CompTIA 220-1102 A+ Certification Exam: Core 2 Dumps and Practice Test Questions Set 5 Q81-100
Question 81
A company wants to enforce that all users accessing corporate resources from Windows endpoints use multi-factor authentication (MFA) tied to both a password and a mobile authenticator app. Authentication must integrate with Active Directory, allow centralized management, and produce logs for auditing access attempts. Which solution BEST meets this requirement?
A) Multi-factor Authentication (MFA) integrated with Active Directory
B) Paint
C) WordPad
D) Windows Calculator
Answer: A) Multi-factor Authentication (MFA) integrated with Active Directory
Explanation:
A) Multi-factor Authentication (MFA) provides enhanced security by requiring multiple verification methods, typically something the user knows (password) and something the user has (mobile authenticator app or hardware token). Integration with Active Directory allows administrators to centrally enforce MFA policies across all domain-joined devices, define conditional access rules based on user groups, device compliance, or network location, and ensure consistent application enterprise-wide. Centralized logging captures all successful and failed authentication attempts, providing a complete audit trail for regulatory compliance, forensic analysis, and internal security reviews. MFA also mitigates the risks associated with compromised credentials, phishing attacks, and unauthorized access, making it essential in enterprise security strategies. By leveraging mobile authenticator apps, organizations can implement time-based one-time passwords (TOTP) or push notifications, which provide additional verification and reduce the risk of account compromise. Administrators can configure conditional access policies to apply stricter MFA requirements for high-risk systems or sensitive data, ensuring both security and operational flexibility.
B) Paint is a graphics program and cannot enforce authentication policies, integrate with Active Directory, or provide auditing for login attempts. It is unrelated to authentication or security.
C) WordPad is a text editor and has no capability to enforce multi-factor authentication, generate logs, or integrate with enterprise directories. It cannot provide identity verification.
D) Windows Calculator performs arithmetic calculations and provides no security or authentication functionality. It cannot enforce MFA or produce access logs.
Multi-factor Authentication integrated with Active Directory is correct because it enforces strong authentication using multiple verification factors, allows centralized management of access policies, logs all authentication events, and mitigates risks associated with password compromise, phishing, and unauthorized access.
Question 82
A systems administrator wants to monitor CPU, memory, disk, and network usage in real-time, identify processes consuming excessive resources, view associated services, and correlate resource usage with network activity for troubleshooting and forensic purposes. Which tool BEST provides these capabilities?
A) Resource Monitor
B) Sticky Keys
C) Paint
D) Windows Calculator
Answer: A) Resource Monitor
Explanation:
A) Resource Monitor is a built-in Windows tool that allows administrators to analyze system performance in real time. It displays detailed information about CPU, memory, disk, and network usage for individual processes. Administrators can view associated services, threads, and I/O activity, enabling deep insight into which applications are consuming excessive resources. The Network tab shows active TCP connections, listening ports, and data throughput, allowing correlation between process activity and network usage. Resource Monitor can also filter processes by resource type, helping isolate bottlenecks or suspicious activity indicative of malware or misconfigured applications. By providing process-level granularity, administrators can perform root cause analysis, optimize performance, and detect anomalous behavior. Unlike Task Manager, Resource Monitor enables detailed investigation without third-party software, making it ideal for enterprise troubleshooting and forensic investigation. Additionally, its integration with Performance Monitor allows historical tracking and analysis of trends over time, supporting capacity planning and proactive system management.
B) Sticky Keys is an accessibility feature and cannot monitor system resources, correlate process activity with network usage, or provide insight into performance. It is not a monitoring tool.
C) Paint is a graphics program and provides no functionality for analyzing CPU, memory, disk, or network usage. It cannot correlate processes or detect resource-intensive applications.
D) Windows Calculator performs arithmetic calculations and cannot monitor system resources, analyze processes, or detect performance issues. It offers no administrative or forensic capability.
Resource Monitor is correct because it provides real-time monitoring of system resources, detailed process and service information, correlation with network activity, and granular insight for troubleshooting and forensic analysis, making it an essential enterprise tool for performance and security monitoring.
Question 83
A company requires that all PowerShell scripts executed on Windows endpoints be digitally signed by the organization’s internal certificate authority. Unsigned scripts must be blocked by default, and attempts to execute blocked scripts should be logged for auditing purposes. Which configuration BEST meets these requirements?
A) Set the PowerShell execution policy to AllSigned
B) WordPad
C) Paint
D) Windows Calculator
Answer: A) Set the PowerShell execution policy to AllSigned
Explanation:
A) The AllSigned execution policy in PowerShell enforces that all scripts, including locally created and downloaded scripts, must be digitally signed by a trusted certificate. Unsigned scripts are automatically blocked from execution, preventing malware or unauthorized automation from running. By using certificates issued by the organization’s internal certificate authority, administrators can ensure only approved scripts are executed, maintaining enterprise security and operational integrity. Audit logs capture all blocked attempts, enabling administrators to review policy violations, detect potential malicious activity, and generate reports for regulatory compliance. Integration with Group Policy allows centralized enforcement across all domain-joined devices, ensuring consistency and reducing the risk of misconfiguration. The AllSigned policy also supports controlled deployment scenarios where automation scripts are required but must remain secure, enabling secure management of administrative tasks and system automation.
B) WordPad is a text editor and cannot enforce script execution policies, verify signatures, or log blocked attempts. It provides no protection against unauthorized scripts.
C) Paint is a graphics application and cannot manage PowerShell execution policies or enforce script signing. It provides no auditing or compliance functionality.
D) Windows Calculator performs arithmetic operations and cannot enforce script execution, verify certificates, or block unsigned scripts. It does not support enterprise automation security.
Setting the PowerShell execution policy to AllSigned is correct because it blocks unauthorized scripts, ensures execution of trusted scripts only, supports centralized enforcement, provides audit logging, and enhances security for enterprise automation tasks.
Question 84
A security administrator wants to forward all Windows event logs, including security, system, and application events, to a centralized SIEM for real-time monitoring, correlation, and compliance reporting. Logs must be encrypted and allow filtering of specific event types to reduce noise. Which solution BEST achieves this requirement?
A) Windows Event Forwarding (WEF)
B) Sticky Keys
C) Paint
D) Windows Calculator
Answer: A) Windows Event Forwarding (WEF)
Explanation:
A) Windows Event Forwarding enables Windows endpoints to send event logs securely to a centralized collector server. WEF supports encrypted communication using HTTPS or Kerberos, ensuring log integrity during transmission and protecting sensitive event data from tampering or interception. Administrators can define subscriptions and filters to collect only relevant events, such as security breaches, application errors, or critical system warnings, reducing unnecessary data collection and focusing on actionable events. Centralized logs can then be ingested into a SIEM solution for correlation, real-time alerting, and compliance reporting. WEF is scalable, allowing hundreds or thousands of domain-joined devices to be monitored in real time. By centralizing event collection and integrating with SIEM, organizations can detect suspicious activity, perform forensic investigations, maintain regulatory compliance, and enhance incident response. WEF also provides detailed audit logs of forwarded events, ensuring accountability and traceability across the enterprise.
B) Sticky Keys is an accessibility feature and cannot forward logs, filter events, or provide SIEM integration. It has no functionality for centralized monitoring or auditing.
C) Paint is a graphics application and cannot collect, encrypt, forward, or filter event logs. It provides no enterprise monitoring or security capabilities.
D) Windows Calculator performs arithmetic calculations and cannot monitor event logs, forward them, or integrate with centralized SIEM solutions. It does not provide auditing or security monitoring.
Windows Event Forwarding is correct because it securely centralizes event logs, allows filtering, integrates with SIEM, and supports real-time monitoring, alerting, and compliance reporting across all Windows endpoints.
Question 85
A company requires that all Windows laptops automatically encrypt their system and data partitions, leverage hardware-based security features to protect encryption keys, and allow centralized recovery of encrypted drives in case of lost credentials. Which solution BEST fulfills these requirements?
A) BitLocker with TPM integration and Active Directory recovery
B) Sticky Keys
C) Paint
D) Windows Calculator
Answer: A) BitLocker with TPM integration and Active Directory recovery
Explanation:
A) BitLocker provides full-disk encryption for Windows laptops, protecting both system and data partitions against unauthorized access. Integration with the Trusted Platform Module (TPM) ensures encryption keys are securely stored in hardware, preventing access even if the drive is removed from the device. BitLocker can also require additional authentication mechanisms, such as PINs or USB startup keys, adding another layer of security. Active Directory recovery allows centralized key management, enabling IT administrators to unlock encrypted drives when users forget credentials or in case of system issues. Group Policy integration ensures automatic enforcement of encryption policies across all domain-joined devices, providing consistent enterprise-wide security. BitLocker also supports auditing and reporting on encryption compliance, enabling organizations to track protection status, remediate noncompliant devices, and satisfy regulatory requirements. By combining hardware-based key protection, full-disk encryption, and centralized recovery, BitLocker guarantees confidentiality, integrity, and operational continuity across all laptops in the organization.
B) Sticky Keys is an accessibility feature and cannot encrypt disks, store keys, or provide centralized recovery. It provides no enterprise security functionality.
C) Paint is a graphics application and cannot enforce disk encryption, manage TPM keys, or provide centralized recovery. It cannot prevent unauthorized access.
D) Windows Calculator performs arithmetic operations and cannot encrypt drives, store keys, or enforce enterprise-wide encryption policies. It offers no protection for sensitive data.
BitLocker with TPM integration and Active Directory recovery is correct because it encrypts all disk volumes, leverages hardware-based key protection, supports centralized recovery, enforces policies automatically, and provides reporting and compliance auditing.
Question 86
A company wants to enforce centralized control over which USB storage devices can be used on Windows endpoints. Only approved devices should be allowed, and all others must be blocked automatically. Enforcement must apply across all domain-joined devices with centralized reporting. Which solution BEST meets this requirement?
A) Group Policy Device Installation Restrictions
B) Sticky Keys
C) Paint
D) Windows Calculator
Answer: A) Group Policy Device Installation Restrictions
Explanation:
A) Group Policy Device Installation Restrictions allows administrators to define which devices are permitted on Windows endpoints by specifying hardware IDs, device classes, or vendor IDs. This ensures that only authorized USB storage devices can be installed or accessed. All unauthorized devices are automatically blocked, reducing the risk of malware propagation, data exfiltration, or unintentional policy violations. Centralized management through Active Directory allows policies to be applied automatically across all domain-joined devices, ensuring consistent enforcement enterprise-wide. Reporting features or integration with monitoring solutions provide visibility into compliance and attempted device installations, enabling administrators to track potential security incidents or policy violations. By combining automatic enforcement, centralized configuration, and detailed reporting, Group Policy Device Installation Restrictions provides both operational control and security assurance.
B) Sticky Keys is an accessibility feature and cannot control device installation or enforce USB usage policies. It offers no enterprise security functionality.
C) Paint is a graphics application and cannot restrict devices, enforce policies, or provide reporting. It has no role in device management or security.
D) Windows Calculator performs arithmetic operations and cannot manage device installation, enforce restrictions, or monitor compliance. It does not contribute to security or policy enforcement.
Group Policy Device Installation Restrictions is correct because it enables centralized control over device usage, automatically blocks unauthorized devices, integrates with Active Directory, and provides compliance reporting, ensuring enterprise-wide security and operational consistency.
Question 87
An organization wants to prevent unauthorized software from running on Windows endpoints. The solution must allow administrators to define trusted applications based on publisher, path, or cryptographic hash, enforce rules across all devices, and log all blocked attempts for compliance auditing. Which technology BEST achieves this?
A) AppLocker with Group Policy integration
B) WordPad
C) Paint
D) Windows Calculator
Answer: A) AppLocker with Group Policy integration
Explanation:
A) AppLocker enables administrators to define execution rules for applications, scripts, and installers based on digital signatures (publisher rules), file paths, or cryptographic hashes. By integrating with Group Policy, these rules are deployed centrally to all domain-joined devices, ensuring consistent enforcement enterprise-wide. AppLocker also supports audit logging, recording all attempts to execute unauthorized software. These logs can be forwarded to SIEM solutions or other monitoring systems to support compliance, forensic investigation, and security reporting. AppLocker reduces the risk of malware execution, unauthorized software installations, and noncompliant applications, ensuring that only approved and trusted programs run on Windows endpoints. Additionally, AppLocker can enforce rules for scripts, executable files, and packaged applications, providing a comprehensive solution for application control. The combination of centralized enforcement, granular control, and detailed auditing makes AppLocker a core component of enterprise security strategy.
B) WordPad is a text editor and cannot enforce application execution policies, verify signatures, or log blocked attempts. It provides no enterprise-level application control or compliance monitoring.
C) Paint is a graphics application and does not support application control, policy enforcement, or logging. It has no role in preventing unauthorized software execution.
D) Windows Calculator performs arithmetic operations and cannot enforce execution rules or monitor application activity. It cannot track compliance or prevent malware execution.
AppLocker with Group Policy integration is correct because it enforces application whitelisting, blocks unauthorized software, logs all attempts, and supports centralized enterprise management, ensuring security, operational control, and regulatory compliance.
Question 88
A security administrator needs to detect and investigate potential malware activity on Windows endpoints. The solution must allow detailed analysis of scheduled tasks, task history, triggers, and associated executable paths, without altering system state. Which tool BEST supports this investigation?
A) Task Scheduler
B) WordPad
C) Paint
D) Windows Calculator
Answer: A) Task Scheduler
Explanation:
A) Task Scheduler allows administrators to view all scheduled tasks on a Windows endpoint, including those created by malware for persistence. It provides detailed information about each task, including triggers (such as time or system events), actions (executables or scripts), task history, and the user context under which tasks run. Inspecting these tasks without executing or modifying them preserves the integrity of the system for forensic analysis. By analyzing scheduled tasks, administrators can detect unauthorized persistence mechanisms, identify malicious scripts or executables, and correlate activity with observed security incidents. Task Scheduler also allows filtering by user or task type, enabling focused investigation of suspicious activity. For enterprise environments, this tool provides crucial visibility into automated processes and is essential for post-compromise analysis, incident response, and forensic investigation.
B) WordPad is a text editor and cannot display scheduled tasks, triggers, or task history. It does not provide visibility into system automation or potential malware persistence.
C) Paint is a graphics application and cannot inspect scheduled tasks or track executable actions. It provides no investigative or forensic capabilities.
D) Windows Calculator performs arithmetic calculations and cannot monitor system automation, scheduled tasks, or malware persistence. It provides no security-related functionality.
Task Scheduler is correct because it allows administrators to safely view, analyze, and investigate scheduled tasks, triggers, and associated executables without altering the system, providing critical insight into malware persistence and unauthorized automation.
Question 89
A company requires that all Windows endpoints send security, system, and application logs to a centralized collector for real-time analysis, correlation, and alerting. Logs must be encrypted and allow filtering to forward only relevant events for compliance and incident response. Which solution BEST meets these requirements?
A) Windows Event Forwarding (WEF)
B) Sticky Keys
C) Paint
D) Windows Calculator
Answer: A) Windows Event Forwarding (WEF)
Explanation:
A) Windows Event Forwarding enables Windows endpoints to securely transmit event logs to a centralized collector. WEF supports encryption using HTTPS or Kerberos to protect log integrity during transmission. Administrators can configure subscriptions and filters to forward only specific event types, such as security failures, application errors, or critical system warnings, reducing unnecessary data volume while focusing on actionable events. Centralized collection enables integration with SIEM systems for real-time correlation, alerting, compliance reporting, and forensic investigation. WEF scales to support thousands of endpoints in enterprise environments, providing a consolidated view of system and security events. By forwarding logs in real time, organizations can detect threats, respond quickly to incidents, ensure auditability, and maintain regulatory compliance. Additionally, WEF supports secure transport, event filtering, and logging verification, ensuring that critical security data is not lost or tampered with during collection.
B) Sticky Keys is an accessibility feature and cannot forward logs, filter events, or integrate with centralized monitoring. It provides no enterprise security functionality.
C) Paint is a graphics application and cannot collect, encrypt, or forward event logs. It provides no visibility into system or security activity.
D) Windows Calculator performs arithmetic operations and cannot monitor or transmit logs. It does not support compliance or enterprise monitoring.
Windows Event Forwarding is correct because it securely aggregates and forwards relevant event logs, enables filtering, integrates with SIEM systems, supports real-time alerting, and ensures centralized auditability across all endpoints.
Question 90
A company requires that all Windows client devices encrypt system and data partitions automatically, use hardware-based protection for encryption keys, and allow recovery of encrypted drives in the event of lost credentials or hardware failure. Which solution BEST meets these requirements?
A) BitLocker with TPM integration and Active Directory recovery
B) Sticky Keys
C) Paint
D) Windows Calculator
Answer: A) BitLocker with TPM integration and Active Directory recovery
Explanation:
A) BitLocker provides full-disk encryption for Windows client devices, protecting both system and data partitions. Integration with the Trusted Platform Module (TPM) ensures that encryption keys are stored securely in hardware, preventing unauthorized access even if the physical drive is removed. Additional authentication mechanisms, such as PINs or startup keys, can further enhance security. Active Directory recovery allows centralized key management, enabling IT administrators to recover encrypted drives if users forget passwords or encounter system failures. Group Policy integration ensures that encryption is automatically applied across all domain-joined devices, providing consistent enterprise-wide enforcement. BitLocker also supports auditing and reporting to track compliance, encryption status, and recovery key usage. By combining full-disk encryption, hardware-based key protection, centralized recovery, and enterprise policy enforcement, BitLocker ensures data confidentiality, operational continuity, and regulatory compliance.
B) Sticky Keys is an accessibility feature and cannot encrypt disks, store keys, or provide recovery options. It offers no enterprise security capability.
C) Paint is a graphics application and cannot enforce encryption, integrate with TPM, or manage recovery keys. It provides no protection against unauthorized access.
D) Windows Calculator performs arithmetic calculations and cannot encrypt drives, protect keys, or manage recovery. It provides no functionality for enterprise data protection.
BitLocker with TPM integration and Active Directory recovery is correct because it automatically encrypts all partitions, leverages hardware-based security, provides centralized recovery, and enforces enterprise-wide encryption policies, ensuring security, compliance, and operational continuity.
Question 91
A company wants to enforce conditional access for all Windows endpoints, requiring multi-factor authentication (MFA) when users access sensitive resources from untrusted networks. The solution must integrate with Active Directory, allow centralized policy management, and log all access attempts for compliance reporting. Which solution BEST meets this requirement?
A) Conditional Access Policies with MFA integrated into Active Directory
B) Paint
C) WordPad
D) Windows Calculator
Answer: A) Conditional Access Policies with MFA integrated into Active Directory
Explanation:
A) Conditional Access Policies provide enterprise control over how and when users can access corporate resources. By requiring MFA when endpoints connect from untrusted networks, administrators can reduce the risk of unauthorized access due to compromised credentials or phishing attacks. Integration with Active Directory allows these policies to be applied consistently across all domain-joined devices and users, ensuring centralized management and enforcement. Policies can be tailored based on user group, device compliance, network location, or resource sensitivity. Logging and auditing capture every access attempt, successful or failed, enabling compliance with regulatory frameworks such as HIPAA, PCI DSS, or GDPR. Centralized reporting allows IT security teams to monitor access patterns, detect anomalies, and generate evidence for audits or investigations. Conditional Access also supports adaptive policies, adjusting security requirements based on risk level or device health, which balances security with operational flexibility.
B) Paint is a graphics application and cannot enforce authentication policies, monitor access, or integrate with Active Directory. It provides no conditional access functionality.
C) WordPad is a text editor and does not manage MFA, enforce conditional access, or produce audit logs. It offers no security or compliance features.
D) Windows Calculator performs arithmetic operations and cannot enforce authentication or network-based access policies. It provides no centralized policy management.
Conditional Access Policies with MFA integrated into Active Directory is correct because it enforces security dynamically based on risk, requires multiple verification factors, integrates centrally with enterprise directories, and provides audit-ready logging for compliance and monitoring purposes.
Question 92
An organization wants to ensure that all PowerShell activity on Windows endpoints is logged for forensic analysis. Logs must include executed commands, scripts, modules, and user context, and should be forwarded to a centralized SIEM for correlation and alerting. Which configuration BEST meets these requirements?
A) Enable PowerShell Script Block Logging and Module Logging with Event Forwarding
B) Sticky Keys
C) Paint
D) Windows Calculator
Answer: A) Enable PowerShell Script Block Logging and Module Logging with Event Forwarding
Explanation:
A) PowerShell Script Block Logging captures the full content of all executed scripts, including inline and dynamically generated code, while Module Logging records commands executed within specific modules. These logs provide detailed insight into user actions, administrative activity, and potential malicious behavior. Event Forwarding securely transmits logs to a centralized SIEM solution, enabling real-time correlation, alerting, and compliance reporting. This configuration ensures enterprise visibility into PowerShell activity, allowing detection of suspicious scripts, unauthorized automation, or lateral movement by attackers. By combining local detailed logging with centralized aggregation, organizations can investigate incidents, audit administrative activity, and generate reports for regulatory compliance. Centralized monitoring ensures that even in large-scale environments, all relevant PowerShell activity is tracked, stored securely, and available for forensic investigation, mitigating risk from automation-based attacks.
B) Sticky Keys is an accessibility feature and cannot monitor PowerShell activity, log scripts, or forward events to a SIEM. It provides no security or auditing functionality.
C) Paint is a graphics program and cannot capture PowerShell execution, user context, or module activity. It cannot forward events or support compliance monitoring.
D) Windows Calculator performs arithmetic operations and cannot track commands, modules, or scripts, and cannot forward logs for forensic analysis or alerting.
Enabling PowerShell Script Block Logging and Module Logging with Event Forwarding is correct because it provides comprehensive capture of executed commands, records user context, integrates with centralized SIEM solutions, and supports enterprise-wide auditing and forensic readiness.
Question 93
A security administrator wants to centrally enforce software inventory compliance on Windows endpoints, automatically detect unauthorized applications, generate audit reports, and support remediation actions across the enterprise. Which technology BEST fulfills this requirement?
A) Microsoft Endpoint Configuration Manager (SCCM) Inventory and Compliance
B) Paint
C) WordPad
D) Windows Calculator
Answer: A) Microsoft Endpoint Configuration Manager (SCCM) Inventory and Compliance
Explanation:
A) Microsoft Endpoint Configuration Manager provides enterprise-grade inventory and compliance management. It automatically collects detailed information about installed applications, system configuration, and hardware from all domain-joined devices. Administrators can define approved software lists and detect unauthorized installations. Centralized reporting allows generation of audit-ready documentation for compliance with internal policies and regulatory standards. SCCM supports remediation actions, including uninstalling unauthorized software, notifying users, or blocking noncompliant installations. Integration with Active Directory ensures consistent enforcement of compliance policies across all devices, while real-time monitoring enables detection of deviations and potential security risks. SCCM’s detailed reporting, automated remediation, and centralized management make it the most effective solution for maintaining software compliance and enterprise security.
B) Paint is a graphics program and cannot inventory software, enforce compliance, or generate reports. It has no enterprise-level management capabilities.
C) WordPad is a text editor and does not provide inventory, monitoring, or compliance features. It cannot track unauthorized applications or support remediation.
D) Windows Calculator performs arithmetic operations and cannot manage software compliance, detect unauthorized applications, or generate enterprise reports.
Microsoft Endpoint Configuration Manager is correct because it enables centralized software inventory, detects unauthorized applications, generates audit reports, supports remediation, and enforces enterprise-wide compliance policies, ensuring operational control and security.
Question 94
A company wants to ensure all Windows client devices automatically encrypt all disks, leverage TPM hardware for key protection, and allow administrators to recover drives if credentials are lost. Encryption policies must be applied consistently across all domain-joined endpoints. Which solution BEST meets these requirements?
A) BitLocker with TPM integration and Active Directory recovery
B) Sticky Keys
C) Paint
D) Windows Calculator
Answer: A) BitLocker with TPM integration and Active Directory recovery
Explanation:
A) BitLocker provides full-disk encryption for system and data volumes, protecting sensitive information from unauthorized access. TPM integration ensures that encryption keys are stored securely in hardware, making it impossible to access data if the physical drive is removed. Additional authentication methods, such as PINs or USB keys, can strengthen security. Active Directory recovery allows centralized management of recovery keys, enabling administrators to unlock encrypted drives if users forget passwords or encounter hardware failures. Group Policy integration ensures that encryption policies are automatically applied across all domain-joined devices, ensuring consistent enforcement and compliance with enterprise security standards. BitLocker also provides audit logs and reporting to monitor compliance status, enabling IT teams to detect noncompliant devices, remediate issues, and satisfy regulatory requirements. By combining full-disk encryption, TPM-based key protection, centralized recovery, and automated policy enforcement, BitLocker ensures both data confidentiality and operational continuity across the enterprise.
B) Sticky Keys is an accessibility tool and cannot encrypt disks, store keys, or enforce enterprise-wide encryption policies. It provides no protection for sensitive data.
C) Paint is a graphics application and cannot manage disk encryption, hardware key storage, or recovery mechanisms. It provides no enterprise security functionality.
D) Windows Calculator performs arithmetic calculations and cannot encrypt drives or manage keys. It provides no enterprise-level security or policy enforcement.
BitLocker with TPM integration and Active Directory recovery is correct because it enforces full-disk encryption, leverages hardware-based security, provides centralized recovery, and ensures enterprise-wide policy compliance for all Windows endpoints.
Question 95
A security administrator wants to prevent malware from spreading through removable storage while allowing approved USB devices to function. Enforcement must be automatic across all Windows endpoints, with centralized reporting and auditing of blocked attempts. Which solution BEST achieves this requirement?
A) Group Policy Device Installation Restrictions
B) Sticky Keys
C) Paint
D) Windows Calculator
Answer: A) Group Policy Device Installation Restrictions
Explanation:
A) Group Policy Device Installation Restrictions allow administrators to control which removable devices are authorized for use on Windows endpoints. Devices not explicitly approved are automatically blocked, preventing malware propagation through USB drives and other removable media. Integration with Active Directory ensures that these policies are applied automatically across all domain-joined devices, enforcing enterprise-wide compliance without requiring user intervention. Centralized reporting and auditing provide visibility into attempted unauthorized device connections, enabling IT teams to monitor compliance, investigate incidents, and generate regulatory audit reports. This approach provides a balance between operational flexibility and security, allowing approved USB devices to function while blocking potentially harmful devices. It mitigates common attack vectors such as malware, ransomware, and data exfiltration through removable media, which are frequent sources of security breaches in enterprise environments.
B) Sticky Keys is an accessibility feature and cannot restrict device usage, enforce USB policies, or generate audit reports. It provides no security enforcement.
C) Paint is a graphics application and cannot manage removable devices, enforce policy, or provide compliance monitoring. It has no role in preventing malware propagation.
D) Windows Calculator performs arithmetic operations and cannot control device access or provide enterprise-level security enforcement. It provides no reporting or auditing.
Group Policy Device Installation Restrictions is correct because it enforces authorized device usage, automatically blocks unauthorized media, integrates centrally with Active Directory, provides auditing, and ensures enterprise-wide protection against malware and data exfiltration.
Question 96
A company wants to ensure that all PowerShell scripts executed on Windows endpoints are logged, digitally signed, and blocked if unsigned. The solution must provide centralized logging to a SIEM for compliance and forensic analysis. Which configuration BEST meets these requirements?
A) Set PowerShell execution policy to AllSigned with Script Block Logging and Event Forwarding
B) Sticky Keys
C) Paint
D) Windows Calculator
Answer: A) Set PowerShell execution policy to AllSigned with Script Block Logging and Event Forwarding
Explanation:
A) Setting the PowerShell execution policy to AllSigned ensures that all scripts, whether locally created or downloaded, must be digitally signed by a trusted certificate. Unsigned scripts are automatically blocked, preventing unauthorized or malicious automation from executing on endpoints. Script Block Logging captures the full content of executed scripts, including dynamically generated code, providing visibility into all commands run on the system. Event Forwarding securely transmits these logs to a centralized SIEM solution, allowing correlation, alerting, and compliance reporting. This combination ensures that only trusted scripts execute while providing full auditability of administrative and automation activity. Integration with Group Policy ensures enterprise-wide enforcement across all domain-joined devices. By combining signature enforcement, detailed logging, and centralized aggregation, administrators maintain both operational security and regulatory compliance. This approach mitigates risks from malicious scripts, insider threats, or accidental misconfigurations while supporting enterprise-wide forensic readiness.
B) Sticky Keys is an accessibility feature and cannot enforce script execution policies, capture script activity, or forward logs. It provides no security or compliance functionality.
C) Paint is a graphics application and cannot control PowerShell execution, verify signatures, or forward event logs. It provides no monitoring or auditing capability.
D) Windows Calculator performs arithmetic operations and cannot enforce script policies, capture activity, or integrate with SIEM systems. It provides no visibility into administrative or automation activity.
The correct solution enforces AllSigned scripts, logs script activity comprehensively, forwards logs to a SIEM, and enables enterprise-wide enforcement, ensuring secure automation, compliance, and forensic readiness.
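The following PowerShell audit is an added example, not part of the original question set. It checks on one endpoint whether the three controls named in this answer are in effect. The folder C:\Scripts is a hypothetical location chosen for illustration.

```powershell
# Added example (not from the original page): read-only audit of the Question 96 controls.
# $ScriptRoot is a hypothetical folder; point it at the location that holds your scripts.
param([string]$ScriptRoot = 'C:\Scripts')

# 1. Execution policy: the MachinePolicy scope is the value delivered by Group Policy.
$byScope       = Get-ExecutionPolicy -List
$machinePolicy = ($byScope | Where-Object { $_.Scope -eq 'MachinePolicy' }).ExecutionPolicy
$effective     = Get-ExecutionPolicy

# 2. Script Block Logging: policy value written when the Group Policy setting is enabled.
$sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$sbl    = (Get-ItemProperty -Path $sblKey -ErrorAction SilentlyContinue).EnableScriptBlockLogging

# 3. Scripts without a valid Authenticode signature; AllSigned will not run these.
$notValid = @()
if (Test-Path -Path $ScriptRoot) {
    $notValid = @(Get-ChildItem -Path $ScriptRoot -Filter *.ps1 -Recurse -File |
        ForEach-Object { Get-AuthenticodeSignature -LiteralPath $_.FullName } |
        Where-Object { $_.Status -ne 'Valid' } |
        Select-Object Path, Status)
}

# 4. Evidence that logging works: event ID 4104 carries the logged script block text.
$logName = 'Microsoft-Windows-PowerShell/Operational'
$recent  = @(Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 4104 } `
                          -MaxEvents 5 -ErrorAction SilentlyContinue)

# One summary row per endpoint, suitable for collecting centrally.
[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    EffectivePolicy    = $effective
    EnforcedByGpo      = $machinePolicy -eq 'AllSigned'
    ScriptBlockLogging = $sbl -eq 1
    Recent4104Events   = $recent.Count
    ScriptsNotValid    = $notValid.Count
}

# Detail for remediation: which scripts still need signing, and why they fail.
$notValid | Format-Table -AutoSize
```

A signature whose Status is Valid can still trigger a prompt under AllSigned until its publisher is trusted on the endpoint.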
Question 97
A company wants to centrally enforce disk encryption on all Windows laptops. Encryption keys must be stored in hardware, recovery must be possible via centralized management, and policies must automatically apply to all devices. Which solution BEST meets these requirements?
A) BitLocker with TPM integration and Active Directory recovery
B) Sticky Keys
C) Paint
D) Windows Calculator
Answer: A) BitLocker with TPM integration and Active Directory recovery
Explanation:
A) BitLocker provides full-disk encryption for both system and data partitions, protecting sensitive information from unauthorized access. Integration with the Trusted Platform Module (TPM) ensures encryption keys are stored securely in hardware, preventing access even if the physical drive is removed. Active Directory recovery allows centralized management of recovery keys, enabling administrators to unlock drives if users forget credentials or encounter hardware failure. Group Policy integration ensures that encryption is automatically applied to all domain-joined devices, enforcing consistency and compliance across the enterprise. BitLocker also provides auditing and reporting to track compliance, detect noncompliant devices, and generate documentation for regulatory purposes. By combining full-disk encryption, hardware-based key protection, centralized recovery, and automated policy enforcement, BitLocker ensures data confidentiality, operational continuity, and compliance with organizational and regulatory requirements. This solution mitigates the risk of data loss due to theft or misplaced devices and supports enterprise-wide security standards.
B) Sticky Keys is an accessibility feature and cannot encrypt disks, store keys, or provide centralized recovery. It offers no enterprise security capabilities.
C) Paint is a graphics program and cannot manage disk encryption, integrate with TPM, or provide recovery options. It provides no security or compliance functionality.
D) Windows Calculator performs arithmetic calculations and cannot enforce encryption, store keys, or manage recovery. It cannot protect enterprise data.
BitLocker with TPM integration and Active Directory recovery is correct because it automatically encrypts disks, leverages hardware security, provides centralized recovery, and ensures policy enforcement across all Windows endpoints.
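The BitLocker requirements in Questions 94 and 97 can be verified per endpoint with the built-in BitLocker and TPM cmdlets. The script below is an added example, not part of the original question set. It assumes an elevated session on a Windows client and treats a missing policy key as "not configured".

```powershell
# Added example (not from the original page): read-only BitLocker posture check. Run elevated.
$tpm = Get-Tpm

# Policy values written by the Group Policy setting that controls recovery of
# BitLocker-protected operating system drives (absent if the policy is not configured).
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue

$volumes = foreach ($vol in Get-BitLockerVolume) {
    # Protector types on this volume, e.g. Tpm, TpmPin, RecoveryPassword, ExternalKey.
    $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $isOs  = $vol.VolumeType -eq 'OperatingSystem'

    $encrypted = $vol.VolumeStatus -eq 'FullyEncrypted'
    $protected = $vol.ProtectionStatus -eq 'On'
    $hasTpm    = [bool]($types -like 'Tpm*')
    $hasRecPw  = $types -contains 'RecoveryPassword'

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeType       = $vol.VolumeType
        FullyEncrypted   = $encrypted
        ProtectionOn     = $protected
        TpmProtector     = $hasTpm
        RecoveryPassword = $hasRecPw
        EncryptionMethod = $vol.EncryptionMethod
        # A TPM protector is expected on the OS volume only; data volumes are
        # normally unlocked by other protectors.
        Compliant        = $encrypted -and $protected -and $hasRecPw -and ($hasTpm -or -not $isOs)
    }
}

# Endpoint-level summary, then the per-volume detail.
[pscustomobject]@{
    ComputerName          = $env:COMPUTERNAME
    TpmPresent            = $tpm.TpmPresent
    TpmReady              = $tpm.TpmReady
    AdBackupEnabled       = $fve.OSActiveDirectoryBackup -eq 1
    AdBackupRequired      = $fve.OSRequireActiveDirectoryBackup -eq 1
    NonCompliantVolumes   = @($volumes | Where-Object { -not $_.Compliant }).Count
}
$volumes | Format-Table -AutoSize

# Remediation when a recovery password exists but was never escrowed:
#   Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId '<protector id>'
```

The script cannot confirm that a recovery password actually reached Active Directory; it reports only whether policy requires the backup and whether a recovery password protector exists locally.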
Question 98
A security administrator wants to monitor system resource usage on Windows endpoints in real time, including CPU, memory, disk I/O, and network activity. The solution must allow identification of processes consuming excessive resources, correlate resource usage with network connections, and provide granular insight for troubleshooting and forensic analysis. Which tool BEST fulfills this requirement?
A) Resource Monitor
B) Sticky Keys
C) Paint
D) Windows Calculator
Answer: A) Resource Monitor
Explanation:
A) Resource Monitor is a built-in Windows tool that provides real-time monitoring of CPU, memory, disk, and network usage. It allows administrators to see which processes are consuming resources, view associated services, monitor thread activity, and analyze I/O operations. Network monitoring enables correlation of resource usage with active TCP connections, listening ports, and bandwidth utilization, allowing detection of abnormal or suspicious activity that may indicate malware or misconfigured applications. Resource Monitor also allows filtering by process, resource type, or network connection, supporting detailed troubleshooting and forensic analysis without third-party tools. Unlike Task Manager, it provides deeper visibility, including process dependencies, disk queue length, memory usage trends, and network endpoint associations. This capability supports root cause analysis, performance optimization, and identification of anomalous behavior in enterprise environments. Integration with Performance Monitor enables historical trend analysis for capacity planning and proactive system management.
B) Sticky Keys is an accessibility tool and cannot monitor system resources, identify processes, or analyze network activity. It provides no troubleshooting or forensic functionality.
C) Paint is a graphics application and does not provide CPU, memory, disk, or network monitoring. It cannot correlate processes with resource usage or network activity.
D) Windows Calculator performs arithmetic operations and cannot provide system monitoring, troubleshooting, or forensic analysis. It provides no visibility into enterprise performance or security issues.
Resource Monitor is correct because it provides granular, real-time visibility into system resource usage, process-level insights, network correlation, and detailed performance analysis, supporting both troubleshooting and security investigations.
Question 99
A company requires that all Windows endpoints forward security, system, and application logs to a centralized SIEM for real-time analysis. Logs must be encrypted in transit, allow filtering for relevant events, and support compliance reporting and forensic investigation. Which solution BEST achieves this requirement?
A) Windows Event Forwarding (WEF)
B) Sticky Keys
C) Paint
D) Windows Calculator
Answer: A) Windows Event Forwarding (WEF)
Explanation:
A) Windows Event Forwarding enables Windows endpoints to send event logs securely to a centralized collector. WEF supports encryption using HTTPS or Kerberos to ensure log integrity and confidentiality during transmission. Administrators can configure subscriptions and filters to forward only relevant events, such as security violations, critical system errors, or application failures, reducing noise and focusing on actionable data. Centralized collection allows integration with SIEM systems for real-time correlation, alerting, and compliance reporting. WEF scales to enterprise environments with thousands of devices, providing consolidated visibility of security and operational events. By using WEF, organizations can monitor for suspicious activity, detect threats, perform forensic investigations, and maintain regulatory compliance. It also supports audit trails of forwarded events, ensuring accountability and traceability across all endpoints. Combined with encryption, filtering, and SIEM integration, WEF provides a comprehensive solution for centralized log management, monitoring, and compliance.
B) Sticky Keys is an accessibility feature and cannot forward logs, filter events, or provide centralized reporting. It does not support compliance or forensic monitoring.
C) Paint is a graphics application and cannot capture, encrypt, or forward logs. It provides no centralized monitoring or auditing capability.
D) Windows Calculator performs arithmetic calculations and cannot manage logs, forward events, or integrate with SIEM. It does not support security monitoring or compliance reporting.
Windows Event Forwarding is correct because it securely forwards relevant logs, integrates with SIEM, supports filtering, enables real-time alerting, and ensures compliance and forensic readiness across all endpoints.
Question 100
A security administrator wants to prevent malware propagation through removable storage while allowing only approved USB devices to function. Enforcement must be automatic, policies centrally managed, and all blocked attempts logged for auditing and compliance purposes. Which solution BEST meets this requirement?
A) Group Policy Device Installation Restrictions
B) Sticky Keys
C) Paint
D) Windows Calculator
Answer: A) Group Policy Device Installation Restrictions
Explanation:
A) Group Policy Device Installation Restrictions allows administrators to control which removable devices are authorized on Windows endpoints. Unauthorized devices are automatically blocked, preventing malware propagation and potential data exfiltration. Integration with Active Directory ensures centralized enforcement across all domain-joined endpoints, eliminating the need for manual configuration. Administrators can generate logs and reports to track blocked attempts, providing audit trails for regulatory compliance and incident investigation. Policies can be applied based on hardware ID, device type, or vendor ID, offering granular control over removable media. This approach allows operational flexibility, enabling approved USB devices while mitigating risks associated with malware infections introduced via external drives. Centralized enforcement, combined with detailed logging, supports enterprise security, reduces attack surfaces, and ensures adherence to internal policies and regulatory standards.
B) Sticky Keys is an accessibility feature and cannot manage USB device access or enforce policies. It provides no malware prevention functionality.
C) Paint is a graphics application and cannot enforce device restrictions, block unauthorized media, or provide audit logging. It provides no enterprise security functionality.
D) Windows Calculator performs arithmetic calculations and cannot control removable storage or enforce policies. It offers no protection against malware propagation.
Group Policy Device Installation Restrictions is correct because it blocks unauthorized removable devices, enforces centralized policies, logs attempted access, and ensures enterprise-wide protection against malware and data exfiltration.
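The allow-list behaviour described in Questions 95 and 100 can be inspected on an endpoint by comparing connected USB devices with the policy values that Group Policy writes to the registry. The script below is an added example, not part of the original question set. It covers only the hardware ID allow list, not the device class settings.

```powershell
# Added example (not from the original page): read-only audit of Device Installation Restrictions.
$base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$policy = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue

# The allow list is stored as numbered string values under the AllowDeviceIDs subkey.
$allowKey = Join-Path -Path $base -ChildPath 'AllowDeviceIDs'
$allowed  = @()
if (Test-Path -Path $allowKey) {
    $key     = Get-Item -Path $allowKey
    $allowed = @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
}

# Present USB devices; a device is covered when any hardware or compatible ID is on the list.
$devices = Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -like 'USB\VID_*' }

$report = foreach ($dev in $devices) {
    $ids   = @(@($dev.HardwareID) + @($dev.CompatibleID) | Where-Object { $_ })
    $match = @($ids | Where-Object { $allowed -contains $_ })   # -contains ignores case
    [pscustomobject]@{
        FriendlyName = $dev.FriendlyName
        Class        = $dev.Class
        InstanceId   = $dev.InstanceId
        OnAllowList  = $match.Count -gt 0
        MatchedId    = $match | Select-Object -First 1
    }
}

# Policy summary: default-deny plus an enabled allow list is the posture the answer describes.
[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    DenyUnspecified    = $policy.DenyUnspecified -eq 1
    AllowListEnabled   = $policy.AllowDeviceIDs -eq 1
    AllowListEntries   = $allowed.Count
    DevicesNotOnList   = @($report | Where-Object { -not $_.OnAllowList }).Count
}

# Devices to review: connected now but not matched by any allow-list entry.
$report | Where-Object { -not $_.OnAllowList } | Format-Table -AutoSize
```

Installation restrictions are evaluated when a device is installed, so a device listed as not on the allow list may have been installed before the policy applied.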
