Microsoft - 11 07 21 MD 100

Reference Solution for
md-100.vce
MD-100
MD-100
Windows 10
Version 16.0
Score: 800/1000
Version: n/A
Time 0 Minutes
Limit:
Licensed to Vagner Santos vagner23ti@gmail.com

Deploy Windows (37 questions)
Case Study (2 questions)
2 Licensed to Vagner Santos vagner23ti@gmail.com

Case Study
This is a case study. Case studies are not timed separately. You can use as much
exam times as you would like to complete each case. However, there may be additional
studies and sections on this exam. You must manage your time to ensure that you are able to
complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that
is provided in the case study. Case studies might contain exhibits and other resources that
provide more information about the scenario that is described in the case study. Each
question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review
your answers and to make changes before you move to the next section of the exam. After
you begin a new section, you cannot return to this section.
To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the
left pane to explore the content of the case study before you answer the questions. Clicking
these buttons displays information such as business requirements, existing environment, and
problem statements. When you are ready to answer a question, click the Question button to
return to the question.
Overview
Fabrikam, Inc. is a distribution company that has 500 employees and 100 contractors.
Existing Environment
Active Directory
The network contains an Active Directory forest named fabrikam.com. The forest is synced to
Microsoft Azure Active Directory (Azure AD). All the employees are assigned Microsoft 365 E3
licenses.
The domain contains a user account for an employee named User10.
Client Computers
All the employees have computers that run Windows 10 Enterprise. All the computers are
installed without Volume License Keys. Windows 10 license keys are never issued.
All the employees register their computer to Azure AD when they first receive the computer.
User10 has a computer named Computer10.
All the contractors have their own computer that runs Windows 10. None of the computers are
joined to Azure AD.
Operational Procedures
Fabrikam has the following operational procedures:

 Updates are deployed by using Windows Update for Business.
 When new contractors are hired, administrators must help the contactors configure the
following settings on their computer:
- User certificates
- Browser security and proxy settings
- Wireless network connection settings
Security Policies
The following security policies are enforced on all the client computers in the domain:
 All the computers are encrypted by using BitLocker Drive Encryption (BitLocker).
BitLocker recovery information is stored in Active Directory and Azure AD.
 The local Administrators group on each computer contains an enabled account named
LocalAdmin.
 The LocalAdmin account is managed by using Local Administrator Password Solution
(LAPS).
Problem Statements
Fabrikam identifies the following issues:
 Employees in the finance department use an application named Application1.

Application1 frequently crashes due to a memory error. When Application1 crashes, an
event is written to the application log and an administrator runs a script to delete the
temporary files and restart the application.
 When employees attempt to connect to the network from their home computer, they
often cannot establish a VPN connection because of misconfigured VPN settings.
 An employee has a computer named Computer11. Computer11 has a hardware failure
that prevents the computer from connecting to the network.
 User10 reports that Computer10 is not activated.
Technical Requirements
Fabrikam identifies the following technical requirements for managing the client computers:
 Provide employees with a configuration file to configure their VPN connection.

 Use the minimum amount of administrative effort to implement the technical
requirements.
 Identify which employees’ computers are noncompliant with the Windows Update
baseline of the company.
 Ensure that the service desk uses Quick Assist to take remote control of an employee’s
desktop during support calls.
 Automate the configuration of the contractors’ computers. The solution must provide a
configuration file that the contractors can open from a Microsoft SharePoint site to
apply the required configurations.

Question 1
HOTSPOT
You need to implement a solution to configure the contractors’ computers.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Solution:
Explanation/Reference
Explanation:
The requirement states: Automate the configuration of the contractors’ computers. The
solution must provide a configuration file that the contractors can open from a Microsoft
SharePoint site to apply the required configurations.
The ‘configuration file’ in this case is known as a ‘provisioning package’.
A provisioning package (.ppkg) is a container for a collection of configuration settings. With

Windows 10, you can create provisioning packages that let you quickly and efficiently
configure a device without having to install a new image.
The tool for creating provisioning packages is renamed Windows Configuration Designer,
replacing the Windows Imaging and Configuration Designer (ICD) tool.
References:
https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-
install-icd
packages
Question 2
You need to ensure that User10 can activate Computer10.
What should you do?
○ Request that a Windows 10 Enterprise license be assigned to User10, and then

activate Computer10.
○ From the Microsoft Deployment Toolkit (MDT), add a Volume License Key to a
task sequence, and then redeploy Computer10.
○ From System Properties on Computer10, enter a Volume License Key, and then
● Request that User10 perform a local AutoPilot Reset on Computer10, and then
Explanation:
The case study states: User10 reports that Computer10 is not activated.
The solution is to perform a local AutoPilot Reset on the computer. This will restore the
computer settings to a fully-configured or known IT-approved state. When User10 signs in to
the computer after the reset, the computer should activate.
You can use Autopilot Reset to remove personal files, apps, and settings from your devices.
The devices remain enrolled in Intune and are returned to a fully-configured or known IT-
approved state. You can Autopilot Reset a device locally or remotely from the Intune for
Education portal.
Incorrect Answers:
A: All users have Microsoft 365 E3 licenses. This license includes Windows 10 Enterprise so we
don’t need to assign a Windows 10 Enterprise license to User10.
B: Volume License Keys aren’t required.
C: Volume License Keys aren’t required.
References:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-
requirements-licensing
https://docs.microsoft.com/en-us/intune-education/autopilot-reset


Case Study
exam time as you would like to complete each case. However, there may be additional
case studies and sections on this exam. You must manage your time to ensure that you are
able to complete all questions included on this exam in the time provided.

Overview
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch
offices in Seattle and New York.
Contoso has IT, human resources (HR), and finance departments.
Contoso recently opened a new branch office in San Diego. All the users in the San Diego
office work from home.
Existing environment
Contoso uses Microsoft 365.
The on-premises network contains an Active Directory domain named contoso.com. The
domain is synced to Microsoft Azure Active Directory (Azure AD).
All computers run Windows 10 Enterprise.
You have four computers named Computer1, Computer2, Computer3, and ComputerA.
ComputerA is in a workgroup on an isolated network segment and runs the Long Term
Servicing Channel version of Windows 10. ComputerA connects to a manufacturing system
and is business critical. All the other computers are joined to the domain and run the Semi-
Annual Channel version of Windows 10.
In the domain, you create four groups named Group1, Group2, Group3, and Group4.
Computer2 has the local Group Policy settings shown in the following table.

The computers are updated by using Windows Update for Business.
The domain has the users shown in the following table.
Computer1 has the local users shown in the following table.
Requirements
Planned Changes
Contoso plans to purchase computers preinstalled with Windows 10 Pro for all the San Diego
office users.
Technical requirements
Contoso identifies the following technical requirements:
 The computers in the San Diego office must be upgraded automatically to Windows 10
Enterprise and must be joined to Azure AD the first time a user starts each new
computer. End users must not be required to accept the End User License Agreement
(EULA).
 Helpdesk users must be able to troubleshoot Group Policy object (GPO) processing on
the Windows 10 computers. The helpdesk users must be able to identify which Group
Policies are applied to the computers.
 Users in the HR department must be able to view the list of files in a folder named
D:\Reports on Computer3.
 ComputerA must be configured to have an Encrypting File System (EFS) recovery agent.
 Quality update installations must be deferred as long as possible on ComputerA.
 Users in the IT department must use dynamic lock on their primary device.
 User6 must be able to connect to Computer2 by using Remote Desktop.
 The principle of least privilege must be used whenever possible.
 Administrative effort must be minimized whenever possible.
 Kiosk (assigned access) must be configured on Computer1.
Question 3
You need to meet the technical requirements for the San Diego office computers.
Which Windows 10 deployment method should you use?
○ wipe and load refresh

○ in-place upgrade
○ provisioning packages
● Windows Autopilot
Explanation:
The requirement states: The computers in the San Diego office must be upgraded
automatically to Windows 10 Enterprise and must be joined to Azure AD the first time a user
starts each new computer. End users must not be required to accept the End User License
Agreement (EULA).
Windows Autopilot is a collection of technologies used to set up and pre-configure new

devices, getting them ready for productive use. You can also use Windows Autopilot to reset,
repurpose and recover devices.
The OEM Windows 10 installation on the new computers can be transformed into a “business-
ready” state, applying settings and policies, installing apps, and even changing the edition of
Windows 10 being used (e.g. from Windows 10 Pro to Windows 10 Enterprise) to support
advanced features.
The only interaction required from the end user is to connect to a network and to verify their
credentials. Everything beyond that is automated.
References:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot

Question 4
HOTSPOT
You need to meet the technical requirement for Computer1.
Solution:
Explanation:

The requirement states: Kiosk (assigned access) must be configured on Computer1.
Kiosk (assigned access) is a feature on Windows 10 that allows you to create a lockdown
environment that lets users interact with only one app when they sign into a specified
account. With Kiosk (assigned access), users won't be able to get to the desktop, Start menu,
or any other app, including the Settings app.
Box 1: User 11
Kiosk (assigned access) must be configured by a user who is a member of the Local
Administrators group on the Computer.
Box 2: User 12.

Kiosk (assigned access) must be configured for a user account that is a member of the Users
group.
References:
https://www.windowscentral.com/how-set-assigned-access-windows-10
Question 5
Your company has an isolated network used for testing. The network contains 20 computers
that run Windows 10. The computers are in a workgroup. During testing, the computers must
remain in the workgroup.
You discover that none of the computers are activated.
You need to recommend a solution to activate the computers without connecting the network
to the Internet.
What should you include in the recommendation?
○ Volume Activation Management Tool (VAMT)

● Key Management Service (KMS)
○ Active Directory-based activation
○ the Get-WindowsDeveloperLicense cmdlet
Explanation:
You can configure one of the computers as a Key Management Service (KMS) host and
activate the KMS host by phone. The other computers in the isolated network can then
activate using the KMS host.
Installing a KMS host key on a computer running Windows 10 allows you to activate other
computers running Windows 10 against this KMS host and earlier versions of the client
operating system, such as Windows 8.1 or Windows 7. Clients locate the KMS server by using
resource records in DNS, so some configuration of DNS may be required. This scenario can be
beneficial if your organization uses volume activation for clients and MAK-based activation for
a smaller number of servers. To enable KMS functionality, a KMS key is installed on a KMS
host; then, the host is activated over the Internet or by phone using Microsoft’s activation
services.
References:

https://docs.microsoft.com/en-us/windows/deployment/volume-activation/activate-using-key-
management-service-vamt
Question 6
You plan to deploy Windows 10 to 100 secure computers.
You need to select a version of Windows 10 that meets the following requirements:
 Uses Microsoft Edge as the default browser

 Minimizes the attack surface of the computer
 Supports joining Microsoft Azure Active Directory (Azure AD)
 Only allows the installation of applications from the Microsoft Store
What is the best version to achieve the goal? More than one answer choice may achieve the
goal. Select the BEST answer.
● Windows 10 Pro in S mode
○ Windows 10 Home in S mode
○ Windows 10 Pro
○ Windows 10 Enterprise
Explanation:
Windows 10 in S mode is a version of Windows 10 that's streamlined for security and
performance, while providing a familiar Windows experience. To increase security, it allows
only apps from the Microsoft Store, and requires Microsoft Edge for safe browsing.
Azure AD Domain join is available for Windows 10 Pro in S mode and Windows 10 Enterprise in
S mode. It's not available in Windows 10 Home in S mode.
References:
https://support.microsoft.com/en-gb/help/4020089/windows-10-in-s-mode-faq

Question 7
DRAG DROP
You have a computer named Computer1 that runs Windows 8.1. Computer1 has a local user
named User1 who has a customized profile.
On Computer1, you perform a clean installation of Windows 10 without formatting the drives.
You need to migrate the settings of User1 from Windows 8.1 to Windows 10.
Which two actions should you perform? To answer, drag the appropriate actions to the correct
targets. Each action may be used once, more than once, or not at all. You may need to drag
the split bar between panes or scroll to view content.
Solution:
Explanation:
The User State Migration Tool (USMT) includes two tools that migrate settings and data:
ScanState and LoadState. ScanState collects information from the source computer, and
LoadState applies that information to the destination computer. In this case the source and
destination will be the same computer.
As we have performed a clean installation of Windows 10 without formatting the drives,

User1’s customized Windows 8.1 user profile will be located in the \Windows.old folder.
Therefore, we need to run scanstate.exe on the \Windows.old folder.
User1’s Windows 10 profile will be in the C:\Users folder so we need to run loadstate.exe to
apply the changes in the C:\Users folder.
Reference:
https://docs.microsoft.com/en-us/windows/deployment/usmt/offline-migration-reference
https://docs.microsoft.com/en-us/windows/deployment/usmt/usmt-how-it-works
https://docs.microsoft.com/en-us/windows/deployment/usmt/usmt-common-migration-
scenarios#bkmk-fourpcrefresh

Question 8
Note: This question is part of a series of questions that present the same scenario.
Each question in the series contains a unique solution that might meet the stated
goals. Some question sets might have more than one correct solution, while others
might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As
a result, these questions will not appear in the review screen.
You have a computer named Computer1 that runs Windows10.
A service named Application1 is configured as shown in the exhibit.
You discover that a user used the Service1 account to sign in to Computer1 and deleted some
files.
You need to ensure that the identity used by Application1 cannot be used by a user to sign in
to sign in to the desktop on Computer1. The solution must use the principle of least privilege.
Solution: On Computer1, you configure Application1 to sign in as the LocalSystem account and
select the Allow service to interact with desktop check box. You delete the Service1 account.
Does this meet the goal?
○ Yes
● No
Explanation:
Configuring Application1 to sign in as the LocalSystem account would ensure that the identity
used by Application1 cannot be used by a user to sign in to the desktop on Computer1.
However, this does not use the principle of least privilege. The LocalSystem account has full
access to the system. Therefore, this solution does not meet the goal.
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-
settings/deny-log-on-locally

Question 9
You have a computer named Computer1 that runs Windows 10.
files.
Solution: On Computer1, you assign Service1 the Deny log on locally user right.
● Yes
○ No

Explanation:
By using the Service1 account as the identity used by Application1, we are applying the
principle of least privilege as required in this question.
However, the Service1 account could be used by a user to sign in to the desktop on the
computer. To sign in to the desktop on the computer, an account needs the log on locally right
which all user accounts have by default. Therefore, we can prevent this by assigning Service1
the deny log on locally user right.
References:
settings/deny-log-on-locally

Question 10
files.
Solution: On Computer1, you assign Service1 the Deny log on as a service user right.
○ Yes
● No

Explanation:
A service account needs the log on as a service user right. When you assign an account to be
used by a service, that account is granted the log on as a service user right. Therefore,
assigning Service1 the deny log on as a service user right would mean the service would not
function.
To sign in to the desktop on the computer, an account needs the log on locally right which all
user accounts have by default. To meet the requirements of this question, we need to assign
Service1 the deny log on locally user right, not the deny log on as a service user right.
References:
settings/deny-log-on-as-a-service

Question 11
You have a Microsoft Azure Active Directory (Azure AD) tenant.
Some users sign in to their computer by using Windows Hello for Business.
A user named User1 purchases a new computer and joins the computer to Azure AD.
User1 is not able to use Windows Hello for Business on his computer. User1 sign-in options are
shown on the exhibit. (Click the Exhibit tab.)
You open Device Manager and confirm that all the hardware works correctly.
You need to ensure that User1 can use Windows Hello for Business facial recognition to sign in
to the computer.
What should you do first?
● Purchase an infrared (IR) camera.

○ Upgrade the computer to Windows 10 Enterprise.
○ Enable UEFI Secure Boot.
○ Install a virtual TPM driver.
Explanation:
Windows Hello facial recognition requires an infrared (IR) camera. If your device does not have
an infrared camera (or any other biometric device such as a fingerprint scanner), you will see
the message shown in the exhibit. The question states that Device Manager shows all
hardware is working properly. Therefore, it is not the case that the computer has an IR camera
but it isn’t working properly. The problem must be that the computer does not have an IR
camera.
Incorrect Answers:
B: Windows 10 Enterprise is not required for Windows Hello. Windows Hello also works on
Windows 10 Pro.
C: UEFI Secure Boot is not required for Windows Hello.
D: A virtual TPM driver is not required for Windows Hello.
References:
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-
planning-guide
Question 12
Your company uses Microsoft Deployment Toolkit (MDT) to deploy Windows 10 to new
computers.
The company purchases 1,000 new computers.
You need to ensure that the Hyper-V feature is enabled on the computers during the
deployment.
What are two possible ways to achieve this goal? Each correct answer presents a complete
solution.
○ Add a task sequence step that adds a provisioning package.

○ In a Group Policy object (GPO), from Computer Configuration, configure
Application Control Policies.
● Add a custom command to the Unattend.xml file.
○ Add a configuration setting to Windows Deployment Services (WDS).
● Add a task sequence step that runs dism.exe.
Explanation:
A common way to add a feature such as Hyper-V in MDT is to use the Install Roles and
Features task sequence action. However, that is not an option in this question.
The two valid options are to a command to the Unattend.xml file or to add a task sequence
step that runs dism.exe.
To add Hyper-V using dism.exe, you would run the following dism command:
DISM /Online /Enable-Feature /All /FeatureName:Microsoft-Hyper-V
References:
https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/create-a-windows-
10-reference-image
https://mdtguy.wordpress.com/2016/09/14/mdt-fundamentals-adding-features-using-dism-
from-within-the-task-sequence/

https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v
Question 13
Your network contains an Active Directory domain that is synced to a Microsoft Azure Active
Directory (Azure AD) tenant.
Your company purchases a Microsoft 365 subscription.
You need to migrate the Documents folder of users to Microsoft OneDrive for Business.
What should you configure?
● One Drive Group Policy settings

○ roaming user profiles
○ Enterprise State Roaming
○ Folder Redirection Group Policy settings
Explanation:
You need to configure a Group Policy Object (GPO) with the OneDrive settings required to
redirect the Documents folder of each user to Microsoft 365.
Importing the OneDrive group policy template files into Group Policy adds OneDrive related
settings that you can configure in your Group Policy.
One of the group policy settings enables you to redirect “Known Folders” to OneDrive for
business. Known folders are Desktop, Documents, Pictures, Screenshots, and Camera Roll.
There are two primary advantages of moving or redirecting Windows known folders to
OneDrive for the users in your domain:
 Your users can continue using the folders they're familiar with. They don't have to
change their daily work habits to save files to OneDrive.
 Saving files to OneDrive backs up your users' data in the cloud and gives them access
to their files from any device.
References:
https://docs.microsoft.com/en-us/onedrive/redirect-known-
folders?redirectSourcePath=%252fen-us%252farticle%252fredirect-windows-known-folders-to-
onedrive-e1b3963c-7c6c-4694-9f2f-fb8005d9ef12

Question 14
Your network contains an Active Directory domain. The domain contains a user named User1.
User1 creates a Microsoft account.
User1 needs to sign in to cloud resources by using the Microsoft account without being
prompted for credentials.
Which settings should User1 configure?
○ User Accounts in Control Panel

● Email & app accounts in the Settings app
○ Users in Computer Management
○ Users in Active Directory Users and Computers
Explanation:
Open the Setting app, select Accounts then select Email and accounts. Here you can add
accounts for the cloud resources and configure the login credentials for the accounts. If you
configure the accounts with the login credentials of the Microsoft account, you won’t be
prompted for credentials when you open the apps.
References:
https://support.microsoft.com/en-za/help/4028195/microsoft-account-how-to-sign-in

Question 15
HOTSPOT
Your network contains an Active Directory domain named adatum.com that uses Key
Management Service (KMS) for activation.
You deploy a computer that runs Windows 10 to the domain.
The computer fails to activate.
You suspect that the activation server has an issue.
You need to identify which server hosts KMS.
How should you complete the command? To answer, select the appropriate options in the
answer area.
Solution:
Reference:
https://docs.microsoft.com/en-us/office/troubleshoot/activation/discover-remove-unauthorized-
office-windows-kms-hosts

Question 16
HOTSPOT
You deploy Windows 10 to a new computer named Computer1.
You sign in to Computer1 and create a user named User1.
You create a file named LayoutModification.xml in the

C:\Users\Default\AppData\Local\Microsoft\Windows\Shell\folder. LayoutModification.xml
contains the following markup.
What is the effect of the configuration? To answer, select the appropriate options in the
answer area.

Solution:
References:
https://docs.microsoft.com/en-us/windows/configuration/configure-windows-10-taskbar
Question 17
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You have a workgroup computer named Computer1 that runs Windows 10.
You need to add Computer1 to contoso.com.
What should you use?
○ Computer Management
○ dsregcmd.exe
● the Settings app
○ netdom.exe
Explanation:
You join a computer to a domain, including an Azure AD domain in the Settings panel in
Windows 10, under System->About
References:
https://aadguide.azurewebsites.net/aadjoin/

Question 18
You have a computer that runs Windows 10.
You need to configure a picture password.
What should you do?
○ FromControl Panel, configure the User Accounts settings.

● Fromthe Settings app, configure the Sign-in options.
○ Fromthe Local Group Policy Editor, configure the Account Policies settings.
○ FromWindows PowerShell, run the Set-LocalUser cmdlet and specify the
InputObject parameter.
Question 19
You have a workgroup computer named Computer1 that runs Windows 10.
You need to configure Windows Hello for sign-in to Computer1 by using a physical security
key.
○ a USB 3.0 device that supports BitLocker Drive Encryption (BitLocker)

● a USB device that supports FIDO2
○ a USB 3.0 device that has a certificate from a trusted certification authority (CA)
○ a USB device that supports RSA SecurID
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/user-help/security-info-setup-security-
key

Question 20
Your network contains an Active Directory domain. The domain contains a computer named
Computer1 that runs Windows 10.
The domain contains the users shown in the following table.
All users have Microsoft accounts.
Which two users can be configured to sign in by using their Microsoft account? Each correct
answer presents part of the solution.
○ User1
○ User2
○ User3
● User4
● User5

Question 21
HOTSPOT
You have the source files shown in the following table.
You mount an image from Image1.wim to a folder named C:\Mount.
You need to add the French language pack to the mounted image.
How should you complete the command? To answer, select the appropriate options in the
answer area.
Solution:
Explanation:
Note: The referenced document has the mount directory as C:\Mount\Windows. In this
question, the mount directory is C:\Mount.
Reference:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/add-language-
packs-to-windows

Question 22
Computer1 that runs Windows 8.1.
Computer1 has apps that are compatible with Windows 10.
You need to perform a Windows 10 in-place upgrade on Computer1.
Solution: You copy the Windows 10 installation media to a network share. From Windows 8.1
on Computer1, you run setup.exe from the network share.
● Yes
○ No
Yes it will accomplish the upgrade while preserving the existing settings and applications. I
quote from MD-100 Course manual, module 1, Installing Windows 10, under Installation
Methods for Windows 10, the text states:
“Perform an upgrade, which also is known as an in-place upgrade, when you want to replace
an existing version of Windows 7 or Windows 8.1 with Windows 10, and you wish to retain all
user applications, files, and settings. For the home or small business user, you can run
Setup.exe from a product media or from a network share. During an in-place upgrade, the
Windows 10 installation program automatically retains all user settings, data, hardware device
settings, apps, and other configuration information. We recommend this method for existing
Windows 7 and 8.1 devices.”
Setup.exe presents you with two options: upgrade or custom. To upgrade, you run setup from
within the existing Windows 7 or Windows 8.1 environment, select the Upgrade option, and
have it copy the Windows 10 files to the system drive from which it them updates the
computer to Windows 10 while preserving all the existing setting and applications.
https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/upgrade-to-
windows-10-with-the-microsoft-deployment-toolkit

Question 23
Solution: You copy the Windows 10 installation media to a Microsoft Deployment Toolkit (MDT)
deployment share. You create a task sequence, and then you run the MDT deployment wizard
on Computer1.
● Yes
○ No
Reference:

Question 24
Solution: You add Windows 10 startup and install images to a Windows Deployment Services
(WDS) server. You start Computer1 by using WDS and PXE, and then you initiate the Windows
10 installation.
○ Yes
● No
<div>Explanation:<br>Use Microsoft Deployment Toolkit (MDT)
instead.<br><br><br>I think WDS is only for OS deployment from scratch. You need to use a
disk or MDT or SCCM to do in-plane upgrade.<br>I don't see any info about saving user
settings and documents.<br>https://docs.microsoft.com/en-us/previous-versions/windows/it-
pro/windows-server-2012-r2-and-2012/hh831764(v=ws.11)</div>

Question 25
Your company deploys Windows 10 Enterprise to all computers. All the computers are joined
to Microsoft Azure Active Directory (Azure AD).
The company purchases a new computer for a new user and creates an Azure AD account for
the user.
The user signs in to the computer by using the Azure AD account. The user discovers the
activation error shown in the following exhibit.
You need to activate Windows 10 Enterprise on the computer.
What should you do?
● In Azure AD, assign a Windows 10 Enterprise license to the user.

○ At the command prompt, run slmgr /ltc.
○ Reinstall Windows as Windows 10 Enterprise.
○ At the command prompt, run slmgr /ato.
<div>Reference:<br><a href="https://docs.microsoft.com/en-
us/windows/deployment/windows-10-subscription-activation">https://docs.microsoft.com/en-
us/windows/deployment/windows-10-subscription-activation</a><br><br><br>A. In Azure
AD, assign a Windows 10 Enterprise license to the user. ( YES,Correct anwser. Need to
upgrade from Win 10 Pro to Ent)<br>B. At the command prompt, run slmgr /ltc. ( NO. List
valid token-based activation certificates that can activate installed software.)<br>C. Reinstall
Windows as Windows 10 Enterprise. ( NO. Reinstall wont assign any licesne)<br>D. At the
command prompt, run slmgr /ato. ( NO. ato will activate the same license and it won't upgrade
to Ent)</div>
Question 26
Several users have signed in to Computer1 and have a profile.
You create a taskbar modification file named LayoutModification.xml.
You need to ensure that LayoutModification.xml will apply to all users who sign in to
Computer1.
To which folder should you copy LayoutModification.xml?
○ C:\Users\Public\Public Desktop
○ C:\Windows\ShellExperiences
● C:\Users\Default\AppData\Local\Microsoft\Windows\Shell\
○ C:\Windows\System32\Configuration
Reference:
https://docs.microsoft.com/en-us/windows/configuration/start-layout-xml-desktop

Question 27
HOTSPOT
Your company uses a Key Management Service (KMS) to activate computers that run Windows
10.
A user works remotely and establishes a VPN connection once a month.
The computer of the user fails to be activated.
Which command should you run on the computer to initiate activation? To answer, select the
appropriate options in the answer area.
Solution:
Explanation:
To activate online, type slmgr.vbs /ato.
Reference:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-
and-2012/dn502540(v=ws.11)

Question 28
HOTSPOT
You have a server named Server1 and computers that run Windows 8.1. Server1 has the
Microsoft Deployment Toolkit (MDT) installed.
You plan to upgrade the Windows 8.1 computers to Windows 10 by using the MDT deployment
wizard.
You need to create a deployment share on Server1.
What should you do on Server1, and what are the minimum components you should add to
the MDT deployment share? To answer, select the appropriate options in the answer area.
Solution:
Explanation:
Box 1: Install the Windows ADK
Box 2: Add Windows 10 image and create a task sequence to upgrade to Windows 10.
Reference:
https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/prepare-for-
windows-deployment-with-mdt
Question 29
You are preparing to deploy Windows 10.
You download and install the Windows Assessment and Deployment Kit (Windows ADK).
You need to create a bootable WinPE USB drive.
○ Run the MakeWinPEMedia command.

○ Download and install Windows Configuration Designer.
○ Run the WPEUtil command.
● Download and install the WinPE add-on.
Explanation:
WinPE used to be included in the Windows ADK. However, it is now provided as an add-on so
the first step is to download and install the add-on.
References:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/winpe-create-usb-
bootable-drive
https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install
Question 30
HOTSPOT
You have the computers shown in the following table.
You need to identify which computers support the features.
 BitLocker Drive Encryption (BitLocker)

 Microsoft Application Virtualization (App-V)
Which computers support the features? To answer, select the appropriate options in the
answer area.
Solution:
References:
https://www.microsoft.com/en-us/windowsforbusiness/compare

Question 31
Your network contains an Active Directory domain. The domain contains the computers shown
in the following table.
On which computers can you perform an in-place upgrade to Windows 10 Enterprise?
○ Computer3 only
○ Computer2 and Computer3 only
○ Computer2 only
● Computer1, Computer2, and Computer3
References:
https://docs.microsoft.com/en-us/windows/deployment/upgrade/windows-10-upgrade-paths
https://docs.microsoft.com/en-us/windows/deployment/upgrade/windows-10-edition-upgrades
Question 32
You have a workgroup computer named Computer1 that runs Windows 10. Computer1
contains five local user accounts.
You need to ensure that all users who sign in to Computer1 see a picture named Image1.jpg
as the desktop background.
What should you do?
○ From the Settings app, modify the Background settings.

● From the Local Group Policy Editor, modify the Desktop settings.
○ Rename Image1.jpg as Desktop.jpg and copy the picture to the
C:\Windows\system32\ folder.
○ Rename Image1.jpg as Desktop.jpg and copy the picture to the
C:\Users\Default\Desktop folder.
References:
https://www.top-password.com/blog/set-a-default-background-wallpaper-for-windows-10-
desktop/

Question 33
You install Windows 10 Enterprise on a new computer.
You need to force activation on the computer.
Which command should you run?
○ slmgr /upk
○ Set-RDLicenseConfiguration -Force
○ Set-MsolLicense -AddLicense
● slmgr /ato
References:
Question 34
You install Windows 10 Pro on a computer named CLIENT1.
You need to ensure that all per-user services are disabled on CLIENT1. The solution must
minimize administrative effort.
○ a Group Policy administrative template

○ Device Manager
○ Task Manager
● Group Policy preferences
References:
https://docs.microsoft.com/en-us/windows/application-management/per-user-services-in-
windows

Question 35
You plan to install Windows 10 Pro by using an answer file.
You open Windows System Image Manager.
You need to create an answer file.
○ Open the Install.wim file from the Windows 10 installation media.

○ Open the Boot.wim file from the Windows 10 installation media.
● Install the WinPE add-on for the Windows Assessment and Deployment Kit
(Windows ADK).
○ Install the Windows Assessment and Deployment Kit (Windows ADK).
https://www.windowscentral.com/how-create-unattended-media-do-automated-installation-
windows-10
Question 36
DRAG DROP
Your network contains an Active Directory domain. The domain contains 100 computers that
run Windows 10.
You need to create a Start menu layout file. The solution must meet the following
requirements:
 Contain an app group named Contoso Apps that has several pinned items. Contoso
Apps must be locked from user modification.
 Ensure that users can customize other parts of the Start screen.
 Minimize administrative effort.
Which four actions should you perform in sequence? To answer, move the appropriate
commands from the list of commands to the answer area and arrange them in the correct
order.

Solution:
References:
https://docs.microsoft.com/en-us/windows/configuration/customize-and-export-start-layout
Question 37
You have a computer named Computer1 that runs Windows 10 and has Windows Assessment
and Deployment Kit (Windows ADK) installed.
Computer1 has the drives shown in the following table.
You need to create Windows 10 unattended answer file.
● From File Explorer, copy Install.wim from drive E to drive D.

○ From Windows System Image Manager, select Select Windows Image, and
then select Install.wim from drive E.
○ From Windows System Image Manager, select Select Windows Image, and
then select Boot.wim from drive E.
○ From File Explorer, copy Boot.wim from drive E to drive D.
References:
https://www.windowscentral.com/how-create-unattended-media-do-automated-installation-
windows-10

Question 38
HOTSPOT
You have computers that run Windows 10 Enterprise as shown in the following table.
Both computers have applications installed and contain user data.
You plan to configure both computers to run Windows 10 Enterprise LTSC 2019 and to retain
all the existing applications and data.
You need to recommend a method to deploy Windows 10 Enterprise LTSC 2019 to the
computers. The solution must minimize effort to install and configure the applications.
What should you include in the recommendation for each computer? To answer, select the

Solution:
References:
Question 39
You have a computer that runs Windows 10 Home.
You need to upgrade the computer to Windows 10 Enterprise as quickly as possible. The
solution must retain the user settings.
○ Run the scanstate command.

● Perform an in-place upgrade to Windows Pro.
○ Install the latest feature updates.
○ Run the sysprep command.
References:

Question 40
HOTSPOT
You plan to deploy Windows 10 Enterprise to company-owned devices.
You capture a Windows 10 image file from a reference device.
You need to generate catalog files and answer files for the deployment.
What should you use for each file? To answer, select the appropriate options in the answer
area.
Solution:
References:
https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/wsim/open-a-
windows-image-or-catalog-file

Question 41
The relevant services on Computer1 are shown in the following table.
Which service will start after you restart Computer1?
○ Service3 and Service5 only

○ Service1, Service2, and Service5
● Service2, Service5, and Service6
○ Service5 only
Explanation:
Service1 cannot start because it is dependent on Service3 which is disabled.
Service2 will start because it is set to Automatic. Service2 starting will cause Service6 to start.
Service3 will not start because it is disabled.
Service4 will not start because it is disabled.
Service5 will start because it is set to Automatic and is not dependent on any other services.
Service6 will start because Service2 is dependent on Service6.

Manage Devices and Data (96 questions)

Case Study

Overview
Active Directory
licenses.
Client Computers
joined to Azure AD.

- User certificates
Security Policies
LocalAdmin.
(LAPS).
Problem Statements


requirements.

Question 42
You need to sign in as LocalAdmin on Computer11.
● From the LAPS UI tool, view the administrator account password for the computer
object of Computer11.
○ From Windows Configuration Designer, create a configuration package that sets
the password of the LocalAdmin account on Computer11.
○ Use a Group Policy object (GPO) to set the local administrator password.
○ From Microsoft Intune, set the password of the LocalAdmin account on
Computer11.
References:
https://technet.microsoft.com/en-us/mt227395.aspx
Question 43
An employee reports that she must perform a BitLocker recovery on her laptop. The employee
does not have her BitLocker recovery key but does have a Windows 10 desktop computer.
What should you instruct the employee to do from the desktop computer?
○ Run the manage-bde.exe –status command

○ From BitLocker Recovery Password Viewer, view the computer object of the
laptop
● Go to https://aad.portal.azure.com and view the object of the laptop
○ Run the Enable-BitLockerAutoUnlock cmdlet
Explanation:
The BitLocker recovery key is stored in Azure Active Directory.
Reference:
https://celedonpartners.com/blog/storing-recovering-bitlocker-keys-azure-active-directory/


Case Study

Overview

Requirements
Planned Changes
office users.
(EULA).

Question 44
HOTSPOT
You need to meet the technical requirements for the helpdesk users.
Solution:

References:
https://www.itprotoday.com/compute-engines/what-group-policy-creator-owners-group
Question 45
HOTSPOT
You need to meet the technical requirements for the HR department users.
Which permissions should you assign to the HR department users for the D:\Reports folder? To
answer, select the appropriate permissions in the answer area.

Solution:
References:
https://www.online-tech-tips.com/computer-tips/set-file-folder-permissions-windows/
Question 46
You need to meet the technical requirements for EFS on ComputerA.
What should you do?
○ Run certutil.exe, and then add a certificate to the local computer certificate
store.
● Run cipher.exe, and then add a certificate to the local computer certificate
store.
○ Run cipher.exe, and then add a certificate to the local Group Policy.
○ Run certutil.exe, and then add a certificate to the local Group Policy.
Reference:
https://docs.microsoft.com/en-us/windows/security/information-protection/windows-
information-protection/create-and-verify-an-efs-dra-certificate

Question 47
HOTSPOT
Your network contains an Active Directory forest. The forest contains a root domain named
contoso.com and a child domain named corp.contoso.com.
You have a computer named Computer1 that runs Windows 10. Computer1 is joined to the
corp.contoso.com domain.
Computer1 contains a folder named Folder1. In the Security settings of Folder1, Everyone is
assigned the Full control permission.
On Computer1, you share Folder1 as Share1 and assign the Read permissions for Share1 to
the local Users group.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Solution:
References:
https://www.techrepublic.com/article/learn-the-basic-differences-between-share-and-ntfs-
permissions/

Question 48
HOTSPOT
You have a computer named Computer1 that runs Windows 10. Computer1 is in a workgroup.
Computer1 contains the folders shown in the following table.
On Computer1, you create the users shown in the following table.
User1 encrypts a file named File1.txt that is in a folder named C:\Folder1.
What is the effect of the configuration? To answer, select the appropriate options in the
answer area.

Solution:
References:
https://support.microsoft.com/en-za/help/310316/how-permissions-are-handled-when-you-
copy-and-move-files-and-folders

Question 49
HOTSPOT
You have a computer named Computer1 that runs Windows 10 and is joined to an Active
Directory domain named adatum.com.
A user named Admin1 signs in to Computer1 and runs the whoami command as shown in the
following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based
on the information presented in the graphic.

Solution:
Question 50
You need to configure User Account Control (UAC) to prompt administrators for their
credentials.
Which settings should you modify?
○ Administrators Properties in Local Users and Groups

○ User Account Control Settings in Control Panel
● Security Options in Local Group Policy Editor
○ User Rights Assignment in Local Group Policy Editor
References:
https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-
control/user-account-control-security-policy-settings

Question 51
You have several computers that run Windows 10. The computers are in a workgroup.
You need to prevent users from using Microsoft Store apps on their computer.
What are two possible ways to achieve the goal? Each correct answer presents a complete
solution.
○ From Security Settings in the local Group Policy, configure Security Options.
● From Administrative Templates in the local Group Policy, configure the Store
settings.
○ From Security Settings in the local Group Policy, configure Software Restriction
Policies.
● From Security Settings in the local Group Policy, configure Application Control
Policies.
References:
https://www.techrepublic.com/article/how-to-manage-your-organizations-microsoft-store-
group-policy/
Question 52
You need to prevent standard users from changing the wireless network settings on
Computer1. The solution must allow administrators to modify the wireless network settings.
○ Windows Configuration Designer

○ MSConfig
● Local Group Policy Editor
○ an MMC console that has the Group Policy Object Editor snap-in

Question 53
HOTSPOT
You have three computers that run Windows 10 as shown in the following table.
All the computers have C and D volumes. The Require additional authentication at
startup Group Policy settings is disabled on all the computers.
Which volumes can you encrypt by using BitLocker Drive Encryption (BitLocker)? To answer,
select the appropriate options in the answer area.

Solution:
References:
https://www.windowscentral.com/how-use-bitlocker-encryption-windows-10
Question 54
Your network contains an Active Directory domain named contoso.com. The domain contains a
computer named Computer1 that runs Windows 10.
On Computer1, you create a folder and assign Full control permissions to Everyone.
You share the folder as Share1 and assign the permissions shown in the following table.
When accessing Share1, which two actions can be performed by User1 but not by User2? Each
correct answer presents part of the solution.
○ Delete a file created by another user.

● Set the permissions for a file.
○ Rename a file created by another user.
● Take ownership of file.
○ Copy a file created by another user to a subfolder.
References:
https://www.varonis.com/blog/ntfs-permissions-vs-share/

Question 55
HOTSPOT
You have a computer that runs Windows 10. The computer contains a folder named C:\ISOs
that is shared as ISOs.
You run several commands on the computer as shown in the following exhibit.

Solution:
When you are using share and NTFS permissions together, the most restrictive permission is
applied.
Reference:

Question 56
A user named User1 has a computer named Computer1 that runs Windows 10. Computer1 is
joined to an Azure Active Directory (Azure AD) tenant named contoso.com. User1 joins
Computer1 to contoso.com by using user1@contoso.com.
Computer1 contains a folder named Folder1. Folder1 is in drive C and is shared as Share1.
Share1 has the permission shown in the following table.
A user named User2 has a computer named Computer2 that runs Windows 10. User2 joins
User2 attempts to access Share1 and receives the following error message: “The username or
password is incorrect.”
You need to ensure that User2 can connect to Share1.
Solution: In Azure AD, you create a group named Group1 that contains User1 and User2. You
grant Group1 Change access to Share1.
○ Yes
● No
Explanation:
Azure AD cannot be used to control Share permissions on on-premisses computer folders.
Reference:
and-2008/cc754178(v%3dws.10)

Question 57
Solution: You create a local user account on Computer1 and instruct User2 to use the local
account to connect to Share1.
○ Yes
● No

Question 58
Solution: In Azure AD, you create a group named Group1 that contains User1 and User2. You
grant Group1 Modify access to Folder1.
● Yes
○ No
References:
and-2008/cc754178(v%3dws.10)

Question 59
You have a computer named Computer1 that runs Windows 10. Computer1 contains a folder
named Folder1.
You need to log any users who take ownership of the files in Folder1.
Which two actions should you perform? Each correct answer presents part of the solution.
○ Modify the folder attributes of Folder1.

● Modify the Advanced Security Settings for Folder1.
○ From a Group Policy object (GPO), configure the Audit Sensitive Privilege Use
setting.
● From a Group Policy object (GPO), configure the Audit File System setting.
○ Install the Remote Server Administration Tools (RSAT).
References:
https://www.netwrix.com/how_to_detect_who_changed_file_or_folder_owner.html
Question 60
HOTSPOT
Your network contains an Active Directory domain. The domain contains the users shown in
the following table.
The domain contains a computer named Computer1 that runs Windows 10. Computer1
contains a folder named Folder1 that has the following permissions:
 User2: Deny Write

 Group1: Allow Read
 Group2: Allow Modify
Folder1 is shared as Share1$. Share1$ has the following configurations:
 Everyone: Allow Full control

 Access-based enumeration: Enabled

Solution:
References:
http://www.ntfs.com/ntfs-permissions-file-advanced.htm
https://docs.microsoft.com/en-us/windows-server/storage/dfs-namespaces/enable-access-
based-enumeration-on-a-namespace
Question 61
You are a network administrator at your company.
The company uses an application that checks for network connectivity to a server by sending
a ping request to the IPv6 address of the server. If the server replies, the application loads.
A user cannot open the application.
You manually send the ping request from the computer of the user and the server does not
reply. You send the ping request from your computer and the server replies.
You need to ensure that the ping request works from the user’s computer.
Which Windows Defender firewall rule is a possible cause of the issue?
○ File and Printer Sharing (NB-Datagram-In)

○ File and Printer Sharing (Echo Request ICMPv6-Out)
○ File and Printer Sharing (NB-Datagram-Out)
● File and Printer Sharing (Echo Request ICMPv6-In)
References:
https://www.howtogeek.com/howto/windows-vista/allow-pings-icmp-echo-request-through-
your-windows-vista-firewall/
Question 62
You have a workgroup computer that runs Windows 10.
You create a local user named User1.
User1 needs to be able to share and manage folders located in a folder named C:\Share by
using the Shared Folders snap-in. The solution must use the principle of least privilege.
To which group should you add User1?
● Administrators
○ Device Owners
○ Users
○ Power Users

Question 63

HOTSPOT
You have a computer named Computer5 that runs Windows 10 that is used to share
documents in a workgroup.
You create three users named User-a, User-b, and User-c by using Computer Management.
The users plan to access Computer5 from the network only.
You have a folder named Data. The Advanced Security Settings for the Data folder are shown
in the Security exhibit. (Click the Security tab).
You share the Data folder. The permissions for User-a are shown in the User-a exhibit (Click
the User-a tab.)

The permissions for User-b are shown in the User-b exhibit. (Click the User-b tab.)

The permissions for User-c are shown in the User-c exhibit. (Click the User-c tab.)

For each of the following statements, select Yes if the statements is true. Otherwise, select No.
NOTE: Reach correct selection is worth one point.

Solution:
Explanation:
Box 1: No
User-a only has Read share permission so he cannot modify files in the Data share.
Box 2: No
User-b only has Read share permission so he cannot delete files in the Data share.
Box 3: Yes
User-c has Read and Change share permission so he can read files in the Data share. User-c
does not have an entry in the Advanced Security Settings for the Data folder. However, User-c
would be a member of the Users group by default and that group has Full Control permission
to the folder.

Question 64
HOTSPOT
You have a computer that runs Windows 10 and contains the folders shown in the following
table.
You create the groups shown in the following table.
On FolderA, you disable permission inheritance and select the option to remove all inherited
permissions. To each folder, you assign the NTFS permissions shown in the following table.
Solution:

Explanation:
Inheritance was turned off for FolderA and to all inherited permissions have been removed.
Therefore, permissions on FolderA do not filter down to FolderB and FolderC.
Box 1: Yes
Box 2: Yes
Box 3: No
Reference:
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/access-
control
Question 65
You need to view the settings to Computer1 by Group Policy objects (GPOs) in the domain and
local Group Policies.
● gpresult
○ secedit
○ gpupdate
○ gpfixup
References:
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
Question 66
Your network contains an Active Directory domain. The domain contains computers that run
Windows 10.
You need to provide a user with the ability to remotely create and modify shares on the
computers. The solution must use the principle of least privilege.
To which group should you add the user?
○ Power Users
○ Remote Management Users
● Administrators
○ Network Configuration Operators

Question 67
You have a computer named Computer1 that runs Windows 10 Current branch. Computer1
belongs to a workgroup.
You run the following commands on Computer1.
New-LocalUser –Name User1 –NoPassword

Add-LocalGroupMember Users –Member User1
What is the effect of the configurations?
○ User1 is prevented from signing in until the user is assigned additional user
rights.
○ User1 appears on the sign-in screen and can sign in without a password.
○ User1 is prevented from signing in until an administrator manually sets a
password for the user.
● User1 appears on the sign-in screen and must set a new password on the first
sign-in attempt.
Explanation:
User1 will be prompted to change the password at first login. The message will say, “You
must change your password”. You do have to set a password, even if it is a blank password
before you can log in.
Reference:
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/new-
localuser?view=powershell-5.1

Question 68
You have a computer that runs Windows 10 and is joined to Azure Active Directory (Azure AD).
You attempt to open Control Panel and receive the error message shown on the following
exhibit.
You need to be able to access Control Panel.
What should you modify?
○ the PowerShell execution policy

● the local Group Policy
○ the Settings app
○ a Group Policy preference
References:
https://windows10skill.com/this-operation-has-been-cancelled-due-to-restrictions-in-effect-on-
this-pc/

Question 69
HOTSPOT
Your domain contains a Computer named Computer1 that runs Windows 10. Computer1 does
not have a TPM.
You need to be able to encrypt the C drive by using BitLocker Drive Encryption (BitLocker).
The solution must ensure that the recovery key is stored in Active Directory.
Which two Group Policy settings should you configure? To answer, select the appropriate
settings in the answer area.

Solution:
References:
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-
group-policy-settings#bkmk-rec1
Question 70
You have a public computer named Computer1 that runs Windows 10. Computer1 contains a
folder named Folder1.
You need to provide a user named User1 with the ability to modify the permissions of Folder1.
The solution must use the principle of least privilege.
Which NTFS permission should you assign to User1?
● Full control
○ Modify
○ Write
○ Read & execute
Explanation:
The NTFS Full control permission is required to change permissions.
Reference:
https://www.ntfs.com/ntfs-permissions-file-folder.htm
Question 71
You have 10 computers that run Windows 10 and have BitLocker Drive Encryption (BitLocker)
enabled.
You plan to update the firmware of the computers.
You need to ensure that you are not prompted for the BitLocker recovery key on the next
restart. The drive must be protected by BitLocker on subsequent restarts.
Which cmdlet should you run?
○ Unlock-BitLocker
○ Disable-BitLocker
○ Add-BitLockerKeyProtector
● Suspend-BitLocker
References:
https://support.microsoft.com/en-us/help/4057282/bitlocker-recovery-key-prompt-after-
surface-uefi-tpm-firmware-update

Question 72
HOTSPOT
You are troubleshooting Group Policy objects (GPOs) on Computer1.
You run gpresult /user user1 /v and receive the output shown in the following exhibit.

Solution:
References:
https://www.windowscentral.com/how-apply-local-group-policy-settings-specific-users-
windows-10

Question 73
HOTSPOT
Computer1 contains the local users shown in the following table.
You create a folder named Folder1 that has the permissions shown in the following table.
You create a file named File1.txt in Folder1 and allow Group2 Full control permissions to
File1.txt.

Solution:
References:
https://www.dell.com/support/article/za/en/zadhs1/sln156352/understanding-file-and-folder-
permissions-in-windows?lang=en

Question 74
HOTSPOT
You have a workgroup computer named Computer1 that runs Windows 10. Computer1 has the
users accounts shown in the following table:
Computer1 has the local Group Policy shown in the following table.
You create the Local Computer\Administrators policy shown in the following table.
You create the Local Computer\Non-Administrators policy shown in the following table.

Solution:
Reference:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-
vista/cc766291(v=ws.10)

Question 75
Solution: You create a local group on Computer1 and add the Guest account to the group. You
grant the group Modify access to Share1.
○ Yes
● No
Question 76
Your network contains an Active Directory domain. The domain contains 1,000 computers that
run Windows 10.
You need to prevent the computers of the research department from appearing in Network in
File Explorer.
What should you do?
○ Configure DNS to use an external provider

○ Modify the %systemroot%\system32\drivers\etc\Networks file.
● Turn off network discovery.
○ Disable the Network List Service.

Question 77
HOTSPOT
You have two computers named Computer1 and Computer2 that run Windows 10. The
computers are in a workgroup.
You perform the following configurations on Computer1:
 Create a user named User1.

 Add User1 to the Remote Desktop Users group.
You perform the following configurations on Computer2:
 Create a user named User1 and specify the same user password as the one set on
Computer1.
 Create a share named Share2 and grant User1 Full control access to Share2.
 Enable Remote Desktop.
What are the effects of the configurations? To answer, select the appropriate options in the
answer area.

Solution:
Question 78
HOTSPOT
Your network contains an Active Directory domain. The domain contains a group named
Group1.
All the computers in the domain run Windows 10. Each computer contains a folder named
C:\Documents that has the default NTFS permissions set.
You add a folder named C:\Documents\Templates to each computer.
You need to configure the NTFS permissions to meet the following requirements:
 All domain users must be able to open the files in the Templates folder.
 Only the members of Group1 must be allowed to edit the files in the Templates folder.
How should you configure the NTFS settings on the Templates folder? To answer, select the

Solution:
Question 79
You deploy Windows 10 to 20 new laptops.
The laptops will be used by users who work at customer sites. Each user will be assigned one
laptop and one Android device.
You need to recommend a solution to lock the laptop when the users leave their laptop for an
extended period.
Which two actions should you include in the recommendation? Each correct answer presents
part of the solution.
○ Enable Bluetooth discovery.

○ From the Settings app, configure the Dynamic lock settings.
○ From Sign-in options, configure the Windows Hello settings.
● From the Settings app, configure the Lock screen settings.
○ Pair the Android device and the laptop.
● From the Settings app, configure the Screen timeout settings.
Question 80
user accounts shown in the following table.
User3, User4, and Administrator sign in and sign out on Computer1. User1 and User2 have
never signed in to Computer1.
You are troubleshooting policy issues on Computer1. You sign in to Computer1 as

Administrator.
You add the Resultant Set of Policy (RSoP) snap-in to an MMC console.
Which users can you select in the RSoP wizard?
○ User1, User3, and User4 only

○ Administrator only
○ User1, User2, User3, User4, and Administrator
● User3, User4, and Administrator only

Explanation:
When selecting users in RSoP, you can only select users who have previously logged on to the
system.
Question 81
HOTSPOT
The Users group has Full control permissions to Folder1, Folder2, and Folder3.
User1 encrypts two files named File1.docx and File2.docx in Folder1 by using EFS.
Which users can move each file? To answer, select the appropriate options in the answer area.

Solution:
Explanation:
EFS works by encrypting a file with a bulk symmetric key. The symmetric key that is used to
encrypt the file is then encrypted with a public key that is associated with the user who
encrypted the file. Because the encryption & decryption operations are performed at a layer
below NTFS, it is transparent to the user and all their applications.
Box 1: User1, User2, and Administrator
Box 2: User1, User2, and Administrator
All three are members of the Users group that has Full control permissions to Folder1, Folder2,
and Folder3.
Question 82
Computer1 that runs Windows 10. Computer1 contains a folder named Folder1.
You plan to share Folder1. Everyone will have Read share permissions, and administrators will
have Full control share permission.
You need to prevent the share from appearing when users browse the network.
What should you do?
○ Enable access-based enumeration.

○ Deny the List NTFS permissions on Folder1.
○ Add Folder1 to a domain-based DFS namespace.
● Name the share Folder1$.

Explanation:
Appending a dollar sign to share name prevents a share from appearing when users browse
the network.
Incorrect Answers:
Access-based enumeration will hide the share from anyone who doesn’t have permission to
access the share. However, as ‘Everyone’ has Read access to the share, the share would
appear for everyone when they browse the network.
Question 83
You have a computer that runs Windows 10. The computer contains a folder. The folder
contains sensitive data.
You need to log which user reads the contents of the folder and modifies and deletes files in
the folder.
Solution: From the properties of the folder, you configure the Auditing settings and from
Audit Policy in the local Group Policy, you configure Audit object access.
● Yes
○ No
Explanation:
Files and folders are objects and are audited through object access.
References:

Question 84
On Computer1, you turn on File History.
You need to protect a folder named D:\Folder1 by using File History.
What should you do?
○ From File Explorer, modify the Security settings of D:\Folder1

○ From Backup and Restore (Windows 7), modify the backup settings
● From the Settings app, configure the Backup settings
○ From File History in Control Panel, configure the Advanced settings
Explanation:
To configure File History, click More options on the Backup screen. The Backup options screen
allows you to set how often File History backs up your files and how long versions are saved.
Reference:
https://www.groovypost.com/howto/configure-windows-10-file-history/
Question 85
the folder.
Solution: From the properties of the folder, you configure the Auditing settings and from the
Audit Policy in the local Group Policy, you configure Audit system events.
○ Yes
● No
Explanation:
Files and folders are objects and are audited through object access, not though system
events.
References:


Question 86

SIMULATION
Please wait while the virtual machine loads. Once loaded, you may proceed to the lab section.
This may take a few minutes, and the wait time will not be deducted from your overall test
time.
When the Next button is available, click it to access the lab section. In this section, you will
perform a set of tasks in a live environment. While most functionality will be available to you
as it would be in a live environment, some functionality (e.g., copy and paste, ability to
navigate to external websites) will not be possible by design.
Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it
doesn’t matter how you accomplish the task, if you successfully perform it, you will earn credit
for that task.
Labs are not timed separately, and this exam may more than one lab that you must complete.
You can use as much time as you would like to complete each lab. But, you should manage
your time appropriately to ensure that you are able to complete the lab(s) and all other
sections of the exam in the time provided.
Please note that once you submit your work by clicking the Next button within a lab, you will
NOT be able to return to the lab.
Username and password

Use the following login credentials as needed:
To enter your password, place your cursor in the Enter password box and click on the
password below.
Username: Contoso/Administrator
Password: Passw0rd!
The following information is for technical support purposes only:
Lab Instance: 10921597
You need to create a file named File1.txt in a folder named Folder1 on the C drive of Client2.
You need to ensure that a user named User1 can read the contents of File1.txt. The solution
must prevent User1 from modifying the file.
To complete this task, sign in to Client2 and perform the required action.
Explanation:
1. After creating File1.txt in Folder1, right-click the file and select Properties.
2. Access the Security tab, click Disable inheritance

3. Click on Remove all inherited permissions from this object, click Apply, and select Yes in
the dialog box that appears.
4. Click OK
5. Back on the Security tab select Edit to change permissions.
6. Click Add, then enter User1 in the Enter the object names to select section.
7. Click Check Names, and then click OK.
8. Check only the Read box in the Allow column.
9. Click apply, Ok, and OK

Question 87

SIMULATION
time.
for that task.

password below.
Password: Passw0rd!


Users in the Finance group report that they cannot copy files to Client1\Finance.
You need to resolve the issue.
To complete this task, sign in to the required computer or computers.
Explanation:
1. Open File Explorer.

2. Browse and find the file or folder you want to have full access.
3. Right-click it, and select Properties.
4. Click the Security tab to access the NTFS permissions.
5. Click the Advanced button.
6. On the "Advanced Security Settings" page, you need to click the Change link, in the
Owner's field.
8. On the "Select User or Group" page, click the Find Now button.
9. From the search result, select your user account, and click OK.
10.On the "Select User or Group" page, click OK.
11.Click Apply.
12.Click OK.
13.Click OK again.
14.Click OK one more time to complete this task.
It's important to note that if you're taking ownership of a folder, you can check the Replace
ownership on subcontainers and object option in the Advanced Security Settings page to
take control of the subfolders inside of the folder.
Now you'll need to grant full access control to your account, to do this use the following steps:
1. Right-click the file or folder and select Properties.

2. Click the Security tab to access the NTFS permissions.
4. Under the Permissions tab, click Add.
5. Click Select a principal to add your user account.
6. On the "Select User or Group" page, click the Find Now button.
7. From the search result, select your user account, and click OK.
8. On the "Select User or Group" page, click OK.
9. On "Permission Entry", check the Full control option.
10.Click OK.
11.Click OK.
12.Click Apply.
13.Click OK.
14.Click OK to close the file or folder properties to complete the task.
You can now assign the necessary permissions to the Finance group.
If you right-click on a file or folder, choose Properties and click on the Security tab, we can
now try to edit some permissions. Go ahead and click the Edit button to get started.
At this point, there are a couple of things you can do. Firstly, you’ll notice that the Allow
column is probably greyed out and can’t be edited. This is because of the inheritance I was
talking about earlier. However, you can check items on the Deny column.
When you click the Add button, you have to type in the user name or group name into the box
and then click on Check Names to make sure it’s correct. If you don’t remember the user or
group name, click on the Advanced button and then just click Find Now. It will show you all
the users and groups.
Click OK and the user or group will be added to the access control list. Now you can check the
Allow column or Deny column.
Reference:
https://www.windowscentral.com/how-take-ownership-files-and-folders-windows-10
https://www.online-tech-tips.com/computer-tips/set-file-folder-permissions-windows/

Question 88

SIMULATION
time.
for that task.

password below.
Password: Passw0rd!
You need to enable the Prohibit User from manually redirecting Profile Folders Group Policy
setting only for the administrative users of Client3.
Explanation:
1. Open the Administrator Group Local Group Policy Editor.

2. In the left pane, click on User Configuration, Administrative Templates, and Desktop.

3. In the right pane, right click on Prohibit User from Manually redirecting Profile Folders and
click on Properties.
4. To Prevent User Profile Folders Location Change
Select (dot) Enabled and click on OK.

5. Close the Local Group Policy Editor window.
References:
https://www.vistax64.com/threads/user-profile-folders-prevent-or-allow-location-
change.180719/

Question 89

SIMULATION
time.
for that task.

password below.
Password: Passw0rd!
You need to create a file named Private.txt in a folder named Folder1 on the C drive of Client2.
You need to encrypt Private.txt and ensure that a user named User1 can view the contents of
Private.txt.
Explanation:

1. After creating Private.txt and saving it Folder1, right-click on the Private.txt, and select
Properties from the context menu.
2. On the General tab, click Advanced. Next, check the box “Encrypt contents to
secure data” and click OK.
3. A window will pop up asking you whether or not you want to encrypt the file and its
parent folder. Select the “Encrypt the file only” and click OK.
4. Private.txt will now show its file name in green color.
1. Right-click Private.txt and then select Properties.

2. Click Advanced on the General tab.
3. Click Details on the Advanced Attributes tab to open the User Access dialog box.
4. Click Add to open the Encrypting File System dialog box and then select User1.
5. Click OK to add User1 to the list of users who have access to the file.
6. Click OK until you've exited out of the dialog boxes.
Reference:
https://www.top-password.com/blog/password-protect-notepad-text-files-in-windows-10/
https://sourcedaddy.com/windows-7/how-to-grant-users-access-to-an-encrypted-file.html

Question 90

SIMULATION
time.
for that task.

password below.
Password: Passw0rd!
You need to identify the total number of events that have Event ID 63 in the Application event
log. You must type the number of identified events into C:\Folder1\FileA.txt.
To complete this task, sign in to the required computer or computers and perform
the required action.
Explanation:
1. Open Event Viewer.

2. Click the log that you want to filter, then click Filter Current Log from the Action pane or
right-click menu. This will open the Filter Current Log dialog box.
3. You can specify a time period if you know approximately when the relevant events
occurred. You can specify the event level, choosing between Critical, Warning, Verbose,
Error and Information. If you select none of these, all event levels will be returned. You
can’t modify which event log is being checked as filters apply only to a single log.
4. You can choose the event sources which have generated the log entries, and search for
key words, users, or computers. You can also search using specific event IDs.
Reference:
https://www.manageengine.com/products/active-directory-audit/kb/how-to/how-to-search-the-
event-viewer.html

Question 91

SIMULATION
time.
for that task.

password below.
Password: Passw0rd!


You need to create an HTML report that shows which policies and policy settings are applied to
CONTOSO\User1 on Client1. You must save the output to a file named Report.html in a folder
named Folder1 on the C drive of Client1.
Explanation:
On Client1, log in as administrator.

Open command prompt and type:
gpresult /h CONTOSO\User1\C:\Folder1\Report.html
Reference:
https://www.google.co.za/search?biw=1366&bih=614&sxsrf=ALeKk01XD_luAn4X-
bIMllUjpYBm0i7btQ%3A1592996005097&ei=pTDzXqLCBaif1fAP1NODqAY&q=gpresult+%2Fh+
report.html+location&oq=gpresult+html+report+&gs_lcp=CgZwc3ktYWIQARgEMgIIADICCAAy
BggAEBYQHjIGCAAQFhAeMgYIABAWEB4yBggAEBYQHjIGCAAQFhAeMgYIABAWEB4yCAgAEBYQC
hAeMgYIABAWEB46BAgAEEdQyOUnWMjlJ2CRhihoAHACeACAAZIDiAGSA5IBAzQtMZgBAKABAao
BB2d3cy13aXo&sclient=psy-ab

Question 92

SIMULATION
time.
for that task.

password below.
Password: Passw0rd!


You need to ensure that the File History of Contoso\Administrator on Client1 is backed up
automatically to \\DC1\Backups.
Explanation:
How to set up and enable File History

1. On Client1, go to Start > Settings > Update & Security.
2. Select Backup and click “Add a drive.”
3. Select the drive or network location (\\DC1\Backups) you want to use for File History’s
backups.
Now click “More options.” Here you can start a backup, change when your files are backed up,
select how long to keep backed up files, add or exclude a folder, or switch File History to a
different drive.

Click the “Back up now” button to start your first File History backup.
Reference:
https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-
1762867473

Question 93

SIMULATION
time.
for that task.

password below.
Password: Passw0rd!


You need to ensure that C:\Scripts\Configure.ps1 runs every time a user sign in to Client2.
Explanation:
Go to the Start menu, type “Task Scheduler” and select it from the search results.

Task Scheduler can also be accessed in the Control Panel under Administrative Tools.
In the right side of the Task Scheduler menu, under Actions, select “Create Task.”

On the General tab, enter a name and description for the task you’re creating. Check the box
“Run with highest privileges.”
Once you have filled out a name and description, click the “Triggers” tab, and then click
“New.”
In this menu, under “Begin the task:” select “At log on.” Choose which user you would like the
task to run for at log on. For our purposes, Any user.
Configure any of the applicable advanced settings you would like.
After you are finished configuring the new trigger, click OK and then select the “Actions” tab.
Click “New” to make a new action.

Choose “Start a program” under the Action menu and then click “Browse” to point to
C:\Scripts\Configure.ps1.
Click OK to exit out of the Actions menu. The “Conditions” and “Settings” tabs can be left
alone.
Click OK on the Create Task menu, and you are finished.
Reference:
https://www.howtogeek.com/138159/how-to-enable-programs-and-custom-scripts-to-run-at-
boot/

Question 94
You have a computer that runs Windows 10. The computer contains a folder named D:\Scripts.
D:\Scripts contains several PowerShell scripts.
You need to ensure that you can run the PowerShell scripts without specifying the full path to
the scripts. The solution must persist between PowerShell sessions.
Solution: At a command prompt, you run set.exe path=d:\scripts.
○ Yes
● No
Question 95
Solution: From a command prompt, you run set.exe PATHEXT=d:\scripts.
○ Yes
● No

Question 96
Solution: From PowerShell, you run $env:Path += ";d:\scripts\".
● Yes
○ No
References:
https://docs.microsoft.com/en-
us/powershell/module/microsoft.powershell.core/about/about_environment_variables?view=po
wershell-7

Question 97
You have a workgroup computer that runs Windows 10. The computer contains the local user
accounts shown in the following table.
You need to configure the desktop background for User1 and User2 only.
Solution: From the local computer policy, you configure the Filter Options settings for the
computer policy.
○ Yes
● No

Question 98
Solution: You create a new local group to which you add User1 and User2. You create a local
Group Policy Object (GPO) and configure the Desktop Wallpaper setting in the GPO. At a
command prompt, you run the gpupdate.exe /Force command.
● Yes
○ No
References:
windows-10

Question 99
Solution: From the local computer policy, you configure the Filter Options settings for the user
policy. At a command prompt, you run the gpupdate.exe/Target:user command.
○ Yes
● No
Question 100
Your network contains an Active Directory domain. The domain contains two computers
named Computer1 and Computer2 that run Windows 10.
You need to modify the registry of Computer1 by using Registry Editor from Computer2.
Which two registry hives can you modify? Each correct answer presents part of the solution.
○ HKEY_CURRENT_USER
● HKEY_LOCAL_MACHINE
● HKEY_USERS
○ HKEY_CLASSES_ROOT
○ HKEY_CURRENT_CONFIG

Question 101
the folder.
Solution: From the properties of the folder, you configure the Auditing settings and from the
Audit Policy in the local Group Policy, you configure Audit directory service access.
○ Yes
● No
Explanation:
Files and folders are objects and are audited through object access, not though directory
service access.
References:
Question 102
HOTSPOT
You have 100 computers that run Windows 10 and are members of an Active Directory
domain.
Two support technicians named Tech1 and Tech2 will be responsible for monitoring the
performance of the computers.
You need to configure the computers to meet the following requirements:
 Ensure that Tech1 can create and manage Data Collector Sets (DCSs).
 Ensure that Tech2 can start and stop the DCSs.
 Use the principle of least privilege.
To which group should you add each technician? To answer, select the appropriate options in
the answer area.

Solution:
Reference:
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-
directory-security-groups

Question 103
HOTSPOT
You have a workgroup computer named Computer1 that runs Windows 10 and has the users
shown in the following table.
You plan to add a key named Key1 to the following three registry branches:
 HKEY_CURRENT_CONFIG\Software
 HKEY_LOCAL_MACHINE\Software
 HKEY_CURRENT_USER\Software
You need to identify which users can add Key1.
What user or users should you identify for each branch? To answer, select the appropriate
options in the answer area.

Solution:
Explanation:
Box 1 and Box 2.

These are system-wide registry keys so only Administrators can modify them.
Box 3.
This key affects only the logged in user. Therefore, any user can modify this key.

Question 104
HOTSPOT
You have a file named File1.reg that contains the following content.
You need to identify what occurs when User1 and User2 double-click File1.reg.
What should you identify? To answer, select the appropriate options in the answer area.

Solution:
Explanation:
Box 1:
User1 is a member of the Administrators group so has permission to add keys to both registry
hives.
Box 2:
User2 is a standard user so does not have permission to add a key to the
HKEY_LOCAL_MACHINE registry hive so Key2 will not be imported.
Question 105
You have a computer named Computer1 that runs Windows10. Computer1 is in a workgroup.
Computer1 contains the users shown in the following table.
You need to apply the same Group Policy settings to only User1, User2 and User3. The solution
must use a minimum number of local Group Policy objects (GPOs).
How many local GPOs should you create?
● 1
○ 2
○ 3

Explanation:
You can use security filtering to restrict the GPO to the required users. Only users with the
Read and Apply Group Policy permissions will have the GPO applied to them.
Question 106
You need to set the minimum password length to 12 characters.
● Local Group Policy Editor

○ System Protection in System Properties
○ Sign-in options in the Settings app
Explanation:
You can set the password length on computers that are not domain joined by using the Local
Security Policy or the Local Group Policy Editor.
Note:
There are several versions of this question in the exam. The question has two possible correct
answers:
1. Local Group Policy Editor

2. Local Security Policy
Other incorrect answer options you may see on the exam include the following:
1. Credential Manager in Control Panel

2. Email & accounts in the Settings app
3. Local Users and Groups in Computer Management
Reference:
settings/how-to-configure-security-policy-settings

Question 107
HOTSPOT
Your network contains an Active Directory domain named adatum.com. The domain contains
the users shown in the following table.
The domain contains a computer named Computer1 that runs Windows10. Computer1 has a
file named File1.txt that has the permissions shown in the exhibit. (Click the Exhibit tab.)

Solution:
Explanation:
Box 1: No
User1 only has Read access to the file.
Box 2: Yes
User2 is in Group2 which has full control. The condition states that if the user is also a
member of Group3, the permission would not apply. However, User2 is not in Group3 so the
full control permission does apply.
Box 3: No
User3 is in Group3 which does have Read access. However, the condition states that if the
user is also in Group1 or Group2 then the permission does not apply. User3 is in Group2 so the
Read permission granted to Group3 does not apply to User3.

Question 108
HOTSPOT
Your network contains an Active Directory domain that contains the objects shown in the
following table.
Computer1 contains the shared folders shown in the following table.
The computers have the network configurations shown in the following table.

Solution:
Explanation:
Box 1: Yes
User1 is in Group1 which has permission to access the share so the share will be visible.
Box 2: No
User2 is in Group2 which does not have permission to access Share1. Access-based
enumeration is enabled so Share1 will not be listed as User2 does not have permission to
access it.
Box 3: No
Share2$ is a hidden share (dollar sign appended) so the share will never be listed.

Question 109
HOTSPOT
Computer1 contains the shared folders shown in the following table.
The shared folders have the permissions shown in the following table.

Solution:
Explanation:
Box 1: No
Share1$ is a hidden share (dollar sign appended) so the share will never be visible.
Box 2: Yes
User2 is in Group1 and Group2. Both groups have access to Share1$. Therefore, the contents
of the shared folder will be visible.
Box 3: No
User1 is in Group1. Group1 does not have the necessary security permission to access Share2.
You need both security permissions (NTFS permissions) AND share permissions to view the
contents of a shared folder. User1 has the necessary share permissions (Everyone: Read), but
not the security permission.

Question 110
You customize the Start menu on a computer that runs Windows 10 as shown in the following
exhibit.
You need to add Remote Desktop Connection to Group1 and remove Group3 from the Start
menu.
Which two actions should you perform from the Start menu customizations? Each correct
answer presents part of the solution.
● Unlock Group1.
○ Remove Command Prompt from Group1.
○ Delete Group3.
● Add Remote Desktop Connection to Group1.
○ Rename Group3 as Group1.
Explanation:
A: You have to unlock Group1 before you can make any changes to it.
D: If you drag the Remote Desktop Connection from Group3 to Group1, Group3 will disappear.
Question 111
On Computer1, you turn on File History.
You need to protect a folder named D:\Folder1 by using File History.
What should you do?
● From File Explorer, add D:\Folder1 to the Documents library

○ From the Settings app, configure the Recovery settings
○ From Backup and Restore (Windows 7), modify the backup settings
○ From File History in Control Panel, configure the Advanced settings
Question 112
HOTSPOT
You have a computer named Computer 1 that runs Windows 10.
You turn on System Protection and create a restore point named Point1.
You perform the following changes:
 Add four files named File1.txt, File2.dll, File3.sys, and File4.exe to the desktop.
 Run a configuration script that adds the following four registry keys:
- Key1 to HKEY_CURRENT_USER
- Key2 to HKEY_CLASSES_ROOT
- Key3 to HKEY_LOCAL_MACHINE\SYSTEM
- Key4 to HKEY_CURRENT_CONFIG
You restore Point1.
Which files and registry keys are removed? To answer, select the appropriate options in the
answer area.

Solution:
References:
https://www.maketecheasier.com/what-system-restore-can-and-cannot-do-to-your-windows-
system/
https://superuser.com/questions/343112/what-does-windows-system-restore-exactly-back-up-
and-restore

Question 113
HOTSPOT
You have 10 computers that run Windows 10.
You have a Windows Server Update Services (WSUS) server.
You need to configure the computers to install updates from WSUS.
Which two settings should you configure? To answer, select the appropriate options in the
answer area.

Solution:
References:
https://docs.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-
wsus#configure-automatic-updates-and-update-service-location
Question 114
You have a Microsoft 365 Enterprise E3 license.
You need to ensure that you can access the files on Computer1 by using a web browser on
another computer.
○ Sync your settings in the Settings app

○ the File Explorer desktop app
● the Microsoft OneDrive desktop app
○ Default apps in the Settings app

Question 115
You have computers that run Windows 10 and are configured as shown in the following table.
You have a removable USB drive named USBDrive1 that is encrypted by using BitLocker to Go.
You plan to use USBDrive1 on Computer1, Computer2, and Computer3.
You need to identify on which computers you can enable automatic unlocking of BitLocker on
USBDrive1.
Which computers should you identify?

○ Computer3 only
● Computer1 and Computer3 only
○ Computer1, Computer2, and Computer3
Explanation:
The BitLocker key is stored in the registry when you enable auto-unlock but only if the
operating system drive is encrypted with BitLocker. A TPM is not required.

Question 116
HOTSPOT
You have a computer named Computer1 that runs Windows 10 and has the users shown in the
following table.
You move Folder1 into Folder2.
Solution:
Explanation:
Box 1: No
If you move a shared folder, the share will no longer work.

Box 2: No
Folder1 will inherit the permissions of Folder2. User1 does not have permission to access
Folder2.
Box 3: Yes
User2 is a member of the Administrators group so he can access the administrative share
\\Computer1\E$.
User2 has Full Control permission to Folder2 so he can access \\Computer1\E$\Folder2.
Folder1 will inherit the permissions of Folder2 so User2 can access
\\Computer1\E$\Folder2\Folder1.

Question 117
HOTSPOT
Your network contains the segments shown in the following table.
You have computers that run Windows 10 and are configured as shown in the following table.
Windows Defender Firewall has the File and Printer Sharing allowed apps rule shown in the
following table.

Solution:

Question 118
HOTSPOT
You have a workgroup computer named Computer1 that runs Windows 10. From File Explorer,
you open OneDrive as shown in the following exhibit.
Use the drop-down menus to select the answer choice that answers each question based on
the information presented on the graphic.

Solution:
Question 119
Solution: You create two new local Group Policy Objects (GPOs) and apply one GPO to User1
and the other GPO to User2. You configure the Desktop Wallpaper setting in each GPO.
● Yes
○ No

Reference:
windows-10
Question 120
run Windows 10.
You discover that when users are on their lock screen, they see a different background image
every day, along with tips for using different features in Windows 10.
You need to disable the tips and the daily background image for all the Windows 10
computers.
Which Group Policy settings should you modify?
○ Turn off the Windows Welcome Experience

○ Turn off Windows Spotlight on Settings
○ Do not suggest third-party content in Windows spotlight
● Turn off all Windows spotlight features
References:
https://docs.microsoft.com/en-us/windows/configuration/windows-spotlight

Question 121
HOTSPOT
You have a computer named Computer1 that runs Windows 10. Computer1 contains a folder
named Data on drive C. The Advanced Security Settings for the Data folder are shown in the
exhibit. (Click the Exhibit tab.)
You share C:\Data as shown in the following table.
User1 is a member of the Users group.
Administrators are assigned Full control NTFS permissions to C:\Data.

Solution:
Explanation:
User1 cannot write files when connected to \\Computer1\Data because the Users group only
has Read & Execute NTFS permission to the C:\Data folder and there are no explicit NTFS
permissions for User1.
User1 cannot write files locally because the Users group only has Read & Execute NTFS
permission to the C:\Data folder and there are no explicit NTFS permissions for User1.
Administrators cannot change the NTFS permissions of files and folders when connected to
\\Computer1\Data because they only have Change share permission. The would need Full
Control share permission. They could do it locally because they have Full Control NTFS
permission.

Question 122
You have a file named Reg1.reg that contains the following content.
What is the effect of importing the file?
○ A key named command will be renamed as notepad.exe.

● In a key named Notepad, the command value will be set to @="notepad.exe".
○ In a key named command, the default value will be set to notepad.exe.
Question 123
On Computer1, you create the local users shown in the following table.
Which two user profiles will persist after each user signs out? Each correct answer presents
part of the solution.
● User1
○ User2
○ User3
○ User4
● User5

Question 124
HOTSPOT
You have a computer that runs Windows 10. The computer is in a workgroup. The computer is
used to provide visitors with access to the Internet.
You need to configure the computer to meet the following requirements:
 Always sign in automatically as User1.

 Start an application named App1.exe at sign-in.
What should you use to meet each requirement? To answer, select the appropriate options in
the answer area.
Solution:
References:
http://www.itexpertmag.com/server/complete-manageability-at-no-extra-cost

Question 125
HOTSPOT
You have four computers that run Windows 10. The computers are configured as shown in the
following table.
On Computer1, you create a user named User1. In the domain, you create a user named
User2.
You create the groups shown in the following table.
You need to identify to which computers User1 can sign in, and to which groups you can add
User2.

Solution:
Explanation:
Box 1: Computer 1 only.

User1’s account was created on Computer1. The account is a local account on Computer1.
Therefore, User1 can only sign in to Computer1.
Box 2: Group5 only.

User2’s account was created in the domain. A domain is a security boundary. Therefore, you
can only add User2 to groups in the domain.

Question 126

User1 is a member of the Administrators group on a computer that runs Windows 10.
When User1 attempts to view the security settings of a folder named C:\SecretData, the user
receives the message in the Security exhibit. (Click the Security tab.)
On the computer, you sign in as a member of the Administrators group and view the
permissions to C:\SecretData as shown in the Permissions exhibit. (Click the Permissions
tab.)

You need to restore Use1's access to C:\SecretData.
○ From the Permissions tab of Advanced Security Settings for SecretData, select
Change to take ownership of the folder.
● From the Permissions tab of Advanced Security Settings for SecretData, select
Continue to attempt the operation by using administrative privileges.
○ Assign User1 Full control permissions to the C folder and set the inheritance to
This folder, subfolders and files.
○ From an elevated command prompt, run cacls.exe c:\secretdata /g user1:F.
Reference:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/dont-have-
permission-access-folder

Question 127
HOTSPOT
Your network contains an Active Directory domain. The domain contains the users shown in
The Authenticated Users group has the Add workstations to domain user right in the Default
Domain Controllers Policy.
The Device Managers and Help Desk groups are granted the Create Computer objects
permission for the Computers container of the domain.
You have 15 workgroup computers that run Windows 10. Each computer contains a local user
account named LocalAdmin1 that is a member of the following groups:
 Administrators
 Device Owners
 Authenticated Users

Solution:
Explanation:
Box 1: No
User1 is a member of the Authenticated Users group which has the Add workstations to
domain user right. However, with the Add workstations to domain user right, you are
restricted to joining a maximum of 10 computers to the domain.
Box 2: No
domain user right. User2 is also a member of the Device Managers group which is granted the
Create Computer objects permission for the Computers container of the domain. The Create
Computer objects permission overrides the 10-computer limit imposed by the Add
workstations to domain user right so User2 can join more than 10 computers to the domain.
Box 3. Yes
domain user right. User3 is also a member of the Help Desk group which is granted the Create
Computer objects permission for the Computers container of the domain. The Create
Computer objects permission overrides the 10-computer limit imposed by the Add
workstations to domain user right so User3 can join all the computers to the domain.

Question 128
The Users group has Modify permissions to a folder named D:\Folder1.
User3 creates a file named File1.docx in Folder1.
Which users can take ownership of File1.docx?
○ Administrator and User1 only

● Administrator only
○ Administrator, User1, and User2
○ Administrator and User2 only
Explanation:
Only a member of the Administrator’s group can take ownership of a file or folder.

Question 129
HOTSPOT
You have two workgroup computers named Computer1 and Computer2 that run Windows 10.
The Guest account is enabled on both computers.
The computers contain the users shown in the following table.
The computers contain the shared folders shown in the following table.
Computer1 has password-protected sharing turned on. Computer2 has password-protected

sharing turned off.

Solution:
Explanation:
When password protected sharing is turned on, only people who have a user account and
password on your computer can access shared files.
Box 1: Yes
Password protected sharing is turned off on Computer2 so User1 can access Share2 from
Computer1.
Box 2: Yes
Password protected sharing is turned on on Computer1. User2 has an account on Computer1
so User2 can access Share1 from Computer2.
Box 3: Yes
The answer to this question depends on which version of Windows 10 is running on the
computers. This isn’t specified in the question so it’s likely that the question will be updated in
future.
Password protected sharing is turned on on Computer1. User3 does not have an account on
Computer1 so User3 cannot access Share1 from Computer2. However, the Guest account is
enabled which could provide access depending on which version of Windows 10 is running. If it
is Windows 10 Home or Pro, then the answer to this question is Yes. The Guest account does
provide access. However, in later versions of Windows 10 Enterprise and Windows 10
Education (from build 1709 onwards), the Guest account does not enable access to the shared
folder.
Reference:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-
smb2-is-disabled-by-default

Question 130
You need to enable BitLocker Drive Encryption (BitLocker) on a computer named Computer1
that runs Windows 10. Computer1 has the following configurations:
 Contains only one 200-GB NTFS volume named C:\

 Contains 50 GB of unallocated disk space
 Is the member of a workgroup
 Has TPM enabled

○ Create a VHD.
○ Disable TPM.
● Create an additional volume.
○ Join Computer1 to an Azure Active Directory (Azure AD) tenant.
Explanation:
Two partitions are required to run BitLocker because pre-startup authentication and system
integrity verification must occur on a separate partition from the encrypted operating system
drive. This configuration helps protect the operating system and the information in the
encrypted drive.
Reference:
overview-and-requirements-faq
Question 131
You need to set the minimum password length to 12 characters.

● Local Security Policy
○ Credential Manager in Control Panel
○ Email & accounts in the Settings app
Explanation:
You can set the password length on computers that are not domain joined by using the Local
Security Policy or the Local Group Policy Editor.
Note:
There are several versions of this question in the exam. The question has two possible correct
answers:
1. Local Group Policy Editor

2. Local Security Policy
Other incorrect answer options you may see on the exam include the following:
1. System Protection in System Properties

2. Local Users and Groups in Computer Management
3. Sign-in options in the Settings app
Reference:
settings/how-to-configure-security-policy-settings
Question 132
You have 20 computers that run Windows 10. The computers are in a workgroup.
You need to create a local user named User1 on all the computers. User1 must be a member
of the Remote Management Users group.
What should you do?
○ From Windows Configuration Designer, create a provisioning package, and then

run the provisioning package on each computer.
○ Create a script that runs the New-ADUser cmdlet and the Set-AdGroup cmdlet.
● Create a Group Policy object (GPO) that contains the Local User Group Policy
preference.
○ Create a script that runs the New-MsolUser cmdlet and the Add-
ADComputerServiceAccount cmdlet.
References:
https://blogs.technet.microsoft.com/askpfeplat/2017/11/06/use-group-policy-preferences-to-
manage-the-local-administrator-group/

Question 133
Solution: From System Properties, you add D:\Scripts to the PATH environment variable.
○ Yes
● No
Question 134
You have several computers that run Windows 10. The computers are in a workgroup and
have BitLocker Drive Encryption (BitLocker) enabled.
You join the computers to Microsoft Azure Active Directory (Azure AD).
You need to ensure that you can recover the BitLocker recovery key for the computers from
Azure AD.
○ Disable BitLocker.
● Add a BitLocker key protector.
○ Suspend BitLocker.
○ Disable the TMP chip.
References:
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/prepare-
your-organization-for-bitlocker-planning-and-policies#bitlocker-key-protectors

Question 135
HOTSPOT
You have two workgroup computers named Computer1 and Computer2 that run Windows 10.
The computers contain the local security principals shown in the following table.
Which security principals can be members of GroupA and GroupC? To answer, select the

Solution:
Question 136
A user purchases a new computer that has Windows 10 Home preinstalled. The computer has
a biometric fingerprint reader.
You need to ensure that the user can use the fingerprint reader to sign in to the computer by
using an Azure Active Directory (Azure AD) account.
○ Register the computer to Azure AD.

● Install the latest feature updates on the computer.
○ Upgrade the computer to Windows 10 Enterprise.
○ Upgrade the computer to Windows 10 Pro.

Question 137
HOTSPOT
Your network contains an Active Directory domain. The domain contains three computers
named Computer1, Computer2, and Computer3 that run Windows 10. The computers are on
the same network and have network connectivity.
Windows Defender Firewall on Computer1 has the server-to-server connection security rule
All the connection security rules are enabled and configured to use only the Computer
(Kerberos VS) authentication method.

Solution:
References:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/create-
an-authentication-request-rule

Question 138
HOTSPOT
Computer1 contains an image file named C:\Folder\Image.jpg.
Computer1 has the Local Computer\Administrators Policy shown in the following table.
Computer1 has the Local Computer\Non-Administrators Policy shown in the following table.
Computer1 has the local computer policy shown in the following table.

Solution:
Explanation:
Box 1: No
The Desktop Wallpaper setting in the Local Computer\Non-Administrators Policy specifies the
path to the wallpaper image. Therefore, User1 will not be able to change the wallpaper.
Box 2: Yes
The Remove Recycle Bin from desktop setting in the Local Computer\Administrators Policy is
Not Configured which means it will not overwrite the setting in the Local Computer Policy. The
Remove Recycle Bin from desktop setting in the Local Computer Policy is Disabled. Therefore,
the Recycle Bin icon is not removed. In other words, it will be visible on the desktop.
Box 3: No
The Remove Recycle Bin from desktop setting in the Local Computer\Non-Administrators
Policy is enabled. Therefore, the Recycle Bin will be removed for User1.
Question 139
run Windows 10.
You configure Microsoft Edge settings by using domain and local Group Policy Objects (GPOs).
You need to generate a report that contains all the Microsoft Edge policy settings applied to a
computer.
What should you do?
○ From PowerShell, run the Get-GPO cmdlet.

○ From PowerShell, run the Get-GPOReport cmdlet.
● From Microsoft Edge, open edge://policy.
○ From Microsoft Edge, open edge://settings.
Explanation:
The Get-GPOReport cmdlet would generate a report for all domain group policy objects.
However, this would not display the settings that are applied by local group policy objects.

To display the settings applied by both domain and local GPOs, you would have to open
Microsoft Edge and enter edge://policy in the address bar.
Question 140
HOTSPOT
You need to modify the Security Settings of Computer1 to meet the following requirements:
 A local group named Branch_Admins must be able to view and clear the Security log.
 Local users must be prompted to change their password three days before the
password expires.
Which two nodes of the Local Group Policy Editor should you access to configure the settings?
To answer, select the appropriate nodes in the answer area.

Solution:
Explanation:
User Rights Assignment > Manage auditing and security log.

Security Options > Interactive Logon: Prompt user to change password before expiration: 3
days.
Question 141
You have a computer that runs Windows 10 Pro. The computer contains the users shown in
You need to use a local Group Policy Object (GPO) to configure one group of settings for all the
members of the local Administrators group and another group of settings for all non-
administrators.
What should you do?
○ Use the runas command to open Gpedit.msc as each user.

● Run mmc as User1 and add the Group Policy Object Editor snap-in twice.
○ Open Gpedit.msc as User1 and add two Administrative Templates.
○ Run mmc as User1 and add the Security Templates snap-in twice.
Explanation:
Add the Group Policy Object Editor snap-in twice. Select Browse > Users > Administrators

when you add the first snap-in and select Browse > Users > Non-Administrators when you add
the second snap-in.
Question 142
run Windows 10.
You configure Microsoft Edge settings by using domain and local Group Policy Objects (GPOs).
You need to generate a report that contains all the Microsoft Edge policy settings applied to a
computer.
What should you do?
○ From PowerShell, run the Get-GPO cmdlet.

○ From PowerShell, run the Get-GPOReport cmdlet.
● From Microsoft Edge, open edge://policy.
○ From the Start menu, select Group Policy Object Editor.
Explanation:
The Get-GPOReport cmdlet would generate a report for all domain group policy objects.
However, this would not display the settings that are applied by local group policy objects.
To display the settings applied by both domain and local GPOs, you would have to open
Microsoft Edge and enter edge://policy in the address bar.

Configure Storage and Connectivity (39 questions)

Case Study

Overview
General Overview
Litware, Inc. is a consulting company that has a main office in Montreal and branch offices in
Seattle and New York.
Environment
The network contains an on-premises Active Directory domain named litware.com. The
domain contains the computers shown in the following table.
The network that uses 192.168.10.0/24 connects to the internet by using a Network Address
Translation (NAT) device.

Windows Admin Center is installed on Server1.
The domain contains the groups shown in the following table.
Computer1 Configuration
Computer1 contains the local user accounts shown in the following table.
Computer1 contains a folder named D:\Folder1 that has permission inheritance disabled.
Computer1 contains a file named D:\Folder1\Report.docx that has the permissions shown in
D:\Folder1\Report.docx has auditing configured as shown in the following table.
The Local Computer Policy for Computer1 is configured as shown in the following table.

Windows Defender Firewall for Computer1 has the rules shown in the following table.
Group1 and Group2 are members of the Remote Desktop Users group.

Requirements and Planned Changes
Planned Changes
Litware plans to make the following changes on Computer1:
 Grant User1 Allow Full control permissions to D:\Folder1\Report.docx.

 Grant User3 Allow Full control permissions to D:\Folder1.
Litware identifies the following technical requirements:
 Configure custom Visual Effect performance settings for Computer1.

 Manage Computer2 by using Windows Admin Center.
Delivery Optimization on the computers that run Windows 10 must be configured to meet the
following requirements:
 Content must be downloaded only from an original source.

 Downloading content from peer cache clients must be prevented.
 Downloads must be optimized by using the Delivery Optimization cloud service.

Question 143
HOTSPOT
Which Windows 10 computers can you ping successfully from Computer1 and Computer2? To
answer, select the appropriate options in the answer area.
Solution:
Explanation:

Box 1: Computer3 only.
Computer1 and Computer2 are domain joined so both will be using the Domain profile. The
firewall rules on Computer1 allow outbound ICMP on all profiles so outbound ICMP will be
allowed on the Domain profile.
The firewall rules on Computer2 allow inbound ICMP on the Public profile only, so it will be
blocked on the domain profile. Therefore, Computer2 cannot be pinged.
The firewall rules on Computer3 allow inbound ICMP on all profiles. Therefore, Computer3 will
not block the inbound pings.
Box 2: No Windows 10 computers.

The firewall rules on Computer2 allow outbound ICMP on the Private profile only, so it will be
blocked on the domain profile. Therefore, Computer2 cannot ping any computers.
Question 144
HOTSPOT
You implement the planned changes for Computer1.
Solution:
Explanation:
Box 1: Yes
User1 already has full control access through membership of Group1. Therefore, User1 can
write to the file.
Box 2: No
The planned changes will grant User2 full control access to the file. However, User2 is a
member of Group2 which has Deny/Write access. The Deny permission will always take
precedence. Therefore, User2 will not be able to write to the file.
Box 3: No
The planned changes will grant User3 full control access to the folder. That permission will be
inherited by the file. However, User3 is a member of Group2 which has Deny/Write access.
The Deny permission will always take precedence. Therefore, User3 will not be able to write to
the file.


Case Study

Overview
Active Directory
licenses.
Client Computers
joined to Azure AD.

- User certificates
Security Policies
LocalAdmin.
(LAPS).
Problem Statements


requirements.

Question 145
You need to recommend a solution to configure the employee VPN connections.
○ Remote Access Management Console

○ Group Policy Management Console (GPMC)
○ Connection Manager Administration Kit (CMAK)
● Microsoft Intune
References:
https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-
vpn/deploy/vpn-deploy-client-vpn-connections#bkmk_ProfileXML
Question 146
You need to take remote control of an employee’s computer to troubleshoot an issue.
What should you send to the employee to initiate a remote session?
● a numeric security code

○ a connection file
○ an Easy Connect request
○ a password
References:
https://support.microsoft.com/en-us/help/4027243/windows-10-solve-pc-problems-with-quick-
assist


Case Study

Overview

Requirements
Planned Changes
office users.
(EULA).

Question 147
You need to meet the technical requirement for User6.
What should you do?
○ Add User6 to the Remote Desktop Users group in the domain.

● Remove User6 from Group2 in the domain.
○ Add User6 to the Remote Desktop Users group on Computer2.
○ And User6 to the Administrators group on Computer2.
Question 148
You need to meet the technical requirement for the IT department users.
○ Issue computer certificates

○ Distribute USB keys to the IT department users.
○ Enable screen saver and configure a timeout.
● Turn on Bluetooth.
References:
https://support.microsoft.com/en-za/help/4028111/windows-lock-your-windows-10-pc-
automatically-when-you-step-away-from

Question 149
HOTSPOT
From the Settings app, you view the connection properties shown in the following exhibit.

Solution:
Question 150
You have 15 computers that run Windows 10. Each computer has two network interfaces
named Interface1 and Interface2.
You need to ensure that network traffic uses Interface1, unless Interface1 is unavailable.
What should you do?
● Run the Set-NetIPInterface –InterfaceAlias Interface1 –InterfaceMetric 1

command.
○ Run the Set-NetAdapterBinding –Name Interface2 –Enabled $True –ComponentID
ms_tcpip –ThrottleLimit 0 command.
○ Set a static IP address on Interface 1.
○ From Network Connections in Control Panel, modify the Provider Order.
References:
https://tradingtechnologies.atlassian.net/wiki/spaces/KB/pages/27439127/How+to+Change+N
etwork+Adapter+Priorities+in+Windows+10
https://docs.microsoft.com/en-us/powershell/module/nettcpip/set-netipinterface?view=win10-
ps

Question 151
run Windows 10. Users in the finance department use the computers.
From Computer1, you plan to run a script that executes Windows PowerShell commands on
the finance department computers.
You need to ensure that you can run the PowerShell commands on the finance department
computers from Computer1.
What should you do on the finance department computers?
○ From the local Group Policy, enable the Allow Remote Shell Access setting.
○ From the local Group Policy, enable the Turn on Script Execution setting.
○ From the Windows PowerShell, run the Enable-MMAgent cmdlet.
● From the Windows PowerShell, run the Enable-PSRemoting cmdlet.
References:
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-
psremoting?view=powershell-6
Question 152
You have an Azure Active Directory (Azure AD) tenant that contains a user named
user1@contoso.com.
You join Computer1 to Azure AD. You enable Remote Desktop on Computer1.
User1@contoso.com attempts to connect to Computer1 by using Remote Desktop and

receives the following error message: “The logon attempt failed.”
You need to ensure that the user can connect to Computer1 by using Remote Desktop.
○ In Azure AD, assign user1@contoso.com the Cloud device administrator role.

● From the local Group Policy, modify the Allow log on through Remote Desktop
Services user right.
○ In Azure AD, assign user1@contoso.com the Security administrator role.
○ On Computer1, create a local user and add the new user to the Remote Desktop
Users group.
References:
settings/allow-log-on-through-remote-desktop-services

Question 153
DRAG DROP
You enable Windows PowerShell remoting on a computer that runs Windows 10.
You need to limit which PowerShell cmdlets can be used in a remote session.
Which three actions should you perform in sequence? To answer, move the appropriate
actions from the list of actions to the answer area and arrange them in the correct order.
Solution:
References:
https://www.petri.com/powershell-remoting-restricting-user-commands

Question 154

You have a VPN server that accepts PPTP and L2TP connections and is configured as shown in
the following exhibit.
A user named User1 has a computer that runs Windows 10 and has a VPN connection
configured as shown in the following exhibit.
User1 fails to establish a VPN connection when connected to a home network.

You need to identify which VPN client setting must be modified.
What should you identify?
● ServerAddress
○ TunnelType
○ AuthenticationMethod
○ L2tpIPsecAuth
○ EncryptionLevel
Explanation:
The server address is a private IP address. This needs to be the public IP address of the VPN
server.

Question 155
HOTSPOT
On Computer1, you create a VPN connection as shown in the following exhibit.
The corporate network contains a single IP subnet.

Solution:
Question 156
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains a
user named UserA.
You have two computers named Computer1 and Computer2 that run Windows 10 and are
joined to contoso.com.
You need to ensure that UserA can connect to Computer2 from Computer1 by using Remote
Desktop.
Which three actions should you perform? Each correct answer presents part of the solution.
○ On Computer1, modify the registry.

○ On Computer2, modify the registry.
○ On Computer1, modify the properties of UserA.
○ On Computer1, enable Remote Desktop.
● On Computer2, modify the properties of UserA.
● On Computer 2, enable Remote Desktop.
● On Computer2, add the Everyone group to the Remote Desktop Users group.
○ On Computer1, add the Everyone group to the Remote Desktop Users group.
Reference:
https://docs.microsoft.com/en-us/windows/client-management/connect-to-remote-aadj-pc

Question 157
HOTSPOT
You need to ensure that Computer1 will respond to ping requests.
How should you configure Windows Defender Firewall on Computer1? To answer, select the

Solution:

Question 158
HOTSPOT
You have a computer named Computer1 that runs Windows 10. Computer1 has an IP address
of 10.10.1.200 and a subnet mask of 255.255.255.0.
You configure the proxy settings on Computer1 as shown in the following exhibit.

Solution:
References:
https://www.howtogeek.com/tips/how-to-set-your-proxy-settings-in-windows-8.1/

Question 159
You have a computer that is configured as shown in the following exhibit.
What can the computer connect to?
○ all the local computers and the remote computers within your corporate network
only
● all the local computers and the remote computers, including Internet hosts
○ only other computers on the same network segment that have automatic private
IP addressing (APIPA)
○ only other computers on the same network segment that have an address from a
class A network ID

Question 160
Your network contains an Active Directory domain named contoso.com.
A user named User1 has a personal computer named Computer1 that runs Windows 10 Pro.
User1 has a VPN connection to the corporate network.
You need to ensure that when User1 connects to the VPN, network traffic uses a proxy server
located in the corporate network. The solution must ensure that User1 can access the Internet
when disconnected from the VPN.
What should you do?
○ From Control Panel, modify the Windows Defender Firewall settings

○ From the Settings app, modify the Proxy settings for the local computer
○ From Control Panel, modify the properties of the VPN connection
● From the Settings app, modify the properties of the VPN connection
https://www.examtopics.com/discussions/microsoft/view/6799-exam-md-100-topic-3-question-
12-discussion/
D é a resposta correta. Nas propriedades da VPN, você pode adicionar uma configuração
proxy. A configuração proxy só estará ativa quando o usuário se conectar à VPN.
Question 161
You deploy 100 computers that run Windows 10. Each computer has a cellular connection and
a Wi-Fi connection.
You need to prevent the computers from using the cellular connection unless a user manually
connects to the cellular network.
What should you do?
○ Set the Use cellular instead of Wi-Fi setting for the cellular connection to
Never
○ Run the netsh wlan set hostednetwork mode=disallow command
● Clear the Let Windows manage this connection check box for the cellular
connection
○ Select the Let Windows manage this connection check box for the Wi-Fi
connection
References:
https://support.microsoft.com/en-za/help/10739/windows-10-cellular-settings

Question 162
You have a laptop named Computer1 that runs Windows 10.
When in range, Computer1 connects automatically to a Wi-Fi network named Wireless1.
You need to prevent Computer1 from automatically connecting to Wireless1.
Solution: From a command prompt, you run netsh wlan delete profile name="Wireless1".
● Yes
○ No
Reference:
https://lifehacker.com/remove-wi-fi-profiles-from-windows-8-1-from-the-command-
1449954864
Question 163
Solution: From the Services console, you disable the Link-Layer Topology Discovery Mapper
service.
○ Yes
● No

Explanation:
Link-Layer Topology Discovery is used by their Network Map feature to display a graphical
representation of the local area network (LAN) or wireless LAN (WLAN), to which the computer
is connected.
References:
https://en.wikipedia.org/wiki/Link_Layer_Topology_Discovery
Question 164
Solution: From the properties of the Wi-Fi adapter, you disable Link-Layer Topology Discovery
Responder.
○ Yes
● No
Explanation:
Link-Layer Topology Discovery is used by their Network Map feature to display a graphical
representation of the local area network (LAN) or wireless LAN (WLAN), to which the computer
is connected.
References:
https://en.wikipedia.org/wiki/Link_Layer_Topology_Discovery

Question 165
Your network contains an Active Directory domain named contoso.com. The domain contains
two computers named Computer1 and Computer2 that run Windows 10.
On Computer1, you need to run the Invoke-Command cmdlet to execute several PowerShell
commands on Computer2.
● On Computer2, run the Enable-PSRemoting cmdlet

○ From Active Directory, configure the Trusted for Delegation setting for the
computer account of Computer2
○ On Computer1, run the New-PSSession cmdlet
○ On Computer2, add Computer1 to the Remote Management Users group
Reference:
psremoting?view=powershell-6
Question 166
You are troubleshooting connectivity issues on Computer1.
You need to view the remote addresses to which Computer1 has active TCP connections.
Which tool should you use?
○ Performance Monitor
○ Task Manager
● Resource Monitor
○ Windows Defender Firewall with Advanced Security

Question 167
HOTSPOT
Your office has a dedicated wireless network for guests.
You plan to provide access cards that will have a QR code for guests. The QR code will link to a
network configuration file stored on a publicly accessible website and provide the wireless
network settings for Windows 10 devices.
Which tool should you use to create the configuration file and which file type should you use
for the configuration file? To answer, select the appropriate options in the answer area.

Solution:
Reference:
packages

Question 168
HOTSPOT
Your network contains the segments shown in the following table.
The network interface of the computer is configured as shown in the exhibit. (Click the Exhibit
tab.)
You need to identify which IP address the computer will have on the network when the
computer connects to the segments.
Which IP address should you identify for each segment? To answer, select the appropriate

Solution:

Question 169

HOTSPOT
Your network contains an Active Directory domain named adatum.com, a workgroup, and
computers that run Windows 10. The computers are configured as shown in the following
table.
The local Administrator accounts on Computer1, Computer2, and Computer3 have the same
user name and password.
On Computer1, Windows Defender Firewall is configured as shown in the following exhibit.
The services on Computer1 have the following states.

Solution:
Explanation:
Box 1: No
Because the firewall is blocking Remote Volume Management.
Box 2: No
Because the Remote Registry Service is stopped.
Box 3: No
Because the Remote Registry Service is stopped. Perfmon needs both the RPC service and the
Remote Registry service to be running.
Question 170
Your company has a Remote Desktop Gateway (RD Gateway).
You have a server named Server1 that is accessible by using Remote Desktop Services (RDS)
through the RD Gateway.
You need to configure a Remote Desktop connection to connect through the gateway.
Which setting should you configure?
○ Connection settings
○ Server authentication
○ Local devices and resources
● Connect from anywhere
Question 171
Solution: From the Settings app, you modify the properties of the Wireless1 known Wi-Fi
network.
● Yes
○ No
Explanation:
Removing Wireless1 as a known Wi-Fi network on Computer1 will prevent it from
automatically connecting.
Note: You can also type netsh wlan show profiles in the Command Prompt to manage and
delete wireless network profiles.
References:
https://kb.netgear.com/29889/How-to-delete-a-wireless-network-profile-in-Windows-10

Question 172

SIMULATION
time.
for that task.

password below.
Password: Passw0rd!
You need to connect to your company’s network and create a VPN connection on Client2
named VPN1 that meets the following requirements:
 VPN1 must connect to a server named vpn.contoso.com.

 Only traffic to your company’s network must be routed through VPN1.

Explanation:
1. On Client2, click on the Start button and go to settings.
2. Select Network & Internet.
3. Select VPN on the left-hand side
4. Click on the Add a VPN connection button.
5. Next, select the VPN provider–This will almost always be Windows (built-in).
Name your connection and enter the server name as provided by your IT technician. (
6. VPN1 and vpn.contoso.com).
7. Add in your username and password as provided by your IT technician.
8. Click Save when done.
9. Closeout the PC settings windows.
Reference:
https://www.themillergroup.com/vpn-windows-10/

Question 173

SIMULATION
time.
for that task.

password below.
Password: Passw0rd!
You need to ensure that you can successfully ping DC1 from Client3 by using the IP4 address
of DC1.
Explanation:
 On Client3, press Windows+R to access Run.

 Type cmd and click OK to access the command prompt.
 Type ipconfig and press Enter to check that you have a valid IP address.

 On Client3, press Windows+R to access Run.
 Type cmd and click OK to access the command prompt.
 Type "ping" and the IP address of the Domain Controller (e.g. "ping 172.16.1.43").
Reference:
http://www.turn-n-burn.com/DestinyNetworks/Downloads/WebHelp3-1-
1/Ping_the_Domain_Controller.htm

Question 174

SIMULATION
time.
for that task.

password below.
Password: Passw0rd!
You need to ensure that a local user named User1 can establish a Remote Desktop connection
to Client2.
Explanation:
Add User to Remote Desktop Users Group via Settings App

1. Open the Settings app on Client2 and go to System -> Remote Desktop. Click on the
Select users that can remotely access this PC link on the right side.
2. When the Remote Desktop Users dialog opens, click on Add.
3. Click on Advanced.
4. Click on Find Now and then select any user account you want to add to the “Remote
Desktop Users” group, and click OK.
5. Click OK and you’re done.
Reference:
https://www.top-password.com/blog/add-user-to-remote-desktop-users-group-in-windows-10/

Question 175

SIMULATION
time.
for that task.

password below.
Password: Passw0rd!


You need to prevent user names and passwords from being filled in on forms automatically
when a user browses to websites from Client2.
Explanation:
1. Open the Local Group Policy Editor.

2. In the left pane of Local Group Policy Editor, navigate to Computer
Configuration\Administrative Templates\Windows Components\Microsoft Edge
3. In the right pane of Microsoft Edge in Local Group Policy Editor, double click/tap on the
Configure Autofill policy to edit it.
4. Select Disabled, click/tap on OK.
5. In the right pane of Microsoft Edge in Local Group Policy Editor, double click/tap on the
6. Configure Password Manager policy to edit it.
7. Select Disabled, click/tap on OK.
8. You can now close the Local Group Policy Editor.
Reference:
https://docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies
https://www.tenforums.com/tutorials/115069-enable-disable-autofill-microsoft-edge-windows-
10-a.html

Question 176

SIMULATION
time.
for that task.

password below.
Password: Passw0rd!


You need to ensure that all the current and future users in the Active Directory domain can
establish Remote Desktop connections to Client1. The solution must use the principle of least
privilege.
Explanation:
Step 1. Add Remote Desktop Users to the Remote Desktop Users Group.
+ R keys to open run command box.
b. Type gpedit.msc and press Enter.
2. In Group Policy Editor navigate to: Computer Configuration > Windows Settings >
Security Settings > Local Policies > User Rights Assignment.
3. At the right Pane: double click at Allow log on through Remote Desktop Services.
4. Click Add User or Group.
5. Type remote and then click Check Names.
6. Select the Remote Desktop Users and click OK.
7. Click OK at 'Select users, computers…' window.
8. Finally click OK again and close Group Policy Editor.

Reference:
https://www.wintips.org/fix-to-sign-in-remotely-you-need-the-right-to-sign-in-through-remote-
desktop-services-server-2016/
1. Open Server Manager.

2. From Tools menu, select Active Directory Users and Computers
3. Double click at your domain on the left and then select Builtin.
4. Open Remote Desktop Users on the right pane.
5. At Members tab, click Add.
6. Type the AD users that you want to give Remote access to the RDS Server and click OK.
7. After selecting the remote desktop users, click OK again to close the window.
Step 2. Allow the log on through remote desktop Services.

1. Open Group Policy Editor. To do that:
a. Simultaneously press the Windows

Question 177

SIMULATION
time.
for that task.

password below.
Password: Passw0rd!


A web service installed on Client1 is used for testing.
You discover that users cannot connect to the web service by using HTTP.
You need to allow inbound HTTP connections to Client1.
Explanation:
To create an inbound port rule
1. Open the Group Policy Management Console to Windows Defender Firewall with
Advanced Security.
2. In the navigation pane, click Inbound Rules.
3. Click Action, and then click New rule.
4. On the Rule Type page of the New Inbound Rule Wizard, click Custom, and then click
Next.
5. On the Program page, click All programs, and then click Next.
6. On the Protocol and Ports page, select the protocol type that you want to allow. To
restrict the rule to a specified port number, you must select either TCP or UDP.
Because this is an incoming rule, you typically configure only the local port number.
TCP port 80. When you have configured the protocols and ports, click Next.
7. On the Scope page, you can specify that the rule applies only to network traffic to or
from the IP addresses entered on this page. Configure as appropriate for your design,
and then click Next.
8. On the Action page, select Allow the connection, and then click Next.
9. On the Profile page, select the network location types to which this rule applies, and
then click Next.
10.On the Name page, type a name and description for your rule, and then click Finish.
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/create-
an-inbound-port-rule
https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Question 178

SIMULATION
time.
for that task.

password below.
Password: Passw0rd!


Administrators report that they cannot use Event Viewer to remotely view the event logs on
Client3.
You need to ensure that the administrators can access the event logs remotely on Client3. The
solution must ensure that Windows Firewall remains enabled.
Explanation:
1. Go to Control Panel -> System and Security -> Windows Firewall.

2. Click on the Advanced settings link in the left-hand side.

3. Enable COM+ Network Access (DCOM-In).
4. Enable all the rules in the Remote Event Log Management group.
Reference:
https://www.zubairalexander.com/blog/unable-to-access-event-viewer-on-a-remote-computer/

Question 179

SIMULATION
time.
for that task.

password below.
Password: Passw0rd!


You have already prepared Client1 for remote management.
You need to forward all events from the Application event log on Client1 to DC1.
Explanation:
Configuring the event source computer

1. Run the following command from an elevated privilege command prompt on the Windows
Server domain controller to configure Windows Remote Management:
winrm qc -q
2. Start group policy by running the following command:
%SYSTEMROOT%\System32\gpedit.msc
3. Under the Computer Configuration node, expand the Administrative Templates node,
then expand the Windows Components node, then select the Event Forwarding node.
4. Right-click the SubscriptionManager setting, and select Properties. Enable the
SubscriptionManager setting, and click the Show button to add a server address to the
setting. Add at least one setting that specifies the event collector computer. The
SubscriptionManager Properties window contains an Explain tab that describes the
syntax for the setting.
5. After the SubscriptionManager setting has been added, run the following command to
ensure the policy is applied:
gpupdate /force
Configuring the event collector computer

1. Run the following command from an elevated privilege command prompt on the Windows
Server domain controller to configure Windows Remote Management:
winrm qc -q
2. Run the following command to configure the Event Collector service:
wecutil qc /q
3. Create a source initiated subscription. This can either be done programmatically, by using
the Event Viewer, or by using Wecutil.exe. If you use Wecutil.exe, you must create an event
subscription XML file and use the following command:
wecutil cs configurationFile.xml
Reference:
https://docs.microsoft.com/en-us/windows/win32/wec/setting-up-a-source-initiated-
subscription#forwarding-the-security-log
Question 180
Your company has a wireless access point that uses WPA2-Enterprise.
You need to configure a computer to connect to the wireless access point.
○ Create a provisioning package in Windows Configuration Designer.

● Request a passphrase.
○ Request and install a certificate.
○ Create a Connection Manager Administration Kit (CMAK) package.
References:
https://support.microsoft.com/en-za/help/17137/windows-setting-up-wireless-network

Question 181
A user named User1 has a computer named Computer1 that runs Windows 10.
User1 connects to a Microsoft Azure virtual machine named VM1 by using Remote Desktop.
User1 creates a VPN connection named VPN1 to connect to a partner organization.
When the VPN1 connection is established, User1 cannot connect to VM1. When User1
disconnects from VPN1, the user can connect to VM1.
You need to ensure that User1 can connect to VM1 while connected to VPN1.
What should you do?
○ From the proxy settings, add the IP address of VM1 to the bypass list to bypass
the proxy.
● From the properties of VPN1, clear the Use default gateway on remote
network check box.
○ From the properties of the Remote Desktop connection to VM1, specify a Remote
Desktop Gateway (RD Gateway).
○ From the properties of VPN1, configure a static default gateway address.
References:
https://www.stevejenkins.com/blog/2010/01/using-the-local-default-gateway-with-a-windows-
vpn-connection/
Question 182
Your network contains an Active Directory domain. The domain contains a user named
Admin1. All computers run Windows 10.
You enable Windows PowerShell remoting on the computers.
You need to ensure that Admin1 can establish remote PowerShell connections to the
computers. The solution must use the principle of least privilege.
To which group should you add Admin1?
○ Access Control Assistance Operators

○ Power Users
○ Remote Desktop Users
● Remote Management Users
References:
https://4sysops.com/wiki/enable-powershell-remoting/

Question 183
You have 200 computers that run Windows 10 and are joined to an Active Directory domain.
You need to enable Windows Remote Management (WinRM) on all the computers by using
Group Policy.
Which three actions should you perform? Each correct answer presents part of the solution.
● Set the Startup Type of the Windows Remote Management (WS-Management)

service to Automatic.
○ Enable the Windows Defender Firewall: Allow inbound Remote Desktop
exceptions setting.
● Enable the Allow remote server management through WinRM setting.
● Enable the Windows Defender Firewall: Allow inbound remote administration
exception setting.
○ Enable the Allow Remote Shell access setting.
○ Set the Startup Type of the Remote Registry service to Automatic.
References:
http://www.mustbegeek.com/how-to-enable-winrm-via-group-policy/

Question 184
Your network contains an Active Directory domain. The domain contains the objects shown in
The domain is configured to store BitLocker Drive Encryption (BitLocker) recovery passwords.
User1 encrypts an external disk on Computer1 by using BitLocker to Go.
User2 moves the external disk to Computer2 and unlocks the disk.
You need to view the BitLocker recovery password.
Which objects are used to store the recovery password?

○ User1 only
● Computer1 only
○ User1 and Computer1 only
○ User1 and User2 only
Reference:
and-adds-faq

Question 185
A user has a computer that runs Windows 10.
When the user connects the computer to the corporate network, the user cannot access the
internal corporate servers. The user can access servers on the Internet.
You run the ipconfig command and receive the following output.
You send a ping request and successfully ping the default gateway, the DNS servers, and the
DHCP server.
Which configuration on the computer causes the issue?
● the DNS servers

○ the IPv4 address
○ the subnet mask
○ the default gateway address

Question 186
You have a computer named Computer1 that runs Windows 10. Computer1 is joined to an
Active Directory domain named adatum.com. The domain contains two groups named Group1
and Group2.
Computer1 contains a folder named C:\Folder1 that has the file permissions shown in the
following table.
You need to share C:\Folder1. The solution must ensure that the members of Group2 can
access all the files in the share.
What should you do?
○ From File Explorer, use Network File and Folder Sharing. Assign the Read
permission to Group2.
○ From File Explorer, use Advanced Sharing. Assign the Read share permission to
Group2.
○ From Control Panel, use Advanced sharing settings. Configure file and printer
sharing for the network profile of the domain.
● At a command prompt, run the net share Share=C:\Folder1
/grant:adatum\group2,read command.
Reference:
https://techgenix.com/net-share-command-30/
Question 187
You are troubleshooting the network connectivity of a computer that runs Windows 10. The
computer is connected physically to the network but rejects network traffic from an external
source.
You need to reinstall the TCP/IP stack on the computer.
What should you run?
● the netsh int ip reset command

○ the Reset-NetAdapterAdvancedProperty cmdlet
○ the netcfg -d command
○ the Debug-NetworkController cmdlet
Reference:
https://howtofix.guide/reset-tcp-ip/

Maintain Windows (76 questions)

Case Study

Overview
General Overview
Litware, Inc. is a consulting company that has a main office in Montreal and branch offices in
Seattle and New York.
Environment
The network contains an on-premises Active Directory domain named litware.com. The
domain contains the computers shown in the following table.
The network that uses 192.168.10.0/24 connects to the internet by using a Network Address
Translation (NAT) device.

Windows Admin Center is installed on Server1.
The domain contains the groups shown in the following table.
Computer1 contains a folder named D:\Folder1 that has permission inheritance disabled.
Computer1 contains a file named D:\Folder1\Report.docx that has the permissions shown in
D:\Folder1\Report.docx has auditing configured as shown in the following table.

Group1 and Group2 are members of the Remote Desktop Users group.

Requirements and Planned Changes
Planned Changes
Litware plans to make the following changes on Computer1:

 Grant User3 Allow Full control permissions to D:\Folder1.
Litware identifies the following technical requirements:
 Configure custom Visual Effect performance settings for Computer1.

 Manage Computer2 by using Windows Admin Center.
Delivery Optimization on the computers that run Windows 10 must be configured to meet the
 Content must be downloaded only from an original source.

 Downloading content from peer cache clients must be prevented.
 Downloads must be optimized by using the Delivery Optimization cloud service.
Question 188
Which users can sign in to Computer3 when the computer starts in Safe Mode?
● User31 only
○ User31 and User32 only
○ User31 and Admin1 only
○ User31, User 32, User33, and Admin1
○ User31, User32, and User33 only
Explanation:
Only users with membership of the local Administrators group can log on to a computer in safe
mode. Admin1 cannot log in because Computer3 is not joined to the domain.
References:
https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-
b90e7808-80b5-a291-d4b8-1a1af602b617
Question 189
You need to ensure that you can manage Computer2 by using Windows Admin Center on
Server1.
What should you do on Computer2?
○ Install the Remote Server Administration Tool (RSAT) optional features.

● Run the winrm quickconfig command.
○ Set the Windows Management Service Startup type to Automatic and start the
service.
○ Run the Set-Location cmdlet.
References:
https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-
center/azure/manage-azure-vms


Case Study

Overview
Active Directory
licenses.
Client Computers
joined to Azure AD.

- User certificates
Security Policies
LocalAdmin.
(LAPS).
Problem Statements

Provide employees with a configuration file to configure their VPN connection.

requirements.

Question 190
You need to recommend a solution to monitor update deployments.
○ Windows Server Update Services (WSUS)

○ the Update Management solution in Azure Automation
● the Update Compliance solution in Azure Log Analytics
○ the Azure Security Center
References:
https://docs.microsoft.com/en-us/windows/deployment/update/update-compliance-monitor
Question 191
HOTSPOT
You need to reduce the amount of time it takes to restart Application1 when the application
crashes.
What should you include in the solution? To answer, select the appropriate options in the
answer area.

Solution:
Reference:
https://www.howto-connect.com/how-to-attach-a-task-to-this-event-in-event-viewer-in-
windows-10/


Case Study

Overview

Requirements
Planned Changes
office users.
(EULA).

Question 192
You need to meet the quality update requirement for ComputerA.
For how long should you defer the updates?
○ 14 days
● 10 years
○ 5 years
○ 180 days
○ 30 days
References:
https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview
Question 193
The computer fails to start, and you receive the following error message: “BOOTMGR image is
corrupt. The system cannot boot”.
You need to repair the system partition.
Which command should you run from Windows Recovery Environment (WinRE)?
○ fdisk.exe
○ chkdsk.exe
● diskpart.exe
○ bcdboot.exe
Explanation:
DiskPart, which has replaced fdisk, is a command-line utility that provides the ability to
manage disks, partitions or volumes in your computer running all versions of operating system
since Windows 2000.
References:
https://www.diskpart.com/windows-10/diskpart-windows-10-1203.html

Question 194
HOTSPOT
You have a computer named Computer1 that runs Windows 10. Computer1 contains a registry
key named Key1 that has the values shown in the exhibit. (Click the Exhibit tab.).
You have a Registration Entries (.reg) file named File1.reg that contains the following text.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Key1]
"String1"=-
@="2"
You need to identify the effect of importing File1.reg to Computer1.

Solution:
Explanation:
Box 1: String1 will be deleted.

To delete a value, append equals and then minus to the value. For example:
"String1"=-
Box 2: Value1 will have a value of 1

@="2" sets the default value to 1 but Value1 already has a DWORD value.
A DWORD (32-bit) value is a hexadecimal value. Value1 is 0x00000001 which is 1.
References:
https://www.computerhope.com/issues/ch000848.htm
https://www.computerperformance.co.uk/vista/reg-create/

Question 195
HOTSPOT
User Account Control (UAC) on Computer1 is configured as shown in the following exhibit.

Solution:
Explanation:
Box 1: Yes
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval
Mode is set to Prompt for consent When an operation requires elevation of privilege, the user
is prompted to select either Permit or Deny. If the user selects Permit, the operation continues
with the user's highest available privilege.
Box 2: Yes
User1 is a member of Administrators group.
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval
Mode is set to Prompt for consent When an operation requires elevation of privilege, the user
is prompted to select either Permit or Deny. If the user selects Permit, the operation continues
with the user's highest available privilege.
Box 3: Yes
User Account Control: Behavior of the elevation prompt for standard users is set to Prompt for
credentials (Default) When an operation requires elevation of privilege, the user is prompted
to enter an administrative user name and password. If the user enters valid credentials, the
operation continues with the applicable privilege.
References:
https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-
control/user-account-control-security-policy-settings

Question 196
You have a computer named Computer1 that runs Windows 10 and is in a workgroup.
A local standard user on Computer1 named User1 joins the computer to the domain and uses
the credentials of User2 when prompted.
You need to ensure that you can rename Computer1 as Computer33.
Solution: You use the credentials of User1 on Computer1.
○ Yes
● No
Explanation:
Renaming a domain-joined computer will also rename the computer account in the domain. To
do this, you need domain administrator privileges.
User1 is a standard user.
References:
directory-security-groups#bkmk-domainadmins

Question 197
You have two computers named Computer1 and Computer2 that run Windows 10.
You have an Azure Active Directory (Azure AD) user account named admin@contoso.com that
is in the local Administrators group on each computer.
You sign in to Computer1 by using admin@contoso.com.
You need to ensure that you can use Event Viewer on Computer1 to connect to the event logs
on Computer2.
Solution: On Computer2, you run the winrm quickconfig command.
○ Yes
● No
Explanation:
Windows Remote Management is a component of the Windows Hardware Management
features that manage server hardware locally and remotely.
References:
https://docs.microsoft.com/en-us/windows/win32/winrm/about-windows-remote-management
Question 198
You deploy Windows 10 to several computers. The computers will be used by users who
frequently present their desktop to other users.
You need to prevent applications from generating toast notifications in the notification area.
Which settings should you configure from the Settings app?
○ Shared experiences
○ Privacy
● Focus assist
○ Tablet mode
Explanation:
Focus Assist will automatically hide incoming notifications, so they don’t pop up and distract
you while you’re playing a game, giving a presentation, or using a full-screen application.

Incorrect Answers:
A: Shared Experiences allow you to start a task on one device and finish it on another device.
D: Tablet mode makes Windows 10 more touch-friendly when using your device as a tablet.
References:
https://www.howtogeek.com/435349/how-to-disable-windows-10s-annoying-focus-assist-
notifications/

Question 199
HOTSPOT
Your network contains an Active Directory domain named adatum.com. The domain contains
two computers named Computer1 and Computer2 that run Windows 10.
The domain contains the user accounts shown in the following table.
Computer2 contains the local groups shown in the following table.
The relevant user rights assignments for Computer2 are shown in the following table.

Solution:
Explanation:
Box 1: Yes
User1 is an administrator and has the Allow log on through Remote Desktop Services.
Box 2: No
User2 is a member of Group2 which has the Deny log on through Remote Desktop Services.
Box 3: Yes
User3 is a member of the administrators group and has the Allow log on through Remote
Desktop Services.
Note: Deny permissions take precedence over Allow permissions. If a user belongs to two
groups, and one of them has a specific permission set to Deny, that user is not able to perform
tasks that require that permission even if they belong to a group that has that permission set
to Allow.
References:
https://docs.microsoft.com/en-us/azure/devops/organizations/security/about-
permissions?view=azure-devops&tabs=preview-page%2Ccurrent-page

Question 200

SIMULATION
time.
for that task.

password below.
Password: Passw0rd!
You need to ensure that Client3 starts in safe mode automatically the next time the computer
restarts. After completing the task, you must NOT restart Client3.
Explanation:
1. From Client3, open the System Configuration utility by pressing the Windows & R keys
simultaneously to display the Run box .
2. Type “msconfig” into the box, and then click OK.

3. In the “System Configuration” window, switch to the “Boot” tab.
4. Enable the “Safe Boot” check box, and then make sure the “Minimal” option below that is
selected. Click the “OK” button when you’re done.
5. You will be prompted to Restart or Exit without restart. Click Exit without restart.

Reference:
https://www.howtogeek.com/howto/windows-vista/force-windows-to-boot-into-safe-mode-
without-using-the-f8-key/

Question 201

SIMULATION
time.
for that task.

password below.
Password: Passw0rd!
You need to create a user account named User5 on Client2. The solution must meet the
 Prevent User5 from changing the password of the account.

 Ensure that User5 can perform backups.
 Use the principle of least privilege.


Explanation:
1. On Client2, press the Win + X keys on your keyboard. Then, click or tap the Computer
Management option from the menu.
2. Expand the Local Users and Groups from the left side of the window, and select Users.
3. Right-click somewhere on the blank space found in the middle section of the window,
and click or tap on New User. This opens the New User window, where you can enter all
the details about the new user account.
4. Type the user name and, optionally, its full name and description.
5. Type the password to be used for that user and confirm it.
6. Select the User cannot change password check box.
7. Click Create and Windows immediately creates the user account. When you are done
creating user accounts, click Close in the New User window.
1. Press the Win + R keys to open Run, type secpol.msc into Run, and click/tap on OK to
open Local Security Policy.
2. Expand open Local Policies in the left pane of Local Security Policy, click/tap on User
Rights Assignment, and double click/tap on the Back up files and directories
policy in the right pane.
3. Click/tap on the Add User or Group button.
4. Click/tap on the Object Types button.
5. Check all the boxes for Object types, and click/tap on the OK.
6. Click/tap on the Advanced button.
7. Click/tap on the Find Now button, select the name of the user or group
8. Click/tap on OK.
9. Click/tap on OK.
10.When finished, you can close Local Users and Groups.
Reference:
https://www.digitalcitizen.life/geeks-way-creating-user-accounts-and-groups
settings/user-rights-assignment

Question 202

SIMULATION
time.
for that task.

password below.
Password: Passw0rd!
You need to create a group named Group2 on Client2. The members of Group2 must be able
to change the system time. The solution must use the principle of least privilege.
Explanation:
1. On Client2, Press Windows+R

2. Type lusrmgr.msc
3. Right click Groups and click New Group.

4. Type in the Group name and a description.
5. Click Add to add members to this group. Specify the name of the user or group or
computer to be added.
6. Click Create and Close.
1. Press the Win + R keys to open Run, type secpol.msc into Run, and click/tap on OK to
open Local Security Policy.
2. Expand open Local Policies in the left pane of Local Security Policy, click/tap on User
Rights Assignment, and double click/tap on the Change the system time policy in
the right pane.
3. Click/tap on the Add User or Group button.
4. Click/tap on the Object Types button.
5. Check all the boxes for Object types, and click/tap on the OK.
6. Click/tap on the Advanced button.
7. Click/tap on the Find Now button, select the name of the user or group
8. Click/tap on OK.
9. Click/tap on OK.
10.When finished, you can close Local Users and Groups.
Reference:
https://www.windows-active-directory.com/local-user-management.html
https://www.ten
forums.com/tutorials/92910-allow-prevent-users-groups-change-time-windows-10-
a.html#option1

Question 203

SIMULATION
time.
for that task.

password below.
Password: Passw0rd!


Users who attempt to sign in to the domain from Client3 report that the sign-ins fail.
Explanation:
1. Use a local administrator account to log on to the computer.

2. Select Start, press and hold (or right-click) Computer > Properties.
3. Select Change settings next to the computer name.
4. On the Computer Name tab, select Change.
5. Under the Member of heading, select Workgroup, type a workgroup name, and then
select OK.
6. When you are prompted to restart the computer, select OK.
7. On the Computer Name tab, select Change again.
8. Under the Member of heading, select Domain, and then type the domain name.
9. Select OK, and then type the credentials of the user who has permissions in the domain.
10.When you are prompted to restart the computer, select OK.
11.Restart the computer.

Reference:
https://support.microsoft.com/en-us/help/2771040/the-trust-relationship-between-this-
workstation-and-the-primary-domain

Question 204

SIMULATION
time.
for that task.

password below.
Password: Passw0rd!


You need to ensure that Windows feature updates on Client1 are deferred for 15 days when
the updates become generally available.
Explanation:
1. Select the Start button, then select Settings > Update & Security > Windows Update.
2. Under Update settings, select Advanced options.
3. From the boxes under Choose when updates are installed, select the number of days
you would like to defer a feature update or a quality update.
Reference:
https://support.microsoft.com/en-us/help/4026834/windows-10-defer-feature-updates

Question 205
on Computer2.
Solution: On Computer2, you enable the Remote Event Log Management inbound rule from
Windows Defender Firewall.
● Yes
○ No
Reference:
and-2008/cc766438(v=ws.11)?redirectedfrom=MSDN

Question 206
on Computer2.
Solution: On Computer2, you create a Windows Defender Firewall rule that allows
eventwr.exe.
○ Yes
● No
Reference:
and-2008/cc766438(v=ws.11)?redirectedfrom=MSDN

Question 207
You test Windows updates on Computer1 before you make the updates available to other
computers.
You install a quality update that conflicts with a custom device driver.
You need to remove the update from Computer1.
Solution: From an elevated command prompt, you run the wusa.exe command and specify the
/uninstall parameter.
● Yes
○ No
References:
https://support.microsoft.com/en-us/help/934307/description-of-the-windows-update-
standalone-installer-in-windows

Question 208
computers.
Solution: From System Restore, you revert the system state to a restore point that was
created before the update was installed.
● Yes
○ No
Question 209
You have 100 computers that run Windows 10. The computers belong to a workgroup.
The computers have a low-bandwidth metered Internet connection.
You need to reduce the amount of Internet bandwidth consumed to download updates.
○ BranchCache in hosted mode

○ BranchCache in distributed cache mode
● Delivery Optimization
○ Background Intelligent Transfer Service (BITS)
References:
https://support.microsoft.com/en-us/help/4468254/windows-update-delivery-optimization-faq

Question 210
You have 20 computers that run Windows 10.
You configure all the computers to forward all the events from all the logs to a computer
named Computer1 that runs Windows 10.
When you sign in to Computer1, you cannot see any security events from other computers.
You can see all the other forwarded events from the other computers.
You need to ensure that the security events are forwarded to Computer1.
What should you do?
○ On each computer, run wecutil qc /q.

○ On each computer, add the NETWORK SERVICE account to the Event Log Readers
group.
○ On each computer, run winrm qc –q.
● On Computer1, add the account of Computer1 to the Event Log Readers group.
References:
https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-
forwarding-to-assist-in-intrusion-detection

Question 211
HOTSPOT
You have a computer named Computer1 that runs Windows 10 and contains the following
files:
 C:\Folder1\File1.bat
 C:\Folder1\File1.exe
 C:\Folder1\File1.cmd
A user named User1 is assigned Read & execute to all the files.
Computer1 is configured as shown in the exhibit.

Solution:
Explanation:
The command prompt will open in the user profile folder. In the exhibit, USERPROFILE is
C:\Users\User1.
PathExt is an Environment Variable that stores a list of the file extensions for operation system
to execute. When running a command line that does not contain an extension, the system
uses the value of this environment variable to determine which extensions to look for and in
what order, such as .com first, follow by .exe, .bat, .cmd, which happens to be the default
value stored in the PathExt by Windows.
In the exhibit, PATHEXT shows that .exe comes before .bat and .cmd. Therefore, File1.exe will
run.
Reference:
https://www.nextofwindows.com/what-is-pathext-environment-variable-in-windows

Question 212
You discover that Windows updates are failing to install on the computer.
You need to generate a log file that contains detailed information about the failures.
Which cmdlet should you run?
○ Get–LogProperties
○ Get–WindowsErrorReporting
● Get–WindowsUpdateLog
○ Get–WinEvent
References:
https://docs.microsoft.com/en-us/powershell/module/windowsupdate/get-
windowsupdatelog?view=win10-ps
Question 213
HOTSPOT
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs Windows Server 2016 and a computer named Computer1 that
runs Windows 10.
Server1 contains a share named Backup. All users can read and write data in Backup.
On Monday at 13:00, you configure Backup and Restore (Windows 7) on Computer1 to use the
following settings:
 Backup Destination:\\Server1\Backup
 What do you want to back up?:Local Disk (D:), Include a system image of drives: System
Reserved, (C:)
 Schedule: Daily at 23:00
You need to identify how many backups will be available on Thursday at 17:00.

Solution:
References:
https://www.windowscentral.com/how-make-full-backup-windows-
10#create_system_image_windows10https://www.bleepingcomputer.com/tutorials/create-
system-image-in-windows-7-8/

Question 214
HOTSPOT
You are planning a recovery strategy for computers that run Windows 10.
You need to create recovery procedures to roll back feature updates and quality updates
within five days after an installation.
What should you include in the procedures? To answer, select the appropriate options in the
answer area.
Solution:
Reference:
https://www.thewindowsclub.com/rollback-uninstall-windows-10-creators-update
https://www.dummies.com/computers/pcs/undo-windows-update/

Question 215
You can start the computer but cannot sign in.
You need to start the computer into the Windows Recovery Environment (WinRE).
What should you do?
○ Turn off the computer. Turn on the computer, and then press F8.
○ Turn off the computer. Turn on the computer, and then press F10.
● From the sign-in screen, hold the Shift key, and then click Restart.
○ Hold Alt+Ctrl+Delete for 10 seconds.
References:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-recovery-
environment--windows-re--technical-reference
Question 216
HOTSPOT
You are a network administrator at your company.
A user attempts to start a computer and receives the following error message: “Bootmgr is
missing.”
You start the computer in recovery mode.
Which command should you run next? To answer, select the appropriate options in the answer
area.

Solution:
References:
https://neosmart.net/wiki/bootmgr-is-missing/
Question 217
Your company purchases 20 laptops that use a new hardware platform.
In a test environment, you deploy Windows 10 to the new laptops.
Some laptops frequently generate stop errors.
You need to identify the cause of the issue.
● Reliability Monitor
○ Task Manager
○ System Configuration
○ Performance Monitor
References:
https://lifehacker.com/how-to-troubleshoot-windows-10-with-reliability-monitor-1745624446

Question 218
HOTSPOT
You have 100 computers that run Windows 10. You have no servers. All the computers are
joined to Microsoft Azure Active Directory (Azure AD).
The computers have different update settings, and some computers are configured for manual
updates.
You need to configure Windows Update. The solution must meet the following requirements:
 The configuration must be managed from a central location.

 Internet traffic must be minimized.
 Costs must be minimized.
How should you configure Windows Update? To answer, select the appropriate options in the
answer area.

Solution:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb
https://docs.microsoft.com/en-us/windows/deployment/update/waas-delivery-optimization

Question 219
You have a computer named LON-CL1.Adatum.com that runs Windows 10.
From Event Viewer, you create a custom view named View1 that has the following filter:
The event does not appear in View1.
You need to ensure that the event appears in View1.
What should you do?
 User: User1
 Logged: Any time
 Event logs: System
 Computer: LON-CL1
 Event IDs: 10000 – 11000
 Event level: Error, Verbose
You open Event Viewer and discover the event shown in the exhibit. (Click the Exhibit tab.)

● Add a Task Category setting to the filter.
○ Add the computer account to the Event Log Readers group.
○ Create an event subscription.
○ Modify the Computer setting in the filter.
References:
https://www.techrepublic.com/article/how-to-use-custom-views-in-windows-10s-event-viewer/
Question 220
You have a computer named Computer1 that runs Windows 10 and has an application named
App1.
You need to use Performance Monitor to collect data about the processor utilization of App1.
Which performance object should you monitor?
● Process
○ Processor Performance
○ Processor Information
○ Processor
References:
https://www.cse.wustl.edu/~jain/cse567-06/ftp/os_monitors/index.html
Question 221
You have a computer that runs Windows 10 and has File History enabled. File History is
configured to save copies of files every 15 minutes.
At 07:55, you create a file named D:\Folder1\File1.docx.
You add D:\Folder1 to File History and manually run File History at 08:00.
You modify File1.docx at the following times:
 08:05
 08:12
 08:20
 08:24
 08:50
At 08:55, you attempt to restore File1.docx.
How many previous versions of File1.docx will be available to restore?

○ 2
○ 3
● 4
○ 5
Question 222
You manage devices that run Windows 10.
Ten sales users will travel to a location that has limited bandwidth that is expensive. The sales
users will be at the location for three weeks.
You need to prevent all Windows updates from downloading for the duration of the trip. The
solution must not prevent access to email and the Internet.
What should you do?
○ From Network & Internet in the Settings app, set a data limit.
○ From Accounts in the Settings app, turn off Sync settings.
● From Network & Internet in the Settings app, set the network connections as
metered connections.
○ From Update & Security in the Settings app, pause updates.
Question 223
You deploy Windows 10 to a computer named Computer1.
Computer1 contains a folder named C:\Folder1. Folder1 contains multiple documents.
You need to ensure that you can recover the files in Folder1 by using the Previous Versions
tab.
What are three possible ways to achieve the goal? Each correct answer presents a complete
the solution.
● Set up Backup and Restore (Windows 7) and include Folder1 in the backup.
● Enable File History and add Folder1 to File History.
● Enable File History and include Folder1 in the Documents library.
○ Select Allow files in this folder to have contents indexed in addition to
file properties from the properties of Folder1.
○ Select Folder is ready for archiving from the properties of Folder1.
Reference:
https://www.tenforums.com/tutorials/79490-restore-previous-versions-files-folders-drives-
windows-10-a.html

Question 224
HOTSPOT
You have a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com that
contains the users shown in the following table.
Computer1 is in a workgroup and has the local users shown in the following table.
User1 joins Computer1 to Azure AD by using user1@contoso.com.

Solution:
Question 225
HOTSPOT
Which users can analyze the event logs on Computer1? To answer, select the appropriate

Solution:
References:
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-
accounts#sec-localsystem
Question 226
Your company has a main office and a branch office. The offices connect to each other by
using a WAN link. Access to the Internet is provided through the main office.
The branch office contains 25 computers that run Windows 10. The computers contain small
hard drives that have very little free disk space.
You need to prevent the computers in the branch office from downloading updates from peers
on the network.
What should you do?
○ From the Settings app, modify the Delivery Optimizations settings.

○ Configure the network connections as metered connections.
● Configure the computers to use BranchCache in hosted cache mode.
○ Configure the updates to use the Semi-Annual Channel (Targeted) channel.
References:
https://docs.microsoft.com/en-us/windows/deployment/update/waas-branchcache

Question 227
Solution: From Update & Security in the Settings app, you turn on Pause Updates.
○ Yes
● No
References:
https://www.makeuseof.com/tag/5-ways-temporarily-turn-off-windows-update-windows-10/

Question 228
Solution: From Network & Internet in the Settings app, you set the network connections as
metered connections.
● Yes
○ No
References:
https://www.makeuseof.com/tag/5-ways-temporarily-turn-off-windows-update-windows-10/

Question 229
Solution: From Network & Internet in the Settings app, you set a data limit.
○ Yes
● No
Question 230
computers.
Solution: From an elevated command prompt, you run the wmic qfe delete command.
○ Yes
● No

Question 231
You have a computer that runs Windows 10 and has BitLocker Drive Encryption (BitLocker)
enabled on all volumes.
You start the computer from Windows Recovery Environment (WinRE).
You need to read the data on the system drive.
What should you do?
○ Run cipher.exe and specify the /rekey parameter

○ Run cipher.exe and specify the /adduser parameter
○ Run manange-bde.exe and specify the -off parameter
● Run manage-bde.exe and specify the -unlock parameter
References:
https://www.repairwin.com/how-to-disable-bitlocker-in-windows-recovery-environment-winre/
Question 232
You complete a full back up of Computer1 to an external USB drive. You store the USB drive
offsite.
You delete several files from your personal Microsoft OneDrive account by using File Explorer,
and then you empty the Recycle Bin on Computer1.
You need to recover the files 60 days after you deleted them in the least amount of time
possible.
○ the OneDrive recycle bin

● the full backup on the external USB drive
○ Recovery in the Settings app
References:
https://support.office.com/en-us/article/restore-deleted-files-or-folders-in-onedrive-949ada80-
0026-4db3-a953-c99083e6a84f

Question 233
computers.
What are three possible ways to achieve the goal? Each correct answer presents a complete
solution.
● From Programs and Features, uninstall an update.

○ From Windows PowerShell, run the Remove-WindowsPackage cmdlet.
● From an elevated command prompt, run the wusa.exe command and specify the
/uninstall parameter.
○ From an elevated command prompt, run the wmic qfe delete command.
● From System Restore, revert the system state to a restore point that was created
before the update was installed.
Question 234
Computer1 has a Trusted Platform Module (TPM) version 1.2.
The domain contains a domain controller named DC1 that has all the Remote Server
Administration Tools (RSAT) installed.
BitLocker Drive Encryption (BitLocker) recovery passwords are stored in Active Directory.
You enable BitLocker on the operating system drive of Computer1.
A software update on Computer1 disables the TPM, and BitLocker enters recovery mode.
You need to recover your BitLocker password for Computer1.
What should you use to retrieve the recovery password?
○ Disk Management
○ manage –bde with the –unlock parameter
● Active Directory Users and Computers
○ repair-bde with the –f parameter

Question 235
HOTSPOT
user accounts shown in the following table.
In Event Viewer, you create two custom views named View1 and View2. All users have access
to the views. View1 shows errors and warnings from the Security event log. View2 shows
errors and warnings from the System event log.
Which users can use the views? To answer, select the appropriate options in the answer area.

Solution:
Question 236
You have a computer that runs Windows 8.1.
When you attempt to perform an in-place upgrade to Windows 10, the computer fails to start
after the first restart.
You need to view the setup logs on the computer.
Which folder contains the logs?
● \$Windows.~BT\Sources\Panther\
○ \Windows\Logs
○ \Windows\Temp
○ \$Windows.~BT\Inf
References:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-log-
files-and-event-logs

Question 237
run Windows 10.
On a different computer named Computer1, you plan to create a collector-initiated

subscription to gather the event logs from the Windows 10 computers.
You need to configure the environment to support the event log collection.
● Add Computer1 to the Event Log Readers group on the Windows 10 computers
○ Add Computer1 to the Event Log Readers group on Computer1
○ On the Windows 10 computers, change the Startup Type of Windows Event
Collector to Automatic
● Enable Windows Remote Management (WinRM) on the Windows 10 computers
○ Enable Windows Remote Management (WinRM) on Computer1
Reference:
and-2008/cc748890(v=ws.11)
Question 238
You have several computers that run Windows 10.
All users have Microsoft OneDrive for Business installed.
Users frequently save files to their desktop.
You need to ensure that all the users can recover the files on their desktop from OneDrive for
Business.
○ Copy ADMX and ADML files to C:\Users\Public\Desktop\

○ From Backup in the Settings app, add a drive
● Configure the Silently move Windows known folders to OneDrive settings
● Copy ADMX and ADML files to C:\Windows\PolicyDefinitions
○ Configure the Save documents to OneDrive by default setting
References:
https://docs.microsoft.com/en-us/onedrive/plan-onedrive-enterprise
https://docs.microsoft.com/en-us/onedrive/use-group-policy#KFMOptInNoWizard

Question 239
tab.
Solution: You enable File History and add Folder1 to File History.
● Yes
○ No
Reference:
https://support.microsoft.com/en-za/help/17128/windows-8-file-history
Question 240
tab.
Solution: You enable File History and add Folder1 in the Documents library.
● Yes
○ No

Reference:
Question 241
tab.
Solution: You set up Backup and Restore (Windows 7) and include Folder1 in the backup.
● Yes
○ No
Reference:
windows-10-a.html
Question 242
You have a computer that runs Windows 10. You use the computer to test new Windows
features.
You need to configure the computer to receive preview builds of Windows 10 as soon as
possible.
What should you configure from Update & Security in the Settings app?
● Windows Insider Program

○ Windows Update
○ Delivery Optimization
○ For developers
Reference:
https://insider.windows.com/en-us/getting-started/

Question 243
You have a computer named Computer1 that runs Windows 10. Computer1 connects to
multiple wireless networks.
You need to view the wireless networks to which Computer1 connects.
○ the System log in Event Viewer

● Wi-Fi in the Settings app
○ the properties of the wireless adapter in Network Connections in Control Panel
○ the Details tab for the wireless adapter in Device Manager
Reference:
https://www.windowscentral.com/how-connect-wi-fi-network-windows-10

Question 244
HOTSPOT
You include Folder1, Folder2, and Folder3 in the Documents library.
You configure File History to run every 15 minutes, and then turn on File History.
Solution:

Question 245
A user has a computer that runs Windows 10. The user has access to the following storage
locations:
 A USB flash drive

 Microsoft OneDrive
 OneDrive for Business
 A drive mapped to a network share
 A secondary partition on the system drive
You need to configure Back up using File History from the Settings app.
Which two storage locations can you select for storing File History data? Each correct answer
presents a complete solution.

○ OneDrive for Business
○ OneDrive
● the USB flash drive
● the secondary partition on the system drive
○ the drive mapped to a network share

Question 246

HOTSPOT
two computers named Computer1 and Computer2 that run Windows 10 and are joined to the
domain.
On Computer1, you create an event subscription named Subscription1 for Computer2 as

shown in the Subscription1 exhibit. (Click the Subcription1 tab.)
Subscription1 is configured to use forwarded events as the destination log.
On Computer1, you create a custom view named View1 as shown in the View1 exhibit. (Click
the View1 tab.)


Solution:

Question 247
tab.
Solution: You select Folder is ready for archiving from the properties of Folder1.
○ Yes
● No
Explanation:
The previous versions feature in Windows 10 allows you to restore a previous version of files,
folders, and drives that were saved or backed up as part of a restore point, File History, and/or
Windows Backup.
References:
windows-10-a.html

Question 248
● Yes
○ No
Explanation:
User3 is a domain administrator.
References:

Question 249
○ Yes
● No
Explanation:
User2 is a domain user, not an administrator. Use User3's credentials instead.
References:
directory-security-groups

Question 250
You need to enable boot logging on Computer1.
What should you do?
○ At a command prompt, run the bcdboot.exe command and specify the /v

parameter.
○ From the Settings app, configure the Start settings.
○ From System Properties in Control Panel, configure the Startup and Recovery
settings.
● From System Configuration configure the Boot settings.
Reference:
https://www.windowscentral.com/how-enable-boot-log-windows-10
Question 251
on Computer2.
Solution: On Computer2, you run the Enable-PSRemoting cmdlet.
○ Yes
● No
Explanation:
The solution to this question is to configure the firewall to enable the Remote Event Log
Management inbound rule.
The Enable-PSRemoting cmdlet configures the computer to receive PowerShell remote

commands that are sent by using the WS-Management technology.

Reference:
psremoting?view=powershell-7.1
Question 252
○ Yes
● No
Explanation:
User4 is a server operator, not an administrator. Members of the Server Operators group can
sign in to a server interactively, create and delete network shared resources, start and stop
services, back up and restore files, format the hard disk drive of the computer, and shut down
the computer.
Use User3's credentials instead.
Reference:

Question 253
From Event Viewer on Computer1, you have a task named Action1 that is attached to the
following event:
 Log: System
 Source: Kernel-General
 Event ID: 16
You need to modify the settings of Action1.

○ the Settings app
○ Task Scheduler
● Event Viewer
○ System Configuration
Explanation:
An Event Viewer task is created and modified in Event Viewer.
Reference:
https://www.techrepublic.com/article/how-to-use-custom-views-in-windows-10s-event-viewer/

Question 254
Solution: From Accounts in the Settings app, you turn off Sync settings.
○ Yes
● No

Question 255
HOTSPOT
You have a computer that runs Windows 10. You view the domain services status as shown in
the following exhibit.

Solution:
Explanation:
Device is Azure AD joined; not domain joined.

The MDM URLs in the exhibit indicate the device is enrolled in Endpoint Manager.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-device-dsregcmd
https://github.com/MicrosoftLearning/MD-101T00-
ManagingModernDesktops/blob/master/Instructions/Labs/0403-
Enrolling%20devices%20in%20Intune.md
Question 256
You sign in by using your Microsoft account and set up the Microsoft OneDrive sync app to
connect to your personal OneDrive account.
You plan to configure OneDrive to back up the important PC Folders.
Which three folders can be backed up by OneDrive?
● Desktop, Documents, and Pictures

○ Desktop, Music, and Pictures
○ Documents, Music, and Videos
○ Music, Pictures, and Videos

Reference:
https://support.microsoft.com/en-us/office/back-up-your-documents-pictures-and-desktop-
folders-with-onedrive-d61a7930-a6fb-4b95-b28a-6552e77c3057
Question 257
You are troubleshooting Windows 10 updates that fail to install on a computer that runs
Windows 10.
You delete the contents of the SoftwareDistribution folder.
You need to delete the signatures of the Windows Update packages.
Which folder should you delete?
● %systemroot%\system32\catroot2
○ %systemdrive%\recovery
○ %systemroot%\WinSxS
○ %systemdrive%\System Volume Information
References:
https://tipsmake.com/how-to-delete-pending-updates-on-windows-10
Question 258
You are troubleshooting an issue that prevents you from installing Windows 10 updates.
You discover that the issue relates to corrupt protected system files.
You need to restore the corrupt system files.
○ scanstate
● sfc
○ chkdsk
○ chkntfs
References:
https://support.microsoft.com/en-us/topic/use-the-system-file-checker-tool-to-repair-missing-
or-corrupted-system-files-79aa86cb-ca52-166a-92a3-966e85d4094e

Question 259
You have computers that run Windows 10. The computers are joined to an Azure Active
Directory (Azure AD) tenant and enrolled in Microsoft Intune.
You need to recommend a solution for help desk administrators that meets the following
requirements:
 The administrators must assist users remotely by connecting to each user’s computer.
 The remote connections must be initiated by the administrators. The users must
approve the connection.
 Both the users and the administrators must be able to see the screen of the users’
computer.
 The administrators must be able to make changes that require running applications as a
member of each computer’s Administrators group.
Which tool should you include in the recommendation?

○ Remote Desktop
● Intune
○ Remote Assistance
○ Quick Assist
References:
https://docs.microsoft.com/en-us/mem/intune/remote-actions/remote-assist-mobile-devices

Question 260
HOTSPOT
You have a computer that runs Windows 10. The computer contains two local user accounts
named User1 and User2. User2 is a member of the local Administrators group.
User1 performs the actions shown in the following table.
User2 performs the actions shown in the following table.

Solution:
Question 261
You need to be able to recover the computer by using System Image Recovery.
What should you use to create a system image?
○ Windows System Image Manager (Windows SIM)

● Backup and Restore (Windows 7)
○ File History
○ System Protection
Reference:
https://answers.microsoft.com/en-us/windows/forum/windows_10/how-to-create-a-system-
image-in-windows-10/84fa6683-e3ac-4e93-9139-368af9267869
Question 262
You sign in to a computer that runs Windows 10 Pro.
You need to ensure that after a restart, the computer starts automatically in Safe Mode with
Networking.
What should you use to configure the restart options?
○ bootcfg
● BCDEdit
○ Windows System Image Manager (Windows SIM)
○ bootrec
Reference:
https://www.lifewire.com/how-to-force-windows-to-restart-in-safe-mode-2625163

Question 263
You have a Microsoft 365 tenant that contains 70 remote users.
The remote users work from various locations.
Recently, each remote user purchased a personal computer that runs Windows 10 Home.
You need to configure the VPN settings on the computers automatically by using the least
amount of administrative effort.
○ an unattend answer file

○ a Group Policy Object (GPO)
○ Windows Autopilot
● a provisioning package
Reference:
packages
Question 264
Computer1 was off for one year. During that time, two feature updates and 12 quality updates
were released.
From the Microsoft Update Catalog website, you download the missing updates and save the
updates to Computer1.
You need to ensure that Computer1 runs the latest version of Windows 10 and is fully
updated. The solution must minimize the amount of time required to update the computer.
What should you do?
● Install the last feature update, and then install the last quality update.
○ Install the last quality update, and then install both feature updates.
○ Install the last quality update, and then install the last feature update.
○ Install the last feature update, and then install all the quality updates released
after the feature update.
○ Install all the quality and feature updates in the order in which they were
released.
Reference:
https://docs.microsoft.com/en-us/windows/deployment/update/get-started-updates-channels-
tools

Question 265
HOTSPOT
You have the computers shown in the following table.
You apply the 20H2 feature update as soon as the update is available.
How many months of servicing does each computer support without installing another feature
update? To answer, select the appropriate options in the answer area.

Solution:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/update/get-started-updates-channels-
tools
Question 266
run Windows 10.
You discover a known compatibility issue between a feature update and a device driver on the
computers.
You need to test the installation of the feature update on a test computer.
Which Windows Update setting should you configure by using a Group Policy Object (GPO)?
○ Automatic Updates detection frequency

● Disable safeguards for Feature Updates
○ Select the target Feature Update version
○ Reschedule Automatic Updates scheduled installations
Reference:
https://docs.microsoft.com/en-us/windows/deployment/update/safeguard-opt-out
Question 267
run Windows 10. The computers are used as shown in the following table.
You need to apply updates based on the computer usage.
○ Notifications & actions from System in the Settings apps.

● the Windows Update for Business settings by using a Group Policy Object (GPO)
○ the Windows Installer settings by using a Group Policy Object (GPO)
○ Delivery Optimization from Update & Security in the Settings apps
Reference:
https://docs.microsoft.com/en-us/windows/deployment/update/waas-wufb-group-policy

Question 268
HOTSPOT
You have the computer shown in the following table.
You plan to configure deployment rings for Windows 10 quality and feature updates.
What is the maximum number of days you can defer installing quality updates, and which
computers support installing feature updates from Windows Update? To answer, select the
Solution:

Reference:
https://docs.microsoft.com/en-us/windows/deployment/update/waas-configure-wufb

Microsoft - 11 07 21 MD 100

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Microsoft - 11 07 21 MD 100

Uploaded by

Copyright:

Available Formats

Reference Solution for

Licensed to Vagner Santos vagner23ti@gmail.com

2 Licensed to Vagner Santos vagner23ti@gmail.com

To start the case study

The domain contains a user account for an employee named User10.

User10 has a computer named Computer10.

Fabrikam has the following operational procedures:

3 Licensed to Vagner Santos vagner23ti@gmail.com

Fabrikam identifies the following issues:

 Employees in the finance department use an application named Application1.

 Provide employees with a configuration file to configure their VPN connection.

4 Licensed to Vagner Santos vagner23ti@gmail.com

You need to implement a solution to configure the contractors’ computers.

NOTE: Each correct selection is worth one point.

The ‘configuration file’ in this case is known as a ‘provisioning package’.

A provisioning package (.ppkg) is a container for a collection of configuration settings. With

What should you do?

○ Request that a Windows 10 Enterprise license be assigned to User10, and then

6 Licensed to Vagner Santos vagner23ti@gmail.com

7 Licensed to Vagner Santos vagner23ti@gmail.com

To start the case study

Contoso has IT, human resources (HR), and finance departments.

Contoso uses Microsoft 365.

All computers run Windows 10 Enterprise.

8 Licensed to Vagner Santos vagner23ti@gmail.com

The domain has the users shown in the following table.

Computer1 has the local users shown in the following table.

Contoso identifies the following technical requirements:

Which Windows 10 deployment method should you use?

○ wipe and load refresh

Windows Autopilot is a collection of technologies used to set up and pre-configure new

10 Licensed to Vagner Santos vagner23ti@gmail.com

You need to meet the technical requirement for Computer1.

NOTE: Each correct selection is worth one point.

11 Licensed to Vagner Santos vagner23ti@gmail.com

Box 2: User 12.

You discover that none of the computers are activated.

What should you include in the recommendation?

○ Volume Activation Management Tool (VAMT)

12 Licensed to Vagner Santos vagner23ti@gmail.com

 Uses Microsoft Edge as the default browser

13 Licensed to Vagner Santos vagner23ti@gmail.com

NOTE: Each correct selection is worth one point.

As we have performed a clean installation of Windows 10 without formatting the drives,

15 Licensed to Vagner Santos vagner23ti@gmail.com

You have a computer named Computer1 that runs Windows10.

A service named Application1 is configured as shown in the exhibit.

Does this meet the goal?

17 Licensed to Vagner Santos vagner23ti@gmail.com

You have a computer named Computer1 that runs Windows 10.

A service named Application1 is configured as shown in the exhibit.

Does this meet the goal?

18 Licensed to Vagner Santos vagner23ti@gmail.com

19 Licensed to Vagner Santos vagner23ti@gmail.com

You have a computer named Computer1 that runs Windows 10.

A service named Application1 is configured as shown in the exhibit.

Does this meet the goal?

20 Licensed to Vagner Santos vagner23ti@gmail.com

21 Licensed to Vagner Santos vagner23ti@gmail.com

What should you do first?

● Purchase an infrared (IR) camera.

The company purchases 1,000 new computers.

NOTE: Each correct selection is worth one point.