CH 9-13
12-23 Which PKI-related service is used for network devices such as switches and routers to enroll for an X.509 digital certificate from a CA? Answer: Network Device Enrollment Service (NDES), otherwise known as Simple Certificate Enrollment Protocol (SCEP)
Network Device Enrollment Service (NDES), otherwise known as Simple Certificate Enrollment Protocol (SCEP)
10-26 When the use of Internet Explorer 8, 9, and 10 is spread among your users, how many preference items must be created for Internet Explorer preferences? Answer: One for each version
One for each version
10-25 When you want to remove a setting when the GPO that delivered it is removed, which option must be selected on the Common tab? Answer: Remove this item when it is no longer applied
Remove this item when it is no longer applied
13-21 Which specific configuration must the relying party server have? Answer: Windows Identity Foundation or AD FS 1.0 claims-aware agent
Windows Identity Foundation or AD FS 1.0 claims-aware agent
10-21 Which four File Preference actions can be performed via GPOs? You can create, replace, update, or delete files and folders through group policies.
You can create, replace, update, or delete files and folders through group policies.
9-20 Describe the steps necessary to deploy software with group policies. (You have to create a distribution point, create a GPO to use for software distribution, and then assign a package to a user or computer.)
You have to create a distribution point, create a GPO to use for software distribution, and then assign a package to a user or computer.
13-23 Which other software is required to be installed before installing the Windows Identity Foundation SDK 4.0? Answer: .NET Framework 3.5 and the Windows Identity Foundation 3.5
.NET Framework 3.5 and the Windows Identity Foundation 3.5
12-26 When exporting to a .pfx file, which of the following must be provided? Answer: A password to protect the private key.
A password to protect the private key.
12-25 To configure key archival on a certificate template, which option must be enabled? Answer: Archive subject's encryption private key
Archive subject's encryption private key
11-24 Why should you consider configuring delta CRLs on your CA? Answer: CRLs can get very large over time
CRLs can get very large over time
13-25 Which of the following commands enables the AD FS Device Registration Service? Answer: Enable-AdfsDeviceRegistration
Enable-AdfsDeviceRegistration
12-24 By default, how often are group policies refreshed for domain members? Answer: Every 90 minutes
Every 90 minutes
12-21 In which folder of the Certificates MMC snap-in would you find the certificate belonging to your Enterprise Subordinate CA? Answer: Intermediate Certification Authorities
Intermediate Certification Authorities
12-22 What is the function of an enrollment agent? Answer: It allows the right to enroll other users for certificates.
It allows the right to enroll other users for certificates.
13-24 Describe the function of the relying party trust. Answer: It identifies the relying party so the federation server knows which application can use AD FS.
It identifies the relying party so the federation server knows which application can use AD FS.
11-22 By default, how are requests processed that are submitted to a Standalone CA? Answer: They are held pending CA administrator action
They are held pending CA administrator action
13-7 While testing AD FS claims-based authentication with a sample application, you encounter an error due to the self-signed certificate you opted to use. What can you do to eliminate this error? (*Choose all that apply*) a. Add the self-signed certificate to your computer's Trusted Root Certification Authorities store b. Add the self-signed certificate to the application server's Trusted Root Certification Authorities store c. Issue a valid certificate from your internal CA d. Configure AD FS to ignore self-signed certificate errors
a. Add the self-signed certificate to your computer's Trusted Root Certification Authorities store c. Issue a valid certificate from your internal CA
13-15 Which of the following components of Active Directory Federation Services is responsible for forwarding packets from external hosts to internal federation servers? a. Federation server proxy b. Claims provider c. Relying party d. Claim
a. Federation server proxy
13-8 By default, the AD FS server is configured with a claims provider trust named Active Directory. If you are communicating with other organizations, you need to create additional claims provider trusts for each federated organization. Which of the following options are available to get the data you need for the creation of these claims provider trusts? (*Choose all that apply*) a. Import data about the claims provider through the federation metadata b. Manually configure the claims provider trust c. Import data about the claims provider from a file d. Create a site-to-site VPN tunnel to bridge networks together
a. Import data about the claims provider through the federation metadata b. Manually configure the claims provider trust c. Import data about the claims provider from a file
13-9 Which step(s) must be performed when configuring a claims provider trust—steps that you will not need to perform while configuring a relying party trust? (*Choose all that apply*) a. Map attributes b. Specify the application c. Edit claims rules d. Provide a URL for the partner federation server
a. Map attributes c. Edit claims rules
13-4 Which options are available for the storage of the AD FS configuration settings? (*Choose all that apply*) a. SQL Server b. AD LDS or ADAM c. Windows Internal Database d. AD DS
a. SQL Server c. Windows Internal Database
13-3 In order to utilize AD FS, which of the following is the oldest version of Windows Server that any domain controller can be using? a. Windows Server 2003 SP1 b. Windows Server 2008 SP1 c. Windows Server 2008 R2 d. Windows Server 2012 e. Windows Server 2012 R2
a. Windows Server 2003 SP1
13-12 Which of the following features allows you to join a device (such as a smart phone) to the organization network without joining the device to the Active Directory domain? a. Workplace Join b. Domain Join c. Universal Join d. Global Join
a. Workplace Join
9-15 Where is the Central Store located? a. in the SYSVOL directory b. Microsoft Online c. TechNet d. on a domain controller public share
a. in the SYSVOL directory
10-15 GPP can be configured on domain controllers running which version of Windows Server? (*Choose all that apply*) a. 2003 b. 2008 c. 2008 R2 d. 2012
b. 2008 c. 2008 R2 d. 2012
13-16 Which of the following components of Active Directory Federation Services is the server that issues claims and authenticates users? a. Federation server proxy b. Claims provider c. Relying party d. Claim
b. Claims provider
13-11 In AD FS, which of the following allows you to create issuance authorization rules for relying party applications and allows you to use a custom 'Access Denied' message? a. Relying party permission policy b. Multifactor access control c. Usage policy d. Federation Service proxy
b. Multifactor access control
12-33 Which of the following statements best describes an advantage of configuring credential roaming? a. The user's certificates are securely stored in Active Directory. b. The user's certificates follow the user to each computer he or she logs in to. c. The user's certificates are automatically enrolled and issued upon first login. d. The user's certificates can be easily placed on a USB storage device.
b. The user's certificates follow the user to each computer he or she logs in to.
13-1 Which of the following best describes a benefit Single Sign-On provides for application users? a. Users are prohibited from being able to register multiple accounts within an application. b. Users are prevented from needing to remember multiple usernames and passwords. c. Users are provided an easy way to remember the login information for the application. d. Users are provided faster account lockout remediation.
b. Users are prevented from needing to remember multiple usernames and passwords.
13-6 Which add-on component can be downloaded from the Microsoft.com website to create a test Windows Identity Foundation (WIF) application which you can use to test AD FS claims-based authentication? a. AD FS Claims-Based Authentication Accelerator b. Windows Identity Foundation SDK 4.0 c. Windows Identity Foundation 3.5 d. AD FS Sample Application Accelerator
b. Windows Identity Foundation SDK 4.0
13-31 Which of the following commands should be used when configuring a new AD FS farm using the Windows Internal Database? a. fsconfig.exe StandAlone b. fsconfig.exe CreateFarm c. fsconfig.exe CreateSQLFarm d. fsconfig.exe JoinFarm
b. fsconfig.exe CreateFarm
13-13 Which of the following services is used to provision a device object in AD DS and issue a certificate for the Workplace-Joined Device? a. Domain Join Service b. AD FS Authentication Service c. Device Registration Service d. Device Emulation Service
c. Device Registration Service
10-2 For GPP editing states, which key is used to toggle Enable Current? a. F4 b. F5 c. F6 d. F7
c. F6
13-17 Which of the following components of Active Directory Federation Services is the application or web service that accepts claims? a. Federation server proxy b. Claims provider c. Relying party d. Claim
c. Relying party
12-31 You work at a government agency and have been tasked to implement a PKI built on Windows Server 2016. Which certificate template version must be used to meet the requirements imposed on your agency? a. Version 1 b. Version 2 c. Version 3 d. Version 4
c. Version 3
13-2 Which of the following are supported as attribute stores for AD FS? a. ADAM in Windows Server 2003, and AD LDS in Windows Server 2008 and higher b. Microsoft SQL Server 2005 c. Microsoft SQL Server 2008 d. All of the above
d. All of the above
13-10 In Windows Server 2016, which of the following is used to control who can use an AD FS application or service? a. Usage policies b. Proxy policies c. Rights policies d. Authentication policies
d. Authentication policies
13-14 Which of the following components of Active Directory Federation Services is a statement made by a trusted entity and includes information identifying the entity? a. Federation server proxy b. Claims provider c. Relying party d. Claim
d. Claim
13-5 Which PowerShell cmdlet is used to list the attribute stores currently configured for AD FS? a. List-ADFSAttributeStore b. Show-ADFSAttributeStore c. Display-ADFSAttributeStore d. Get-ADFSAttributeStore
d. Get-ADFSAttributeStore
12-32 Which of the following options can be used to most easily ensure the currently logged-in user has all applicable autoenrollment certificates and that roaming certificates have been downloaded locally? a. Have the user log out of the computer, and then log back in again b. Have the user issue the certutil -user -pulse command c. Have the user lock and unlock the workstation d. Have the user issue the gpupdate /force command
d. Have the user issue the gpupdate /force command
10-9 Which component allows you to create multiple Registry preference items based on registry settings that you select? a. the Registry Scope b. the Registry Extension c. the Registry Configurator d. the Registry Wizard
d. the Registry Wizard
13-22 Which command-line command can be used to configure the AD FS server? Answer: fsconfig.exe
fsconfig.exe
9-24 What is a security template? A security template is a collection of configuration settings stored in a text file with the INF extension. They're deployed as part of a computer or group policy.
A security template is a collection of configuration settings stored in a text file with the INF extension. They're deployed as part of a computer or group policy.
9-22 When you select the Assign software to a computer option, when does the software install on the computer? The software installs after the next reboot.
The software installs after the next reboot.
9-21 When you use the Assign software to a user option, how does the new software install to the user's computer? The user must launch the application or an associated file and then that application or file installs itself on first use.
The user must launch the application or an associated file and then that application or file installs itself on first use.
11-26 How do you configure a junior administrator to have the backup operator role for your CA? Answer: You must add their account to the Backup Operators group on the CA.
You must add their account to the Backup Operators group on the CA.
11-23 Before using a CAPolicy.inf file, what must you do? Answer: You must put the file in the required location before you install the AD CS or renew the CA certificate.
You must put the file in the required location before you install the AD CS or renew the CA certificate.
11-27 What will you find in the certificate revocation list (CRL)? Answer: You will find identifying information about every certificate ever revoked by the CA that published the CRL
You will find identifying information about every certificate ever revoked by the CA that published the CRL
10-5 Which Windows extension allows you to add, replace, or delete sections or properties in configuration settings or setup information files? a. .ini files b. files c. folders d. environment
a. .ini files
10-6 Which wildcard characters can be used to copy, replace, update, or delete files? (*Choose all that apply*) a. ? b. X c. $ d. *
a. ? d. *
11-2 Which of the following is not a benefit of PKI? a. Availability b. Integrity c. Confidentiality d. Authenticity
a. Availability
11-18 Which PKI role in AD CS issues certificates and manages certificate validity? a. CA b. Online Responder c. Network Device Enrollment Service d. CA Web Enrollment
a. CA
11-15 Which two values are required in a CAPolicy.inf file to set the CRL period to 4 hours? a. CRLPeriod=Hours b. CRLPeriodUnits=4 c. CRLDeltaPeriod=Hours d. CRLDeltaPeriodUnits=4
a. CRLPeriod=Hours b. CRLPeriodUnits=4
10-1 Which of the following utilities is used to create GPO preferences? a. Group Policy Management Editor b. Group Policy Preference Editor c. Group Policy Editor d. Group Policy Wizard
a. Group Policy Management Editor
11-14 To grant a junior administrator the ability to issue and revoke all certificate templates on your CA, which permission should be granted his or her AD account? a. Issue and Manage Certificates: Allow b. Manage CA: Allow c. Request Certificates: Allow d. Read: Allow
a. Issue and Manage Certificates: Allow
11-7 By default, if you install a CA server on January 1, 2018, when does the CA certificate expire? a. January 1, 2023 b. January 1, 2028 c. January 1, 2031 d. January 1, 2038
a. January 1, 2023
9-5 Which of the following are legitimate Administrative Template Property Filters? (*Select all that apply*) a. Keyword Filters b. Requirements Filters c. Security Filters d. Operating System Filters
a. Keyword Filters b. Requirements Filters
9-12 Which of the following is a state of an Administrative Template? (*Choose all that apply*) a. Not Configured b. Enabled c. Disabled d. Deployed
a. Not Configured b. Enabled c. Disabled
11-5 In Windows Server 2016 AD CS, how many Root CAs can be installed in a single certificate hierarchy? a. One b. Two c. Three d. Unlimited
a. One
12-2 Your organization issues certificates for code signing and user authentication to employees from a Windows Server 2016-based certificate authority. In which folders of the Certificates MMC snap-in would a user find the certificates that have been issued to him or her? (*Choose all that apply*) a. Personal b. Trusted People c. Other People d. Active Directory User Object
a. Personal d. Active Directory User Object
12-4 Which of the following permissions must be configured on the ACL of a certificate template in order for a user to be able to automatically enroll for the certificate via Group Policy? (*Choose all that apply*) a. Read b. Write c. Enroll d. Auto-enroll
a. Read c. Enroll d. Auto-enroll
10-13 Which of the following are Windows Settings preference extensions? (*Choose all that apply*) a. Registry b. Shortcuts c. Folders d. Storage
a. Registry b. Shortcuts c. Folders
12-3 Which of the following usages are allowed by the User certificate by default? (*Choose all that apply*) a. Secure Email b. Encrypting File System c. Client Authentication d. Document Signing
a. Secure Email b. Encrypting File System c. Client Authentication
10-3 Which of the following best describes how to stop processing a preference if an error occurs? a. Select the Stop processing items option on the Common tab. b. Select the Remove this item option on the Common tab. c. Select the Stop on any error option in the GPP Wizard. d. Select the Stop on all errors option in the GPP Wizard.
a. Select the Stop processing items option on the Common tab.
10-7 Which GPP is used to provide users access to a common network location? (*Choose all that apply*) a. Shortcut b. File c. Drive Maps d. Folders
a. Shortcut c. Drive Maps
9-16 Which of the following nodes contains only one node, Software installation, which allows you to install and maintain software within your organization? a. Software Settings b. Windows Settings c. Computer Configuration d. User Configuration
a. Software Settings
10-17 Which option determines that when an error occurs while processing a preference, no other preferences in this GPO will process? a. Stop processing items in this extension if an error occurs. b. Run in logged-on user's security context. c. Apply once and do not reapply. d. Use item-level targeting.
a. Stop processing items in this extension if an error occurs.
9-10 The Security template allows you to configure which of the following settings? (*Select all that apply*) a. System Services b. Registry Entries c. Registry Permissions d. File System Permissions
a. System Services c. Registry Permissions d. File System Permissions
11-33 Which of the following fully backs up the CA without backing up more than necessary? a. System state backup b. Full system backup c. CA backup using Certification Authority console d. Bare metal recovery
a. System state backup
9-8 What are MST files used for? a. They deploy customized software installation files b. They are template files for software packages c. They are custom patch files d. They specialize in software installation test files
a. They deploy customized software installation files
9-26 When configuring Group Policy to deploy applications, the applications must be mapped to which of the following locations? a. UNC path b. drive letter c. shared folder d. full install path
a. UNC path
10-12 To which of the following items can shortcuts be configured when performing GPP deployments? (*Choose all that apply*) a. Windows Firewall applet b. Documents folder c. Microsoft Excel d. Printer
a. Windows Firewall applet b. Documents folder c. Microsoft Excel d. Printer
12-8 As a security precaution, which of the following actions should be performed immediately after you have configured a CA to issue a KRA certificate? a. You should configure the ACL on the template with the specific security principals who will be designated KRAs. b. You should perform a backup of the CA database. c. You should perform a backup of the server's system state. d. You should publish a new Certificate Revocation List (CRL).
a. You should configure the ACL on the template with the specific security principals who will be designated KRAs.
9-2 Which of the following methods can be used to deploy security templates? (*Choose two answers*) a. using Active Directory GPOs b. using the Security Configuration and Analysis snap-in c. copying a text file to each managed computer's admin$ share d. using a logon script
a. using Active Directory GPOs b. using the Security Configuration and Analysis snap-in
9-3 Which of the following best describes an ADMX file? a. An ADMX file is an ADM file translator. b. An ADMX file is the ADM format for newer operating systems. c. An ADMX file is a template buffer. d. An ADMX file is the protocol that deploys ADM files across networks.
b. An ADMX file is the ADM format for newer operating systems.
11-32 Which of the following statements best describes why you should consider making the Root CA an offline CA? a. Because it improves certificate issuing speed. b. Because it improves security of the root CA and its private keys. c. Because it reduces the number of CAs you actively need to manage. d. Because it prevents requests from inadvertently being sent to the Root CA.
b. Because it improves security of the root CA and its private keys.
9-9 Windows Installer cannot install .exe files. To distribute a software package that installs with an .exe file, what must be done to it? a. It must be converted to a ZIP file. b. It must be converted to an MSI file. c. It must be converted to an MSP file. d. It must be converted to an MST file.
b. It must be converted to an MSI file.
11-16 Which PKI role in AD CS is used to validate certificates? a. CA b. Online Responder c. Network Device Enrollment Service d. CA Web Enrollment
b. Online Responder
11-1 Which of the following is another name for Asymmetric encryption? a. Public key infrastructure b. Public key cryptography c. Digital certificate d. Certificate authority
b. Public key cryptography
11-3 Which of the following is the role in the PKI that is responsible for the distribution of keys and the validation of identities? a. Certificate authority b. Registration authority c. Registration agent d. Key recovery agent
b. Registration authority
10-14 When working with Network Drive Mapping Preferences, which preference behaviors delete drive mappings? (*Choose all that apply*) a. Create b. Replace c. Update d. Delete
b. Replace d. Delete
10-19 Which option ensures that the logged-on user context will be used? a. Stop processing items in this extension if an error occurs. b. Run in logged-on user's security context. c. Apply once and do not reapply. d. Use Item-level targeting.
b. Run in logged-on user's security context.
11-12 How is an Online Responder different than a certificate revocation list (CRL)? a. The Online Responder is available via HTTP, whereas the CRL is only available via LDAP b. The Online Responder provides a validation response for a single certificate, whereas the CRL provides revocation information about all revoked certificates c. The Online Responder is accurate in real-time, whereas the CRL is time-delayed d. The Online Responder must be provided by a domain-joined server, whereas a non-domain-joined machine can provide the CRL
b. The Online Responder provides a validation response for a single certificate, whereas the CRL provides revocation information about all revoked certificates
12-11 To recover a key from the CA database using the certutil utility, which information must be known about the certificate? a. The password for the private keys b. The certificate serial number c. The certificate subject name d. The certificate key length
b. The certificate serial number
12-13 Which certificate format supports storage of certificates and all certificates in a certification path and usually has a .p7b or .p7c filename extension? a. Base64-encoded X.509 b. DER-encoded binary X.509 c. Personal Information Exchange (PKCS #12) d. Cryptographic Message Syntax Standard (PKCS #7)
d. Cryptographic Message Syntax Standard (PKCS #7)
10-8 Which Microsoft component must be installed before you can support GPPs on older Windows versions (Server and Workstation)? a. GPP Registry Tweaks b. GPP Service Pack 1 c. A special GPP hotfix d. GPP Client-Side Extensions
d. GPP Client-Side Extensions
12-1 Which of the following best describes the contents of the certificate chain? a. It is a list of all trusted root certificates. b. It is a list of certificate authorities that can be used to authenticate an entity certificate. c. It is a list of all trusted root certificate authorities. d. It is a list of certificates that can be used to authenticate an entity certificate.
d. It is a list of certificates that can be used to authenticate an entity certificate.
10-4 Which Windows extension allows you to copy registry settings and apply them to other computers, or create, replace, or delete registry settings? a. Applications b. Environment c. Files d. Registry
d. Registry
10-18 Which option determines which users or computers will receive a preference based on a criterion such as computer name, IP address range, operating system, security group, user, or Windows Management Instrumentation (WMI) queries? a. Stop processing items in this extension if an error occurs. b. Run in logged-on user's security context. c. Apply once and do not reapply. d. Use item-level targeting.
d. Use item-level targeting.
9-17 Which of the following nodes contains settings that are applied when the user logs on? a. Software Settings b. Windows Settings c. Computer Configuration d. User Configuration
d. User Configuration
10-32 GPPs are divided into which two sections? a. Windows and Registry b. Applications and Registry c. Applications and Control Panel d. Windows and Control Panel
d. Windows and Control Panel
11-10 What should be done as soon as possible once you have been notified that a user has lost control of the private keys for their certificates? a. You should reset the user's password. b. You should disable the user's account. c. You should reissue the user a new certificate. d. You should revoke the user's issued certificates.
d. You should revoke the user's issued certificates.
10-34 Which object can be created to organize Registry preference items? a. an OU b. a Control Panel applet c. a file system folder d. a Collection
d. a Collection
9-25 An application cannot be published to a _______________. a. GPO b. user c. group d. computer
d. computer
9-14 Unlike ADM files, ADMX files are not stored in which of the following locations? a. in the Central Store b. on the domain controller c. in the SYSVOL folder d. in individual GPOs
d. in individual GPOs
11-21 A __________ is an electronic document that contains an identity, such as a user or organization name, along with a corresponding public key. Answer: digital certificate
digital certificate
9-28 If you, as administrator, change an installed application, how do you update your users? a. by redeploying the application via the GPO b. by instructing the users to reinstall the application c. by creating a GPO to remove the old application and installing the new one d. by distributing the updates on next logon
a. by redeploying the application via the GPO
10-10 Which of the following are possible targets for individual preferences? (*Choose all that apply*) a. computer name b. CPU speed c. printer preference d. port assignment
a. computer name b. CPU speed
11-11 Your network has a mix of Windows, Macintosh, Linux and AIX computers. All of your internal web applications use Web Server certificates issued by your PKI. How will you need to configure your AIA and CDP? a. As LDAP paths b. As file server paths c. As URLs (HTTP paths) d. As CIFS paths
c. As URLs (HTTP paths)
11-31 Which of the following best describes the benefit of using asymmetric encryption instead of symmetric encryption? a. Asymmetric encryption is faster to encrypt and decrypt b. Asymmetric encryption does not require out-of-band key exchange c. Asymmetric encryption does not require a complex infrastructure to manage private keys d. Asymmetric encryption does not require the usage of a digital certificate for the public keys
c. Asymmetric encryption does not require a complex infrastructure to manage private keys
11-4 Which of the following is not a choice when installing a new CA? a. Standalone CA b. Enterprise CA c. Bridged CA d. Root CA
c. Bridged CA
9-18 Which of the following nodes contains settings that are applied to the computer regardless of who logs on to the computer? a. Software Settings b. Windows Settings c. Computer Configuration d. User Configuration
c. Computer Configuration
11-9 Which of the following is the function of the AIA? a. It specifies where to find up-to-date CRLs that are signed by the CA. b. It specifies where to find up-to-date CRLs that are signed by the RA. c. It specifies where to find up-to-date certificates for the CA. d. It specifies which CAs are available to issue certificates to clients
c. It specifies where to find up-to-date certificates for the CA.
11-19 Which PKI role in AD CS can be used to issue certificates to routers and switches? a. CA b. Online Responder c. Network Device Enrollment Service d. CA Web Enrollment
c. Network Device Enrollment Service
12-12 Which certificate format supports the export of a certificate and its private key? a. Base64-encoded X.509 b. DER-encoded binary X.509 c. Personal Information Exchange (PKCS #12) d. Cryptographic Message Syntax Standard (PKCS #7)
c. Personal Information Exchange (PKCS #12)
9-1 Which of the following operating systems can have its security settings managed by using security templates? (*Select all that apply*) a. Windows XP b. Windows Vista c. Windows 7 d. Windows 8 e. Windows 10
c. Windows 7 d. Windows 8 e. Windows 10
9-6 Which of the following is the software component used for installation, maintenance, and removal of software on Windows? a. Control Panel b. Add/Remove Programs applet c. Windows Installer d. Application Installer
c. Windows Installer
10-23 Describe Group Policy Preferences (GPPs). Answer: GPPs are a new group of Group Policy Client-Side Extensions (CSEs) that include folder options, drive maps, printers, tasks, services, and Start Menu items.
GPPs are a new group of Group Policy Client-Side Extensions (CSEs) that include folder options, drive maps, printers, tasks, services, and Start Menu items.
9-23 What are the four Administrative Template Property Filters? Managed or Non-Managed settings, Configured or Not Configured, Keyword Filters, and Requirements Filters
Managed or Non-Managed settings, Configured or Not Configured, Keyword Filters, and Requirements Filters
10-22 What do the network drive maps allow you to do with GPOs? Network drive maps allow you to create dynamic drive mappings to network shares, modify mapped drives, delete a mapped drive, or hide or show drives.
Network drive maps allow you to create dynamic drive mappings to network shares, modify mapped drives, delete a mapped drive, or hide or show drives.
10-24 Which GPPs support editing states? Answer: Start Menu settings, Regional and Language settings, Internet options, Folder options, and Power options
Start Menu settings, Regional and Language settings, Internet options, Folder options, and Power options
9-27 Which of the following occurs when an application deployed via group policies becomes damaged or corrupted? a. The installer notifies the administrator of the faulty application. b. The installer will detect and reinstall or repair the application. c. The user must request a reinstall of the application. d. The user must initiate a repair of the application.
b. The installer will detect and reinstall or repair the application.
12-6 In addition to the permissions required on the certificate templates used for auto-enrollment, which other requirements must be met to support auto-enrollment in your organization? (*Choose all that apply*) a. The certificate template must be a version 3 or higher b. The issuing CA must be an enterprise CA c. DNS must be configured to support auto-enrollment d. Group Policy must be configured to support auto-enrollment
b. The issuing CA must be an enterprise CA d. Group Policy must be configured to support auto-enrollment
12-7 Which minimum certificate version is required to enable key archival and recovery? a. Version 1 b. Version 2 c. Version 3 d. Version 4
b. Version 2
11-13 Which Windows client operating systems are capable of using the Online Responder to check certificate revocation status? (*Choose all that apply*) a. Windows XP Professional b. Windows 7 c. Windows 8 d. Windows 10
b. Windows 7 c. Windows 8 d. Windows 10
9-19 Which of the following nodes allows you to configure settings such as Name Resolution Policy, Security Settings, and Policy-Based QoS nodes? a. Software Settings b. Windows Settings c. Computer Configuration d. User Configuration
b. Windows Settings
9-13 Which language is an ADMX file based on? a. HTML b. XML c. SGML d. Java
b. XML
12-9 Which of the following actions must be performed immediately after issuing the first KRA certificate to a trusted user to enable key archival and recovery on the CA? (*Choose all that apply*) a. You must restart the CA. b. You must configure key archival on the CA properties. c. You must archive the keys for the issued KRA certificate. d. You must perform a backup of the CA database.
b. You must configure key archival on the CA properties. c. You must archive the keys for the issued KRA certificate.
10-31 Which of the following is the key difference between preferences and policy settings? a. deployment b. enforcement c. staging d. refresh interval
b. enforcement
10-33 Windows Settings are common configuration settings used in Windows but not used where? a. the Registry b. the Control Panel c. Administrative Tools d. Computer Properties
b. the Control Panel
10-16 Normally, preferences are refreshed at the same interval as Group Policy settings. Which option ensures this preference setting will be applied only once on logon or startup? a. Stop processing items in this extension if an error occurs. b. Run in logged-on user's security context. c. Apply once and do not reapply. d. Use item-level targeting.
c. Apply once and do not reapply.
9-4 Which of the following best describes the Central Store? a. The Central Store is an App Store from which you can deploy GPOs. b. The Central Store is a public share that allows users to place GPO requests into a queue. c. The Central Store is a repository for Administrative Templates. d. The Central Store is an online App Store for Administrative Templates.
c. The Central Store is a repository for Administrative Templates.
11-8 You have built a two-tier PKI with an offline Root CA and an online Enterprise Subordinate CA. Which of the following actions must be performed so that Active Directory clients will trust certificates issued from the Subordinate CA? a. You must manually import the Subordinate CA certificate into Active Directory one time. b. You must manually import the Subordinate CA certificate into Active Directory every time the Root CA CRL is updated. c. You must manually import the Root CA certificate into Active Directory one time. d. You must manually import the Root CA certificate into Active Directory every time the Root CA CRL is updated.
c. You must manually import the Root CA certificate into Active Directory one time.
12-5 Which of the following URLs would be the correct one to visit to get to the Web Enrollment pages? a. https://<servername>/certificates b. https://<servername>/ca c. https://<servername>/certsrv d. https://<servername>/certsrvcs
c. https://<servername>/certsrv
10-11 Which of the following is defined as changing the scope of individual preference items so that the preference items apply only to selected users or computers? a. individual targeting b. user-specific targeting c. item-level targeting d. focused targeting
c. item-level targeting
11-25 A __________ is a policy that is defined by the issuing organization's responsibilities when issuing the certificates, including identifying the organization issuing the certificates, what the certificates will be used for, the process used when assigning the certificates, how the certificates are revoked, and how the certificates are protected. Answer: certification practice statement (CPS)
certification practice statement (CPS)
9-7 Which of the following is the filename extension for the files in which installation information is stored? a. .txt b. .xml c. .ini d. .msi
d. .msi
9-11 Which of the following is the default location for ADMX files? a. C:\Windows\SYSVOL\ADMX b. C:\Windows\System32\XML\ADMX c. C:\Windows\Inf d. C:\Windows\PolicyDefinitions
d. C:\Windows\PolicyDefinitions
11-17 Which PKI role in AD CS is used to allow non-Windows operating system users to request certificates? a. CA b. Online Responder c. Network Device Enrollment Service d. CA Web Enrollment
d. CA Web Enrollment
11-6 Which of the following files can be deployed to CAs so they have predefined values or parameters during installation? a. CAValue.xml b. CAConfig.inf c. CASetting.xml d. CAPolicy.inf
d. CAPolicy.inf
12-10 When performing key recovery as a KRA, in which format will you retrieve the key from the database? a. Base64-encoded X.509 b. DER-encoded binary X.509 c. Personal Information Exchange (PKCS #12) d. Cryptographic Message Syntax Standard (PKCS #7)
d. Cryptographic Message Syntax Standard (PKCS #7)