CompTIA 220-1102 A+ Certification Exam: Core 2 Dumps and Practice Test Questions Set 3 Q41-60
Question 41
A company wants to ensure that any Windows laptop accessing sensitive corporate data automatically requires the device to be compliant with all security policies, including up-to-date antivirus definitions, encryption enabled, and all critical updates applied. The policy must be enforced before granting access to any network resources. Which solution BEST meets this requirement?
A) Network Access Control (NAC)
B) Task Manager
C) Windows Media Player
D) Calculator
Answer: A) Network Access Control (NAC)
Explanation:
A) Network Access Control is designed to enforce policy-based access controls on all devices attempting to connect to a network. NAC evaluates the health of a device before granting access, checking compliance with requirements such as antivirus status, patch level, encryption, and firewall settings. Devices that do not meet these requirements can be blocked, quarantined, or given restricted access until remediation occurs. NAC integrates with Active Directory or other identity providers to ensure only authorized and compliant devices gain access. It can also continuously monitor devices to ensure ongoing compliance. This solution is widely used in enterprises to reduce the risk of malware propagation and unauthorized data access while maintaining strict security standards.
B) Task Manager provides real-time information about running processes, CPU and memory usage, and network activity. While it is useful for troubleshooting and performance monitoring, it cannot enforce compliance, validate security status, or prevent noncompliant devices from accessing the network. It is not a policy enforcement tool.
C) Windows Media Player is a multimedia application used to play audio and video files. It cannot enforce device compliance, monitor security policies, or control network access. Its functionality is unrelated to security enforcement.
D) Calculator is a basic arithmetic tool and has no capabilities for device evaluation, policy enforcement, or access control. It cannot interact with security policies or network authentication systems.
Network Access Control is correct because it evaluates device compliance, enforces policies before granting network access, and prevents noncompliant devices from accessing sensitive resources, exactly meeting the enterprise’s requirements.
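The three conditions the scenario names (current antivirus definitions, encryption enabled, critical updates applied) are exactly the posture checks a NAC agent performs before the device is admitted. As an added example (not from the exam page), the PowerShell below gathers the same three checks into one function using the built-in Defender, BitLocker and Windows Update Agent interfaces; the signature-age threshold and the "Critical or Important" severity filter are assumptions.

```powershell
# Added example: local posture check mirroring what a NAC agent evaluates.
# Run in an elevated session on the laptop being assessed.

function Get-DevicePosture {
    param(
        [int]$MaxSignatureAgeHours = 24,   # assumption: definitions older than this fail
        [string]$OsDrive = $env:SystemDrive
    )

    $result = [ordered]@{}

    # 1. Antivirus: Microsoft Defender must be on and its definitions recent
    $mp = Get-MpComputerStatus
    $sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
    $result.AntivirusEnabled  = [bool]$mp.AntivirusEnabled -and [bool]$mp.RealTimeProtectionEnabled
    $result.SignaturesCurrent = $sigAge.TotalHours -le $MaxSignatureAgeHours

    # 2. Encryption: the OS volume must be fully encrypted with protection turned on
    $vol = Get-BitLockerVolume -MountPoint $OsDrive
    $result.EncryptionEnabled = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On')

    # 3. Updates: ask the Windows Update Agent for software updates not yet installed
    #    and keep the ones Microsoft rates Critical or Important (assumption)
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates
    $critical = @($pending | Where-Object { $_.MsrcSeverity -in 'Critical', 'Important' })
    $result.CriticalUpdatesMissing = $critical.Count
    $result.UpdatesCurrent         = $critical.Count -eq 0

    # Overall verdict: every control must pass, as a NAC policy would require
    $result.Compliant = $result.AntivirusEnabled -and $result.SignaturesCurrent -and
                        $result.EncryptionEnabled -and $result.UpdatesCurrent
    [pscustomobject]$result
}

Get-DevicePosture | Format-List
```

A NAC deployment runs this kind of evaluation through its agent and uses the verdict to place the device on the production VLAN, a remediation VLAN, or nowhere; the script only produces the verdict, which is useful for testing a policy before it is enforced at the network edge.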
Question 42
A Windows administrator needs to analyze a memory dump file created during a Blue Screen of Death (BSOD) to determine which driver or system component caused the crash. The administrator requires a tool that can interpret kernel-mode memory, display call stacks, and allow detailed debugging of the system state. Which tool is BEST suited for this task?
A) WinDbg
B) Notepad
C) Paint
D) Calculator
Answer: A) WinDbg
Explanation:
A) WinDbg is part of the Windows Debugging Tools suite and is designed to analyze crash dump files, kernel memory, and system state during failures. It can load full memory dumps, display call stacks, highlight the offending driver or system component, and provide detailed debugging information about the conditions leading to a crash. WinDbg supports symbol loading, advanced filtering, and scripted analysis, making it ideal for enterprise-level troubleshooting of complex Windows systems. It allows administrators to pinpoint root causes of BSODs and determine if crashes are hardware- or software-related. This level of analysis is critical for environments requiring high uptime and reliability, where simple trial-and-error troubleshooting is insufficient.
B) Notepad is a text editor and cannot analyze memory, interpret dump files, or provide debugging information. It can open a crash dump as a binary file, but this provides no meaningful analysis and is not a viable troubleshooting tool for BSODs.
C) Paint is a graphics application and has no debugging, memory analysis, or crash investigation capabilities. It cannot interpret system state, kernel memory, or driver information.
D) Calculator is a basic arithmetic tool. It cannot process memory dumps, display call stacks, or assist in system debugging. It provides no functionality relevant to system crashes.
WinDbg is correct because it is explicitly designed for analyzing BSOD memory dumps, identifying faulty drivers or components, and enabling deep system-level troubleshooting. None of the other tools provide memory analysis or crash diagnostics.
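To make the workflow in the explanation concrete, here is an added example (not from the exam page) that finds the dump files Windows writes after a BSOD and runs the debugger's automated triage command `!analyze -v` against each one non-interactively through `cdb.exe`, the console front end that ships with WinDbg. The debugger install path, the local symbol cache directory and the output folder are assumptions.

```powershell
# Added example: batch crash-dump triage with the Windows debugger.
$cdb        = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe'      # assumption: Debugging Tools install path
$symbolPath = 'srv*C:\Symbols*https://msdl.microsoft.com/download/symbols'         # local cache + Microsoft public symbol server
$outDir     = Join-Path $env:TEMP 'dump-analysis'                                  # assumption: report folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Where is this machine configured to write dumps?
# DebugInfoType: 1 = complete, 2 = kernel, 3 = small (minidump), 7 = automatic
$cfg = Get-CimInstance -ClassName Win32_OSRecoveryConfiguration
"Dump type {0}; kernel dump {1}; minidumps in {2}" -f $cfg.DebugInfoType, $cfg.DebugFilePath, $cfg.MiniDumpDirectory

# Collect candidate dump files from the default locations
$dumps = @()
$dumps += Get-ChildItem -Path "$env:SystemRoot\Minidump\*.dmp" -ErrorAction SilentlyContinue
if (Test-Path "$env:SystemRoot\MEMORY.DMP") { $dumps += Get-Item "$env:SystemRoot\MEMORY.DMP" }

foreach ($dump in $dumps) {
    $report = Join-Path $outDir ($dump.BaseName + '.txt')
    # -z loads the dump, -y sets the symbol path, -c runs commands and then quits:
    #   !analyze -v : automated analysis (bugcheck code, faulting module, call stack)
    #   lm kv       : loaded kernel modules with version information
    & $cdb -z $dump.FullName -y $symbolPath -c '!analyze -v; lm kv; q' 2>&1 |
        Out-File -FilePath $report -Encoding utf8

    # Surface the lines an administrator reads first
    $summary = Select-String -Path $report -Pattern '^(MODULE_NAME|IMAGE_NAME|BUGCHECK_CODE|FAILURE_BUCKET_ID):' |
        ForEach-Object { $_.Line.Trim() }
    "{0}:`n  {1}" -f $dump.Name, ($summary -join "`n  ")
}
```

`IMAGE_NAME` and `MODULE_NAME` identify the driver or component the analyzer blames; `FAILURE_BUCKET_ID` is the string to search for when checking whether the same crash has been seen elsewhere. Reading dumps does not modify the system, so this can be run on a machine that is still under investigation.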
Question 43
An enterprise wants to ensure that only approved applications can run on Windows systems, blocking unauthorized executables and scripts. The solution must be centrally manageable and allow the use of both publisher rules and hash rules for software control. Which technology BEST satisfies this requirement?
A) AppLocker
B) Paint
C) WordPad
D) Calculator
Answer: A) AppLocker
Explanation:
A) AppLocker provides enterprise-level application control by allowing administrators to define which applications, scripts, and installers may execute. It supports rule creation based on file publisher, file path, or file hash, enabling granular control over permitted software. By centrally managing AppLocker through Group Policy, organizations can enforce compliance consistently across all Windows clients. This prevents unapproved or malicious software from running, mitigating the risk of malware infection, unauthorized access, and data leakage. It can also integrate with auditing to monitor blocked attempts and generate compliance reports, making it a robust tool for enterprise software governance.
B) Paint is a graphics tool and cannot manage application execution or enforce software control. It cannot block unauthorized programs or provide auditing capabilities.
C) WordPad is a basic word processor. While useful for text editing, it has no ability to control the execution of applications, enforce rules, or restrict scripts. It cannot support enterprise security policies.
D) Calculator is a simple tool for arithmetic calculations. It provides no software control or security functionality and cannot restrict application execution.
AppLocker is correct because it enforces controlled execution of applications based on trusted signatures, paths, or hashes, allowing centralized management and auditing. It is the only solution among the listed tools designed for software control in enterprise environments.
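The following is an added example (not from the exam page) showing the AppLocker workflow the explanation describes with the built-in `AppLocker` PowerShell module: inventory approved software, generate publisher rules for signed files and hash rules for the rest, deploy in audit mode, test a file against the policy, and review the audit events before switching to enforcement. The reference directories, policy file paths and the test file path are assumptions.

```powershell
# Added example: build, audit and test an AppLocker allow policy.
Import-Module AppLocker

# AppLocker only enforces while the Application Identity service runs
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 1. Collect file information from the directories holding approved software (assumption)
$approved = foreach ($dir in 'C:\Program Files', 'C:\Program Files (x86)') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script, WindowsInstaller
}

# 2. Turn the inventory into rules: publisher rules where files are signed, hash rules
#    otherwise. -Optimize merges rules that share a publisher; -User Everyone applies them to all.
New-AppLockerPolicy -FileInformation $approved -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath 'C:\Policies\AppLocker-Allow.xml' -Encoding utf8    # assumption: path

# 3. Set every rule collection to AuditOnly: blocked executions are logged, not stopped yet
[xml]$policy = Get-Content 'C:\Policies\AppLocker-Allow.xml'
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save('C:\Policies\AppLocker-Audit.xml')

# 4. Apply locally; in production the same XML is imported into a GPO
#    (Computer Configuration > Windows Settings > Security Settings > Application Control Policies).
#    -Merge keeps rules already present on the machine.
Set-AppLockerPolicy -XmlPolicy 'C:\Policies\AppLocker-Audit.xml' -Merge

# 5. Ask what the policy would decide for a specific file before enforcing it
Test-AppLockerPolicy -XmlPolicy 'C:\Policies\AppLocker-Audit.xml' -Path 'C:\Users\Public\Downloads\tool.exe' -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 6. During the pilot, 8003 = "would have been blocked" (audit), 8004 = blocked (enforced).
#    Once the 8003 stream is clean, change EnforcementMode to 'Enabled' and redeploy.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 8003, 8004 } |
    Select-Object TimeCreated, Id, Message
```

Audit mode first matters because a publisher rule generated from one installation may not cover every approved package; the 8003 events tell you what an enforced policy would have broken.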
Question 44
A company wants all Windows laptops to encrypt sensitive data on removable drives automatically. The encryption must require a password to unlock the drive and integrate with corporate recovery policies. Which technology BEST fulfills these requirements?
A) BitLocker To Go
B) Task Manager
C) Paint
D) Windows Calculator
Answer: A) BitLocker To Go
Explanation:
A) BitLocker To Go provides encryption for removable storage devices such as USB drives. It allows administrators to enforce password-protected access, ensuring that unauthorized users cannot access the encrypted data. The feature integrates with enterprise recovery policies, enabling recovery keys to be stored in Active Directory or another secure location. This ensures that encrypted drives can be recovered if a password is lost, while still protecting data confidentiality. BitLocker To Go is widely deployed in enterprise environments to mitigate risks associated with lost or stolen removable media, such as unauthorized access or data leakage.
B) Task Manager provides monitoring of processes and performance metrics. It does not encrypt drives, enforce password protection, or integrate with recovery policies. It cannot secure data on removable media.
C) Paint is a graphics application and does not provide encryption, password protection, or recovery management. It has no relevance to securing removable drives.
D) Windows Calculator is a simple arithmetic tool. It cannot encrypt storage devices or enforce corporate recovery policies. It provides no security functionality.
BitLocker To Go is correct because it encrypts removable drives, enforces password protection, and integrates with enterprise recovery procedures, fully meeting the organization’s security requirements.
Question 45
A security administrator wants to ensure that all Windows systems in the organization send their security and application logs to a central server in real time. The logs should be securely transmitted and suitable for correlation and alerting by SIEM tools. Which technology BEST achieves this goal?
A) Windows Event Forwarding (WEF)
B) Paint
C) Calculator
D) Character Map
Answer: A) Windows Event Forwarding (WEF)
Explanation:
A) Windows Event Forwarding allows multiple Windows clients to forward event logs, including security, system, and application events, to a centralized collector server. It supports secure communication over HTTPS and Kerberos authentication, ensuring that log data is not tampered with during transit. WEF enables the collection of critical logs in real time, which can then be integrated with SIEM tools for correlation, alerting, and forensic analysis. Administrators can configure subscription filters to capture specific events of interest, making it possible to focus on security-relevant data. This centralization improves visibility, ensures compliance with auditing requirements, and facilitates rapid incident detection.
B) Paint is a graphics application and has no capability to collect, forward, or secure event logs. It cannot transmit logs or integrate with SIEM tools.
C) Calculator performs arithmetic operations and cannot manage event logs, send data, or integrate with centralized monitoring solutions.
D) Character Map is a typographic utility and cannot collect, forward, or secure system logs. It provides no security monitoring functionality.
Windows Event Forwarding is correct because it securely centralizes event logs, supports integration with SIEM systems, and allows enterprise-wide monitoring and alerting, meeting all organizational requirements.
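The explanation describes a collector, a subscription with filters, and sources that forward to it; the added example below (not from the exam page) shows all three pieces of a source-initiated Windows Event Forwarding setup. The collector host name, the event selection and the refresh interval are assumptions. Transport is WinRM on port 5985 with Kerberos authentication, which encrypts the message body in a domain; an HTTPS listener with certificates would additionally be needed for non-domain sources.

```powershell
# Added example: source-initiated WEF. Part 1 runs on the collector, Part 2 on each source.

# ---- Part 1: collector -------------------------------------------------------
wecutil qc /q             # configure the Windows Event Collector service
winrm quickconfig -q      # WinRM listener the sources will connect to

# Subscription: security logons, process creation, account creation, and
# PowerShell script-block events, pushed within 30 seconds
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Security-Baseline</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logons, process creation, account management, PowerShell script blocks</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="60000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4688 or EventID=4720)]]</Select>
      </Query>
      <Query Id="1" Path="Microsoft-Windows-PowerShell/Operational">
        <Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(EventID=4104)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
'@
$subscription | Out-File -FilePath "$env:TEMP\Security-Baseline.xml" -Encoding ascii
wecutil cs "$env:TEMP\Security-Baseline.xml"   # create the subscription
wecutil gr Security-Baseline                    # runtime status: which sources are active

# ---- Part 2: each source (normally set by the GPO "Configure target Subscription Manager") ----
$collector = 'Server=http://collector.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60'   # assumption
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name '1' -Value $collector
# The forwarder reads the Security log as NETWORK SERVICE, which needs read access to that channel
Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT AUTHORITY\NETWORK SERVICE'
```

The SDDL in `AllowedSourceDomainComputers` admits members of Domain Computers; the collector's `ForwardedEvents` log is then the single place a SIEM agent reads. Including the PowerShell 4104 channel in the same subscription is what makes script content available to the SIEM alongside the security events.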
Question 46
An enterprise requires that all Windows servers enforce secure communications for remote management sessions. Administrators must verify the identity of clients, ensure data is encrypted in transit, and prevent credential interception. Which configuration BEST meets these requirements?
A) Configure WinRM with HTTPS and certificate-based authentication
B) Enable Airplane Mode
C) Turn off Windows Firewall
D) Use Sticky Keys
Answer: A) Configure WinRM with HTTPS and certificate-based authentication
Explanation:
A) Configuring Windows Remote Management (WinRM) to use HTTPS ensures that all remote management traffic is encrypted using TLS, preventing eavesdropping and man-in-the-middle attacks. Certificate-based authentication allows mutual verification of both client and server identities, ensuring that only authorized administrators can connect to the servers. This configuration protects credentials during transmission and maintains the confidentiality and integrity of management sessions. Enterprises often implement this setup for secure administration across untrusted networks and to comply with regulatory security requirements. It provides both encryption and identity verification, making it ideal for safeguarding sensitive remote operations.
B) Enabling Airplane Mode disables all wireless and network communications. While it stops external access, it also prevents legitimate remote management connections, making it impractical for enterprise server administration. It does not provide selective secure communication or authentication.
C) Turning off Windows Firewall reduces security by allowing all network traffic to pass without restriction. This increases exposure to attacks, does not encrypt data, and provides no authentication for remote sessions. It is contrary to secure remote management practices.
D) Sticky Keys is an accessibility feature that assists users with mobility challenges. It does not provide encryption, authentication, or management capabilities. It cannot secure remote administration or protect credentials.
WinRM with HTTPS and certificate-based authentication is correct because it enforces encrypted communications, mutual authentication, and secure management access, meeting enterprise security requirements. None of the other actions provide encryption or identity verification.
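As an added example (not from the exam page), the configuration below hardens WinRM on a server the way the explanation describes: an HTTPS listener bound to a server certificate, plaintext and Basic authentication turned off, client certificates from the internal CA mapped to an administrative account, and the firewall opened only for TCP 5986. Certificate thumbprints, host names and the administrative account are assumptions; the server certificate's subject must match the name clients connect to.

```powershell
# Added example: WinRM over TLS with certificate authentication.

# ---- Server side -------------------------------------------------------------
$serverThumb = 'SERVER-CERT-THUMBPRINT'   # assumption: cert in Cert:\LocalMachine\My with Server Authentication EKU
$caThumb     = 'ISSUING-CA-THUMBPRINT'    # assumption: internal CA that issues admin client certificates

# 1. HTTPS listener on TCP 5986 using the server certificate
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * -CertificateThumbprint $serverThumb -Force

# 2. Refuse unencrypted sessions and weak authentication; accept client certificates
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $false
Set-Item -Path WSMan:\localhost\Service\Auth\Certificate -Value $true

# 3. Map certificates issued by the internal CA with this UPN in their Subject
#    Alternative Name to the local administrative account (password prompted once)
New-Item -Path WSMan:\localhost\ClientCertificate -Subject 'admin@corp.example' -URI * `
    -Issuer $caThumb -Credential (Get-Credential 'CORP\admin') -Force

# 4. Remove any plaintext HTTP listener and allow only the HTTPS port inbound
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    Remove-Item -Recurse
New-NetFirewallRule -DisplayName 'WinRM HTTPS' -Direction Inbound -Protocol TCP -LocalPort 5986 -Action Allow -Profile Domain

# ---- Client side -------------------------------------------------------------
# -UseSSL forces TLS; the client certificate (Cert:\CurrentUser\My) replaces a password
$clientThumb = 'CLIENT-CERT-THUMBPRINT'   # assumption: cert with Client Authentication EKU
Invoke-Command -ComputerName 'srv01.corp.example' -UseSSL -CertificateThumbprint $clientThumb -ScriptBlock {
    hostname
    Get-Service WinRM | Select-Object Status, StartType
}
```

With this in place the server proves its identity through the TLS certificate and the client proves its identity through its own certificate, so no reusable credential is transmitted; `winrm get winrm/config` on the server is the quick way to confirm `AllowUnencrypted = false` and `Certificate = true` afterwards.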
Question 47
A company wants to enforce two-factor authentication (2FA) for all users logging into Windows 10 devices. The 2FA solution must integrate with Active Directory, support mobile authenticator apps, and be centrally manageable. Which technology BEST fulfills this requirement?
A) Multi-factor Authentication (MFA)
B) Paint
C) Windows Calculator
D) Character Map
Answer: A) Multi-factor Authentication (MFA)
Explanation:
A) Multi-factor authentication requires users to provide two or more forms of verification when signing in, such as a password and a mobile authenticator code, smart card, or biometric factor. Integration with Active Directory allows centralized policy management and ensures that all users comply with corporate 2FA requirements. MFA reduces the risk of unauthorized access if passwords are compromised, protects sensitive data, and supports mobile app-based token generation, which is increasingly common in enterprise environments. Centrally managed MFA policies can be applied uniformly across all Windows devices, ensuring consistent enforcement and compliance.
B) Paint is a graphics program and has no authentication or security functionality. It cannot enforce 2FA or integrate with Active Directory. Its use is unrelated to identity verification.
C) Windows Calculator performs mathematical operations. It provides no authentication mechanism, policy enforcement, or directory integration. It cannot implement MFA.
D) Character Map displays special characters and symbols. It cannot verify user identity or provide secure authentication. It has no enterprise security role.
Multi-factor Authentication is correct because it integrates with Active Directory, enforces additional verification beyond passwords, supports mobile authenticator apps, and enables centralized management, fully satisfying enterprise requirements for secure logins.
Question 48
A Windows administrator needs to prevent the accidental or malicious execution of PowerShell scripts downloaded from the Internet unless they are digitally signed. Scripts should be allowed only if approved by the organization’s internal certificate authority. Which configuration BEST accomplishes this goal?
A) Set the PowerShell execution policy to AllSigned
B) Enable Windows Movie Maker
C) Enable Magnifier
D) Turn on Windows Fax and Scan
Answer: A) Set the PowerShell execution policy to AllSigned
Explanation:
A) Setting the PowerShell execution policy to AllSigned ensures that all scripts require a valid digital signature before they can be executed. This policy prevents unauthorized or potentially malicious scripts from running, even if a user has administrative privileges. By enforcing signature verification from a trusted certificate authority, the organization ensures that only approved scripts are executed, maintaining system integrity and preventing malware spread. This is particularly important in enterprise environments where PowerShell automation is widely used for administrative tasks, and unsigned scripts could pose significant security risks.
B) Windows Movie Maker is a multimedia application and has no capability to enforce script execution policies, verify digital signatures, or prevent unauthorized scripts. It does not provide security functionality.
C) Magnifier is an accessibility tool for enlarging screen content. It cannot control PowerShell execution or enforce script signing. It is unrelated to security or script management.
D) Windows Fax and Scan manages document scanning and faxing. It has no capability to enforce execution policies or protect systems from malicious scripts. It is unrelated to administrative security.
Setting the execution policy to AllSigned is correct because it directly enforces signature validation for all scripts, blocking unsigned or unapproved code. None of the other choices provide execution control or signature enforcement.
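The explanation covers both halves of the control: the policy that demands signatures and the internal CA that issues them. The added example below (not from the exam page) sets AllSigned machine-wide, signs a script with a code-signing certificate from the internal CA, verifies that the signature chains to the organization's own root, and shows that a post-signing edit invalidates it. The script path, CA name and root thumbprint are assumptions.

```powershell
# Added example: AllSigned plus internal-CA code signing and verification.

# 1. Machine-wide policy (the GPO "Turn on Script Execution" writes the same setting)
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
Get-ExecutionPolicy -List    # shows which scope is actually in effect

# 2. Sign with a code-signing certificate issued by the internal CA; the
#    timestamp keeps the signature valid after the certificate itself expires
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Issuer -like 'CN=Corp Issuing CA*' } |     # assumption: internal CA name
    Select-Object -First 1
$script = 'C:\Scripts\Rotate-Logs.ps1'                           # assumption
Set-AuthenticodeSignature -FilePath $script -Certificate $cert -HashAlgorithm SHA256 `
    -TimestampServer 'http://timestamp.digicert.com'

# 3. Verify: Status must be Valid and the chain must end at the internal root;
#    anything else is what AllSigned refuses (or prompts on) at run time
function Test-ApprovedSignature {
    param([string]$Path, [string]$TrustedRootThumbprint)   # assumption: internal root CA thumbprint
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return $false }         # unsigned, tampered or untrusted signer
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null = $chain.Build($sig.SignerCertificate)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    return $root.Thumbprint -eq $TrustedRootThumbprint
}
Test-ApprovedSignature -Path $script -TrustedRootThumbprint 'ROOT-CA-THUMBPRINT'

# 4. A change after signing breaks the hash: Status becomes HashMismatch
Add-Content -Path $script -Value '# edited after signing'
(Get-AuthenticodeSignature -FilePath $script).Status
```

Two deployment details follow from this: the internal CA's root must be in the Trusted Root store on every client, and the signing certificate should be published to the Trusted Publishers store through Group Policy, otherwise AllSigned prompts the user the first time each publisher is seen.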
Question 49
A systems administrator needs to deploy Windows updates and security patches to all enterprise endpoints while minimizing user disruption. Updates must be centrally managed, selectively approved, and verifiable for compliance reporting. Which technology BEST achieves this goal?
A) Windows Server Update Services (WSUS)
B) WordPad
C) Windows Snipping Tool
D) Character Map
Answer: A) Windows Server Update Services (WSUS)
Explanation:
A) WSUS enables centralized management of Windows updates across enterprise endpoints. Administrators can approve or decline specific updates, schedule deployments to minimize disruption, and monitor installation status across all devices. WSUS integrates with Active Directory for targeting updates to organizational units or device groups. It provides detailed reporting to verify compliance, making it suitable for regulatory environments and large-scale deployments. By controlling when and which updates are applied, WSUS ensures stability, reduces downtime, and enforces consistent security patching across the enterprise.
B) WordPad is a simple text editor. It cannot deploy updates, enforce patching policies, or generate compliance reports. Its functionality is unrelated to system management.
C) Windows Snipping Tool captures screenshots and cannot manage updates, schedule patches, or enforce compliance. It has no administrative capabilities.
D) Character Map displays characters and symbols. It cannot deploy updates or provide enterprise patch management. It is unrelated to Windows update management.
WSUS is correct because it enables centralized control of patch deployment, selective approval, compliance reporting, and minimal disruption, meeting enterprise security and operational requirements.
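To show the approve-then-report cycle the explanation describes, here is an added example (not from the exam page) using the `UpdateServices` module on the WSUS server and the client-side registry values that the WSUS Group Policy writes. Server name, port and the pilot group name are assumptions.

```powershell
# Added example: selective approval and compliance reporting with WSUS.
Import-Module UpdateServices
$wsus = Get-WsusServer -Name 'wsus01.corp.example' -PortNumber 8530    # assumption

# 1. Unapproved Critical and Security updates that at least one client reports as needed
$pending = @()
foreach ($class in 'Critical', 'Security') {
    $pending += Get-WsusUpdate -UpdateServer $wsus -Classification $class -Approval Unapproved -Status FailedOrNeeded
}
"{0} updates awaiting approval" -f $pending.Count

# 2. Approve them for the pilot group only; production groups follow after the pilot reports clean
$pending | Approve-WsusUpdate -Action Install -TargetGroupName 'Pilot'    # assumption: group name

# 3. Compliance evidence: pilot computers that still need, or failed, approved updates
foreach ($status in 'Failed', 'Needed') {
    Get-WsusComputer -UpdateServer $wsus -ComputerTargetGroups 'Pilot' -ComputerUpdateStatus $status |
        Select-Object @{n='Status';e={$status}}, FullDomainName, LastReportedStatusTime, LastSyncTime
}

# 4. Client side: values the GPO "Specify intranet Microsoft update service location" sets
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
New-Item -Path "$wu\AU" -Force | Out-Null
Set-ItemProperty -Path $wu -Name WUServer       -Value 'http://wsus01.corp.example:8530'
Set-ItemProperty -Path $wu -Name WUStatusServer -Value 'http://wsus01.corp.example:8530'
Set-ItemProperty -Path "$wu\AU" -Name UseWUServer -Value 1 -Type DWord
# Minimize disruption: never force a reboot while someone is logged on
Set-ItemProperty -Path "$wu\AU" -Name NoAutoRebootWithLoggedOnUsers -Value 1 -Type DWord
```

`WUStatusServer` is the endpoint clients report installation status to, which is what feeds step 3; if it is not set, WSUS cannot show compliance even though updates install.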
Question 50
A security team wants to detect unauthorized software installation attempts on Windows clients, monitor execution of scripts, and log all administrative actions for forensic review. The solution must be auditable and centrally manageable across the domain. Which technology BEST satisfies these requirements?
A) Advanced Security Auditing
B) Paint
C) Windows Media Player
D) Calculator
Answer: A) Advanced Security Auditing
Explanation:
A) Advanced Security Auditing enables granular monitoring of Windows systems for security-relevant events. It can track software installation attempts, execution of scripts, privilege elevation, and other administrative actions. Each event is recorded in the Windows Security Event Log with detailed information, including the user identity, time of action, and process involved. These logs can be forwarded to a centralized log management system or SIEM for real-time correlation, alerting, and forensic analysis. By configuring audit policies through Group Policy, administrators can enforce consistent auditing across all domain-joined devices. This capability is essential for regulatory compliance, incident investigation, and detecting unauthorized activity in enterprise environments.
B) Paint is a graphics program and cannot log system activity, monitor installations, or track administrative actions. It has no security auditing functionality.
C) Windows Media Player plays multimedia content. It cannot monitor software execution, audit administrative actions, or provide forensic logs. It is not a security tool.
D) Calculator performs arithmetic calculations and cannot monitor system events, track privilege use, or generate audit records. It has no enterprise security functionality.
Advanced Security Auditing is correct because it provides centralized, auditable tracking of administrative actions, script execution, and software installations, enabling forensic investigation and compliance monitoring. None of the other options can perform these critical security functions.
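The added example below (not from the exam page) enables the advanced audit subcategories that cover the three requirements in the scenario, turns on command-line capture for process-creation events (without it, event 4688 shows only the image path), and then scans the Security log for installer and script-host launches. The subcategory names are Windows' own; the detection patterns and the 24-hour window are assumptions to be tuned per environment.

```powershell
# Added example: advanced audit policy plus a review of 4688 process-creation events.

# 1. Audit subcategories (set via GPO > Advanced Audit Policy Configuration in production)
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
# Let subcategory settings override the legacy category settings
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord
# Record the full command line in 4688 events
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
    -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord
auditpol /get /category:*

# 2. Review: process creations by installers or script hosts
function Get-SuspiciousProcessCreations {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    # assumption: names worth a second look in this environment
    $watch = '\\(msiexec|wscript|cscript|powershell|pwsh|mshta|regsvr32)\.exe$|setup|install'
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4688 EventData positions on Windows 10/Server 2016 and later:
            # 1 SubjectUserName, 5 NewProcessName, 8 CommandLine, 13 ParentProcessName
            $d = $_.Properties
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $d[1].Value
                NewProcess  = $d[5].Value
                Parent      = $d[13].Value
                CommandLine = $d[8].Value
            }
        } |
        Where-Object { $_.NewProcess -match $watch -or $_.CommandLine -match $watch }
}

Get-SuspiciousProcessCreations | Format-Table -AutoSize -Wrap
```

Because these events carry the subject user, parent process and command line, the same records answer both questions in the scenario: who attempted an installation, and what script a given administrator ran. Forwarding the Security log to a collector then gives the domain-wide view.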
Question 51
An organization requires that all Windows endpoints enforce strong password policies, including minimum length, complexity, and expiration intervals. Additionally, failed login attempts must be tracked, and accounts should be locked out after repeated failures. Which Windows feature BEST fulfills these requirements?
A) Group Policy
B) Notepad
C) Calculator
D) Paint
Answer: A) Group Policy
Explanation:
A) Group Policy is the centralized management framework for Windows domains, enabling administrators to enforce password policies, account lockout policies, and security settings across all domain-joined devices. Password policies can include minimum length requirements, complexity enforcement (requiring uppercase, lowercase, numbers, and special characters), and expiration intervals to force regular updates. Account lockout policies track failed login attempts and automatically lock accounts when thresholds are exceeded, preventing brute-force attacks. Group Policy allows administrators to implement these policies consistently and monitor compliance. Additionally, audit policies can be configured to log failed login attempts, enabling forensic review and early detection of credential-guessing attempts. By applying Group Policy to organizational units, enterprises can ensure all users adhere to security standards, reducing the risk of unauthorized access.
B) Notepad is a text editor and cannot enforce security policies or track login attempts. It provides no functionality for password management, account lockouts, or policy enforcement.
C) Calculator performs arithmetic operations and cannot implement password complexity, account lockout, or security policy management. It has no enterprise security functionality.
D) Paint is a graphics program with no ability to enforce user authentication policies or track failed login attempts. It cannot provide centralized security controls.
Group Policy is correct because it allows administrators to enforce strong password and account lockout policies consistently across the domain. It also supports logging for failed attempts, meeting enterprise security compliance requirements.
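Here is an added example (not from the exam page) that sets the domain password and lockout policy the explanation lists, using the `ActiveDirectory` module to write the same values the Default Domain Policy GPO carries, enables failed-logon and lockout auditing, and summarizes the resulting 4625 and 4740 events on a domain controller. The domain name and thresholds are assumptions.

```powershell
# Added example: domain password/lockout policy and failed-logon review.
Import-Module ActiveDirectory
$domain = 'corp.example'   # assumption

# 1. Account Policies (Password Policy + Account Lockout Policy) for the domain
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 14 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MinPasswordAge 1.00:00:00 `
    -MaxPasswordAge 90.00:00:00 `
    -LockoutThreshold 5 `
    -LockoutDuration 00:30:00 `
    -LockoutObservationWindow 00:30:00
Get-ADDefaultDomainPasswordPolicy -Identity $domain

# 2. Audit failures and lockouts (Advanced Audit Policy: Logon/Logoff and Account Management)
auditpol /set /subcategory:"Logon" /failure:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable

# 3. Review on a DC: repeated failures per account and source (4625), lockouts (4740)
function Get-LogonFailureSummary {
    param([datetime]$Since = (Get-Date).AddHours(-24), [int]$MinFailures = 5)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4625 EventData: 5 = TargetUserName, 19 = IpAddress
            [pscustomobject]@{ User = $_.Properties[5].Value; Source = $_.Properties[19].Value }
        } |
        Group-Object User, Source |
        Where-Object { $_.Count -ge $MinFailures } |
        Select-Object @{n='User, Source';e={$_.Name}}, Count
}
function Get-RecentLockouts {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4740 EventData: 0 = locked account, 1 = computer the failures came from
            [pscustomobject]@{ Time = $_.TimeCreated; Account = $_.Properties[0].Value; From = $_.Properties[1].Value }
        }
}
Get-LogonFailureSummary | Format-Table -AutoSize
Get-RecentLockouts      | Format-Table -AutoSize
```

Lockout events are written on the PDC emulator regardless of which DC processed the failures, so that is the DC to query; a single source address producing failures against many accounts is the pattern that distinguishes a guessing attempt from a user who forgot a password.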
Question 52
A systems administrator wants to ensure that Windows client devices only allow network communication over authorized VPN connections and block all other external traffic. The configuration must support automated enforcement and integrate with Active Directory policies. Which solution BEST achieves this goal?
A) Always On VPN with network policy enforcement
B) Sticky Notes
C) Paint
D) Character Map
Answer: A) Always On VPN with network policy enforcement
Explanation:
A) Always On VPN establishes a persistent, automated VPN connection that launches when a device starts or a user logs in. By integrating with network policies and Active Directory, administrators can enforce that all corporate traffic passes through the VPN tunnel and block unauthorized external connections. This ensures secure communication, compliance with corporate network policies, and centralized management of access. The Always On VPN feature supports both device tunnels (for machine-level connections) and user tunnels (for user-level sessions), enabling secure access even before users authenticate. It is scalable across enterprise environments and provides logging and policy enforcement to ensure devices cannot bypass security controls.
B) Sticky Notes is a note-taking utility that cannot enforce network policies or secure communications. It cannot manage VPN connections or block unauthorized traffic.
C) Paint is a graphics application with no capability to enforce networking policies or secure connections. It cannot integrate with Active Directory to enforce security requirements.
D) Character Map is a typographic tool and cannot manage network access, VPN connections, or policy enforcement. It has no security functionality.
Always On VPN with network policy enforcement is correct because it automatically secures enterprise communications, enforces policy adherence, and integrates with centralized management, meeting the organization’s strict network security requirements.
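As an added example (not from the exam page), the configuration below provisions a machine-certificate IKEv2 VPN connection for all users with split tunnelling off (all traffic uses the tunnel), then uses the Windows firewall so that on non-domain networks only the traffic needed to bring the tunnel up can leave the device. The gateway name and address are assumptions. A full Always On VPN deployment delivers the same settings as a ProfileXML through the VPNv2 CSP (Intune or a PowerShell/WMI push) and can add a device tunnel that starts before logon; the cmdlets here show the equivalent local configuration.

```powershell
# Added example: always-on, force-tunnel VPN with host-firewall enforcement.
$gatewayName = 'vpn.corp.example'   # assumption
$gatewayIp   = '203.0.113.10'       # assumption (documentation address)

# 1. Device-certificate IKEv2 profile visible to every user; without -SplitTunneling
#    the connection is the default route, so all traffic crosses the tunnel
Add-VpnConnection -Name 'Corp-AlwaysOn' -ServerAddress $gatewayName `
    -TunnelType Ikev2 -AuthenticationMethod MachineCertificate -AllUserConnection -Force
# Strong IPsec parameters for the tunnel
Set-VpnConnectionIPsecConfiguration -ConnectionName 'Corp-AlwaysOn' -AllUserConnection `
    -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup PFS2048 -Force

# 2. On Public/Private networks block outbound by default...
Set-NetFirewallProfile -Profile Public, Private -DefaultOutboundAction Block
# ...allow only what the tunnel needs to come up: DHCP, DNS, and IKE/IPsec NAT-T to the gateway...
New-NetFirewallRule -DisplayName 'AOVPN allow DHCP' -Direction Outbound -Protocol UDP -LocalPort 68 -RemotePort 67 -Action Allow -Profile Public, Private
New-NetFirewallRule -DisplayName 'AOVPN allow DNS'  -Direction Outbound -Protocol UDP -RemotePort 53 -Action Allow -Profile Public, Private
New-NetFirewallRule -DisplayName 'AOVPN allow IKE'  -Direction Outbound -Protocol UDP -RemoteAddress $gatewayIp -RemotePort 500, 4500 -Action Allow -Profile Public, Private
# ...and everything that leaves through the VPN adapter itself, whatever profile it lands in
New-NetFirewallRule -DisplayName 'AOVPN allow tunnel' -Direction Outbound -InterfaceType RemoteAccess -Action Allow -Profile Any

# 3. Bring the user tunnel up automatically at logon
$action  = New-ScheduledTaskAction -Execute 'rasdial.exe' -Argument '"Corp-AlwaysOn"'
$trigger = New-ScheduledTaskTrigger -AtLogOn
Register-ScheduledTask -TaskName 'Corp-AlwaysOn-Connect' -Action $action -Trigger $trigger -RunLevel Limited -Force

# 4. Verify the profile and that split tunnelling is off
Get-VpnConnection -AllUserConnection -Name 'Corp-AlwaysOn' |
    Select-Object Name, ConnectionStatus, TunnelType, SplitTunneling
```

The firewall rules are what turn "use the VPN" into "cannot bypass the VPN": with the default outbound action set to Block on untrusted profiles, an application that tries to reach the Internet directly while the tunnel is down simply gets no connectivity. In a managed deployment both the VPN profile and these rules are pushed from the domain so users cannot remove them.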
Question 53
A Windows administrator must investigate whether a workstation has been compromised by malware that persists via scheduled tasks. The administrator wants to view task history, triggers, and executable paths without modifying system state. Which tool BEST supports this investigation?
A) Task Scheduler
B) WordPad
C) Windows Calculator
D) Paint
Answer: A) Task Scheduler
Explanation:
A) Task Scheduler allows administrators to view and manage all scheduled tasks on a Windows system, including hidden or automatically executed tasks that could be used by malware for persistence. It displays triggers (such as time-based, logon, or system event triggers), actions (including paths to scripts or executables), and history of execution. By examining this information, administrators can identify tasks created without authorization, determine the origin of persistent malware, and plan remediation steps. Importantly, viewing task configurations through Task Scheduler does not modify the system state, preserving forensic integrity while enabling analysis. It also allows filtering of tasks by user or execution context, providing detailed insights for security investigations.
B) WordPad is a text-editing tool and cannot display scheduled tasks, monitor triggers, or provide executable paths. It is unrelated to malware persistence analysis.
C) Windows Calculator performs arithmetic calculations and cannot reveal system tasks or analyze malware persistence. It has no forensic or administrative functionality.
D) Paint is a graphics application and provides no insight into scheduled tasks, triggers, or executable paths. It cannot support forensic investigation.
Task Scheduler is correct because it provides visibility into all scheduled tasks, including those used for persistence by malware, without modifying system state. It is essential for administrators performing security investigations or root cause analysis.
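The added example below (not from the exam page) performs the read-only review the explanation describes with the `ScheduledTasks` module: for every task it lists the executable, arguments, triggers, run-as account and last result, flags the patterns persistence commonly relies on, and optionally exports each task definition to a case folder. Nothing in it modifies a task. The flag rules are assumptions.

```powershell
# Added example: read-only scheduled-task persistence sweep.
function Get-TaskPersistenceReport {
    param([string]$ExportDir)   # optional: folder to save each task's XML for the case file

    $userWritable = '\\(Users|ProgramData|Temp|AppData|Public)\\'                       # assumption
    $scriptHosts  = '(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd)\.exe' # assumption

    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo      # last run time, last result, next run (read-only)
        foreach ($action in $task.Actions) {
            $exe       = [string]$action.Execute
            $arguments = [string]$action.Arguments
            $flags = @()
            if ($exe -match $userWritable -or $arguments -match $userWritable) { $flags += 'user-writable path' }
            if ($exe -match $scriptHosts)                                        { $flags += 'script host' }
            if ($task.Settings.Hidden)                                           { $flags += 'hidden' }
            if (-not $task.Author)                                               { $flags += 'no author' }
            if ($task.Principal.RunLevel -eq 'Highest')                          { $flags += 'runs elevated' }

            [pscustomobject]@{
                Task       = $task.TaskPath + $task.TaskName
                State      = $task.State
                RunAs      = $task.Principal.UserId
                Execute    = $exe
                Arguments  = $arguments
                Triggers   = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
                LastRun    = $info.LastRunTime
                LastResult = $info.LastTaskResult
                Flags      = $flags -join '; '
            }
        }
        if ($ExportDir) {
            # Export-ScheduledTask only reads the definition; the XML preserves it as evidence
            $safe = ($task.TaskPath + $task.TaskName).Trim('\') -replace '[\\/:]', '_'
            Export-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath |
                Out-File -FilePath (Join-Path $ExportDir "$safe.xml") -Encoding utf8
        }
    }
}

# Flagged tasks first
Get-TaskPersistenceReport | Where-Object { $_.Flags } | Sort-Object Task | Format-Table -AutoSize -Wrap

# Then the history log: 106 = task registered, 140 = task updated, 200 = action started
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106, 140 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Task history is disabled by default on client editions, so the 106/140 events may be absent on a workstation; the `Author` and `Date` fields of the exported XML and the task's creation time in the file system under `C:\Windows\System32\Tasks` are the fallback for establishing when a task appeared.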
Question 54
A company requires that all sensitive Windows system files be protected against unauthorized modification or deletion, including kernel drivers and DLLs. The solution must automatically restore any altered files to maintain system integrity. Which Windows feature BEST accomplishes this?
A) Windows Resource Protection (WRP)
B) Sticky Keys
C) Paint
D) Windows Media Player
Answer: A) Windows Resource Protection (WRP)
Explanation:
A) Windows Resource Protection (WRP) monitors critical system files, folders, and registry keys, ensuring that only trusted, authorized processes can modify them. If an attempt is made to replace or delete a protected file, WRP automatically restores the original version from a cached copy, maintaining system integrity. WRP prevents malware, unauthorized users, or misconfigured software from corrupting essential operating system components, including DLLs and kernel drivers. This ensures system stability, protects against kernel-level attacks, and maintains compliance with enterprise security policies. WRP is integral to Windows systems, safeguarding core files without requiring constant manual oversight.
B) Sticky Keys is an accessibility feature that assists users with keyboard input. It cannot protect system files, monitor integrity, or restore altered files. It provides no security functionality.
C) Paint is a graphics application with no system-level protection capabilities. It cannot monitor or restore critical system files.
D) Windows Media Player is a multimedia application and cannot enforce system file integrity. It provides no protection against file tampering or kernel modification.
Windows Resource Protection is correct because it automatically safeguards critical system files, prevents unauthorized modifications, and restores any altered components to preserve system integrity.
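The following added example (not from the exam page) checks that Windows Resource Protection is intact on a machine: it confirms that protected binaries are owned by TrustedInstaller with no other principal holding write rights, runs an integrity verification with `sfc /verifyonly` (which reports but does not repair), and extracts the WRP findings from CBS.log. The list of files to spot-check is an assumption; run it from an elevated 64-bit PowerShell session.

```powershell
# Added example: verifying WRP ownership and file integrity.
function Test-WrpOwnership {
    param([string[]]$Paths = @(
        "$env:SystemRoot\System32\ntoskrnl.exe",
        "$env:SystemRoot\System32\kernel32.dll",
        "$env:SystemRoot\System32\drivers\ndis.sys"))   # assumption: files to spot-check
    foreach ($p in $Paths) {
        $acl = Get-Acl -Path $p
        # WRP-protected files are owned by TrustedInstaller, which alone holds modify rights
        $writers = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -notlike '*TrustedInstaller*' -and
            ($_.FileSystemRights -match 'Write|Modify|FullControl')
        })
        [pscustomobject]@{
            File         = $p
            Owner        = $acl.Owner
            Protected    = ($acl.Owner -like '*TrustedInstaller*') -and ($writers.Count -eq 0)
            ExtraWriters = ($writers.IdentityReference -join ', ')
        }
    }
}

function Get-WrpIntegrityFindings {
    # /verifyonly scans every protected file and logs to CBS.log without changing anything;
    # /scannow would additionally restore altered files from the component store
    $null = & "$env:SystemRoot\System32\sfc.exe" /verifyonly
    $log = "$env:SystemRoot\Logs\CBS\CBS.log"
    # WRP entries are tagged [SR]; keep those reporting a mismatch or a repair
    Select-String -Path $log -Pattern '\[SR\].*(Cannot repair|Repairing|corrupt|Hashes for file member do not match)' |
        ForEach-Object { $_.Line }
}

Test-WrpOwnership | Format-Table -AutoSize
Get-WrpIntegrityFindings | Select-Object -Last 20
```

A file whose owner is no longer TrustedInstaller, or that grants write access to Users or Administrators, has had its WRP protection bypassed even if its contents are currently correct; that is worth the same follow-up as a hash mismatch, because the next modification will not be caught.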
Question 55
A security administrator wants to enforce software inventory compliance by monitoring which applications are installed on Windows endpoints, ensuring that only authorized software is present. The solution must also provide reporting for audits and regulatory requirements. Which technology BEST meets these needs?
A) Microsoft Endpoint Configuration Manager (SCCM) Inventory and Compliance
B) Notepad
C) Windows Calculator
D) Paint
Answer: A) Microsoft Endpoint Configuration Manager (SCCM) Inventory and Compliance
Explanation:
A) Microsoft Endpoint Configuration Manager includes comprehensive inventory and compliance features that track installed applications on Windows endpoints. Administrators can define which software is authorized and generate reports identifying noncompliant devices. SCCM collects hardware and software inventory, supports automated remediation, and integrates with compliance reporting dashboards. This enables organizations to enforce software policies consistently, detect unauthorized installations, and maintain audit-ready documentation for regulatory purposes. SCCM’s reporting and automation capabilities make it ideal for enterprise environments requiring detailed software inventory management and proactive compliance enforcement.
B) Notepad is a text editor and cannot inventory software, track compliance, or generate reports. It has no administrative or security capabilities.
C) Windows Calculator performs arithmetic calculations and cannot monitor installed applications or enforce software compliance. It provides no management or reporting functions.
D) Paint is a graphics application and cannot track software installations, enforce compliance, or provide audit reports. It does not meet enterprise requirements for software governance.
Microsoft Endpoint Configuration Manager is correct because it allows administrators to inventory software, enforce compliance policies, remediate unauthorized installations, and generate audit-ready reports, fully meeting the organization’s needs for software governance.
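The added example below (not from the exam page) implements, as a stand-alone script, the check a Configuration Manager software-inventory compliance baseline performs: it reads installed software from the registry Uninstall keys (the same source the SCCM client inventories), compares the result with an approved-software list, and writes one report row per machine. The allowlist, prohibited patterns and report path are assumptions.

```powershell
# Added example: installed-software inventory against an allowlist.
function Get-InstalledSoftware {
    # Native and 32-bit-on-64-bit machine views, plus per-user installs
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate,
            @{n='Scope';e={ if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'User' } else { 'Machine' } }} |
        Sort-Object DisplayName -Unique
}

function Test-SoftwareCompliance {
    param(
        [string[]]$ApprovedPatterns,    # wildcard patterns of DisplayName values that are allowed
        [string[]]$ProhibitedPatterns   # patterns that must never be present
    )
    $inventory  = @(Get-InstalledSoftware)
    $unapproved = @($inventory | Where-Object {
        $name = $_.DisplayName
        -not ($ApprovedPatterns | Where-Object { $name -like $_ })
    })
    $prohibited = @($inventory | Where-Object {
        $name = $_.DisplayName
        $ProhibitedPatterns | Where-Object { $name -like $_ }
    })
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Checked        = Get-Date
        Installed      = $inventory.Count
        Unapproved     = $unapproved.Count
        Prohibited     = $prohibited.Count
        Compliant      = ($unapproved.Count -eq 0) -and ($prohibited.Count -eq 0)
        UnapprovedList = ($unapproved.DisplayName -join '; ')
        ProhibitedList = ($prohibited.DisplayName -join '; ')
    }
}

# Assumed allowlist and deny patterns for this organisation
$approved   = 'Microsoft *', 'Windows *', 'Google Chrome', 'Mozilla Firefox*', 'Adobe Acrobat*', 'Corp *'
$prohibited = '*Torrent*', 'Unsanctioned Remote Tool*'   # placeholder patterns

$result = Test-SoftwareCompliance -ApprovedPatterns $approved -ProhibitedPatterns $prohibited
$result | Format-List
# Append to a central share for the audit report (assumption: path)
$result | Export-Csv -Path '\\reports.corp.example\compliance\software.csv' -Append -NoTypeInformation
```

In Configuration Manager the same logic lives in a configuration item whose discovery script returns the `Compliant` value, a baseline that targets the collection, and the built-in compliance reports that replace the CSV; the script version is useful for validating the allowlist before the baseline is deployed.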
Question 56
An enterprise requires that all Windows endpoints enforce encryption for all stored data, including temporary files, user directories, and removable media. Encryption must be tied to hardware-based security features such as TPM and provide centralized recovery options. Which solution BEST fulfills this requirement?
A) BitLocker with TPM integration and Active Directory recovery
B) Paint
C) WordPad
D) Calculator
Answer: A) BitLocker with TPM integration and Active Directory recovery
Explanation:
A) BitLocker provides full-disk encryption for Windows endpoints, ensuring that all data at rest, including system files, temporary files, and user directories, is protected. By integrating with a Trusted Platform Module (TPM), BitLocker enforces hardware-based security, ensuring that encryption keys are stored securely and inaccessible to attackers even if the hard drive is removed. This hardware integration also prevents tampering with the boot process, protecting against rootkits and other pre-boot malware. In addition, BitLocker supports centralized recovery management via Active Directory, allowing administrators to escrow recovery keys for enterprise-wide management. This ensures that encrypted devices can be recovered in cases of lost credentials or failed TPM authentication. By combining full-disk encryption, TPM enforcement, and centralized recovery, BitLocker meets stringent enterprise requirements for confidentiality, integrity, and operational continuity.
B) Paint is a graphics application and does not provide any encryption, key management, or hardware integration. It cannot protect sensitive files or enforce recovery policies. It is entirely unrelated to enterprise security requirements.
C) WordPad is a word-processing application and provides no encryption capabilities, key escrow, or hardware integration. It cannot secure temporary files, user directories, or removable media. Its functionality is unrelated to data protection.
D) Calculator performs arithmetic calculations and has no security or encryption capabilities. It cannot enforce policies, encrypt disks, or manage recovery. It provides no enterprise-level data protection.
BitLocker with TPM integration and Active Directory recovery is correct because it encrypts all stored data, leverages hardware security, and allows centralized key management for recovery. It is the only option that ensures both security and enterprise manageability for Windows endpoints.
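The following PowerShell script is an added example, not part of the original question set, showing the three pieces the answer names in order: a TPM check, recovery-key escrow to Active Directory, and TPM-bound full-volume encryption. It assumes a domain-joined machine whose AD DS schema holds BitLocker recovery objects; the `HKLM:\SOFTWARE\Policies\Microsoft\FVE` value names used below are assumed to be the ones written by the "Store BitLocker recovery information in AD DS" policy and are set locally only so the script can be tested outside a GPO.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): enable BitLocker on the OS volume with a TPM
# protector, add a 48-digit recovery password, and escrow it in Active Directory before
# encryption starts. Assumed: domain-joined host, AD schema extended for BitLocker recovery,
# and the FVE policy value names below (they mirror the GPO setting for a local test).

$OsVolume = "C:"

# 1. A TPM that is present and ready is a precondition for the TPM protector.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready; TPM-bound BitLocker cannot be enabled on this device."
}

# 2. Local equivalent of the GPO that requires recovery information to be backed up to AD DS
#    (and refuses to start encryption if the backup fails). Value names are assumed.
$fve = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name "OSActiveDirectoryBackup"        -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name "OSRequireActiveDirectoryBackup" -Value 1 -Type DWord

# 3. Add a recovery password protector (works on a still-decrypted volume) and escrow it.
$vol = Get-BitLockerVolume -MountPoint $OsVolume
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword")) {
    Add-BitLockerKeyProtector -MountPoint $OsVolume -RecoveryPasswordProtector | Out-Null
}
$recovery = (Get-BitLockerVolume -MountPoint $OsVolume).KeyProtector |
            Where-Object KeyProtectorType -eq "RecoveryPassword" | Select-Object -First 1
Backup-BitLockerKeyProtector -MountPoint $OsVolume -KeyProtectorId $recovery.KeyProtectorId

# 4. Bind automatic unlock to the TPM and start full-volume encryption (XTS-AES 256).
#    Skipping the hardware test avoids the extra reboot on a known-good fleet image.
$vol = Get-BitLockerVolume -MountPoint $OsVolume
if ($vol.ProtectionStatus -eq "Off" -and $vol.VolumeStatus -eq "FullyDecrypted") {
    Enable-BitLocker -MountPoint $OsVolume -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
}

# 5. Report what an auditor would ask for: status, method, progress and which protectors exist.
Get-BitLockerVolume -MountPoint $OsVolume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage,
                  @{ n = "Protectors"; e = { ($_.KeyProtector.KeyProtectorType | Sort-Object -Unique) -join ", " } }
```

The recovery password is escrowed before the TPM protector is added, so a device that later fails TPM validation (firmware update, board swap) can always be unlocked from the copy in AD DS. Removable media is covered by the same feature family (BitLocker To Go), with the corresponding removable-drive policy values under the same FVE key; that part is not shown here.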
Question 57
A security administrator must monitor all remote PowerShell sessions, track executed commands, and log administrative actions for compliance purposes. The administrator also wants these logs forwarded to a central SIEM system. Which configuration BEST achieves this goal?
A) Enable PowerShell Script Block Logging and Module Logging with Event Forwarding
B) Sticky Keys
C) Paint
D) Calculator
Answer: A) Enable PowerShell Script Block Logging and Module Logging with Event Forwarding
Explanation:
A) PowerShell Script Block Logging records all executed script content, including dynamically generated code and scripts executed via remote sessions. Module Logging tracks commands executed within specific modules, providing visibility into administrative actions. When combined with Windows Event Forwarding (WEF), these logs can be securely transmitted to a central SIEM system for correlation, alerting, and forensic investigation. This configuration enables administrators to detect unauthorized or malicious scripts, maintain detailed audit trails, and ensure compliance with internal policies and regulatory requirements. It is especially valuable in large enterprises where hundreds of endpoints are managed remotely and visibility into administrative actions is critical for security and accountability. Centralized log aggregation ensures real-time monitoring, reduces the risk of missed events, and provides a robust foundation for incident response and forensic analysis.
B) Sticky Keys is an accessibility feature that assists users with keyboard input. It cannot track script execution, monitor administrative activity, or forward logs to a SIEM. It provides no enterprise security functionality.
C) Paint is a graphics application and has no logging, script monitoring, or event-forwarding capabilities. It cannot provide insight into administrative actions or compliance.
D) Calculator performs arithmetic operations and does not track PowerShell activity or forward logs. It cannot generate audit trails or support SIEM integration.
Enabling PowerShell Script Block Logging and Module Logging with Event Forwarding is correct because it provides comprehensive tracking of administrative commands, remote session monitoring, and secure log forwarding to a SIEM system. This configuration ensures auditability, compliance, and forensic readiness.
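As an added example (not code from the original page), the script below enables the two logging features named in the answer through the registry-backed policy keys that the corresponding Group Policy settings write, then reads the resulting 4104 events back so the administrator can confirm what is being captured before forwarding it. The policy value names are assumed to mirror the "Turn on PowerShell Script Block Logging" and "Turn on Module Logging" settings; `Get-RecentScriptBlocks` is a helper written for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): enable Script Block Logging and Module Logging
# via the policy registry keys, then list recent script-block events. Assumed: the value names
# below mirror the Group Policy settings of the same name.

$base = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell"

# Script Block Logging: the text of every script block is written as it is compiled
# (event 4104), including blocks built at runtime and those run through remoting.
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Module Logging for all modules ("*"): per-command pipeline details land in event 4103.
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name "*" -Value "*" -Type String

function Get-RecentScriptBlocks {
    # Helper written for this example: newest 4104 events, with the fields a SIEM rule keys on.
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{
        LogName = "Microsoft-Windows-PowerShell/Operational"
        Id      = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time       = $_.TimeCreated
            # PowerShell writes blocks that match its built-in suspicious-content list at
            # Warning level (3); ordinary blocks are Verbose (5).
            Suspicious = ($_.Level -eq 3)
            User       = $_.UserId
            # Long scripts are split across several 4104 events: part n of total.
            Part       = "{0}/{1}" -f $_.Properties[0].Value, $_.Properties[1].Value
            Path       = $_.Properties[4].Value   # empty for interactive/remote command lines
            Text       = $_.Properties[2].Value
        }
    }
}

# Remote sessions are covered automatically: 4104 is written on the endpoint executing the code.
Get-RecentScriptBlocks -MaxEvents 20 | Format-Table Time, Suspicious, User, Part, Path -AutoSize
```

Because a multi-part script arrives as several 4104 events sharing one ScriptBlockId, the forwarding subscription should carry all of them rather than only the Warning-level ones, or the SIEM will see fragments.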
Question 58
A company wants to prevent malware propagation via removable drives but allow authorized USB devices to function. Enforcement must be centrally managed, and policies should be applied automatically to all domain-joined Windows devices. Which solution BEST satisfies this requirement?
A) Group Policy Device Installation Restrictions
B) Notepad
C) Windows Calculator
D) Paint
Answer: A) Group Policy Device Installation Restrictions
Explanation:
A) Group Policy Device Installation Restrictions allow administrators to define which removable devices are authorized based on hardware IDs, device classes, or vendor IDs. Unauthorized devices are blocked automatically, preventing malware from spreading through removable media. This centralized management ensures consistent enforcement across all domain-joined devices, reducing security risks and maintaining compliance. Administrators can also specify exceptions for approved devices, ensuring business operations are not disrupted. By leveraging Active Directory, policies are automatically applied at login or system startup, providing scalable security in enterprise environments. This approach is widely used in high-security deployments to enforce removable device control while maintaining operational efficiency.
B) Notepad is a text editor and cannot enforce device policies, prevent malware propagation, or manage USB access. It provides no enterprise security functionality.
C) Windows Calculator performs arithmetic calculations and cannot block unauthorized devices or enforce security policies. It cannot integrate with Active Directory for centralized control.
D) Paint is a graphics application and does not manage device installation, security policy, or malware mitigation. It is unrelated to enterprise security enforcement.
Group Policy Device Installation Restrictions is correct because it enables centralized control over removable devices, blocks unauthorized hardware, and supports scalable policy enforcement across all domain-joined systems. This provides both security and operational flexibility.
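The script below is an added example, not from the original page, of the workflow behind this answer: inventory the USB devices currently attached to build an allow list of hardware IDs, then apply the Device Installation Restrictions settings. The registry value names are assumed to be those the ADMX template for "Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions" writes, and they are set locally here only for testing; in production the same values arrive through the GPO. The two hardware IDs in `$ApprovedIds` are constructed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): build a USB allow list from the live inventory and
# apply "allow these device IDs" plus "deny everything not described by another policy".
# Assumed: the registry value names (mirroring the Device Installation Restrictions ADMX) and
# the placeholder hardware IDs below.

function Get-UsbHardwareIds {
    # Helper written for this example: every present USB-class device with its hardware IDs,
    # most specific first (VID&PID&REV, then VID&PID). The VID&PID form is what goes in policy.
    Get-PnpDevice -PresentOnly -Class USB -ErrorAction SilentlyContinue | ForEach-Object {
        $ids = (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName "DEVPKEY_Device_HardwareIds").Data
        [pscustomobject]@{ Name = $_.FriendlyName; InstanceId = $_.InstanceId; HardwareIds = $ids }
    }
}

# Step 1: review the inventory and copy the IDs of sanctioned devices into $ApprovedIds.
Get-UsbHardwareIds | Format-List

# Approved devices (constructed placeholder values; replace with real inventory output).
$ApprovedIds = @(
    "USB\VID_0000&PID_0001",   # placeholder: corporate-issued encrypted drive model
    "USB\VID_0000&PID_0002"    # placeholder: hardware authentication token
)

# Step 2: write the policy. Allow rules take precedence over the "deny unspecified" default,
# so approved hardware keeps working while anything not on the list is refused a driver.
$r = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions"
New-Item -Path "$r\AllowDeviceIDs" -Force | Out-Null

# "Allow installation of devices that match any of these device IDs": list kept as numbered values.
Set-ItemProperty -Path $r -Name AllowDeviceIDs -Value 1 -Type DWord
$i = 1
foreach ($id in $ApprovedIds) {
    Set-ItemProperty -Path "$r\AllowDeviceIDs" -Name "$i" -Value $id -Type String
    $i++
}

# "Prevent installation of devices not described by other policy settings": the default deny
# that turns the allow list into an actual whitelist.
Set-ItemProperty -Path $r -Name DenyUnspecified -Value 1 -Type DWord

Get-ItemProperty -Path $r | Select-Object AllowDeviceIDs, DenyUnspecified
Get-ItemProperty -Path "$r\AllowDeviceIDs" | Select-Object * -ExcludeProperty PS*
```

Matching on VID&PID rather than the full instance path (which includes a serial number) approves a device model for the whole fleet; pin the serialised instance ID instead when only specific issued units should work.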
Question 59
An enterprise requires that all Windows client devices forward their security and application event logs to a centralized server for monitoring and compliance. The logs must be transmitted securely, compatible with SIEM solutions, and support filtering for specific event types. Which technology BEST fulfills this requirement?
A) Windows Event Forwarding (WEF)
B) Paint
C) Windows Calculator
D) Sticky Keys
Answer: A) Windows Event Forwarding (WEF)
Explanation:
A) Windows Event Forwarding enables domain-joined clients to send security, system, and application event logs to a centralized collector server. WEF supports secure transmission over HTTPS or Kerberos, ensuring that logs are protected during transit. Administrators can define subscriptions and filters to select specific event types for forwarding, reducing noise and focusing on critical security events. The centralized logs can then be ingested by SIEM solutions for real-time monitoring, correlation, and alerting. WEF simplifies enterprise log management by providing a scalable, automated method for collecting and analyzing logs across hundreds or thousands of endpoints. It ensures auditability, supports compliance with regulatory requirements, and enables rapid detection of security incidents, policy violations, or anomalous behavior across the organization.
B) Paint is a graphics application and cannot forward logs, filter events, or integrate with SIEM systems. It provides no enterprise monitoring capabilities.
C) Windows Calculator performs arithmetic operations and cannot manage event logs, forward logs, or support compliance monitoring. It has no role in security event management.
D) Sticky Keys is an accessibility feature and cannot provide centralized log collection, filtering, or secure transmission. It is unrelated to enterprise monitoring or auditing.
Windows Event Forwarding is correct because it enables centralized, secure, and filtered log collection, supports integration with SIEM systems, and facilitates compliance reporting. It is the enterprise-standard method for real-time event aggregation.
Question 60
A Windows administrator needs to centrally enforce and monitor application whitelisting across all corporate devices. Only approved software should be allowed to execute, and any attempts to run unauthorized programs must be logged and reported. Which technology BEST satisfies this requirement?
A) AppLocker with Group Policy integration
B) WordPad
C) Paint
D) Windows Calculator
Answer: A) AppLocker with Group Policy integration
Explanation:
A) AppLocker is a Microsoft Windows feature that provides robust application whitelisting and control capabilities. It allows administrators to define which applications, scripts, installers, and executable files are permitted to run on domain-joined endpoints, effectively preventing unauthorized software from executing. AppLocker works by creating rules that specify allowed applications based on attributes such as file path, file hash, or digital signature (publisher rules). This ensures that only trusted and verified software can run, reducing the risk of malware, ransomware, or other unauthorized programs compromising the system.
AppLocker rules can be applied to multiple categories of applications:
Executable files (.exe and .com) – Ensures only approved executables can run.
Windows Installer files (.msi and .msp) – Prevents unauthorized installation of software packages.
Scripts (.ps1, .bat, .cmd, .vbs, .js) – Controls execution of automation or administrative scripts, reducing attack vectors.
Packaged apps and packaged app installers (AppX) – Supports modern Windows Store apps, ensuring consistent control in contemporary environments.
A key strength of AppLocker is its integration with Group Policy (GPOs), which allows centralized management of policies across all domain-joined devices. Administrators can define rules once and deploy them to organizational units (OUs), groups, or individual machines. This ensures that application control policies are consistently enforced across the enterprise, eliminating gaps in security coverage and reducing the likelihood of policy circumvention. Group Policy integration also simplifies updates to rules, enabling administrators to adjust whitelisting policies dynamically as new applications are approved or deprecated.
Another critical feature of AppLocker is auditing and reporting. When an unauthorized application attempts to execute, AppLocker can log the event in the Windows Event Log. Administrators can then review these logs to identify policy violations, attempted breaches, or misconfigured endpoints. This capability is essential for compliance reporting, forensic investigations, and proactive security monitoring. Organizations subject to regulatory frameworks such as HIPAA, PCI DSS, or GDPR can use AppLocker auditing to demonstrate adherence to software control policies and maintain a clear record of enforcement actions.
AppLocker supports several types of rules for flexibility and precision:
Publisher rules: Allow applications based on the software publisher’s digital signature. These rules are ideal for managing software from trusted vendors and automatically account for updates without requiring new rules for each version.
Path rules: Allow applications located in specific directories. This is useful in controlled environments where trusted software is stored in predefined locations.
Hash rules: Allow applications based on a cryptographic hash of the file. Hash rules provide precise control but must be updated whenever an application is patched or replaced.
By using a combination of these rule types, administrators can enforce a comprehensive, layered approach to application control, ensuring security without compromising operational flexibility.
AppLocker is particularly valuable in enterprise environments where security, compliance, and controlled application usage are critical. It mitigates risks associated with malware, unapproved software, and unauthorized scripts. For example, ransomware that attempts to execute malicious files on endpoints will be blocked if it does not match an approved rule. Similarly, employees will be unable to run unauthorized tools or utilities that could inadvertently introduce vulnerabilities or non-compliant configurations.
B) WordPad is a basic text editor included in Windows for creating and editing text documents. While it serves general productivity purposes, it cannot enforce application whitelisting, control software execution, or log unauthorized attempts. It lacks any integration with Group Policy or centralized management capabilities, making it entirely unsuitable for enterprise security enforcement. WordPad simply does not provide the mechanisms required to monitor or restrict application execution on corporate endpoints.
C) Paint is a graphics editing application included with Windows. Although it can be used for creating or editing images, Paint does not have any capabilities for restricting software execution, defining whitelists, or auditing application behavior. It cannot integrate with enterprise policies or provide logging for compliance purposes. Like WordPad, it is irrelevant to the scenario of centrally managing application control and security enforcement.
D) Windows Calculator is a utility for performing arithmetic operations. It has no capability to control the execution of other applications, enforce rules, or generate audit reports. While useful for end users, it cannot be leveraged to secure enterprise environments or ensure compliance with software whitelisting policies.
By contrast, AppLocker with Group Policy integration is explicitly designed to enforce application whitelisting across enterprise environments. It ensures that only approved software is allowed to run, provides detailed logging and reporting for auditing and compliance, and integrates seamlessly with Active Directory for centralized policy management. This combination of capabilities allows administrators to maintain a secure and controlled application environment while minimizing the risk of malware, unauthorized software, and policy violations.
Furthermore, AppLocker can be configured to operate in Audit-only mode initially, allowing administrators to monitor potential policy violations without immediately blocking applications. This mode is useful for testing and refining rules before enforcing them strictly, ensuring minimal disruption to business operations. Once policies are verified, enforcement can be applied to block unauthorized software while continuing to log any violations for reporting and analysis.
In summary, AppLocker with Group Policy integration is the only solution among the options that meets the requirements for:
Centralized, enforceable application control across all corporate devices.
Detailed auditing and reporting of blocked or unauthorized software attempts.
Integration with enterprise policy management through Group Policy and Active Directory.
Enhanced security and compliance by reducing malware risk and unauthorized application execution.
WordPad, Paint, and Windows Calculator, while useful as individual utilities, offer no functionality related to application whitelisting, centralized enforcement, or reporting. Therefore, AppLocker with Group Policy integration is the correct choice because it fulfills all enterprise requirements for controlled, auditable application execution and security compliance.
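To make the rule types, Audit-only mode and event logging described above concrete, the following script is an added example (not code from the original page or from Microsoft): it builds an allow-list policy from the executables already installed, prefers publisher rules and falls back to hash rules for unsigned binaries, puts the EXE collection in AuditOnly mode, tests a file against the policy without running it, and then reads the audit/block events. The file paths and the test file are placeholders; the XML rule element is written from the AppLocker policy schema; `Get-AppLockerDenials` is a helper written for this example. In production, `Set-AppLockerPolicy -Ldap` targets the GPO instead of the local policy.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): generate an AppLocker EXE policy (publisher rules,
# hash fallback), stage it in AuditOnly mode, test a file, and report audit/block events.
# Assumed: placeholder paths and a placeholder test binary.

Import-Module AppLocker

# 1. Collect publisher, hash and path information for installed executables.
$files  = @(Get-AppLockerFileInformation -Directory "C:\Program Files" -Recurse -FileType Exe)
$files += @(Get-AppLockerFileInformation -Directory "C:\Program Files (x86)" -Recurse -FileType Exe)

# 2. Publisher rules survive vendor updates; unsigned files get hash rules (one per version).
#    -Optimize merges redundant rules; -User Everyone applies them to all principals.
$policy = [xml](New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
                    -User Everyone -Optimize -Xml)

# 3. Audit first: 8003 "would have been blocked" events show what enforcement would break.
$exe = $policy.AppLockerPolicy.RuleCollection | Where-Object Type -eq "Exe"
$exe.EnforcementMode = "AuditOnly"

# Default-style path rule so the OS itself stays runnable once the mode is switched to Enabled.
$ruleXml = [xml]@"
<FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
  <Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions>
</FilePathRule>
"@
[void]$exe.AppendChild($policy.ImportNode($ruleXml.DocumentElement, $true))

$policyPath = Join-Path $env:TEMP "AppLocker-Exe-Audit.xml"   # placeholder location
$policy.Save($policyPath)

# 4. Apply to the local policy for a pilot; Set-AppLockerPolicy -Ldap "LDAP://..." targets a GPO.
Set-AppLockerPolicy -XmlPolicy $policyPath
Start-Service AppIDSvc -ErrorAction SilentlyContinue   # Application Identity service enforces AppLocker

# 5. Ask the policy whether a file would be allowed for a standard user, without executing it.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path "C:\Users\Public\Downloads\unknown-tool.exe"   # placeholder test binary

# 6. Events: 8003 = audit-only (would have been blocked), 8004 = blocked under enforcement.
function Get-AppLockerDenials {
    # Helper written for this example: denials from the EXE and DLL log with path, hash and user.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = "Microsoft-Windows-AppLocker/EXE and DLL"
        Id        = 8003, 8004
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Time = $_.TimeCreated
            Mode = if ($_.Id -eq 8003) { "AuditOnly" } else { "Enforced" }
            User = $data.TargetUser
            File = $data.FilePath
            Hash = $data.FileHash
            Rule = $data.RuleName
        }
    }
}

Get-AppLockerDenials -Hours 24 | Format-Table Time, Mode, User, File, Rule -AutoSize
```

Run in AuditOnly for a full business cycle, add rules for anything legitimate that appears in the 8003 events, and only then change `EnforcementMode` to `Enabled`; the FileHash field in each event is what a SIEM correlates across endpoints to spot the same unauthorized binary appearing on many machines.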