Exam Ref 70-697 Configuring Windows Devices: Manage Identity

  • 11/19/2015

Answers

This section contains the solutions to the thought experiments and answers to the objective review questions in this chapter.

Objective 1.1: Thought experiment

  1. Office 365
  2. Most likely using the cloud, with options that enable the user to sync that data even when they aren’t online
  3. Billing; Global; Password; Service; User Management

Objective 1.1: Review

  1. Correct answer: A

    A. Correct: Options to restrict the use of Microsoft accounts for a group of users in a domain are in the Group Policy Management Editor window. Expand Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options.
    B. Incorrect: The User Rights Assignment node doesn’t provide options for restricting Microsoft accounts.
    C. Incorrect: To restrict a group of users in an Active Directory domain, you need to access Group Policy, not Local Group Policy.
    D. Incorrect: To restrict a group of users in an Active Directory domain, you need to access Group Policy, not Local Group Policy. Also, User Rights doesn’t offer the options you need.
  2. Correct answer: B

    A. Incorrect: Users can do this from their local computers.
    B. Correct: This is the correct answer; from their local computers, in the Settings app, from the Accounts page.
    C. Incorrect: You can’t connect a Microsoft account using Group Policy.
    D. Incorrect: This is achieved in the Settings app, but not from the Personalization page.
  3. Correct answer: D

    A. Incorrect: Active Directory synchronization is one of the things you can manage in the Office 365 Admin Center, but others are correct here.
    B. Incorrect: Valid, expired, and assigned licenses are some of the things you can manage in the Office 365 Admin Center, but others are correct here.
    C. Incorrect: User passwords, including resetting them, are among the things you can manage in the Office 365 Admin Center, but others are correct here.
    D. Correct: All of the above can be configured in the Office 365 Admin Center.
    E. Incorrect: All the answers are correct, not just B and C.
  4. Correct answer: E

    A. Incorrect: DISM is only one of the correct options listed.
    B. Incorrect: Windows PowerShell is only one of the correct options listed.
    C. Incorrect: Configuration Manager is only one of the correct options listed.
    D. Incorrect: Windows Intune is only one of the correct options listed.
    E. Correct: All of the above.
    F. Incorrect: “Only C and D” isn’t correct because A and B are correct also.
  5. Correct answer: B

    A. Incorrect: Special Group Policies are required.
    B. Correct: Allow All Trusted Apps To Install is the required Group Policy setting that must be enabled.
    C. Incorrect: Allow Development Of Windows Store Apps isn’t the correct Group Policy setting to enable.
    D. Incorrect: You should not block Microsoft accounts; you need to enable the Group Policy setting listed for answer B.
  6. Correct answer: B

    A. Incorrect: You cannot make sideloaded apps mandatory and force their installation on clients by applying the applicable settings in Windows Intune.
    B. Correct: This statement is false.
  7. Correct answer: A

    A. Correct: You deep link apps to make Windows Store apps available through the company portal.
    B. Incorrect: You do not use deep linking to force the installation of apps on Windows 10 computers.
    C. Incorrect: You don’t use deep linking to add LOB apps to the Windows Store. It’s used to make Windows Store apps available through the company portal.
    D. Incorrect: “None of the above” isn’t correct. A is correct.

Objective 1.2: Thought experiment

  1. Yes. AD CS in Windows Server 2012 requires an existing PKI infrastructure.
  2. Client certificates are stored in the Personal certificate store for the applicable user account on the client computer.
  3. Trusted root certificates are stored in the Trusted Root Certification Authorities store on the client computer.
  4. Certmgr.msc can be used to open the Certmgr window.

Objective 1.2: Review

  1. Correct answers: A and B

    A. Correct: Backup-CARoleService is the correct command for backing up the CA database.
    B. Correct: Restore-CARoleService is the correct command for restoring the CA database.
    C. Incorrect: This isn’t a valid Windows PowerShell command.
    D. Incorrect: This isn’t a valid Windows PowerShell command.
  2. Correct answers: B and C

    A. Incorrect: A physical smart card can be removed.
    B. Correct: The solution here requires a compatible TPM chip and a virtual smart card.
    C. Correct: The solution here requires a compatible TPM chip and a virtual smart card.
    D. Incorrect: A biometric fingerprint reader doesn’t offer private keys for security.
    E. Incorrect: BitLocker Drive Encryption is used to protect data on the drive and isn’t for authentication purposes.
  3. Correct answer: C

    A. Incorrect: If you’ve joined the homegroup, you are connected to the network.
    B. Incorrect: BitLocker Drive Encryption isn’t required to join a homegroup.
    C. Correct: The time is configured incorrectly on the second computer.
    D. Incorrect: If you have joined the homegroup, you are running a compatible version of Windows.
  4. Correct answers: A and B

    A. Correct: A workgroup uses a distributed method for sharing data.
    B. Correct: A homegroup uses a distributed method for sharing data.
    C. Incorrect: A domain uses a centralized method of sharing and managing data and uses AD DS for authentication and user access.
    D. Incorrect: Although a workgroup is a distributed sharing method, a domain isn’t.
  5. Correct answer: D

    A. Incorrect: A VPN enables users to access your local network when they are away from the office. VPNs might use PPTP or L2TP to secure the connection.
    B. Incorrect: Remote Desktop Services enables users to access session-based desktops, virtual machine-based desktops, or applications from both within a network and from the Internet.
    C. Incorrect: App-V enables the application to run in a virtualized environment without having to install or configure it on the local machine.
    D. Correct: Secure Channel is a Security Support Provider (SSP), and the TLS/SSL protocol uses a client/server model that’s based on certificate authentication. It does require a PKI infrastructure.
  6. Correct answer: A

    A. Correct: You need to first configure the policy Account Lockout Threshold to state how many times a user can try to authenticate before additional measures are taken.
    B. Incorrect: The policy Reset Account Counter After is optional.
    C. Incorrect: These policies are available in both workgroups and domains.
    D. Incorrect: The Group Security Policy console is the appropriate place to create these policies.
  7. Correct answer: C

    A. Incorrect: Credential Manager can store Windows Store passwords as well as local ones.
    B. Incorrect: Credential Manager can store Windows Store passwords as well as those input for local resources.
    C. Correct: Credential Manager can store Windows Store passwords as well as passwords for local resources.
    D. Incorrect: Credential Manager can store both Windows Store passwords and local user passwords.
  8. Correct answer: B

    A. Incorrect: A Microsoft account can be used in a domain if it isn’t restricted through Group Policy.
    B. Correct: Enable the user to associate their own Microsoft account to achieve this.
    C. Incorrect: Workplace Join enables users to connect to your domain with their own personal devices.
    D. Incorrect: If you add Web Application Proxy, users can join your enterprise from any Internet-enabled location by using a device you’ve allowed using Workplace Join.