chapter 13


How many Windows Defender Application Control (WDAC) policies can a computer system have defined for it?

1

On which of the following computers should a Windows Defender Application Control default policy be created?

A reference computer

You use a Windows desktop system. You need to configure Windows Firewall to allow traffic for a newly installed application that dynamically opens multiple ports on an as-needed basis. What should you do?

Add an exception for the application.

You use a Windows system that is a member of a domain. The computer is used by several different users belonging to different groups. You have a custom application on the computer, and you want to configure the firewall as follows: Allow a specific port used by the application. Open the port only for members of the Sales group. Using Windows Firewall with Advanced Security, what should you do to configure the firewall with the least effort possible?

Add an inbound rule for the port (opening a port means accepting connections from outside, so the rule is inbound, not outbound). Set the rule to allow the connection only if it is secure, then add the Sales group to the list of authorized users. Limiting a rule to users or groups only works on authenticated (IPsec) connections, so a matching connection security rule must also be in place.
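For the scenario above, an added example (not part of this study set) showing the same configuration from an elevated PowerShell session: a connection security rule that requires Kerberos user authentication on the port, and an inbound rule that allows the connection only when it is secure and the user is a member of the group. The domain name CORP, the group name Sales and the port 8443 are assumptions.

```powershell
# Added example, not from the original study set.
# Assumptions (hypothetical): domain CORP, group "Sales", application listening on TCP 8443.
$GroupName = 'CORP\Sales'
$Port      = 8443

# 1. A rule can only be restricted to authorized users when the connection is
#    authenticated, so require IPsec with Kerberos *user* authentication on that port.
$userKerb = New-NetIPsecAuthProposal -UserKerberos
$authSet  = New-NetIPsecPhase2AuthSet -DisplayName 'Sales app user auth' -Proposal $userKerb

New-NetIPsecRule -DisplayName 'Sales app - require authentication' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Protocol TCP -LocalPort $Port `
    -Phase2AuthSet $authSet.Name

# 2. Translate the group to a SID and build the SDDL string that -RemoteUser expects.
#    "CC" is the access right the "Authorized users" list in the MMC writes as well.
$sid  = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
$sddl = "O:LSD:(A;;CC;;;$sid)"

# 3. The inbound allow rule: only secure connections, and only from Sales members.
#    Inbound, not outbound: the port is opened to accept connections from clients.
New-NetFirewallRule -DisplayName 'Sales app - members of Sales only' `
    -Direction Inbound -Protocol TCP -LocalPort $Port -Action Allow `
    -Authentication Required -RemoteUser $sddl -Profile Domain

# 4. Verify: the security filter shows the authentication requirement and the SDDL.
Get-NetFirewallRule -DisplayName 'Sales app - members of Sales only' |
    Get-NetFirewallSecurityFilter
```

The rule is scoped to the Domain profile because Kerberos user authentication only works while the machine can reach a domain controller; a client that is not a Sales member (or not authenticated at all) is simply dropped at the port.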

You have installed a new Windows system, and you have not changed the default configuration of the Windows Firewall. How will the Windows Firewall handle inbound responses to requests sent from the local system?

All such traffic is allowed by default.

You have installed a new Windows 10 system, and you have not changed the default configuration of the Windows Firewall. How will the Windows Firewall handle inbound traffic that was initiated from an external server that a hacker is using to spread a worm?

All such traffic is blocked by default.

Windows provides several interfaces that can be used to configure the Windows Defender Firewall. Drag the Windows Firewall interface on the left to its appropriate description on the right. (Each tool may be used once, more than once, or not at all.)

Allows you to create rules based on ports. -> Windows Defender Firewall with Advanced Security
Lets you add, change, or remove ports that are allowed through the firewall. -> Allowed apps
Allows you to turn a firewall on or off for a specific profile or network. -> Firewall & Network Protection
Allows you to create rules based on authentication. -> Windows Defender Firewall with Advanced Security
The main interface and starting point for the other two interfaces. -> Firewall & Network Protection

What does Exploit protection use to help mitigate exploit techniques?

Antivirus software

Which type of settings needs to be configured for you to manage the implementation of Application Guard?

Application-Specific

Which capability of Windows Defender Advanced Threat Protection provides the first line of defense in the stack by ensuring that configuration settings are properly set and exploit mitigation techniques are applied?

Attack Surface Reduction

Which of the following are minimum requirements to implement Credential Guard? (Select three.)

CPU virtualization extensions
TPM chip on motherboard
Windows Secure Boot

You need to change how Windows provides notifications when the firewall blocks a new program. Click the links that you would choose to make this change. (Select two.)

Change notification settings
Turn Windows Defender Firewall on or off

Match the Windows Security scan options to their descriptions. Each scan option is only used once.

Checks all files and running programs on the hard drive. -> Full scan
Restarts the computer and uses up-to-date definitions to find and remove threats. -> Offline scan
Checks folders where threats are commonly found. -> Quick scan
Lets you choose which files and folders to scan. -> Custom scan

Which of the following web browsers can be used to access Windows Defender Advanced Threat Protection (ATP)? (Select two.)

Chrome
Edge

What does Application Control use to lock down systems by allowing only certain things to run?

Code integrity policies

Windows Defender Advanced Threat Protection shows the collective state of your devices in the following categories: application, operating system, network, accounts, and security controls. Which capability provides this information?

Configuration Score

Where would you go on the computer system to enable Application Guard in Standalone mode?

Control Panel

Which Windows Security feature has the following configuration options?
Block: prevents suspicious or malicious software from making changes to protected folders.
Block disk modification only: prevents untrusted apps from writing to disk sectors.
Disable: stops the feature.
Audit disk modification only: tracks untrusted apps that write to disk sectors.
Audit Mode: tracks rather than prevents changes to protected folders.

Controlled folder access

Your corporate security policy states that a specific connection-oriented application must be blocked from accessing the internet. You must use Windows Firewall with Advanced Security to complete the task. What should you do?

Create an outbound rule blocking the corresponding TCP port on each machine.

What should you do before you install a third-party anti-malware program?

Disable Windows Security. (On Windows 10, Microsoft Defender Antivirus turns itself off automatically once a registered third-party antivirus product is installed; two real-time scanners running at once cause conflicts and performance problems.)

Which of the following web browsers does Application Guard support? (Select two.)

Edge
Internet Explorer

You have a Windows system that has both wired and wireless network connections. The wired connection is on the internal private network, but the wireless connection is used for public connections. You need to allow help desk users to use Remote Assistance to help you while working on the wired network, but you want to block any such access from the wireless network. How can you configure Windows Firewall to allow and deny access as described?

Enable the Remote Assistance exception only on the private profile.

Which of the following PowerShell commands enable Application Guard in Standalone mode?

Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard

Match each capability of Windows Defender Advanced Threat Protection with its description. Each capability is only used once.

Further reinforces the security perimeter of your network. -> Next Generation Protection
Provides proactive hunting, prioritization, and additional context and insights. -> Microsoft Threat Experts
Uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. -> Threat & Vulnerability Management
Shows the collective security configuration state of your machines across application, operating system, network, accounts, and security controls. -> Configuration Score
Lets you integrate Microsoft Defender Advanced Threat Protection into your existing workflows. -> Centralized Configuration and Administration

Where do you go to enable Windows Defender Credential Guard?

Group Policy

Which tool can be used to enable Application Guard in Enterprise Mode?

Group Policy

Which of the following determines the reputation of an app by which WDAC rules can be defined?

Intelligent Security Graph

Which of the following Microsoft solutions does Windows Defender Advanced Threat Protection (ATP) directly integrate with?

Intune

Which of the following best describes IPsec?

Is used to secure IP communication between network hosts.

What type of security ticket is used to establish the session with servers in an AD DS network?

Kerberos

Where are Kerberos tickets stored on the local system?

LSA

You are logged into the Windows Defender Security portal. You notice that a machine has a malware program on it. You know what this program is, and you want to leave a comment so others can identify the malware. Under which setting can you leave comments?

Manage alerts

Which of the following is a characteristic of a virus?

Must be attached to a file or program to run

Which Application Guard settings need to be configured so that any non-corporate approved resources can be accessed using Application Guard?

Network Isolation

Which statements are true regarding firewalls? (Select two.)

Network firewalls are typically implemented using hardware and positioned at the network's perimeter.
Host-based firewalls are implemented using software and reside on the individual hosts within the network.

Which component of Exploit Guard helps prevent access to internet domains that may host phishing scams, exploits, and other malicious content?

Network protection

Which PowerShell cmdlet is used to generate the code integrity policy XML file?

New-CIPolicy

You need to create an exception in a Windows 10 workstation's firewall that will allow externally initiated Remote Desktop sessions through. You want to do this from within a PowerShell session. Which command should you use?

New-NetFirewallRule -DisplayName "Allow Remote Desktop" -Direction Inbound -LocalPort 3389 -Protocol TCP -Action Allow

When should you disable the Windows firewall?

Only if the computer is protected by a different firewall program.

You manage several Windows systems that are connected to the network as shown. Both Comp1 and Comp2 are configured to use static IP addresses. To test the connection between the computers, you enter ping 192.168.23.38 on Comp1's Command Prompt; however, the ping is unsuccessful and times out. You then use the ping 192.168.23.231 command on Comp2's Command Prompt, but the ping times out again. You need the ping commands to succeed between the two computers. What should you do?

Permit ICMPv4 traffic through the firewalls of both computers.

With a Windows firewall, which option best describes the role of the access control list?

Permits or denies network traffic through a firewall.

Which of the following tools must be used on the reference machine to generate the code integrity policy?

PowerShell

Match each controlled folder access configuration option to its description.

Prevents suspicious or malicious software from making changes to protected folders. -> Block
Prevents untrusted apps from writing to disk sectors. -> Block disk modification only
Stops the Controlled Folder Access feature. -> Disable
Tracks untrusted apps that write to disk sectors. -> Audit disk modification only
Tracks rather than prevents changes to protected folders. -> Audit Mode

Which of the following predefined exceptions in Windows Firewall allows users to view and control remote desktops?

Remote Assistance

If a program has been quarantined, what must you do to run it again?

Restore the program

Your Windows system has been infected with malware that has replaced the standard boot loader on the hard disk with its own malicious software. Which type of exploit is being used in this scenario?

Rootkit

You have enabled Credential Guard in Group Policy, and you need it to take effect immediately. Which of the following actions will make this happen? (Select two.)

Run gpupdate /force from an elevated Command Prompt.
Restart the computer. (Credential Guard runs inside virtualization-based security, which starts at boot; a log-off is not enough.)

Which of the following types of malware are designed to scam money from the victim? (Select two.)

Scareware
Ransomware

Which PowerShell cmdlet can be used to enable and configure controlled folder access?

Set-MpPreference

Which PowerShell cmdlet can be used to configure exploit protection?

Set-ProcessMitigation

Once a piece of malware is detected and reverse-engineered, its unique characteristics are identified. Anti-malware programs use these characteristics to identify malware. What do anti-malware programs call these unique characteristics of malware?

Signature

Which Windows Security feature helps protect a device against potentially dangerous apps, files, sites, and downloads?

SmartScreen

Which Application Guard mode allows users to manage their own device settings?

Standalone

Using Group Policy, you have accessed Windows Defender Application Guard's Network Isolation policy. Which of the following settings associated with this policy turns off Network Isolation's automatic discovery of private network hosts in the domain-corporate environment?

Subnet definitions are authoritative

What is the purpose of Credential Guard?

To prevent attackers from stealing credentials

Which of the following is a prerequisite for Windows Defender Application Control?

UEFI firmware

You manage a Windows computer that is shared by multiple users. Recently, a user downloaded and installed two malware programs on the computer. The applications had a .msi extension. What is the first line of defense in protecting your system against applications like these from being copied or downloaded to your system?

Use anti-malware software that provides real-time protection.

Which technology does Credential Guard use to block access to the tickets stored within the LSA?

VBS

Which of the following can tag processes running on the local system as belonging to a VM running within Hyper-V?

VSM

Group Policy can be used to deploy WDAC policies to which of the following versions of Windows 10?

Windows 10 Enterprise

Which version of Windows 10 is the minimum requirement to implement the Network Protection feature of Exploit Guard?

Windows 10 Enterprise E3

Which of the following meets the minimum licensing requirement to use Microsoft Defender Advanced Threat Protection?

Windows 10 Enterprise E5

Which of the following versions of Windows meets the minimum requirements to create WDAC policies?

Windows 10 Pro build 1903

You have noticed malware on your network that is spreading from computer to computer and deleting files. Which type of malware are you most likely dealing with?

Worm

You want to disable all outbound firewall rules using a PowerShell cmdlet. Which command should you use?

Disable-NetFirewallRule -Direction Outbound

You want to display a list of all disabled firewall rules in PowerShell. Which command should you use?

Get-NetFirewallRule -Enabled False

You are trying to set up and configure Microsoft Defender Advanced Threat Protection on your network. One of the client machines is not reporting properly. You need to verify that the diagnostic data service is enabled. Which command can you run to check this?

sc qc diagtrack

Which command can be used to attempt to repair infected files?

sfc

Put the steps for the suggested procedure for remediation of an infected system in the order they should be performed in.

1. Identify the symptoms
2. Quarantine the infected system
3. Disable System Restore
4. Update anti-malware definitions
5. Scan for and remove malware
6. Schedule future anti-malware scans
7. Re-enable System Restore
8. Educate the end user
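The procedure above, steps 2 through 7, as an added PowerShell example (not part of this study set) run from an elevated session on the infected machine. The system drive letter C:, quarantining by disabling the physical adapters, and the 02:00 scan schedule are assumptions; step 1 and step 8 are human tasks and have no command.

```powershell
# Added example, not from the original study set.
# Assumptions (hypothetical): system drive C:, quarantine by disabling the NICs.

# 2. Quarantine: take the machine off the network (unplugging the cable is safer still).
Get-NetAdapter -Physical | Disable-NetAdapter -Confirm:$false

# 3. Disable System Restore so an infected restore point cannot bring the malware back.
Disable-ComputerRestore -Drive 'C:\'

# 4. Update definitions. Re-enable the adapter briefly for this, or install an
#    offline definition package copied over on removable media.
Update-MpSignature

# 5. Scan and remove. A full scan checks all files and running programs; then review
#    what was detected and whether it is still active.
Start-MpScan -ScanType FullScan
Get-MpThreatDetection | Select-Object DetectionTime, ThreatID, ProcessName, Resources
Get-MpThreat          | Select-Object ThreatName, SeverityID, IsActive

# 6. Schedule future scans: a full scan every day at 02:00.
Set-MpPreference -ScanScheduleDay Everyday -ScanScheduleTime 02:00:00 -ScanParameters FullScan

# 7. Re-enable System Restore and take a known-clean restore point.
Enable-ComputerRestore -Drive 'C:\'
Checkpoint-Computer -Description 'Post-malware cleanup' -RestorePointType MODIFY_SETTINGS
```

Get-MpThreat reporting IsActive as True after the scan means the removal did not complete; rerun the scan, or use the offline scan from the Windows Security app, which restarts the machine and cleans the disk before Windows loads.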

You are trying to enable Application Guard on a system that has a 64-bit operating system and a CPU with four cores. You have received a message that your system doesn't meet the minimum hardware requirements. Which of the following is the most likely reason for this error?

The system has only 4 GB of RAM. Application Guard requires at least 8 GB of RAM in addition to a 64-bit CPU with virtualization extensions and four or more cores.

You are trying to implement Credential Guard on a Windows 10 Pro machine, but you can't find the Credential Guard option. Which of the following is the most likely reason?

Credential Guard is not available on Windows 10 Pro.

Which malware type is designed to facilitate identity theft?

Crimeware

Which Exploit protection mitigation needs to be enabled if you want to prevent executable code from being run from data-only memory pages?

Data Execution Prevention (DEP)

Which Windows Security feature alerts you if there are storage capacity issues?

Device performance & health

Which driver must be enabled for Windows Defender Advanced Threat Protection (ATP) to run?

ELAM

Which capability of Windows Defender Advanced Threat Protection (ATP) is put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars?

Endpoint Detection & Response

As part of your security auditing strategy, you would like a Windows 10 notebook system to record packets that have been dropped by firewall rules on your computer. You want to record only the packets dropped on public interfaces. You do not want to record information about allowed packets. What should you do?

In Windows Firewall with Advanced Security, configure logging for the public profile.

When setting up a connection security rule, which authentication method requires both computers to be in the same Active Directory forest?

Kerberos

A user keeps attempting to open a text file. All that happens is a Command Prompt window flashes on screen and then disappears. Which of the following actions will help you determine the cause of this issue?

Show full file extensions.

You have enabled and configured Application Guard in Enterprise mode and are now configuring the Network Isolation settings. You have chosen to enable the Enterprise resource domains hosted in the cloud option and added .testout.com to the list. What will happen when a user attempts to go to www.testout.com using the Microsoft Edge browser?

The site opens normally in Edge.

What are the vectors that an attacker can use to enter or extract data from an environment called?

Attack surface

You want to set up Exploit Protection. Which of the following steps should you take? (Select two. Each answer is a part of the process.)

Define your Exploit Protection settings and export them to an XML file.
Enable the Group Policy setting and enter the path to the exported file.
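An added example (not part of this study set) that works through the two Set-MpPreference and Set-ProcessMitigation cards earlier on the page and the two Exploit Protection steps above: controlled folder access is switched on in audit mode, given an extra folder and an allowed app, and its events are read back before it is set to block; Exploit protection is then configured, exported to XML, and applied from that file. The folder D:\Finance, the application C:\Apps\LOB\lobapp.exe and the export path C:\EP\ep.xml are assumptions.

```powershell
# Added example, not from the original study set.
# Assumptions (hypothetical): D:\Finance, C:\Apps\LOB\lobapp.exe, C:\EP\ep.xml.

# --- Controlled folder access ---
# Audit first: legitimate line-of-business apps often write to user folders and
# would be blocked outright in Enabled mode.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Apps\LOB\lobapp.exe'

# Event 1124 = audited (would have been blocked); 1123 = actually blocked (Enabled mode).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123, 1124
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message

# Switch to blocking once the 1124 events show only things that should be blocked.
Set-MpPreference -EnableControlledFolderAccess Enabled

# --- Exploit protection ---
# System-wide defaults: DEP (no code from data pages) and bottom-up ASLR for every process.
Set-ProcessMitigation -System -Enable DEP, BottomUp
# Per-application: force image relocation and block untrusted fonts for a legacy app.
Set-ProcessMitigation -Name 'lobapp.exe' -Enable ForceRelocateImages, DisableNonSystemFonts
# Show what is now in effect for that executable.
Get-ProcessMitigation -Name 'lobapp.exe'

# Step 1 of the card: export the settings to XML. This is the file the Group Policy
# setting "Use a common set of exploit protection settings" points at (step 2).
New-Item -ItemType Directory -Path 'C:\EP' -Force | Out-Null
Get-ProcessMitigation -RegistryConfigFilePath 'C:\EP\ep.xml'

# Without Group Policy, the same XML can be applied directly on another machine:
# Set-ProcessMitigation -PolicyFilePath 'C:\EP\ep.xml'
```

Per-application mitigations are keyed by executable name, not path, so every copy of lobapp.exe on the machine gets the same settings; test ForceRelocateImages on legacy binaries before deploying it, since images that were not built as relocatable will fail to start.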

After creating your code integrity policy XML file, you have gone into Group Policy and enabled the Deploy Windows Defender Application Control option. You specified the path to the code integrity policy file. When that policy file is downloaded to the client, what is the code integrity policy named?

SIPolicy.p7b
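An added example (not part of this study set) that ties together the New-CIPolicy, reference-machine and SIPolicy.p7b cards: a code integrity policy is generated on the reference computer, run in audit mode, refined from the audit log, and converted to the binary the client loads. The working folder C:\WDAC is an assumption, and the example uses the single-policy format the page describes (one policy per machine, delivered as SIPolicy.p7b). Run it from an elevated PowerShell session.

```powershell
# Added example, not from the original study set.
# Assumption (hypothetical): working folder C:\WDAC; single-policy (SIPolicy.p7b) format.
$Work = 'C:\WDAC'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Scan the reference machine. -Level Publisher trusts by signing certificate,
#    -Fallback Hash covers unsigned binaries, -UserPEs includes user-mode applications.
New-CIPolicy -FilePath "$Work\Policy.xml" -ScanPath 'C:\' `
    -Level Publisher -Fallback Hash -UserPEs

# 2. Start in audit mode so nothing is blocked yet, only logged.
Set-RuleOption -FilePath "$Work\Policy.xml" -Option 3    # 3 = Enabled:Audit Mode
Set-RuleOption -FilePath "$Work\Policy.xml" -Option 0    # 0 = Enabled:UMCI (user-mode too)

# 3. Convert the XML to the binary the kernel loads. Delivered by the Group Policy
#    setting it lands on the client as SIPolicy.p7b; for a local test, copy it there.
ConvertFrom-CIPolicy -XmlFilePath "$Work\Policy.xml" -BinaryFilePath "$Work\SIPolicy.p7b"
Copy-Item "$Work\SIPolicy.p7b" "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"
# Reboot, then run the normal workload for a while.

# 4. Review what *would* have been blocked: Event ID 3076 (audit) in the CodeIntegrity log.
#    3077 is the enforced-mode block once audit mode is removed.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message | Format-Table -Wrap

# 5. Turn the audit events into rules and merge them with the base policy.
New-CIPolicy -Audit -FilePath "$Work\Audit.xml" -Level Publisher -Fallback Hash -UserPEs
Merge-CIPolicy -PolicyPaths "$Work\Policy.xml", "$Work\Audit.xml" `
    -OutputFilePath "$Work\Merged.xml"

# 6. Remove the audit option to enforce, rebuild the binary, and point the
#    "Deploy Windows Defender Application Control" Group Policy setting at it.
Set-RuleOption -FilePath "$Work\Merged.xml" -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath "$Work\Merged.xml" -BinaryFilePath "$Work\SIPolicy.p7b"
```

Leave the audit cycle running long enough to cover monthly tasks and update installers; the most common WDAC outage is an updater or a signed-but-not-by-that-publisher helper that never ran during the audit window.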

Which of the following options under Credential Guard Configuration would you select if you need to be able to disable Credential Guard remotely?

Enabled without lock
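An added example (not part of this study set) covering the Credential Guard cards above: it reads the VBS state that Windows reports and the LsaCfgFlags value that Group Policy writes, and tells apart "configured but not yet running" (the policy applied, the reboot has not happened) from "enabled with UEFI lock" versus "enabled without lock". The function name Get-CredentialGuardState is an assumption; the class, namespace, registry locations and flag values are Microsoft's documented ones.

```powershell
# Added example, not from the original study set. Read-only; safe to run anywhere.
function Get-CredentialGuardState {
    # Win32_DeviceGuard reports VBS state. In the two services arrays,
    # 1 = Credential Guard and 2 = Hypervisor-enforced code integrity.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock.
    # Group Policy writes it under the Policies key; a local configuration lives under LSA.
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' -ErrorAction SilentlyContinue
    $local  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $flags  = if ($null -ne $policy.LsaCfgFlags) { $policy.LsaCfgFlags } else { $local.LsaCfgFlags }

    $lockMode = switch ($flags) {
        1       { 'Enabled with UEFI lock' }
        2       { 'Enabled without lock' }
        default { 'Not enabled' }
    }

    [pscustomobject]@{
        VbsRunning                = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($dg.SecurityServicesRunning -contains 1)
        LsaCfgFlags               = $flags
        LockMode                  = $lockMode
    }
}

Get-CredentialGuardState

# Configured = True but Running = False means the policy has reached the machine
# (gpupdate /force or the normal refresh) but it has not rebooted: the hypervisor
# and the isolated LSA process only start at boot.
# Only "Enabled without lock" (flags = 2) can be turned off remotely, by setting the
# policy back to 0 and rebooting. With the UEFI lock, the variable has to be cleared
# at the physical console, which is the point of the lock.
```

Check CredentialGuardRunning rather than the registry value when you want to know whether credentials are actually protected: the flag records intent, the running-services array records what the hypervisor started.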

You have a notebook system that is used both on public networks and on your private company network. The private network contains FTP servers that hold sensitive data. To protect the data, you need to ensure that the computer can connect to FTP servers only while it is connected to the private work network. What should you do?

In Windows Firewall with Advanced Security, create a new outbound rule. Outbound traffic is allowed by default, so the rule blocks TCP port 21 (FTP) and is applied to the Public profile only; FTP then keeps working on the private work network and nowhere else.

You're a system administrator for an international trading company that uses Azure Active Directory (AD) and Microsoft Intune to manage its mobile devices. All the company-owned mobile devices are registered in Azure AD and enrolled in Microsoft Intune. You've created the following dynamic user groups to manage access to company resources:
Managers: jobTitle = "Manager"
Consultants: jobTitle = "Customer Consultant"
OfficeAdmin: jobTitle = "Office Administrator"
SalesReps: jobTitle = "Sales Representative"
You've also created a device compliance policy that:
Marks a device that's enrolled in Intune as Not Compliant if Windows Defender anti-malware (Windows Security) isn't running on a managed Windows 10 device.
Sends an email notification to an employee (and you) indicating that the device is non-compliant.
Is assigned to All Groups (with the exception of users in the OfficeAdmin group).
After deploying the device compliance policy, you receive an email notification that a managed Windows 10 device that's assigned to a Sales Representative is Not Compliant. You need to bring the Windows 10 device back into compliance.
SOLUTION: You check with the Sales Representative and find out that she accepted the Sales Representative position after being an Office Administrator. You make sure that the Job Title in her user account is set to "Sales Representative."

No

Jared is a system engineer for an import distribution company. He's looking at using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) to provide security protection for all the company's devices. The devices are registered in Microsoft Azure Active Directory (Azure AD) and enrolled in Microsoft Intune. He's especially concerned about providing protection for the following security issues. Detecting and stopping malware before it gets to the company devices. Submitting sample files to Microsoft to help with protecting devices. Preventing others from tampering with important security features on the devices. What is the Microsoft Defender (Windows Security) feature that would meet these security requirements?

Virus & threat protection

Jared is a system engineer for an import distribution company that has employees in offices in Europe, Asia, and the United States. He's currently using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) to provide security protection for all the company devices. The devices are registered in Microsoft Azure Active Directory (Azure AD) and enrolled in Microsoft Intune. Jared has just received 100 Windows 10 laptop devices for sales reps at the New York City company headquarters. The devices are already joined to Azure AD and enrolled in Intune. Jared creates and applies an Intune disk encryption policy for the Windows 10 devices that includes the following BitLocker requirements:
Enforce the use of BitLocker on all the devices.
Hide any prompts about third-party encryption from the employees.
After distributing the devices, one of the sales reps sends Jared an email stating that he's experiencing data loss and other issues on his laptop.
SOLUTION: Jared checks with the sales rep (who has some IT experience) and finds out that he installed his favorite third-party encryption software on the laptop before BitLocker was enabled. Jared reinstalls Windows 10 on the laptop and reconfigures the Intune encryption policy to prompt the employees to confirm that no third-party encryption is in place, in order to avoid the problem in the future.

Yes

You're a system engineer for an import distribution company with offices in Europe, Asia, and the United States. You're currently using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) to provide security protection for all the company's Windows 10 devices. These devices include:
Laptops running Windows 10 version 1703
Laptops running Windows 10 version 1909
Dell Latitude tablets running Windows 10 Pro version 2004
You want to use Microsoft Intune to meet the following company security requirements on these devices:
Employees shouldn't be able to write data to removable drives that aren't protected by BitLocker.
Employees shouldn't be able to change installation options, such as entering a directory to install files.
Device Lock must be enabled on the devices.
Employees shouldn't be able to disable SmartScreen.
In addition, you've created the following Azure AD static user groups that use these particular devices:
SalesReps: Sales representatives using the Dell tablets.
Managers: Company managers using laptops running Windows 10 version 1703.
OffStaff: Office staff using laptops running both Windows 10 versions (1703 and 1909).
MarketReps: Marketing representatives using the Dell tablets and laptops running Windows 10 version 1703.
You decide to start by using Intune to enforce the security requirements for the marketing representatives.
SOLUTION: You update the laptops that are used by the marketing representatives from Windows 10 version 1703 to Windows 10 version 2004. You then create a security profile from the latest MDM security baseline (checking to make sure that the profile options meet the security requirements), and you assign the profile to the MarketReps user group.

Yes

You're a system engineer for an import distribution company with offices in Europe, Asia, and the United States. You're currently using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) to provide security protection for all the company's Windows 10 devices. In order to meet the company security requirements (and to help you apply the security settings that are recommended by the Windows security teams), you decide to begin using Intune security baselines to create security profiles for the Windows 10 devices in your company. However, when you attempt to create your first security profile using the MDM security baseline, you're denied access to the security baseline feature. Which of the following is the MOST likely reason for this issue?

Your Azure AD user account doesn't have the built-in Policy and Profile Manager role assigned to it.

