the number of identified events into C:\Folder1\FileA.txt.
To complete this task, sign in to the required computer or computers and perform the
required action.
Answer:
Explanation:

Reference:
https://www.manageengine.com/products/active-directory-audit/kb/how-to/how-to-search-the-
event-viewer.html
that task.

below.
Password: Passw0rd!


You need to create an HTML report that shows which policies and policy settings are applied to
CONTOSO\User1 on Client1. You must save the output to a file named Report.html in a folder
named Folder1 on the C drive of Client1.
Answer:

Explanation:
On Client1, log in as administrator.
Open command prompt and type:
gpresult /h CONTOSO\User1\C:\Folder1\Report.html
Reference:
https://www.google.co.za/search?biw=1366&bih=614&sxsrf=ALeKk01XD_luAn4X-
bIMllUjpYBm0i7btQ%3A1592996005097&ei=pTDzXqLCBaif1fAP1NODqAY&q=gpresult+%2Fh+re
port.html+location&oq=gpresult+html+report+&gs_lcp=CgZwc3ktYWIQARgEMgIIADICCAAyBggA
EBYQHjIGCAAQFhAeMgYIABAWEB4yBggAEBYQHjIGCAAQFhAeMgYIABAWEB4yCAgAEBYQ
ChAeMgYIABAWEB46BAgAEEdQyOUnWMjlJ2CRhihoAHACeACAAZIDiAGSA5IBAzQtMZgBAK
ABAaoBB2d3cy13aXo&sclient=psy-ab
that task.

below.
Password: Passw0rd!


You need to ensure that the File History of Contoso\Administrator on Client1 is backed up
automatically to \\DC1\Backups.
Answer:
Explanation:

How to set up and enable File History
Now click “More options.” Here you can start a backup, change when your files are backed up,
select how long to keep backed up files, add or exclude a folder, or switch File History to a
different drive.
Click the “Back up now” button to start your first File History backup.
Reference:
https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473

that task.
below.

Password: Passw0rd!


You need to ensure that C:\Scripts\Configure.ps1 runs every time a user sign in to Client2.
Answer:
Explanation:

Go to the Start menu, type “Task Scheduler” and select it from the search results.
Task Scheduler can also be accessed in the Control Panel under Administrative Tools.
In the right side of the Task Scheduler menu, under Actions, select “Create Task.”

On the General tab, enter a name and description for the task you’re creating. Check the box “Run
with highest privileges.”
Once you have filled out a name and description, click the “Triggers” tab, and then click “New.”
In this menu, under “Begin the task:” select “At log on.” Choose which user you would like the task
to run for at log on. For our purposes, Any user.
Configure any of the applicable advanced settings you would like.
After you are finished configuring the new trigger, click OK and then select the “Actions” tab. Click
“New” to make a new action.

Choose “Start a program” under the Action menu and then click “Browse” to point to
C:\Scripts\Configure.ps1.
Click OK to exit out of the Actions menu. The “Conditions” and “Settings” tabs can be left alone.
Click OK on the Create Task menu, and you are finished.
Reference:
https://www.howtogeek.com/138159/how-to-enable-programs-and-custom-scripts-to-run-at-boot/
QUESTION NO: 81

correct solution.
You have a computer that runs Windows 10. The computer contains a folder named D:\Scripts.
D:\Scripts contains several PowerShell scripts.
You need to ensure that you can run the PowerShell scripts without specifying the full path to the
scripts. The solution must persist between PowerShell sessions.
Solution: At a command prompt, you run set.exe path=d:\scripts.
A.
Yes
B.
No
Answer: B
Explanation:
QUESTION NO: 82
correct solution.

Solution: From a command prompt, you run set.exe PATHEXT=d:\scripts.
A.
Yes
B.
No
Answer: B
Explanation:
QUESTION NO: 83
correct solution.
Solution: From PowerShell, you run $env:Path += ";d:\scripts\".
A.
Yes

B.
No
Answer: A
Explanation:
References:
https://docs.microsoft.com/en-
us/powershell/module/microsoft.powershell.core/about/about_environment_variables?view=power
shell-7
QUESTION NO: 84
correct solution.
You have a workgroup computer that runs Windows 10. The computer contains the local user
accounts shown in the following table.
You need to configure the desktop background for User1 and User2 only.
Solution: From the local computer policy, you configure the Filter Options settings for the computer
policy.

A.
Yes
B.
No
Answer: B
Explanation:
QUESTION NO: 85
correct solution.
Solution: You create a new local group to which you add User1 and User2. You create a local
Group Policy Object (GPO) and configure the Desktop Wallpaper setting in the GPO. At a
command prompt, you run the gpupdate.exe/Force command.
A.
Yes

B.
No
Answer: A
Explanation:
References:
QUESTION NO: 86
correct solution.
Solution: From the local computer policy, you configure the Filter Options settings for the user
policy. At a command prompt, you run the gpupdate.exe/Target:user command.
A.
Yes

B.
No
Answer: B
Explanation:
QUESTION NO: 87
Your network contains an Active Directory domain. The domain contains two computers named
Computer1 and Computer2 that run Windows 10.
You need to modify the registry of Computer1 by using Registry Editor from Computer2.
Which two registry hives can you modify? Each correct answer presents part of the solution.
A.
HKEY_CURRENT_USER
B.
HKEY_LOCAL_MACHINE
C.
HKEY_USERS
D.
HKEY_CLASSES_ROOT
E.
HKEY_CURRENT_CONFIG
Answer: B,C
Explanation:
QUESTION NO: 88

correct solution.
sensitive data.
folder.
Solution: From the properties of the folder, you configure the Auditing settings and from the Audit
Policy in the local Group Policy, you configure Audit directory service access.
A.
Yes
B.
No
Answer: B
Explanation:
Files and folders are objects and are audited through object access, not though directory service
access.
References:
You have 100 computers that run Windows 10 and are members of an Active Directory domain.
Two support technicians named Tech1 and Tech2 will be responsible for monitoring the

performance of the computers.
You need to configure the computers to meet the following requirements:
Ensure that Tech1 can create and manage Data Collector Sets (DCSs).
Ensure that Tech2 can start and stop the DCSs.
Use the principle of least privilege.
To which group should you add each technician? To answer, select the appropriate options in the
answer area.
Answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-
directory-security-groups
You have a workgroup computer named Computer1 that runs Windows 10 and has the users
shown in the following table.

You plan to add a key named Key1 to the following three registry branches:
HKEY_CURRENT_CONFIG\Software
HKEY_LOCAL_MACHINES\Software
HKEY_CURRENT_USER\Software
You need to identify which users can add Key1.
What user or users should you identify for each branch? To answer, select the appropriate options
in the answer area.

Answer:

Explanation:

Box 1 and Box 2.
These are system-wide registry keys so only Administrators can modify them.
Box 3.
This key affects only the logged in user. Therefore, any user can modify this key.

You have a file named File1.reg that contains the following content.
You need to identify what occurs when User1 and User2 double-click File1.reg.
What should you identify? To answer, select the appropriate options in the answer area.
Answer:

Explanation:
Box 1:
User1 is a member of the Administrators group so has permission to add keys to both registry
hives.
Box 2:
User2 is a standard user so does not have permission to add a key to the
HKEY_LOCAL_MACHINE registry hive so Key2 will not be imported.

QUESTION NO: 92
You have a computer named Computer1 that runs Windows10. Computer1 is in a workgroup.
Computer1 contains the users shown in the following table.
You need to apply the same Group Policy settings to only User1, User2 and User3. The solution
must use a minimum number of local Group Policy objects (GPOs).
How many local GPOs should you create?
A.
1
B.
2
C.
3
Answer: A
Explanation:
You can use security filtering to restrict the GPO to the required users. Only users with the Read
and Apply Group Policy permissions will have the GPO applied to them.
QUESTION NO: 93
You have a workgroup computer that runs Windows 10.

You need to set the minimum password length to 12 characters.
A.
Local Group Policy Editor
B.
User Accounts in Control Panel
C.
System Protection in System Properties
D.
Sign-in options in the Settings app
Answer: A
Explanation:
Your network contains an Active Directory domain named adatum.com. The domain contains the
users shown in the following table.
The domain contains a computer named Computer1 that runs Windows10. Computer1 has a file
named File1.txt that has the permissions shown in the exhibit. (Click the Exhibit tab.)

Answer:

Explanation:
Box 1: No
User1 only has Read access to the file.
Box 2: Yes
User2 is in Group2 which has full control. The condition states that if the user is also a member of
Group3, the permission would not apply. However, User2 is not in Group3 so the full control
permission does apply.

Box 3: No
User3 is in Group3 which does have Read access. However, the condition states that if the user is
also in Group1 or Group2 then the permission does not apply. User3 is in Group2 so the Read
permission granted to Group3 does not apply to User3.
Your network contains an Active Directory domain that contains the objects shown in the following
table.
Computer1 contains the shared folders shown in the following table.
The computers have the network configurations shown in the following table.

Answer:
Explanation:
Box 1: Yes
User1 is in Group1 which has permission to access the share so the share will be visible.
Box 2: No
User2 is in Group2 which does not have permission to access Share1. Access-based enumeration
is enabled so Share1 will not be listed as User2 does not have permission to access it.
Box 3: No
Share2$ is a hidden share (dollar sign appended) so the share will never be listed.
The domain contains the users shown in the following table.
Computer1 contains the shared folders shown in the following table.
The shared folders have the permissions shown in the following table.

Answer:
Explanation:
Box 1: No
Share1$ is a hidden share (dollar sign appended) so the share will never be visible.
Box 2: Yes
User2 is in Group1 and Group2. Both groups have access to Share1$. Therefore, the contents of
the shared folder will be visible.
Box 3: No
User1 is in Group1. Group1 does not have the necessary security permission to access Share2.
You need both security permissions (NTFS permissions) AND share permissions to view the
contents of a shared folder. User1 has the necessary share permissions (Everyone: Read), but not
the security permission.
QUESTION NO: 97
You customize the Start menu on a computer that runs Windows 10 as shown in the following
exhibit.

You need to add Remote Desktop Connection to Group1 and remove Group3 from the Start
menu.
Which two actions should you perform from the Start menu customizations? Each correct answer
presents part of the solution.
A.
Unlock Group1.
B.
Remove Command Prompt from Group1.
C.
Delete Group3.
D.
Add Remote Desktop Connection to Group1.
E.
Rename Group3 as Group1.
Answer: A,D
Explanation:
A: You have to unlock Group1 before you can make any changes to it.
D: If you drag the Remote Desktop Connection from Group3 to Group1, Group3 will disappear.
QUESTION NO: 98
On Computer1, you turn on File History.
You need to protect a folder named D:\Folder1 by using File History.
What should you do?
A.
From File Explorer, add D:\Folder1 to the Documents library
B.
From the Settings app, configure the Recovery settings
C.
From Backup and Restore (Windows 7), modify the backup settings
D.
From File History in Control Panel, configure the Advanced settings
Answer: A
Explanation:
You have a computer named Computer 1 that runs Windows 10.
You turn on System Protection and create a restore point named Point1.
You perform the following changes:
Add four files named File1.txt, File2.dll, File3.sys, and File4.exe to the desktop.
Run a configuration script that adds the following four registry keys:
You restore Point1.
Which files and registry keys are removed? To answer, select the appropriate options in the
answer area.

Answer:
Explanation:

References:
https://www.maketecheasier.com/what-system-restore-can-and-cannot-do-to-your-windows-
system/
https://superuser.com/questions/343112/what-does-windows-system-restore-exactly-back-up-and-
restore
You have 10 computers that run Windows 10.
You have a Windows Server Update Services (WSUS) server.
You need to configure the computers to install updates from WSUS.
Which two settings should you configure? To answer, select the appropriate options in the answer
area.

Answer:

Explanation:

References:
https://docs.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-
wsus#configure-automatic-updates-and-update-service-location
QUESTION NO: 101
You have a Microsoft 365 Enterprise E3 license.
You need to ensure that you can access the files on Computer1 by using a web browser on
another computer.
A.
Sync your settings in the Settings app
B.
the File Explorer desktop app
C.
the Microsoft OneDrive desktop app
D.
Default apps in the Settings app
Answer: C
Explanation:
QUESTION NO: 102
You have computers that run Windows 10 and are configured as shown in the following table.
You have a removable USB drive named USBDrive1 that is encrypted by using BitLocker to Go.
You plan to use USBDrive1 on Computer1, Computer2, and Computer3.
You need to identify on which computers you can enable automatic unlocking of BitLocker on
USBDrive1.
Which computers should you identify?
A.
Computer2 and Computer3 only
B.
Computer3 only
C.
Computer1 and Computer3 only
D.
Computer1, Computer2, and Computer3
Answer: C
Explanation:
The BitLocker key is stored in the registry when you enable auto-unlock but only if the operating
system drive is encrypted with BitLocker. A TPM is not required.
You have a computer named Computer1 that runs Windows 10 and has the users shown in the
following table.
You move Folder1 into Folder2.

Answer:
Explanation:
Box 1: No
If you move a shared folder, the share will no longer work.
Box 2: No
Folder1 will inherit the permissions of Folder2. User1 does not have permission to access Folder2.
Box 3: Yes
User2 is a member of the Administrators group so he can access the administrative share
\\Computer1\E$.
User2 has Full Control permission to Folder2 so he can access \\Computer1\E$\Folder2.

Folder1 will inherit the permissions of Folder2 so User2 can access
\\Computer1\E$\Folder2\Folder1.
Your network contains the segments shown in the following table.
You have computers that run Windows 10 and are configured as shown in the following table.
Windows Defender Firewall has the File and Printer Sharing allowed apps rule shown in the
following table.

Answer:
Explanation:

You have a workgroup computer named Computer1 that runs Windows 10. From File Explorer,
you open OneDrive as shown in the following exhibit.
Use the drop-down menus to select the answer choice that answers each question based on the
information presented on the graphic.
Answer:

Explanation:
QUESTION NO: 106
correct solution.

Solution: You create two new local Group Policy Objects (GPOs) and apply one GPO to User1
and the other GPO to User2. You configure the Desktop Wallpaper setting in each GPO.
A.
Yes
B.
No
Answer: A
Explanation:
Reference:
QUESTION NO: 107
Your network contains an Active Directory domain. The domain contains 1,000 computers that run
Windows 10.
You discover that when users are on their lock screen, they see a different background image
every day, along with tips for using different features in Windows 10.
You need to disable the tips and the daily background image for all the Windows 10 computers.

Which Group Policy settings should you modify?
A.
Turn off the Windows Welcome Experience
B.
Turn off Windows Spotlight on Settings
C.
Do not suggest third-party content in Windows spotlight
D.
Turn off all Windows spotlight features
Answer: D
Explanation:
References:
https://docs.microsoft.com/en-us/windows/configuration/windows-spotlight
You have a computer named Computer1 that runs Windows 10. Computer1 contains a folder
named Data on drive C. The Advanced Security Settings for the Data folder are shown in the
exhibit. (Click the Exhibit tab.)

You share C:\Data as shown in the following table.
User1 is a member of the Users group.
Administrators are assigned Full control NTFS permissions to C:\Data.

Answer:
Explanation:
Explanation:

User1 cannot write files when connected to \\Computer1\Data because the Users group only has
Read & Execute NTFS permission to the C:\Data folder and there are no explicit NTFS
permissions for User1.
User1 cannot write files locally because the Users group only has Read & Execute NTFS
permission to the C:\Data folder and there are no explicit NTFS permissions for User1.
Administrators cannot change the NTFS permissions of files and folders when connected to
\\Computer1\Data because they only have Change share permission. The would need Full Control
share permission. They could do it locally because they have Full Control NTFS permission.
QUESTION NO: 109
You have a file named Reg1.reg that contains the following content.
What is the effect of importing the file?

A.
A key named command will be renamed as notepad.exe.
B.
In a key named Notepad, the command value will be set to @="notepad.exe".
C.
In a key named command, the default value will be set to notepad.exe.
Answer: B
Explanation:
Topic 3, Configure Connectivity
QUESTION NO: 110
Case Study
question.
Overview
Active Directory
licenses.
Client Computers
joined to Azure AD.
Security policies
LocalAdmin.
Problem Statements

application.
company.
You need to recommend a solution to configure the employee VPN connections.
A.

Remote Access Management Console
B.
Group Policy Management Console (GPMC)
C.
Connection Manager Administration Kit (CMAK)
D.
Microsoft Intune
Answer: D
Explanation:
References:
https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-
vpn/deploy/vpn-deploy-client-vpn-connections#bkmk_ProfileXML
QUESTION NO: 111
Case Study

question.
Overview
Active Directory
licenses.
Client Computers
joined to Azure AD.
Security policies

LocalAdmin.
Problem Statements

application.
company.

You need to take remote control of an employee’s computer to troubleshoot an issue.
What should you send to the employee to initiate a remote session?
A.
a numeric security code
B.
a connection file
C.
an Easy Connect request
D.
a password
Answer: A
Explanation:
References:
https://support.microsoft.com/en-us/help/4027243/windows-10-solve-pc-problems-with-quick-
assist
QUESTION NO: 112
Case Study

question.
Overview
work from home.
of Windows 10.

Requirements
Planned Changes
office users.

Computer3.
You need to meet the technical requirement for User6.
What should you do?
A.
Add User6 to the Remote Desktop Users group in the domain.
B.
Remove User6 from Group2 in the domain.
C.
Add User6 to the Remote Desktop Users group on Computer2.
D.
Add User6 to the Administrators group on Computer2.
Answer: B
Explanation:
QUESTION NO: 113
Case Study

question.
Overview
work from home.
of Windows 10.
Requirements
Planned Changes
office users.

Computer3.
You need to meet the technical requirement for the IT department users.
A.
Issue computer certificates
B.
Distribute USB keys to the IT department users.
C.
Enable screen saver and configure a timeout.
D.
Turn on Bluetooth.
Answer: D

Explanation:
References:
https://support.microsoft.com/en-za/help/4028111/windows-lock-your-windows-10-pc-
automatically-when-you-step-away-from
that task.

below.
Password: Passw0rd!

You need to ensure that you can successfully ping DC1 from Client3 by using the IP4 address of
DC1.
Answer:
Explanation:

Reference:
http://www.turn-n-burn.com/DestinyNetworks/Downloads/WebHelp3-1-
1/Ping_the_Domain_Controller.htm
that task.

below.
Password: Passw0rd!

You need to ensure that a local user named User1 can establish a Remote Desktop connection to
Client2.
Answer:
Explanation:
Add User to Remote Desktop Users Group via Settings App

Reference:
https://www.top-password.com/blog/add-user-to-remote-desktop-users-group-in-windows-10/
that task.

below.
Password: Passw0rd!


You need to prevent user names and passwords from being filled in on forms automatically when
a user browses to websites from Client2.
Answer:
Explanation:

Reference:
https://docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies
https://www.tenforums.com/tutorials/115069-enable-disable-autofill-microsoft-edge-windows-10-
a.html
that task.

below.
Password: Passw0rd!


You need to ensure that all the current and future users in the Active Directory domain can
establish Remote Desktop connections to Client1. The solution must use the principle of least
privilege.
Answer:

Explanation:
Step 1. Add Remote Desktop Users to the Remote Desktop Users Group.
Step 2. Allow the log on through remote desktop Services.
Reference:
https://www.wintips.org/fix-to-sign-in-remotely-you-need-the-right-to-sign-in-through-remote-
desktop-services-server-2016/
that task.

below.
Password: Passw0rd!


A web service installed on Client1 is used for testing.
You discover that users cannot connect to the web service by using HTTP.
You need to allow inbound HTTP connections to Client1.

Answer:
Explanation:
To create an inbound port rule
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/create-an-
inbound-port-rule
https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
that task.

below.
Password: Passw0rd!


Administrators report that they cannot use Event Viewer to remotely view the event logs on
Client3.
You need to ensure that the administrators can access the event logs remotely on Client3. The
solution must ensure that Windows Firewall remains enabled.

Answer:
Explanation:
Reference:
https://www.zubairalexander.com/blog/unable-to-access-event-viewer-on-a-remote-computer/

that task.
below.

Password: Passw0rd!


You have already prepared Client1 for remote management.
You need to forward all events from the Application event log on Client1 to DC1.
Answer:

Explanation:
Configuring the event source computer
Configuring the event collector computer
Reference:
https://docs.microsoft.com/en-us/windows/win32/wec/setting-up-a-source-initiated-
subscription#forwarding-the-security-log
QUESTION NO: 121
Your company has a wireless access point that uses WPA2-Enterprise.
You need to configure a computer to connect to the wireless access point.
A.
Create a provisioning package in Windows Configuration Designer.
B.
Request a passphrase.
C.
Request and install a certificate.
D.
Create a Connection Manager Administration Kit (CMAK) package.
Answer: B
Explanation:
References:
https://support.microsoft.com/en-za/help/17137/windows-setting-up-wireless-network

QUESTION NO: 122
A user named User1 has a computer named Computer1 that runs Windows 10.
User1 connects to a Microsoft Azure virtual machine named VM1 by using Remote Desktop.
User1 creates a VPN connection named VPN1 to connect to a partner organization.
When VPN1 connection is established, User1 cannot connect to VM1. When User1 disconnects
from VPN1, the user can connect to VM1.
You need to ensure that User1 can connect to VM1 while connected to VPN1.
What should you do?
A.
From the proxy settings, add the IP address of VM1 to the bypass list to bypass the proxy.
B.
From the properties of VPN1, clear the Use default gateway on remote network check box.
C.
From the properties of the Remote Desktop connection to VM1, specify a Remote Desktop
Gateway (RD Gateway).
D.
From the properties of VPN1, configure a static default gateway address.
Answer: B
Explanation:
References:
https://www.stevejenkins.com/blog/2010/01/using-the-local-default-gateway-with-a-windows-vpn-
connection/
QUESTION NO: 123
Your network contains an Active Directory domain. The domain contains a user named Admin1.
All computers run Windows 10.

You enable Windows PowerShell remoting on the computers.
You need to ensure that Admin1 can establish remote PowerShell connections to the computers.
The solution must use the principle of least privilege.
To which group should you add Admin1?
A.
Access Control Assistance Operators
B.
Power Users
C.
Remote Desktop Users
D.
Remote Management Users
Answer: D
Explanation:
References:
https://4sysops.com/wiki/enable-powershell-remoting/
QUESTION NO: 124
You have 200 computers that run Windows 10 and are joined to an Active Directory domain.
You need to enable Windows Remote Management (WinRM) on all the computers by using Group
Policy.
Which three actions should you perform? Each correct answer presents part of the solution.
A.
Set the Startup Type of the Windows Remote Management (WS-Management) service to
Automatic.

B.
Enable the Windows Defender Firewall: Allow inbound Remote Desktop exceptions setting.
C.
Enable the Allow remote server management through WinRM setting.
D.
Enable the Windows Defender Firewall: Allow inbound remote administration exception setting.
E.
Enable the Allow Remote Shell access setting.
F.
Set the Startup Type of the Remote Registry service to Automatic.
Answer: A,C,D
Explanation:
References:
http://www.mustbegeek.com/how-to-enable-winrm-via-group-policy/
QUESTION NO: 125
A user has a computer that runs Windows 10.
When the user connects the computer to the corporate network, the user cannot access the
internal corporate servers. The user can access servers on the Internet.
You run the ipconfig command and receive the following output.

You send a ping request and successfully ping the default gateway, the DNS servers, and the
DHCP server.
Which configuration on the computer causes the issue?
A.
the DNS servers
B.
the IPv4 address
C.
the subnet mask
D.
the default gateway address
Answer: A
Explanation:
From the Settings app, you view the connection properties shown in the following exhibit.

Answer:
Explanation:
QUESTION NO: 127
You have 15 computers that run Windows 10. Each computer has two network interfaces named
Interface1 and Interface2.
You need to ensure that network traffic uses Interface1, unless Interface1 is unavailable.
What should you do?
A.
Run the Set-NetIPInterface –InterfaceAlias Interface1
–InterfaceMetric 1 command.
B.

Run the Set-NetAdapterBinding –Name Interface2 –Enabled $true
–ComponentID ms_tcpip –ThrottleLimit 0 command.
C.
Set a static IP address on Interface 1.
D.
From Network Connections in Control Panel, modify the Provider Order.
Answer: A
Explanation:
References:
https://tradingtechnologies.atlassian.net/wiki/spaces/KB/pages/27439127/How+to+Change+Netwo
rk+Adapter+Priorities+in+Windows+10
https://docs.microsoft.com/en-us/powershell/module/nettcpip/set-netipinterface?view=win10-ps
QUESTION NO: 128
Your network contains an Active Directory domain. The domain contains 10 computers that run
Windows 10. Users in the finance department use the computers.
From Computer1, you plan to run a script that executes Windows PowerShell commands on the
finance department computers.
You need to ensure that you can run the PowerShell commands on the finance department from
Computer1.
What should you do on the finance department computers?
A.
From the local Group Policy, enable the Allow Remote Shell Access setting.
B.
From the local Group Policy, enable the Turn on Script Execution setting.

C.
From the Windows PowerShell, run the Enable-MMAgent cmdlet.
D.
From the Windows PowerShell, run the Enable-PSRemoting cmdlet.
Answer: D
Explanation:
References:
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-
psremoting?view=powershell-6
QUESTION NO: 129
You have an Azure Active Directory (Azure AD) tenant that contains a user named
user1@contoso.com.
You join Computer1 to Azure AD. You enable Remote Desktop on Computer1.
User1@contoso.com attempts to connect to Computer1 by using Remote Desktop and receives

the following error message: “The logon attempt failed.”
You need to ensure that the user can connect to Computer1 by using Remote Desktop.
A.
In Azure AD, assign user1@contoso.com the Cloud device administrator role.
B.
From the local Group Policy, modify the Allow log on through Remote Desktop Services user right.
C.
In Azure AD, assign user1@contoso.com the Security administrator role.
D.
On Computer1, create a local user and add the new user to the Remote Desktop Users group.

Answer: B
Explanation:
References:
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/allow-
log-on-through-remote-desktop-services
QUESTION NO: 130 DRAG DROP
You enable Windows PowerShell remoting on a computer that runs Windows 10.
You need to limit which PowerShell cmdlets can be used in a remote session.
Which three actions should you perform in sequence? To answer, move the appropriate actions
from the list of actions to the answer area and arrange them in the correct order.
Answer:

Explanation:
References:
https://www.petri.com/powershell-remoting-restricting-user-commands
QUESTION NO: 131
You have a VPN server that accepts PPTP and L2TP connections and is configured as shown in
the following exhibit.
A user named User1 has a computer that runs Windows 10 and has a VPN connection configured
as shown in the following exhibit.
User1 fails to establish a VPN connection when connected to a home network.
You need to identify which VPN client setting must be modified.

What should you identify?
A.
ServerAddress
B.
TunnelType
C.
AuthenticationMethod
D.
L2tpIPsecAuth
E.
EncryptionLevel
Answer: A
Explanation:
The server address is a private IP address. This needs to be the public IP address of the VPN
server.
On Computer1, you create a VPN connection as shown in the following exhibit.

The corporate network contains a single IP subnet.
Answer:

Explanation:
QUESTION NO: 133
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains a user
named UserA.
You have two computers named Computer1 and Computer2 that run Windows 10 and are joined
to contoso.com.
You need to ensure that UserA can connect to Computer2 from Computer1 by using Remote
Desktop.
Which three actions should you perform? Each correct answer presents part of the solution.
A.
On Computer1, modify the registry.
B.
On Computer2, modify the registry.
C.
On Computer1, modify the properties of UserA.
D.
On Computer1, enable Remote Desktop.
E.
On Computer2, modify the properties of UserA.
F.
On Computer 2, enable Remote Desktop.
G.
On Computer2, add the Everyone group to the Remote Desktop Users group.
H.
On Computer1, add the Everyone group to the Remote Desktop Users group.
Answer: E,F,G
Explanation:
Reference:
https://docs.microsoft.com/en-us/windows/client-management/connect-to-remote-aadj-pc
You need to ensure that Computer1 will respond to ping requests.
How should you configure Windows Defender Firewall on Computer1? To answer, select the
appropriate options in the answer area.

Answer:
Explanation:

You have a computer named Computer1 that runs Windows 10. Computer1 has an IP address of
10.10.1.200 and a subnet mask of 255.255.255.0.
You configure the proxy settings on Computer1 as shown in the following exhibit.


Answer:
Explanation:

References:
https://www.howtogeek.com/tips/how-to-set-your-proxy-settings-in-windows-8.1/
QUESTION NO: 136
You have a computer that is configured as shown in the following exhibit.

What can the computer connect to?
A.
all the local computers and the remote computers within your corporate network only
B.
all the local computers and the remote computers, including Internet hosts
C.
only other computers on the same network segment that have automatic private IP addressing
(APIPA)
D.
only other computers on the same network segment that have an address from a class A network
ID
Answer: B

Explanation:
QUESTION NO: 137
Your network contains an Active Directory domain named contoso.com.
A user named User1 has a personal computer named Computer1 that runs Windows 10 Pro.
User1 has a VPN connection to the corporate network.
You need to ensure that when User1 connects to the VPN, network traffic uses a proxy server
located in the corporate network. The solution must ensure that User1 can access the Internet
when disconnected from the VPN.
What should you do?
A.
From Control Panel, modify the Windows Defender Firewall settings
B.
From the Settings app, modify the Proxy settings for the local computer
C.
From Control Panel, modify the properties of the VPN connection
D.
From the Settings app, modify the properties of the VPN connection
Answer: B
Explanation:
QUESTION NO: 138
You deploy 100 computers that run Windows 10. Each computer has a cellular connection and a
Wi-Fi connection.
You need to prevent the computers from using the cellular connection unless a user manually
connects to the cellular network.

What should you do?
A.
Set the Use cellular instead of Wi-Fi setting for the cellular connection to Never
B.
Run the netsh wlan set hostednetwork mode=disallow command
C.
Clear the Let Windows manage this connection check box for the cellular connection
D.
Select the Let Windows manage this connection check box for the Wi-Fi connection
Answer: C
Explanation:
References:
https://support.microsoft.com/en-za/help/10739/windows-10-cellular-settings
QUESTION NO: 139
correct solution.
You have a laptop named Computer1 that runs Windows 10.
When in range, Computer1 connects automatically to a Wi-Fi network named Wireless1.
You need to prevent Computer1 from automatically connecting to Wireless1.
Solution: From a command prompt, you run netsh wlan delete profile name="Wireless1".

A.
Yes
B.
No
Answer: A
Explanation:
Reference:
https://lifehacker.com/remove-wi-fi-profiles-from-windows-8-1-from-the-command-1449954864
QUESTION NO: 140
correct solution.
Solution: From the Services console, you disable the Link-Layer Topology Discovery Mapper
service.
A.
Yes
B.
No

Answer: B
Explanation:
Link-Layer Topology Discovery is used by their Network Map feature to display a graphical
representation of the local area network (LAN) or wireless LAN (WLAN), to which the computer is
connected.
References:
https://en.wikipedia.org/wiki/Link_Layer_Topology_Discovery
QUESTION NO: 141
correct solution.
Solution: From the properties of the Wi-Fi adapter, you disable Link-Layer Topology Discovery
Responder.
A.
Yes
B.
No
Answer: B

Explanation:
Link-Layer Topology Discovery is used by their Network Map feature to display a graphical
representation of the local area network (LAN) or wireless LAN (WLAN), to which the computer is
connected.
References:
https://en.wikipedia.org/wiki/Link_Layer_Topology_Discovery
QUESTION NO: 142
Your network contains an Active Directory domain named contoso.com. The domain contains two
computers named Computer1 and Computer2 that run Windows 10.
On Computer1, you need to run the Invoke-Command cmdlet to execute several PowerShell
commands on Computer2.
A.
On Computer2, run the Enable-PSRemoting cmdlet
B.
From Active Directory, configure the Trusted for Delegation setting for the computer account of
Computer2
C.
On Computer1, run the New-PSSession cmdlet
D.
On Computer2, add Computer1 to the Remote Management Users group
Answer: A
Explanation:
Reference:
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-
psremoting?view=powershell-6

QUESTION NO: 143
You are troubleshooting connectivity issues on Computer1.
You need to view the remote addresses to which Computer1 has active TCP connections.
Which tool should you use?
A.
Performance Monitor
B.
Task Manager
C.
Resource Monitor
D.
Windows Defender Firewall with Advanced Security
Answer: C
Explanation:
Your office has a dedicated wireless network for guests.
You plan to provide access cards that will have a QR code for guests. The QR code will link to a
network configuration file stored on a publicly accessible website and provide the wireless network
settings for Windows 10 devices.
Which tool should you use to create the configuration file and which file type should you use for
the configuration file? To answer, select the appropriate options in the answer area.

Answer:
Explanation:

Reference:
https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-
packages
Your network contains the segments shown in the following table.

The network interface of the computer is configured as shown in the exhibit. (Click the Exhibit
tab.)
You need to identify which IP address the computer will have on the network when the computer
connects to the segments.
Which IP address should you identify for each segment? To answer, select the appropriate options
in the answer area.

Answer:
Explanation:

Your network contains an Active Directory domain named adatum.com, a workgroup, and
computers that run Windows 10. The computers are configured as shown in the following table.
The local Administrator accounts on Computer1, Computer2, and Computer3 have the same user
name and password.
On Computer1, Windows Defender Firewall is configured as shown in the following exhibit.

The services on Computer1 have the following states.

Answer:
Explanation:
Box 1: No
Because the firewall is blocking Remote Volume Management.

Box 2: No
Because the Remote Registry Service is stopped.
Box 3: No
Because the Remote Registry Service is stopped. Perfmon needs both the RPC service and the
Remote Registry service to be running.
QUESTION NO: 147
Your company has a Remote Desktop Gateway (RD Gateway).
You have a server named Server1 that is accessible by using Remote Desktop Services (RDS)
through the RD Gateway.
You need to configure a Remote Desktop connection to connect through the gateway.
Which setting should you configure?
A.
Connection settings
B.
Server authentication
C.
Local devices and resources
D.
Connect from anywhere
Answer: D
Explanation:
QUESTION NO: 148

correct solution.
Solution: From the Settings app, you modify the properties of the Wireless1 known Wi-Fi network.
A.
Yes
B.
No
Answer: A
Explanation:
Removing Wireless1 as a known Wi-Fi network on Computer1 will prevent it from automatically
connecting.
Note: You can also type netsh wlan show profiles in the Command Prompt to manage and delete
wireless network profiles.
References:
https://kb.netgear.com/29889/How-to-delete-a-wireless-network-profile-in-Windows-10

that task.

below.
Password: Passw0rd!

You need to connect to your company’s network and create a VPN connection on Client2 named
VPN1 that meets the following requirements:
VPN1 must connect to a server named vpn.contoso.com.
Only traffic to your company’s network must be routed through VPN1.
Answer:

Explanation:
Reference:
https://www.themillergroup.com/vpn-windows-10/
Topic 4, Maintain Windows
QUESTION NO: 150
Case Study
question.
Overview

Active Directory
licenses.
Client Computers
joined to Azure AD.
Security policies
LocalAdmin.

Problem Statements

application.
company.
You need to recommend a solution to monitor update deployments.
A.
Windows Server Update (WSUS)

B.
the Update Management solution in Azure Automation
C.
the Update Compliance solution in Azure Log Analytics
D.
the Azure Security Center
Answer: C
Explanation:
References:
https://docs.microsoft.com/en-us/windows/deployment/update/update-compliance-monitor
Case Study
question.

Overview
Active Directory
licenses.
Client Computers
joined to Azure AD.
Security policies
LocalAdmin.
Problem Statements

application.
company.
You need to reduce the amount of time it takes to restart Application1 when the application
crashes.

What should you include in the solution? To answer, select the appropriate options in the answer
area.
Answer:

Explanation:
Reference:
https://www.howto-connect.com/how-to-attach-a-task-to-this-event-in-event-viewer-in-windows-10/
QUESTION NO: 152
Case Study
question.
Overview
work from home.
of Windows 10.

Requirements
Planned Changes
office users.

Computer3.
You need to meet the quality update requirement for ComputerA.
For how long should you defer the updates?
A.
14 days
B.
10 years
C.
5 years
D.
180 days
E.
30 days
Answer: B
Explanation:
References:
https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview

QUESTION NO: 153
correct solution.
You deploy Windows 10 to a computer named Computer1.
Computer1 contains a folder named C:\Folder1. Folder1 contains multiple documents.
You need to ensure that you can recover the files in Folder1 by using the Previous Versions tab.
Solution: You set up Backup and Restore (Windows 7) and include Folder1 in the backup.
A.
Yes
B.
No
Answer: A
Explanation:
Reference:
https://www.tenforums.com/tutorials/79490-restore-previous-versions-files-folders-drives-windows-
10-a.html
https://support.microsoft.com/en-za/help/17128/windows-8-file-history
QUESTION NO: 154

You have a computer that runs Windows 10. You use the computer to test new Windows features.
You need to configure the computer to receive preview builds of Windows 10 as soon as possible.
What should you configure from Update & Security in the Settings app?
A.
Windows Insider Program
B.
Windows Update
C.
Delivery Optimization
D.
For developers
Answer: A
Explanation:
Reference:
https://insider.windows.com/en-us/getting-started/
QUESTION NO: 155
You have a computer named Computer1 that runs Windows 10. Computer1 connects to multiple
wireless networks.
You need to view the wireless networks to which Computer1 connects.
A.
the System log in Event Viewer
B.
Wi-Fi in the Settings app
C.

the properties of the wireless adapter in Network Connections in Control Panel
D.
the Details tab for the wireless adapter in Device Manager
Answer: B
Explanation:
Reference:
https://www.windowscentral.com/how-connect-wi-fi-network-windows-10
You include Folder1, Folder2, and Folder3 in the Documents library.
You configure File History to run every 15 minutes, and then turn on File History.

Answer:
Explanation:

QUESTION NO: 157
A user has a computer that runs Windows 10. The user has access to the following storage
locations:
A USB flash drive
Microsoft OneDrive
OneDrive for Business
A drive mapped to a network share
A secondary partition on the system drive
You need to configure Back up using File History from the Settings app.
Which two storage locations can you select for storing File History data? Each correct answer
presents a complete solution.
A.
OneDrive for Business
B.
OneDrive
C.
the USB flash drive
D.
the secondary partition on the system drive
E.
the drive mapped to a network share
Answer: C,D
Explanation:
Your network contains an Active Directory domain named contoso.com. The domain contains two
computers named Computer1 and Computer2 that run Windows 10 and are joined to the domain.
On Computer1, you create an event subscription named Subscription1 for Computer2 as shown in
the Subscription1 exhibit. (Click the Subcription1 tab.)

Subscription1 is configured to use forwarded events as the destination log.
On Computer1, you create a custom view named View1 as shown in the View1 exhibit. (Click the
View1 tab.)


Answer:
Explanation:

QUESTION NO: 159
correct solution.
Solution: You select Folder is ready for archiving from the properties of Folder1.
A.
Yes
B.
No

Answer: B
Explanation:
The previous versions feature in Windows 10 allows you to restore a previous version of files,
folders, and drives that were saved or backed up as part of a restore point, File History, and/or
Windows Backup.
References:
10-a.html
QUESTION NO: 160
correct solution.
Your network contains an Active Directory domain named contoso.com. The domain contains the
You have a computer named Computer1 that runs Windows 10 and is in a workgroup.
A local standard user on Computer1 named User1 joins the computer to the domain and uses the
credentials of User2 when prompted.
You need to ensure that you can rename Computer1 as Computer33.
Solution: You use the credentials of User3 on Computer1.

A.
Yes
B.
No
Answer: A
Explanation:
Renaming a domain-joined computer will also rename the computer account in the domain. To do
this, you need domain administrator privileges.
User3 is a domain administrator.
References:
directory-security-groups#bkmk-domainadmins
QUESTION NO: 161
correct solution.

A.
Yes
B.
No
Answer: B
Explanation:
User2 is a domain user, not an administrator. Use User3's credentials instead.
References:
directory-security-groups
QUESTION NO: 162
correct solution.

A.
Yes
B.
No
Answer: B
Explanation:
User4 is a server operator, not an administrator. Members of the Server Operators group can sign
in to a server interactively, create and delete network shared resources, start and stop services,
back up and restore files, format the hard disk drive of the computer, and shut down the computer.
Use User3's credentials instead.
References:

QUESTION NO: 163
From Event Viewer on Computer1, you have a task named Action1 that is attached to the
following event:
Log: System
Source: Kernel-General
Event ID: 16
You need to modify the settings of Action1.
A.
the Settings app
B.
Task Scheduler
C.
Event Viewer
D.
System Configuration
Answer: C
Explanation:
An Event Viewer task is created and modified in Event Viewer.
References:
https://www.techrepublic.com/article/how-to-use-custom-views-in-windows-10s-event-viewer/
QUESTION NO: 164

correct solution.
You manage devices that run Windows 10.
Ten sales users will travel to a location that has limited bandwidth that is expensive. The sales
users will be at the location for three weeks.
You need to prevent all Windows updates from downloading for the duration of the trip. The
solution must not prevent access to email and the Internet.
Solution: From Accounts in the Settings app, you turn off Sync settings.
A.
Yes
B.
No
Answer: B
Explanation:
You have a computer that runs Windows 10. You view the domain services status as shown in the
following exhibit.


Answer:
Explanation:
Device is Azure AD joined; not domain joined.
The MDM URLs in the exhibit indicate the device is enrolled in Endpoint Manager.
References:
https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-device-dsregcmd
https://github.com/MicrosoftLearning/MD-101T00-
ManagingModernDesktops/blob/master/Instructions/Labs/0403-
Enrolling%20devices%20in%20Intune.md
QUESTION NO: 166
The computer fails to start, and you receive the following error message: “BOOTMGR image is
corrupt. The system cannot boot”.
You need to repair the system partition.
Which command should you run from Windows Recovery Environment (WinRE)?
A.
fdisk.exe
B.
chkdsk.exe
C.
diskpart.exe
D.
bcdboot.exe
Answer: C
Explanation:
DiskPart, which has replaced fdisk, is a command-line utility that provides the ability to manage
disks, partitions or volumes in your computer running all versions of operating system since
Windows 2000.
References:

https://www.diskpart.com/windows-10/diskpart-windows-10-1203.html
You have a computer named Computer1 that runs Windows 10. Computer1 contains a registry
key named Key1 that has the values shown in the exhibit. (Click the Exhibit tab.).
You have a Registration Entries (.reg) file named File1.reg that contains the following text.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Key1]
"String1"=-
@="2"
You need to identify the effect of importing File1.reg to Computer1.
Answer:

Explanation:
Box 1: String1 will be deleted.
To delete a value, append equals and then minus to the value. For example:
"String1"=-
Box 2: Value1 will have a value of 1
@="2" sets the default value to 1 but Value1 already has a DWORD value.
A DWORD (32-bit) value is a hexadecimal value. Value1 is 0x00000001 which is 1.
References:
https://www.computerhope.com/issues/ch000848.htm
https://www.computerperformance.co.uk/vista/reg-create/
User Account Control (UAC) on Computer1 is configured as shown in the following exhibit.

Answer:
Explanation:

Box 1: Yes
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval
Mode is set to Prompt for consent When an operation requires elevation of privilege, the user is
prompted to select either Permit or Deny. If the user selects Permit, the operation continues with
the user's highest available privilege.
Box 2: Yes
User1 is a member of Administrators group.
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval
Mode is set to Prompt for consent When an operation requires elevation of privilege, the user is
prompted to select either Permit or Deny. If the user selects Permit, the operation continues with
the user's highest available privilege.
Box 3: Yes
User Account Control: Behavior of the elevation prompt for standard users is set to Prompt for
credentials (Default) When an operation requires elevation of privilege, the user is prompted to
enter an administrative user name and password. If the user enters valid credentials, the operation
continues with the applicable privilege.
References:
https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-
account-control-security-policy-settings
QUESTION NO: 169
correct solution.
A.
Yes
B.
No
Answer: B
Explanation:
User1 is a standard user.
References:

QUESTION NO: 170
correct solution.
You have two computers named Computer1 and Computer2 that run Windows 10.
You have an Azure Active Directory (Azure AD) user account named admin@contoso.com that is
in the local Administrators group on each computer.
You sign in to Computer1 by using admin@contoso.com.
You need to ensure that you can use Event Viewer on Computer1 to connect to the event logs on
Computer2.
Solution: On Computer2, you run the winrm quickconfig command.
A.
Yes
B.
No
Answer: B
Explanation:
Windows Remote Management is a component of the Windows Hardware Management features

that manage server hardware locally and remotely.

References:
https://docs.microsoft.com/en-us/windows/win32/winrm/about-windows-remote-management
QUESTION NO: 171
You deploy Windows 10 to several computers. The computers will be used by users who
frequently present their desktop to other users.
You need to prevent applications from generating toast notifications in the notification area.
Which settings should you configure from the Settings app?
A.
Shared experiences
B.
Privacy
C.
Focus assist
D.
Tablet mode
Answer: C
Explanation:
Focus Assist will automatically hide incoming notifications, so they don’t pop up and distract you
while you’re playing a game, giving a presentation, or using a full-screen application.
Your network contains an Active Directory domain named adatum.com. The domain contains two
computers named Computer1 and Computer2 that run Windows 10.
The domain contains the user accounts shown in the following table.

Computer2 contains the local groups shown in the following table.
The relevant user rights assignments for Computer2 are shown in the following table.

Answer:
Explanation:
Explanation:
Box 1: Yes
User1 is an administrator and has the Allow log on through Remote Desktop Services.
Box 2: No
User2 is a member of Group2 which has the Deny log on through Remote Desktop Services.
Box 3: Yes
User3 is a member of the administrators group and has the Allow log on through Remote Desktop
Services.

Note: Deny permissions take precedence over Allow permissions. If a user belongs to two groups,
and one of them has a specific permission set to Deny, that user is not able to perform tasks that
require that permission even if they belong to a group that has that permission set to Allow.
References:
https://docs.microsoft.com/en-us/azure/devops/organizations/security/about-
permissions?view=azure-devops&tabs=preview-page%2Ccurrent-page
that task.

below.
Password: Passw0rd!

You need to ensure that Client3 starts in safe mode automatically the next time the computer
restarts. After completing the task, you must NOT restart Client3.
Answer:
Explanation:
Reference:
https://www.howtogeek.com/howto/windows-vista/force-windows-to-boot-into-safe-mode-without-
using-the-f8-key/
that task.

below.
Password: Passw0rd!

You need to create a user account named User5 on Client2. The solution must meet the following
requirements:
Prevent User5 from changing the password of the account.
Ensure that User5 can perform backups.
Use the principle of least privilege.

Answer:
Explanation:
Reference:
https://www.digitalcitizen.life/geeks-way-creating-user-accounts-and-groups
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-
rights-assignment
that task.

below.
Password: Passw0rd!

You need to create a group named Group2 on Client2. The members of Group2 must be able to
change the system time. The solution must use the principle of least privilege.
Answer:
Explanation:

Reference:
https://www.windows-active-directory.com/local-user-management.html
https://www.tenforums.com/tutorials/92910-allow-prevent-users-groups-change-time-windows-10-
a.html#option1
that task.

below.
Password: Passw0rd!


Users who attempt to sign in to the domain from Client3 report that the sign-ins fail.
Answer:

Explanation:
Reference:
https://support.microsoft.com/en-us/help/2771040/the-trust-relationship-between-this-workstation-
and-the-primary-domain
that task.

below.
Password: Passw0rd!


You need to ensure that Windows feature updates on Client1 are deferred for 15 days when the
updates become generally available.
Answer:
Explanation:

Reference:
https://support.microsoft.com/en-us/help/4026834/windows-10-defer-feature-updates
QUESTION NO: 178
correct solution.
Computer2.
Solution: On Computer2, you enable the Remote Event Log Management inbound rule from
Windows Defender Firewall.
A.
Yes
B.
No
Answer: A
Explanation:
Reference:

2008/cc766438(v=ws.11)?redirectedfrom=MSDN
QUESTION NO: 179
correct solution.
Computer2.
Solution: On Computer2, you create a Windows Defender Firewall rule that allows eventwr.exe.
A.
Yes
B.
No
Answer: B
Explanation:
Reference:

2008/cc766438(v=ws.11)?redirectedfrom=MSDN
QUESTION NO: 180
correct solution.
You test Windows updates on Computer1 before you make the updates available to other
computers.
You install a quality update that conflicts with a custom device driver.
You need to remove the update from Computer1.
Solution: From an elevated command prompt, you run the wusa.exe command and specify the
/uninstall parameter.
A.
Yes
B.
No
Answer: A
Explanation:
References:
https://support.microsoft.com/en-us/help/934307/description-of-the-windows-update-standalone-
installer-in-windows

QUESTION NO: 181
correct solution.
computers.
Solution: From System Restore, you revert the system state to a restore point that was created
before the update was installed.
A.
Yes
B.
No
Answer: A
Explanation:
QUESTION NO: 182
You have 100 computers that run Windows 10. The computers are in a workgroup.

The computers have a low-bandwidth metered Internet connection.
You need to reduce the amount of Internet bandwidth consumed to download updates.
A.
BranchCache in hosted mode
B.
BranchCache in distributed cache mode
C.
Delivery Optimization
D.
Background intelligent Transfer Service (BITS)
Answer: C
Explanation:
References:
https://support.microsoft.com/en-us/help/4468254/windows-update-delivery-optimization-faq
QUESTION NO: 183
You have 20 computers that run Windows 10.
You configure all the computers to forward all the events from all the logs to a computer named
When you sign in to Computer1, you cannot see any security events from other computers. You
can see all the other forwarded events from the other computers.
You need to ensure that the security events are forwarded to Computer1.
What should you do?
A.
On each computer, run wecutil qc /q.
B.
On each computer, add the NETWORK SERVICE account to the Event Log Readers group.
C.
On each computer, run winrm qc –q.
D.
On Computer1, add the account of Computer1 to the Event Log Readers group.
Answer: D
Explanation:
References:
https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-
forwarding-to-assist-in-intrusion-detection
You have a computer named Computer1 that runs Windows 10 and contains the following files:
C:\Folder1\File1.bat
C:\Folder1\File1.exe
C:\Folder1\File1.cmd
A user named User1 is assigned Read & execute to all the files.
Computer1 is configured as shown in the exhibit.

Answer:

Explanation:
References:
https://stackoverflow.com/questions/148968/windows-batch-files-bat-vs-cmd
QUESTION NO: 185
You discover that Windows updates are failing to install on the computer.
You need to generate a log file that contains detailed information about the failures.

Which cmdlet should you run?
A.
Get–LogProperties
B.
Get–WindowsErrorReporting
C.
Get–WindowsUpdateLog
D.
Get–WinEvent
Answer: C
Explanation:
References:
https://docs.microsoft.com/en-us/powershell/module/windowsupdate/get-
windowsupdatelog?view=win10-ps
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs Windows Server 2016 and a computer named Computer1 that
runs Windows 10.
Server1 contains a share named Backup. All users can read and write data in Backup.
On Monday at 13:00, you configure Backup and Restore (Windows 7) on Computer1 to use the
following settings:
Backup Destination:\\Server1\Backup
What do you want to back up?:Local Disk (D:), Include a system image of drives: System
Reserved, (C:)
Schedule: Daily at 23:00
You need to identify how many backups will be available on Thursday at 17:00.

Answer:
Explanation:

References:
https://www.windowscentral.com/how-make-full-backup-windows-
10#create_system_image_windows10
https://www.bleepingcomputer.com/tutorials/create-system-image-in-windows-7-8/
You are planning a recovery strategy for computers that run Windows 10.
You need to create recovery procedures to roll back feature updates and quality updates within
five days after an installation.
What should you include in the procedures? To answer, select the appropriate options in the
answer area.

Answer:
Explanation:

Reference:
https://www.thewindowsclub.com/rollback-uninstall-windows-10-creators-update
https://www.dummies.com/computers/pcs/undo-windows-update/
QUESTION NO: 188
You can start the computer but cannot sign in.
You need to start the computer into the Windows Recovery Environment (WinRE).
What should you do?
A.
Turn off the computer. Turn on the computer, and then press F8.
B.
Turn off the computer. Turn on the computer, and then press F10.
C.
From the sign-in screen, hold the Shift key, and then click Restart.
D.
Hold Alt+Ctrl+Delete for 10 seconds.
Answer: C
Explanation:
References:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-recovery-
environment--windows-re--technical-reference

You are a network administrator at your company.
A user attempts to start a computer and receives the following error message: “Bootmgr is
missing.”
You start the computer in recovery mode.
Which command should you run next? To answer, select the appropriate options in the answer
area.
Answer:
Explanation:

References:
https://neosmart.net/wiki/bootmgr-is-missing/
QUESTION NO: 190
Your company purchases 20 laptops that use a new hardware platform.
In a test environment, you deploy Windows 10 to the new laptops.
Some laptops frequently generate stop errors.
You need to identify the cause of the issue.
A.
Reliability Monitor
B.
Task Manager
C.
System Configuration
D.
Performance Monitor

Answer: A
Explanation:
References:
https://lifehacker.com/how-to-troubleshoot-windows-10-with-reliability-monitor-1745624446
You have 100 computers that run Windows 10. You have no servers. All the computers are joined
to Microsoft Azure Active Directory (Azure AD).
The computers have different update settings, and some computers are configured for manual
updates.
You need to configure Windows Update. The solution must meet the following requirements:
The configuration must be managed from a central location.
Internet traffic must be minimized.
Costs must be minimized.
How should you configure Windows Update? To answer, select the appropriate options in the
answer area.

Answer:
Explanation:

References:
https://docs.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb
https://docs.microsoft.com/en-us/windows/deployment/update/waas-delivery-optimization
QUESTION NO: 192
You have a computer named LON-CL1.Adatum.com that runs Windows 10.
From Event Viewer, you create a custom view named View1 that has the following filter:
User: User1
Logged: Any time
Event logs: System
Computer: LON-CL1
Event IDs: 10000 – 11000
Event level: Error, Verbose

You open Event Viewer and discover the event shown in the exhibit. (Click the Exhibit tab.)
The event does not appear in View1.
You need to ensure that the event appears in View1.
What should you do?
A.
Add a Task Category setting to the filter.
B.
Add the computer account to the Event Log Readers group.
C.
Create an event subscription.
D.
Modify the Computer setting in the filter.
Answer: A

Explanation:
References:
https://www.techrepublic.com/article/how-to-use-custom-views-in-windows-10s-event-viewer/
QUESTION NO: 193
You have a computer named Computer1 that runs Windows 10 and has an application named
App1.
You need to use Performance Monitor to collect data about the processor utilization of App1.
Which performance object should you monitor?
A.
Process
B.
Processor Performance
C.
Processor Information
D.
Processor
Answer: A
Explanation:
References:
https://www.cse.wustl.edu/~jain/cse567-06/ftp/os_monitors/index.html
QUESTION NO: 194
You have a computer that runs Windows 10 and has File History enabled. File History is
configured to save copies of files every 15 minutes.

At 07:55, you create a file named D:\Folder1\File1.docx.
You add D:\Folder1 to File History and manually run File History at 08:00.
You modify File1.docx at the following times:
08:05
08:12
08:20
08:24
08:50
At 08:55, you attempt to restore File1.docx.
How many previous versions of File1.docx will be available to restore?
A.
2
B.
3
C.
4
D.
5
Answer: C
Explanation:
QUESTION NO: 195

What should you do?
A.
From Network & Internet in the Settings app, set a data limit.
B.
From Accounts in the Settings app, turn off Sync settings.
C.
From Network & Internet in the Settings app, set the network connections as metered connections.
D.
From Update & Security in the Settings app, pause updates.
Answer: C
Explanation:
QUESTION NO: 196
What are three possible ways to achieve the goal? Each correct answer presents a complete the
solution.
A.
Set up Backup and Restore (Windows 7) and include Folder1 in the backup.
B.
Enable File History and add Folder1 to File History.
C.
Enable File History and include Folder1 in the Documents library.

D.
Select Allow files in this folder to have contents indexed in addition to file properties from
the properties of Folder1.
E.
Select Folder is ready for archiving from the properties of Folder1.
Answer: A,B,C
Explanation:
Reference:
10-a.html
You have a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com that contain
the users shown in the following table.
You have a computer named Computer1 that runs Windows 10. Computer1 is in a workgroup and
has the local users shown in the following table.
User1 joins Computer1 to Azure AD by using user1@contoso.com.

Answer:
Explanation:

Which users can analyze the event logs on Computer1? To answer, select the appropriate options
in the answer area.
Answer:

Explanation:
References:
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-
accounts#sec-localsystem
QUESTION NO: 199
Your company has a main office and a branch office. The offices connect to each other by using a
WAN link. Access to the Internet is provided through the main office.
The branch office contains 25 computers that run Windows 10. The computers contain small hard
drives that have very little free disk space.
You need to prevent the computers in the branch office from downloading updates from peers on
the network.
What should you do?
A.
From the Settings app, modify the Delivery Optimizations settings.
B.
Configure the network connections as metered connections.
C.
Configure the computers to use BranchCache in hosted cache mode.
D.
Configure the updates to use the Semi-Annual Channel (Targeted) channel.
Answer: C
Explanation:
References:
https://docs.microsoft.com/en-us/windows/deployment/update/waas-branchcache
QUESTION NO: 200
correct solution.
Solution: From Update & Security in the Settings app, you turn on Pause Updates.
A.
Yes
B.
No
Answer: B
Explanation:
References:
https://www.makeuseof.com/tag/5-ways-temporarily-turn-off-windows-update-windows-10/
QUESTION NO: 201
correct solution.

Solution: From Network & Internet in the Settings app, you set the network connections as
metered connections.
A.
Yes
B.
No
Answer: A
Explanation:
References:
https://www.makeuseof.com/tag/5-ways-temporarily-turn-off-windows-update-windows-10/
QUESTION NO: 202
correct solution.

Solution: From Network & Internet in the Settings app, you set a data limit.
A.
Yes
B.
No
Answer: B
Explanation:
QUESTION NO: 203
correct solution.
computers.
Solution: From an elevated command prompt, you run the wmic qfe delete command.
A.
Yes
B.
No
Answer: B
Explanation:
QUESTION NO: 204
You have a computer that runs Windows 10 and has BitLocker Drive Encryption (BitLocker)
enabled on all volumes.
You start the computer from Windows Recovery Environment (WinRE).
You need to read the data on the system drive.
What should you do?
A.
Run cipher.exe and specify the /rekey parameter
B.
Run cipher.exe and specify the /adduser parameter
C.
Run manage-bde.exe and specify the -off parameter
D.
Run manage-bde.exe and specify the -unlock parameter
Answer: D
Explanation:
References:
https://www.repairwin.com/how-to-disable-bitlocker-in-windows-recovery-environment-winre/

QUESTION NO: 205
You complete a full back up of Computer1 to an external USB drive. You store the USB drive
offsite.
You delete several files from your personal Microsoft OneDrive account by using File Explorer,
and then you empty the Recycle Bin on Computer1.
You need to recover the files 60 days after you deleted them in the least amount of time possible.
A.
the OneDrive recycle bin
B.
the full backup on the external USB drive
C.
Recovery in the Settings app
Answer: B
Explanation:
References:
https://support.office.com/en-us/article/restore-deleted-files-or-folders-in-onedrive-949ada80-0026-
4db3-a953-c99083e6a84f
QUESTION NO: 206
computers.

What are three possible ways to achieve the goal? Each correct answer presents a complete
solution.
A.
From Programs and Features, uninstall an update.
B.
From Windows PowerShell, run the Remove-WindowsPackage cmdlet.
C.
From an elevated command prompt, run the wusa.exe command and specify the /uninstall
parameter.
D.
From an elevated command prompt, run the wmic qfe delete command.
E.
From System Restore, revert the system state to a restore point that was created before the
update was installed.
Answer: A,C,E
Explanation:
QUESTION NO: 207
Computer1 has a Trusted Platform Module (TPM) version 1.2.
The domain contains a domain controller named DC1 that has all the Remote Server
Administration Tools (RSAT) installed.
BitLocker Drive Encryption (BitLocker) recovery passwords are stored in Active Directory.

You enable BitLocker on the operating system drive of Computer1.
A software update on Computer1 disables the TPM, and BitLocker enters recovery mode.
You need to recover your BitLocker password for Computer1.
What should you use to retrieve the recovery password?
A.
Disk Management
B.
manage –bde with the –unlock parameter
C.
Active Directory Users and Computers
D.
repair-bde with the –f parameter
Answer: C
Explanation:
user accounts shown in the following table.
In Event Viewer, you create two custom views named View1 and View2. All users have access to
the views. View1 shows errors and warnings from the Security event log. View2 shows errors and
warnings from the System event log.
Which users can use the views? To answer, select the appropriate options in the answer area.

Answer:
Explanation:

QUESTION NO: 209
You have a computer that runs Windows 8.1.
When you attempt to perform an in-place upgrade to Windows 10, the computer fails to start after
the first restart.
You need to view the setup logs on the computer.
Which folder contains the logs?
A.
\$Windows.~BT\Sources\Panther\
B.
\Windows\Logs

C.
\Windows\Temp
D.
\$Windows.~BT\Inf
Answer: A
Explanation:
References:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-log-
files-and-event-logs
QUESTION NO: 210
Your network contains an Active Directory domain. The domain contains 10 computers that run
Windows 10.
On a different computer named Computer1, you plan to create a collector-initiated subscription to

gather the event logs from the Windows 10 computers.
You need to configure the environment to support the event log collection.
A.
Add Computer1 to the Event Log Readers group on the Windows 10 computers
B.
Add Computer1 to the Event Log Readers group on Computer1
C.
On the Windows 10 computers, change the Startup Type of Windows Event Collector to
Automatic
D.
Enable Windows Remote Management (WinRM) on the Windows 10 computers
E.
Enable Windows Remote Management (WinRM) on Computer1
Answer: A,D
Explanation:
Reference:
2008/cc748890(v=ws.11)
QUESTION NO: 211
You have several computers that run Windows 10.
All users have Microsoft OneDrive for Business installed.
Users frequently save files to their desktop.
You need to ensure that all the users can recover the files on their desktop from OneDrive for
Business.
A.
Copy ADMX and ADML files to C:\Users\PublicDesktop\
B.
From Backup in the Settings app, add a drive
C.
Configure the Silently move Windows known folders to OneDrive settings
D.
Copy ADMX and ADML files to C:\Windows\PolicyDefinitions
E.
Configure the Save documents to OneDrive by default setting

Answer: C,D
Explanation:
References:
https://docs.microsoft.com/en-us/onedrive/plan-onedrive-enterprise
https://docs.microsoft.com/en-us/onedrive/use-group-policy#KFMOptInNoWizard
QUESTION NO: 212
correct solution.
Solution: You enable File History and add Folder1 to File History.
A.
Yes
B.
No
Answer: A
Explanation:
Reference:

QUESTION NO: 213
correct solution.
Solution: You enable File History and add Folder1 in the Documents library.
A.
Yes
B.
No
Answer: A
Explanation:
Reference:

Test Dump MD100

Uploaded by

Copyright:

Available Formats

Test Dump MD100

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Test Dump MD100

Uploaded by

Copyright:

Available Formats

Microsoft MD-100 Questions & Answers

QUESTION NO: 1 HOTSPOT

To start the case study

The domain contains a user account for an employee named User10.

"Everything is under control" - www.pass4sure.com 2

User10 has a computer named Computer10.

Fabrikam has the following operational procedures:

Updates are deployed by using Windows Update for Business.

Fabrikam identifies the following issues:

Employees in the finance department use an application named Application1. Application1

"Everything is under control" - www.pass4sure.com 3

User10 reports that Computer10 is not activated.

Provide employees with a configuration file to configure their VPN connection.

You need to implement a solution to configure the contractors’ computers.

NOTE: Each correct selection is worth one point.

"Everything is under control" - www.pass4sure.com 4

"Everything is under control" - www.pass4sure.com 5

The ‘configuration file’ in this case is known as a ‘provisioning package’.

A provisioning package (.ppkg) is a container for a collection of configuration settings. With

"Everything is under control" - www.pass4sure.com 6

To start the case study

The domain contains a user account for an employee named User10.

Fabrikam has the following operational procedures:

Updates are deployed by using Windows Update for Business.

Fabrikam identifies the following issues:

Employees in the finance department use an application named Application1. Application1

User10 reports that Computer10 is not activated.

Provide employees with a configuration file to configure their VPN connection.

You need to ensure that User10 can activate Computer10.

What should you do?

"Everything is under control" - www.pass4sure.com 9

To start the case study

Contoso has IT, human resources (HR), and finance departments.

"Everything is under control" - www.pass4sure.com 10

Contoso uses Microsoft 365.

All computers run Windows 10 Enterprise.

The computers are updated by using Windows Update for Business.

The domain has the users shown in the following table.

Computer1 has the local users shown in the following table.

"Everything is under control" - www.pass4sure.com 11

Contoso identifies the following technical requirements:

Quality update installations must be deferred as long as possible on ComputerA.

User6 must be able to connect to Computer2 by using Remote Desktop.

The principle of least privilege must be used whenever possible.

Administrative effort must be minimized whenever possible.

Kiosk (assigned access) must be configured on Computer1.

Which Windows 10 deployment method should you use?

"Everything is under control" - www.pass4sure.com 12

QUESTION NO: 4 HOTSPOT

"Everything is under control" - www.pass4sure.com 13

To start the case study

Contoso has IT, human resources (HR), and finance departments.

Contoso uses Microsoft 365.

All computers run Windows 10 Enterprise.

The computers are updated by using Windows Update for Business.

The domain has the users shown in the following table.

Computer1 has the local users shown in the following table.

"Everything is under control" - www.pass4sure.com 15

Contoso identifies the following technical requirements: