13.3.5 Client Pro Practice Questions
You are trying to implement Credential Guard on a Windows 10 Pro machine, but you can't find the Credential Guard option. Which of the following is the most likely reason?
- Credential Guard is not available on Windows 10 Pro.
- You are not looking in Group Policy.
- You are running a 64-bit version of Windows.
- You have VMware installed.
Credential Guard is not available on Windows 10 Pro.
EXPLANATION
Credential Guard is not available on Windows 10 Pro. It is only available on Windows 10 Enterprise and Windows 10 Education. Credential Guard must be enabled in Group Policy, but the most likely reason for the issue in this scenario is the wrong version of Windows 10. Credential Guard requires a 64-bit version of Windows, so this is not a likely reason. Having a different virtualization software, such as VMware, would not prevent Credential Guard from working.
REFERENCES
TestOut Client Pro - 13.3 Windows Defender Credential Guard
Which of the following options under Credential Guard Configuration would you select if you need to be able to disable Credential Guard remotely?
- Enabled with UEFI lock
- Disabled
- Enabled without lock
- Not Configured
Enabled without lock
EXPLANATION
The Enabled without lock option allows Credential Guard to be disabled remotely by using Group Policy. The devices that use this setting must be running at least Windows 10 (version 1511). The Disabled option turns off Credential Guard remotely if it was previously turned on with the Enabled without lock option. The Enabled with UEFI lock option ensures that Credential Guard cannot be disabled remotely. In order to disable this feature, you must set the Group Policy to Disabled and remove the security functionality from each computer. This must be done with a physically present user in order to clear the configuration persisted in UEFI. The Not Configured option leaves the policy setting undefined since Group Policy does not write the policy setting to the registry. In this manner, it has no impact on computers or users. If there is a current setting in the registry, it is not modified.
REFERENCES
TestOut Client Pro - 13.3 Windows Defender Credential Guard
Where do you go to enable Windows Defender Credential Guard?
- Computer Management
- Group Policy
- Windows Defender settings
- Server Roles
Group Policy
EXPLANATION
Windows Defender Credential Guard is enabled in Group Policy settings. The settings are located at Computer Configuration > Administrative Templates > System > Device Guard. Server Roles allows you to enable or disable different features of the Windows Server, but not Credential Guard. Windows Defender settings is not where Credential Guard is enabled. Computer Management allows you to manage different settings and configurations for the computer, but not for Credential Guard.
REFERENCES
TestOut Client Pro - 13.3 Windows Defender Credential Guard
What type of security ticket is used to establish the session with servers in an AD DS network?
- Active Directory Domain Service
- LSA
- Kerberos
- VSM
Kerberos
EXPLANATION
Kerberos tickets are used to establish sessions with servers within the AD DS network. When a server receives a request for a session, it checks the Kerberos ticket for authentication. After authentication, the server checks the source of the ticket to validate that it's from a trusted source. Active Directory Domain Service (AD DS) handles user management functions in Windows Server. The Local Security Authority (LSA) is where Kerberos tickets and other security-related information are stored on the local system. Virtual Secure Mode (VSM) is a feature in Hyper-V that provides added security to any data stored in physical RAM.
REFERENCES
TestOut Client Pro - 13.3 Windows Defender Credential Guard
Where are Kerberos tickets stored on the local system?
- VBS
- AD DS
- VSM
- LSA
LSA
EXPLANATION
The Local Security Authority (LSA) is where Kerberos tickets and other security-related information are stored on the local system. Active Directory Domain Service (AD DS) handles user management functions in Windows Server. Virtualization-based security (VBS) is used to harden, or protect, the LSA process running on the local workstation. Virtual Secure Mode (VSM) is a feature in Hyper-V that provides added security to any data stored in physical RAM.
REFERENCES
TestOut Client Pro - 13.3 Windows Defender Credential Guard
You have enabled Credential Guard in Group Policy, and you need it to take effect immediately. Which of the following actions will make this happen? (Select two.)
- Nothing. Group Policies apply immediately.
- Push the policy from the server.
- Have the user run gpupdate /force in Command Prompt.
- Log the user out and back in.
- Run gpupdate /force from an elevated Command Prompt.
- Run gpupdate /force from an elevated Command Prompt.
- Log the user out and back in.
EXPLANATION
Group Policy settings are generally applied after a user logs out and then back in. You can immediately apply Group Policy settings by running gpupdate /force from an elevated Command Prompt. You can't push Group Policies out to be immediately applied. They are only applied using the two methods above. Group Policies are not immediately applied without action on your part. Having the user run gpupdate /force will not work, as the user does not have the proper privileges.
REFERENCES
TestOut Client Pro - 13.3 Windows Defender Credential Guard
Which of the following are minimum requirements to implement Credential Guard? (Select three.)
- 2 GHz CPU
- Windows Secure Boot
- 4 GB RAM
- Windows 10 Home edition or above
- TPM chip on motherboard
- CPU virtualization extensions
- 32-bit version of Windows
- TPM chip on motherboard
- CPU virtualization extensions
- Windows Secure Boot
EXPLANATION
Before you can implement Credential Guard on your Windows system, the following requirements must be met:
- Credential Guard is available only on 64-bit editions of Windows 10 Enterprise and Windows 10 Education.
- The CPU must include virtualization extensions:
  ~ For Intel CPUs: VT-x
  ~ For AMD CPUs: AMD-V
- The CPU must support Second Layer Address Translation (SLAT).
- You must enable virtualization in the UEFI firmware.
- You must have a TPM chip on the motherboard.
- You must have Windows Secure Boot.
Windows 10 Home edition would not include Credential Guard. The amount of RAM is not pertinent to Credential Guard. There is no minimum amount of RAM for running Credential Guard. A 32-bit version of Windows will not meet the minimum requirements for Credential Guard. The speed of the CPU does not matter, but you must have the virtualization extensions and meet the minimum requirements for Windows.
REFERENCES
TestOut Client Pro - 13.3 Windows Defender Credential Guard
What is the purpose of Credential Guard?
- To authenticate Kerberos tickets
- To verify user credentials
- To prevent attackers from stealing credentials
- To encrypt usernames and passwords
To prevent attackers from stealing credentials
EXPLANATION
Credential Guard is a component of Windows Defender that is a virtualization-based isolation technology for Local Security Authority Subsystem Service (LSASS). Its purpose is to prevent attackers from stealing credentials. Credential Guard does not encrypt usernames and passwords. Credential Guard is not responsible for verifying user credentials. The LSA handles this process. Credential Guard does not authenticate Kerberos tickets. This is done by the AD DS.
REFERENCES
TestOut Client Pro - 13.3 Windows Defender Credential Guard
Which technology does Credential Guard use to block access to the tickets stored within the LSA?
- VBS
- VSM
- Kerberos
- AD DS
VBS
EXPLANATION
Virtualization-based security (VBS) is used to harden, or protect, the Local Security Authority (LSA) process running on the local workstation. Active Directory Domain Service (AD DS) handles user management functions in Windows Server. Kerberos tickets are used to establish sessions with servers within the AD DS network. Virtual Secure Mode (VSM) is a feature in Hyper-V that provides added security to any data stored in physical RAM.
REFERENCES
TestOut Client Pro - 13.3 Windows Defender Credential Guard
Which of the following can tag processes running on the local system as belonging to a VM running within Hyper-V?
- Kerberos
- LSA
- VBS
- VSM
VSM
EXPLANATION
Virtual Secure Mode (VSM) is a feature in Hyper-V that provides added security to any data stored in physical RAM. VSM is able to tag processes running on the system as belonging to a virtual machine (VM) running within Hyper-V. Credential Guard uses this functionality to reallocate the LSA process and its associated data in RAM to a minimal virtual machine space that resides away from the host Windows operating system. The Local Security Authority (LSA) is where Kerberos tickets and other security-related information are stored on the local system. Virtualization-based security (VBS) is used to harden, or protect, the LSA process running on the local workstation. Kerberos tickets are used to establish sessions with servers within the AD DS network.
REFERENCES
TestOut Client Pro - 13.3 Windows Defender Credential Guard