Retrieves and remounts orphaned images

Option is typically used with the /RevertPendingActions parameter to attempt a system recovery if you experience a boot failure. This operation reverts all pending actions from the previous servicing operations because these actions might be the cause of the boot failure. Note that /RevertPendingActions is not supported on a running operating system or a Windows PE or Windows Recovery Environment (Windows RE) image.

Apply only to Windows Installer applications (.msi files). You cannot, for example, use DISM to obtain information about .exe or .dll files. Also, remember that when you check the applicability of an MSP patch, only the Windows Installer applications for which the patch is applicable will be displayed. One patch can be applied to many installed applications and many patches can be applied to one application.

$OEM$ folders, Packages,

Out-of-box drivers, LangPacks

A. dism /image:c:\images /add-driver /driver:c:\drivers /recurse

B. dism /image:d:\mount /add-driver /driver:c:\drivers /recurse

C. dism /image:c:\images /add-driver /driver:c:\drivers\printer /driver:c:\drivers\scanner

D. dism /image:d:\mount /add-driver /driver:c:\drivers\printer /driver:c:\drivers\scanner

A. dism /image:d:\pemount /get-scratchspace

B. dism /image: d:\pemount /get-targetpath

C. dism /image: d:\pemount /get-profiling

D. dism /image: d:\pemount /enable-profiling

A. /set-syslocale

B. /set-userlocale

C. /set-inputlocale

D. /get-intl

A. dism /image:c:\textfiles\answer /apply-unattend:c:\ mount \unattend.xml

B. dism /image:c:\mount /apply-unattend:c:\textfiles\answer\unattend.xml

C. dism /image:c:\mount /apply:c:\textfiles\answer\unattend.xml

D. dism /image:c:\mount /apply-answer:c:\textfiles\answer\unattend.xml

A. dism /online /get-packageinfo

B. dism /image:c:\mount /get-featureinfo

C. dism /image:c:\mount /get-appinfo

D. dism /image:c:\mount /get-apppatchinfo

Hybrid images mix thin-image and thick-image strategies. In a hybrid image, the disk image is configured to install applications and language packs on first run but automatically installs the applications and language packs from a network source. Hybrid images present most of the advantages of thin images, but they are not complex to develop and do not require a software distribution infrastructure. They do, however, require longer installation times. Hybrid images store applications and language packs on the network but include the commands to install them when you deploy the disk image. This process differs from installing the applications and language packs in the disk image because the image deployment process installations that would typically occur during the disk imaging process is deferred.

Can you add an application to an image using DISM?

You cannot add an application to an image using DISM. You can, however, add an application to an image build in a distribution share in MDT 2010.

Deployment Point Types -

Lab or single-server deployment point

This enables you to use the distribution share to deploy task sequences.

Deployment Point Types -

Separate deployment share 

This creates a new local or remote deployment share that contains a subset of the files in the distribution share. You can choose the images,

device drivers, updates, and applications that are replicated to this type of deployment point.

Deployment Point Types -

Removable media

This creates directories and (optionally) an International

Organization for Standardization (ISO) image that can be installed on removable media such as DVD-ROM, universal serial bus (USB) disk, or USB flash memory so you can perform stand-alone, network-disconnected deployments.

What command-line utility enables you to prestage target computers for system image deployment?

Heartbeat Discovery

Network Discovery

Active Directory User Discovery

Active Directory System Group Discovery

Active Directory Security Group Discovery

Active Directory System Discovery

MDT 2010 enables you to manage and manipulate disk images and to create a distribution

share to distribute an operating system image to other computers on your network. You need to install Windows AIK before you can create or deploy WIM

image files.

WDS uses boot images that enable PXE-compliant computers to boot from the

network and obtain an install image. If a computer is not PXE-compliant, you can boot

it from a discover image on bootable media and WDS can then deploy an install image

to it. Discover images enable you to boot a reference computer and transfer its system

image to WDS, which can then deploy it to other computers.

MDT 2010 can work with WDS in an LTI scenario. To implement ZTI, MDT 2010 requires

that SCCM 2007 and SQL Server are available on the network. MDT 2010 requires that

Windows AIK is installed.

An image that boots a target computer

and enables deployment of the install image. Capture

and discover images are special types of boot image.

In the context of system images, you deploy

an image when you install it on one or more target

computers.

A shared network folder that

contains a system image to be deployed an all the

files, such as unattend answer files, that are part of that deployment.

WDS creates a boot menu that you can use from a PXE-compliant computer booted

from the network to install a system image to that computer. If a target computer is

not PXE-compliant, you can boot it from a discover image to access the boot menu.

A capture image is a type of boot image and appears on the boot menu. If you boot

a reference computer from a capture image, you can capture its system image and

copy it to a WDS server, which can in turn deploy it to other target computers.

The system image (typically a WIM file)

that you deploy to target computers.

In the context of system images you mount an

image by expanding it into a folder so you can obtain

information about it and add or remove features such

as drivers, updates, and language packs.

Fact: Device manager works in read-only mode on a remote computer

You can use Device Manager to manage devices and drivers only on a local computer. On a remote computer, Device Manager works in read-only mode, enabling you to view but not to change that computer’s hardware configuration.

Fact: The procedure to sign a device driver digitally has been deliberately given as a high- level procedure. You typically would do this in a domain, organizational unit, or site.

Fact: A non-administrator can install PnP devices with valid digital signatures linked to

certificates in the Trusted Publishers store. If the device driver is not in the device driver

store, or if it is unsigned, or if the signature is not trusted, administrator credentials are

required to install the device.

Fact: An administrator can prestage a device by placing its driver in the device driver store.

If the device driver is unsigned, the administrator can sign it with a certificate obtained

from an internal CA to allow it to be installed by standard users within an organization.

Fact: You can prevent drivers downloading from Windows Update and automatically

installing.

You can also remove Windows Update from the device driver search path.

You can disable or stop drivers to diagnose driver problems. If a new driver is giving

you problems, you can roll back to a previous driver.

Fact: The Defrag syntax has changed from Windows Vista. Traditionally, examiners have tended

to test things that have changed.

A striped volume uses the free space on more than one physical hard disk to create the

volume. It enables the operating system to write across all disks in small blocks, or stripes,

distributing the load across the disks in the volume. Data is written to a stripe on the first disk,

the next block of data is written to a stripe on the next disk, and so on. The data can be split

into stripe-sized blocks and written to all the disks in the stripe set simultaneously. A striped

(RAID-0) volume requires at least two disks.

A mirrored or RAID-1 volume provides availability and fault tolerance but does not improve

performance. It uses two disks (or two portions on separate disks) that are the same size. Any

changes made to the first disk of a mirror set are also made to its mirror disk. If the first disk

fails, the mirror is broken and the second disk is used until the first is repaired or replaced.

The mirror is then re-created, and the information on the working disk is mirrored on the

repaired disk. The disadvantage of RAID-1 is that you need (for example) two 200-GB disks

to hold 200 GB of data. The advantage is that you can mirror a system disk containing your

operating system.

A striped volume with parity offers high availability, failover protection, and performance

improvement. It requires at least three disks, or equally sized portions of unallocated space

on at least three separate disks. The volume is striped in a similar way to RAID-0, but on

each disk, some of the capacity is used to store parity information, which is compressed

information about the contents of the other disks in the set. Thus, if a disk fails, the data it contained is stored on the other disks in the set,

although there is a performance degradation because the parity information needs to be

decompressed whenever it is accessed. If a replacement disk is installed, its contents can be

regenerated from the parity information on the other disks.

You have selected a volume using the Diskpart tool. What command tells you the

maximum amount by which you can shrink it?

Fact: You can use the Disk Management console or the Diskpart command-line tool to

manage disks, partitions, and volumes on a computer running Windows 7.

Fact: Windows 7 supports basic disks, dynamic disks, the MBR partition type, and the GPT

partition type and allows you to convert from one to the other.

Fact: Windows 7 offers software RAID-0, RAID-1, and RAID-5 volumes. You can also create

simple and spanned volumes. You can shrink or expand a volume without needing to

use third-party tools.

Fact: If a device is not PnP, you need to supply administrator credentials to install it. You can

prestage a device driver and (if necessary) digitally sign it so non-administrators can

install it.

Fact: You can prevent drivers downloading from Windows Update and installing

automatically.

You can also remove the Windows Update site from the search path for

device drivers not in the device driver store. You can update, disable (or stop), uninstall,

or roll back device drivers.

Files on a hard disk can become

fragmented so that they are stored on noncontiguous

areas of the disk. Defragmentation addresses this

problem by rearranging the disk so files are stored in

contiguous areas.

A protected area on disk that contains the

drivers for PnP devices.

An administrator can stage a device driver by

placing it in the driver store. A non-administrator can

then install the device.

Volumes that use disk space on several disks to

implement volumes that offer increased performance, fault tolerance, or both. Windows 7 supports RAID-0,

RAID-1, and RAID-5.

A protected area of a

hard disk that contains the digital certificates that

authenticate signed device drivers.

How do you check the DirectX video card and discover whether the driver is not

WHQL-approved and if there are any other problems?

The Dxdiag tool diagnoses any problems with the video card and will tell you whether the

driver is WHQL approved.

If the problem is not the driver, what tool can you use to determine if there is a resource clash with other hardware?

The Msinfo32 tool lists the resources and tells you what driver uses what resources.

In particular, you should investigate Conflicts/Sharing under Hardware Resources.

The unsigned driver in question worked fine on your test network. You want to test it

again more thoroughly under stress conditions, such as low resources. What tool can

you use to do this?

Which compatibility option should you enable for a program that needs administrative

privileges but that triggers a User Account Control prompt?

You should enable the Run This Program As An Administrator option because this

allows the application to run using elevated privileges. The user is presented with

a User Account Control prompt prior to elevated privileges being granted.

The Application Compatibility Manager allows you to configure, collect, and analyze compatibility data so you can resolve issues prior to deploying Windows 7 in your organization.

The Compatibility Administrator, shown in Figure 5-4, allows you to resolve a large number

of application compatibility issues that might occur when you attempt to deploy an existing

application on Windows 7.

The Internet Explorer Compatibility test tool allows you to test existing Web sites to determine if they have compatibility problems that adversely influence how they will display on Internet Explorer 8, the version of Internet Explorer that ships with Windows 7.

The Setup Analysis Tool monitors the actions taken by application installers and can detect

the following compatibility issues:

n Installation of kernel mode drivers

n Installation of 16-bit components

n Installation of Graphical Identification and Authentication dynamic-link libraries (DLLs)

n Modification of files or registry keys that are guarded by Windows Resource Protection (WRP)

The Standard User Analyzer, shown in Figure 5-6, allows you to test applications to determine

if they might have compatibility issues caused by User Account Control. The Standard User

Analyzer provides data about problematic files and APIs, registry keys, .ini files, tokens,

privileges, namespaces, processes, and other related items that the application uses that

might cause problems when running on a computer with Windows 7 installed.

Fact: An application that functions well on a computer that has Windows XP SP3 installed, but

which does not run normally on Windows 7, might run without a problem if you configure it to use the Windows XP SP3 compatibility mode.

Fact: You can run the Program Compatibility troubleshooter to diagnose common

application compatibility issues.

Fact: Windows 7 has several compatibility modes that allow the majority of existing software

to execute on it.

Fact: The ACT contains several tools that allow you to analyze potential compatibility problems

prior to deploying Windows 7 in your organization.

Fact: You can use the Compatibility Administrator to search for existing compatibility fixes

and compatibility modes that have already been developed for popular applications.

Fact: You can use the Internet Explorer Compatibility Test Tool to check existing Web sites

and applications for compatibility problems that might exist when Internet Explorer 8

is used as a browser.

Windows XP Mode allows you to run applications through a virtualized instance of

Windows XP that runs on Windows 7 Professional, Ultimate, or Enterprise edition.

Software Restriction Policies is a technology available to clients running Windows 7 that is

available in Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008.

You manage Software Restriction Policies through Group Policy. You can find Software

Restriction Policies in the Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies node of a group policy. When you use Software Restriction

Policies, you use the Unrestricted setting to allow an application to execute and the Disallowed

setting to block an application from executing.

Software Restriction Policies are applied in a particular order, with the more explicit rule

types overriding more general rule types. The order of precedence from most specific (hash)

to least specific (default) is as follows:

1. Hash rules

2. Certificate rules

3. Path rules

4. Zone rules

5. Default rules

Fact: In environments that use both Software Restriction Policies and AppLocker, AppLocker

policies take precedence. If you have an AppLocker policy that specifically allows an

application that is blocked by a Software Restriction Policy, the application executes.

Hash rules are like digital fingerprints that identify a unique file. A path rule only

works based on a file name and path, which means that malware can be inserted

into locations covered by path rules and executed.

Fact: Software Restriction Policies can be used on computers running Windows XP, Windows

Vista, Windows Server 2003, Windows Server 2008, and Windows 7.

Fact: You can choose a Software Restriction Policy default rule that blocks all applications

that are not allowed or choose a default rule that allows all applications that are not

subject to any other rules.

Fact: Software Restriction Policy rules that are more specific override rules that are less specific.

A hash rule that sets an application to unrestricted overrides a path rule that sets the same application to Disallowed.

Fact: Hash rules are analogous to digital fingerprints of specific files. You must create a new

hash rule if you apply a software update to a file.

Fact: AppLocker policies can be used only on computers running Windows 7 Enterprise and Ultimate editions.

Fact: AppLocker path and hash rules work in the same way that Software Restriction Policy

path and hash rules work.

Fact: AppLocker publisher rules allow you to create rules based on which vendor digitally

signed an application. You can allow all applications from that vendor, all versions of

a specific application, or just a specific version of a specific application using publisher rules.

Fact: Some AppLocker rule types allow exceptions. Exceptions allow you to exempt a specific

application from the scope of a general AppLocker rule.

Fact: An AppLocker block rule always overrides an AppLocker allow rule. The fallback rule

for AppLocker blocks the execution of any application not explicitly allowed by another

rule.

Fact: AppLocker overrides Software Restriction Policies when both are applied to the same

computer.

Fact: In AppLocker it is not possible to create

a publisher rule due to the lack of digital signature.

Fact: Software Restriction Policies can be used on all versions of Windows and allow you

to create rules based on a file hash, software path, publisher certificate, or network

zone. Software Restriction Policies are applied from the most specific rules to the least

specific. Rules that are more specific override rules that are less specific.

Fact: AppLocker policies can only be used on computers running Windows 7 Enterprise and

Ultimate editions. AppLocker policies can be applied on the basis of publisher identity,

file hash, or software path. AppLocker includes wizards that automatically generate

rules. AppLocker block rules override all other AppLocker rules.

A type of policy that can be used on

Windows 7 Enterprise and Ultimate editions to restrict the execution of applications based on application identity information.

Also known as shims, compatibility

fixes are collected together to create compatibility

modes.

A collection of compatibility fixes,

also known as shims, that allow programs written for

older versions of Windows to run on Windows 7.

A rule that uses a digital fingerprint based

on a file’s binary properties.

A rule that specifies an application or group

of applications by their file location.

A rule that specifies a file or a group of

files based on the digital signature the vendor used to

sign the file.

A type of policy that can be used on all versions of Windows to restrict the execution of applications based on application identity information.

You have purchased a secondhand computer and are connecting it to a hybrid

network that obtains its configuration from DHCP provided by a third-party WAP.

The computer is not wireless-enabled, so you plug it into the Ethernet switch on

the WAP and switch it on. It cannot access the Internet. You use the Ipconfig tool

and discover that the computer has an IP address of 10.1.10.231. You know the

WAP is working properly and the Ethernet connection is okay. What should you

check next?

Check that the computer is set to receive its IPv4 configuration dynamically. It has

not been reconfigured by DHCP on the WAP and its previous owner has probably

configured it statically with the 10.1.10.231 address. You need to reconfigure the

computer to receive its IPv4 settings dynamically.

Fact: IPv4 is responsible for ensuring that a packet sent across an IPv4 network reaches its

destination. DHCP automatically configures computers on a network with their IPv4

configurations. DNS resolves a host name or FQDN to an IP address.

Fact: An IPv4 address identifies a computer (or other network device) on a subnet. A subnet

mask defines the range of IP addresses on a subnet.

Fact: A wired small network that contains more than one computer typically implements

Transmission Control Protocol/Internet Protocol (TCP/IP) configuration through ICS.

Computers and other devices on a wireless or hybrid small network obtain their configurations from the WAP.

Fact: You use the Network And Sharing Center to view computers and devices on a network,

connect to a network, set up a connection or network, and manage network connections.

You can also use the Netsh interface ipv4 command to manage IPv4 networks.

Fact: You can access the Windows Network Diagnostics tool from the Network And Sharing

Center to troubleshoot a faulty network connection. If you fail to connect to a Web

site, you can access the same tool by clicking Diagnose Connection Problems.

Fact: You can use the Ping, Tracert, and Pathping commands to troubleshoot network

connectivity. The Netstat command returns network protocol statistics.

Identifies a single interface within the scope of the unicast address type. Packets addressed to a unicast address are delivered to a single interface.

RFC 2373 allows multiple interfaces to use the same address, provided that these

interfaces appear as a single interface to the IPv6 implementation on the host. This

accommodates load-balancing systems.

Identifies multiple interfaces. Packets addressed to a multicast address are delivered to all interfaces that are identified by the address.

Identifies multiple interfaces. Packets addressed to an anycast address are delivered to the nearest interface identified by the address. The nearest interface is the closest in terms of routing distance, or number of hops. An anycast address is used for

one-to-many communication, with delivery to a single interface.

Fact: IPv6 addresses identify interfaces rather than nodes. A node is identified by any unicast

address that is assigned to one of its interfaces.

Global unicast addresses are the IPv6 equivalent of IPv4 public addresses and are globally

routable and reachable on the IPv6 Internet. These addresses can be aggregated to produce

an efficient routing infrastructure and are therefore sometimes known as aggregatable global

unicast addresses. A global unicast address is unique across the entire IPv6 Internet. (The

region over which an IP address is unique is called the scope of the address.)

Fact: A global unicast address is the IPv6 equivalent of an IPv4 public unicast address, and it

typically starts with a 2. A link-local IPv6 address is equivalent to an IPv4 APIPA address

and it starts with fe8. A site-local IPv6 address is equivalent to an IPv4 private address and

it starts with fec0. The special IPv6 addresses :: and ::1 are equivalent to the IPv4 addresses

0.0.0.0 and 127.0.0.1. Multicast IPv6 addresses start with ff. Anycast addresses are assigned

only to routers and are beyond the scope of the 70-680 examination.

Fact: The 70-680 examination objectives specifically mention Teredo addresses, which are

supported by Microsoft. However the examination is unlikely to ask you to generate

a Teredo address. You might, however, be asked to identify such an address and work out

its included IPv4 address. Fortunately you have access to a scientific calculator during the

examination. You are more likely to be asked to identify a Teredo or a 6to4 address. Both

are public addresses. A Teredo address starts with 2001; a 6to4 address starts with 2002.

What Netsh command lists site IDs?

netsh interface ipv6 show address level=verbose

What Netsh command could you use to identify the IPv6 address of your default router interface?

netsh interface ipv6 show route

Fact: IPv6 supports unicast, multicast, and anycast addresses. Unicast addresses can be

global, site-local, link-local, or special.

Fact: IPv6 is fully supported in Windows 7 and addresses problems such as lack of address

space that are associated with IPv4.

Fact: IPv6 is designed to be backward-compatible, and you can specify IPV4-compatible

addresses such as Teredo and 6to4 addresses.

Tools to configure and troubleshoot IPv6 include Ping, Ipconfig, Tracert, Pathping, and Netsh.

Fact: You can configure IPv6 by using the TCP/IPv6 Properties GUI. You can also use Netsh

interface ipv6 commands to configure IPv6 settings.

Fact: Several 802.11 standards exist in addition to 802.11a, 802.11b, and 802.11c. However, the

standards described in this lesson are those in common use. If you see any other standard

(for example, 802.11d) given as a possible answer in the examination, that answer is almost

certainly wrong.

From which dialog box can you add a new protocol, server service, or client service?

Fact: Problems with wireless connectivity can occur if a computer is within range of two

preferred networks or two networks that have the same SSID. Interference from domestic

devices can also cause problems. You can change the channel that a WAP uses to reduce interference.

Fact: Using an unsecured wireless network can create significant security risks. If you

configure a wireless network, always ensure that it is secure.

You can connect to a wireless network, manage wireless networks, and enable or

disable a wireless adapter through the Network And Sharing Center. You can also use the Netsh wlan command-line utility to mange wireless networks.

Fact: Windows 7 configures the default printer that you specify on a particular network

to be the default whenever you connect to that network. Thus, when you switch networks,

you seamlessly shift default printers. You can configure location-aware printing

and specify default printers for specific networks.

Fact: IPv4 routes packets within a subnet and over an intranetwork. IPv6 performs the same

functions as IPv4 but also addresses the problems associated with the earlier protocol,

such as lack of address space.

The IP address to which a host on

a subnet sends a packet (or IP packet) when the packet’s destination IP address is not on the local subnet. The default gateway address is usually an interface belonging to the border router of LAN. In the case of a SOHO or small test network, the default gateway is the static IP address of the WAP or the ICS computer.

An IPv6 address that identifies a device

on the Internet. Global addresses must be unique on

the Internet.

(IPv4 or IPv6) A unique address on

a computer network that devices use in order to

identify and communicate with each other.

The fundamental unit of information passed

across any IP network. An IP packet contains source and destination addresses along with data and a number of fields that define such things as the length of the packet, the header checksum, and flags that indicate whether the packet can be (or has been) fragmented.

A wireless network

to which a wireless client attempts to connect and

authenticate. Typically, the list of preferred networks

contains networks to which the client has previously

connected listed in order of preference.

An IPv4 address that identifies a

device on the Internet (or is allocated to a LAN). Public addresses must be unique on the Internet.

An identifiably separate part of an

organization’s network. Typically, a subnet might

represent all the computers at one geographic location, in one building, or on the same LAN. An IPv4 address consists of the address of a subnet (subnet address) combined with the address of a device on the subnet (host address).

A number that defines what bits in an

IPv4 address represent the subnet address and what

bits represent the host address.

You can create rules for Windows Firewall only for programs and Windows 7 features. You cannot create rules for Windows Firewall based on port address or service.

Fact: Windows Firewall allows for the creation of basic rules that apply to programs and

Windows 7 features. You cannot configure rule scope or authentication settings for Windows Firewall rules.

Fact: Network profiles allow different sets of firewall rules to apply depending on the

properties of the network connection. The three network profiles are Domain, Public,

and Home Or Work (Private).

Fact: Windows Firewall rules can apply selectively to network profiles. Different network

profiles can apply to different network interfaces at the same time.

Fact: WFAS allows you to configure inbound and outbound firewall rules for ports, programs, and services.

What command do you need to execute on a computer if you want to configure

the Remote Management Service to allow remote management through Windows

PowerShell or WinRS?

You must run the command WinRM quickconfig from an elevated command prompt.

Fact: Remote Desktop allows you to make a connection to a remote computer and view its

desktop as though you were logged on directly.

Fact: When Remote Desktop with Network Level Authentication is enabled, only clients

running Windows Vista and Windows 7 can connect. It is possible to connect using a client running Windows XP with SP3, but it requires special configuration and is not supported by default.

Fact: Standard users must be members of the Remote Desktop Users group before they can

connect to a client running Windows 7 using Remote Desktop.

Fact: You need to run the command WinRM Quickconfig from an elevated command

prompt on a client that you want to manage remotely using either WinRS or Windows

PowerShell. WinRM Quickconfig configures the Windows Remote Management service

and appropriate firewall rules and enables the WinRM listener.

Fact: You can use the winrs –r:hostname command to run a command-line command

remotely on the host named hostname.

Fact: Only Windows PowerShell V2 and later support remote Windows PowerShell. Windows

PowerShell V2 is the default version of Windows PowerShell included with Windows 7.

Fact: You can use the icm hostname command to run PowerShell Command on computer hostname remotely.

A rule that determines connection authentication requirements.

A firewall rule that applies to traffic

directed at the host from an external source.

A firewall rule that applies to traffic

from the host addressed to an external location.

A tool that allows command-line commands to be executed on a remote computer.

Which tool can you use to determine which files and folders that users are accessing remotely on a client running Windows 7 configured with shared folders?

You can use the Shared Folders\Open Files node to determine which files and folders are being accessed remotely on a client running Windows 7.

Remember what permissions to assign a group to allow them to manage their own

documents, but not to manage other documents submitted to a shared printer.

Read Printer: This permission allows a user to print to the printer and rearrange the documents

that they have submitted to the printer.

Fact: HomeGroups can be used on networks that have the Home network location designation. They make it easier to share resources in environments without AD DS.

Fact: Shared folders allow individual folders to be shared. Sharing options for folders are

more detailed than for Libraries.

Fact: You can manage shared folders through the Computer Management console,

Windows Explorer, and the Net Share command. The Computer Management console allows for the centralized administration of shared folders.

Fact: The Read printer permission allows users to control their own documents. The Manage

Documents permission allows users to manage all documents submitted to the printer.

The Manage Printers printer permission allows users to control printer settings and

configure printer permissions.

If you move a folder to a new location on the same volume, do the folder and its contents retain their original NTFS permissions?

Yes. When files or folders are moved to a new location on the same volume, they retain all their original NTFS permissions.

Fact: The Icacls.exe utility can be used to manage NTFS permissions from the command line.

You can use this utility to back up and restore current permissions settings.

Fact: There are six basic NTFS permissions: Read, Write, List Folder Contents, Read & Execute,

Modify, and Full Control. A Deny permission always overrides an Allow permission.

Fact: You can use the Effective Permissions tool to calculate a user’s effective permissions to

a file or folder when she is a member of multiple groups that are assigned permission

to the same resource.

Fact: The most restrictive permission applies when attempting to determine the result of

Share and NTFS permissions.

Fact: When you encrypt a file, it generates an EFS certificate and private key. You can encrypt a file to another user’s account only if that user has an existing EFS certificate.

This command resets the current BranchCache

configuration, disabling and stopping the service, resetting the registry defaults, deleting any cache files, and setting the service start type to Manual. This command also disables any configured BranchCache firewall rules.

This command displays the current service mode,

including whether that service mode is configured using Group Policy, and displays the

current status of the BranchCache service.

This command sets the client to use the Distributed Cache mode, starts the BranchCache service, and changes thestartup type to Manual . It also enables the BranchCache - Content Retrieval (Uses HTTP) and BranchCache – Peer Discovery (Use WSD) firewall rules 

This command sets the client to use the local cache mode, starts the BranchCache service, and changes the startup type to Manual . It does not enable any firewall rules . When you set the local caching mode, the client stores files retrieved over the WAN in a local cache but does not share the contents of that cache with any other clients on the branch office network . It is only possible to set this mode using Netsh.

This command sets the client to use the Hosted Cache mode, specifies the location of the hosted cache server, starts the BranchCache service, and changes its startup type to Manual . It also enables the BranchCache - Content Retrieval (Uses HTTP) and BranchCache – Hosted Cache Client (Uses HTTPS) firewall rules 

A technology that allows files hosted on

remote Windows Server 2008 R2 servers to be cached on a branch office LAN.

A technology that allows the encryption of individual files and folders to specific user accounts.

A feature that allows resource sharing on

home networks.

A virtualized collection of folders that often

contains similar content.

A computer running Windows 7 Enterprise named Waverley has two NTFS-formatted

volumes, volume C and volume D. The folder C:\Share is shared and has 15 subfolders and

hundreds of files. Many of these folders have unique NTFS permissions. You want to move this

folder so that it is hosted on volume D because volume C is running out of space. One of the

users of computer Waverley will be changing to computer Warrandyte. This user has copied

a large number of EFS-encrypted files onto a NTFS-formatted USB flash device. What steps can you take so that the user is able to read the encrypted files on the USB flash device on computer Warrandyte?

You need to export the user’s private key from computer Waverley and import it to computer

Warrandyte.

A computer running Windows 7 Enterprise named Waverley has two NTFS-formatted

volumes, volume C and volume D. The folder C:\Share is shared and has 15 subfolders and

hundreds of files. Many of these folders have unique NTFS permissions. You want to move this

folder so that it is hosted on volume D because volume C is running out of space. One of the

users of computer Waverley will be changing to computer Warrandyte. This user has copied

a large number of EFS-encrypted files onto a NTFS-formatted USB flash device. What steps can you take to ensure that it is possible to recover all files that are encrypted in future?

Create a recovery agent certificate using Cipher.exe. Use the Local Group Policy Editor to assign this certificate as a recovery agent.

A computer running Windows 7 Enterprise named Waverley has two NTFS-formatted

volumes, volume C and volume D. The folder C:\Share is shared and has 15 subfolders and

hundreds of files. Many of these folders have unique NTFS permissions. You want to move this

folder so that it is hosted on volume D because volume C is running out of space. One of the

users of computer Waverley will be changing to computer Warrandyte. This user has copied

a large number of EFS-encrypted files onto a NTFS-formatted USB flash device. What steps can you take to move the shared folder to volume D?

You are trying to make the use of WAN bandwidth between Contoso’s head office in

Melbourne and branch offices in Wangaratta and Traralgon more efficient. All client

computers at Contoso have Windows 7 Enterprise installed. Users turn their computers

on and off during the day. If possible, you want to store any BranchCache data so that it

is always available. There is a Windows Server 2008 R2 RODC at the Traralgon site named

rodc.traralgon.contoso.internal, and there is a Windows Server 2008 RODC named rodc.

wangaratta.contoso.internal at the Wangaratta site. You do not plan on upgrading any server

operating systems in the near future. Which BranchCache mode should you use at the Wangaratta branch office?

You should use Distributed Caching mode in the Wangaratta branch office because you are

unable to deploy a server running Windows Server 2008 R2 to this location and Windows

Server 2008 does not support BranchCache.

You are trying to make the use of WAN bandwidth between Contoso’s head office in

Melbourne and branch offices in Wangaratta and Traralgon more efficient. All client

computers at Contoso have Windows 7 Enterprise installed. Users turn their computers

on and off during the day. If possible, you want to store any BranchCache data so that it

is always available. There is a Windows Server 2008 R2 RODC at the Traralgon site named

rodc.traralgon.contoso.internal, and there is a Windows Server 2008 RODC named rodc.

wangaratta.contoso.internal at the Wangaratta site. You do not plan on upgrading any server

operating systems in the near future. Which BranchCache mode should you use at the Traralgon branch office?

You should configure the Hosted Cache mode at the Traralgon office because this ensures

that a maximum number of files are available in the centralized cache. Hosted Cache allows

the cache to remain online, unlike Distributed Cache, which requires that all clients remain

online. A server running Windows Server 2008 R2 is present at the Traralgon branch office to

support Hosted Cache mode.

You are trying to make the use of WAN bandwidth between Contoso’s head office in

Melbourne and branch offices in Wangaratta and Traralgon more efficient. All client

computers at Contoso have Windows 7 Enterprise installed. Users turn their computers on and off during the day. If possible, you want to store any BranchCache data so that it is always available. There is a Windows Server 2008 R2 RODC at the Traralgon site named rodc.traralgon.contoso.internal, and there is a Windows Server 2008 RODC named rodc. wangaratta.contoso.internal at the Wangaratta site. You do not plan on upgrading any server operating systems in the near future. What steps do you need to take to prepare server rodc.traralgon.contoso.internal to support BranchCache?

Fact: The Runas utility allows you to run programs using alternate credentials. You can use

the /savecred option to store the password associated with these alternate credentials.

Fact: You can use Certmgr.msc, Cipher.exe, or the Manage File Encryption Certificates tool to back up EFS certificates

Fact: Users can create a password reset disk to assist them if they forget their password. Password reset disks must be created before the password is forgotten.

Fact: Members of the local administrators group can reset the passwords of users that have forgotten them.

Fact: Group policies can be configured to enforce multifactor authentication by requiring users to log on with smart cards.

Fact: You can assign rights to users by adding them to the appropriate built-in local group or by assigning them rights through Group Policy.

Two or more different forms of authentication. On Windows 7, this is usually achieved by requiring a smart card and a password.

Privilege Elevation

An increase in rights that allows a user to perform a task that require more rights than those assigned to a standard user.

A special desktop where a user is forced to respond to a UAC prompt before being able to continue using the computer. This works as a security measure to ensure that users are not tricked into providing UAC consent when they do not intend to do so.

You are developing UAC policies for the deployment of clients running Windows 7 at Coho

Vineyard. Administrators often have to help out standard users using remote assistance.

At times, it is necessary for administrators to perform actions that require elevation.

Administrators should have to provide their authentication credentials when performing an

act that triggers an elevation prompt. The administrators should be able to continue using

other parts of the operating system and should not have to respond to the elevation prompt

immediately. All approved applications at Coho Vineyard have been digitally signed by the

application publisher. Which policies do you need to configure to support the elevation requirements for

administrators?

You need to configure the UAC: Behavior Of The Elevation Prompt For Administrators In

Admin Approval Mode policy and set it to Prompt For Credentials. You also need to set

the UAC: Switch To The Secure Desktop When Prompting For Elevation policy to Disabled.

This ensures that administrators are prompted for credentials but do not have to respond

immediately to the prompt.

You are developing UAC policies for the deployment of clients running Windows 7 at Coho Vineyard. Administrators often have to help out standard users using remote assistance. At times, it is necessary for administrators to perform actions that require elevation. Administrators should have to provide their authentication credentials when performing an act that triggers an elevation prompt. The administrators should be able to continue using other parts of the operating system and should not have to respond to the elevation prompt immediately. All approved applications at Coho Vineyard have been digitally signed by the

application publisher. Which policies do you need to configure to support elevation during remote

assistance?

You need to configure the UAC: Behavior Of The Elevation Prompt For Standard Users policy

to ensure that standard users are prompted for credentials when they perform an act that

requires elevation. You also need to configure the UAC: Allow UIAccess Applications To

Prompt For Elevation Without Using Secure Desktop policy. Doing this allows remote user

interaction with the UAC prompt when connected through UIAccess applications.

You are developing UAC policies for the deployment of clients running Windows 7 at Coho

Vineyard. Administrators often have to help out standard users using remote assistance.

At times, it is necessary for administrators to perform actions that require elevation.

Administrators should have to provide their authentication credentials when performing an

act that triggers an elevation prompt. The administrators should be able to continue using

other parts of the operating system and should not have to respond to the elevation prompt

immediately. All approved applications at Coho Vineyard have been digitally signed by the

application publisher. Which policy do you need to configure to ensure that only approved applications can initiate elevation?

You need to configure the UAC: Only Elevate Executables That Are Signed And Validated

policy. You can use this policy because all applications that might require elevation at Coho

Vineyard have digital signatures.

Wingtip Toys has 20 people that have stand-alone computers running Windows 7. One of the

users recently had a problem where he forgot his password. You were able to reset this user’s

password, but the user lost access to several important encrypted documents as well as all

his stored Web site credentials. You are in the process of developing a policy to ensure that

this type of data loss does not happen again. You also want to ensure that users do not keep

the same passwords because several appear to have been using the same password for the

last few months without changing it, even though your company policy states that passwords

should be changed every month. What steps can you take to ensure that users do not lose access to encrypted documents or credentials if their password is reset?

Ensure that users back up their EFS key. This can be done using Cipher.exe, the Manage File Encryption Certificates tool, or through Certmgr.msc. The users should use Credential Manager to back up their stored Web site passwords.

Wingtip Toys has 20 people that have stand-alone computers running Windows 7. One of the

users recently had a problem where he forgot his password. You were able to reset this user’s

password, but the user lost access to several important encrypted documents as well as all

his stored Web site credentials. You are in the process of developing a policy to ensure that

this type of data loss does not happen again. You also want to ensure that users do not keep

the same passwords because several appear to have been using the same password for the

last few months without changing it, even though your company policy states that passwords

should be changed every month. What steps can you take to ensure that users are able to recover their own forgottenpasswords?

Create a password reset disk for each user

Wingtip Toys has 20 people that have stand-alone computers running Windows 7. One of the

users recently had a problem where he forgot his password. You were able to reset this user’s

password, but the user lost access to several important encrypted documents as well as all

his stored Web site credentials. You are in the process of developing a policy to ensure that

this type of data loss does not happen again. You also want to ensure that users do not keep

the same passwords because several appear to have been using the same password for the

last few months without changing it, even though your company policy states that passwords

should be changed every month. What steps can you take to ensure that users regularly change their passwords and do not use the same small number of passwords?

Fact: DirectAccess allows a client running Windows 7 Enterprise or Ultimate edition to connect automatically to a corporate intranet when an active Internet connection is established without requiring user intervention.

If a client running Windows 7 has a public IPv6 address, a direct IPv6 connection is

made. If the client has a public IPv4 address, a connection is made using the 6to4

transition technology. If the client has a private IPv4 address, a connection is made

using the Teredo transition technology. If the client has a private IPv4 address and is behind a firewall that restricts most forms of network traffic, a connection using IP-HTTPS is made.

Fact: DirectAccess clients require computer certificates from a CA that is trusted by the

DirectAccess server. The DirectAccess server requires a certificate from a CA trusted by

the DirectAccess client.

Fact: DirectAccess clients must be members of an AD DS domain. DirectAccess clients must

be members of a special domain security group which has been configured during the

setup of the DirectAccess server.

Fact: A DirectAccess server must run Windows Server 2008 R2. A domain controller running

Windows Server 2008 R2 and a DNS server must also be present on the internal network to support DirectAccess.

PPTP VPNs are the least secure form of VPN. Because PPTP VPNs do not require access to a public key infrastructure (PKI), they are also the most commonly deployed type of VPN. PPTP connections can use the MS-CHAP, MS-CHAPv2, EAP, and PEAP authentication protocols. PPTP connections use MPPE to encrypt PPTP data. PPTP connections provide data confidentiality but do not provide data integrity or data origin authentication. Some older NAT devices do not support PPTP. Windows 7 uses PPTP to support incoming VPN connections.

L2TP /IPsec L2TP/IPsec VPN connections are more secure than PPTP. L2TP/IPsec provides per-packet data origin authentication, data integrity, replay protection, and data confidentiality. L2TP/IPsec uses digital certificates, so it requires access to

a certificate services infrastructure. Most third-party VPN solutions support L2TP/IPsec. L2TP/IPsec cannot be used behind NAT unless the client and server support IPsec NAT Traversal (NAT-T). Windows 7, Windows Server 2003, and Windows

Server 2008 support NAT-T. You can configure L2TP to use either certificate-based authentication

or a pre-shared key by configuring the advanced properties.

SSTP VPN tunnels use port 443, meaning that SSTP VPN traffic can pass across almost all firewalls that allow Internet access, something that is not true of the PPTP, L2TP/IPsec, and IKEv2 VPN protocols. SSTP works by encapsulating PPP traffic over

the SSL channel of the HTTPS protocol. SSTP supports data origin authentication, data

integrity, replay protection, and data confidentiality. You cannot use SSTP through

a Web proxy that requires authentication.

IKEv2 is a VPN protocol new to Windows 7 and is not present in previous versions of Windows. IKEv2 supports IPv6 and the new VPN Reconnect feature. IKEv2 supports Extensible Application Protocol (EAP) and computer certificates for clientside

authentication. This includes Microsoft Protected EAP (PEAP), Microsoft Secured Password (EAP-MSCHAP v2), and Microsoft Smart Card or Other Certificate, as shown in Figure 10-12. IKEv2 does not support POP, CHAP, or MS-CHAPv2 (without EAP) as authentication protocols. IKEv2 supports data origin authentication, data integrity, replay protection, and data confidentiality. IKEv2 uses UDP port 500. When you configure a new Windows 7 VPN connection with the default settings, Windows 7 attempts to make an IKEv2 connection first.

Fact: VPN Reconnect uses the IKEv2 tunneling protocol with the MOBIKE extension. The MOBIKE

extension allows VPN clients to change their Internet addresses without having to renegotiate

authentication with the VPN server. Only VPN servers running Windows Server 2008 R2

support IKEv2. You cannot use IKEv2 if your organization has a routing and remote access

server running Windows Server 2003, Windows Server 2003 R2, or Windows Server 2008.

Fact: The IKEv2 VPN protocol is required if you want to use the VPN Reconnect feature. VPN Reconnect also requires a VPN server running Windows Server 2008 R2.

Fact: The SSTP protocol allows users to access VPNs from behind most firewalls because it uses the same port as HTTPS traffic.

Fact: RD Gateways allow Remote Desktop Connection access to Remote Desktop hosts on

an organization’s internal network without requiring that the external client use a VPN connection. RD Gateway also allows RemoteApp applications to be published to clients on the Internet.

Fact: EAP-MS-CHAPv2 is the strongest password-based authentication protocol, and it is the only password-based authentication protocol that can be used with IKEv2.

Fact: You can create a VPN or dial-up connection using the Create New Connection Wizard, which is available from the Network And Sharing Center.

Fact: Windows 7 can function as a dial-up and VPN server if you configure incoming connections.

Fact: NAP can be used to block remote access connections made by clients running Windows 7

that do not meet designated health benchmarks. These clients can be redirected to remediation networks that contain resources that allow them to become compliant.

Technology that allows clients running

Windows 7 to establish an always-on remote IPv6

connection to an organization’s internal network.

A form of presentation virtualization, where the window of an application that runs on a server is displayed on a client.

Wingtip Toys currently has 40 laptop computers running Windows Vista Business. Wingtip Toys wants to deploy DirectAccess because many of the users of these computers would prefer an automatic connection to the company network when they are in remote locations,

rather than relying on a manual VPN connection. Wingtip Toys wants to replace their existing

server running Windows Server 2003 R2 x64 Routing and Remote Access with a DirectAccess server. This server has two network cards and is assigned two consecutive public IPv4 addresses on the Internet interface. This server is a member of the Wingtiptoys.internal domain. The server has already been assigned the appropriate computer certificates. What steps should Wingtip Toys take to create the DirectAccess server?

Upgrade the server to Windows Server 2008 R2. The rest of the server’s configuration supports DirectAccess because it is a member of the domain, has two consecutive public IP addresses assigned to its Internet interface, and has the appropriate computer certificates installed. You can install the DirectAccess feature on this server once it has been upgraded to the newer operating system.

Wingtip Toys currently has 40 laptop computers running Windows Vista Business. Wingtip

Toys wants to deploy DirectAccess because many of the users of these computers would

prefer an automatic connection to the company network when they are in remote locations,

rather than relying on a manual VPN connection. Wingtip Toys wants to replace their existing

server running Windows Server 2003 R2 x64 Routing and Remote Access with a DirectAccess

server. This server has two network cards and is assigned two consecutive public IPv4 addresses on the Internet interface. This server is a member of the Wingtiptoys.internal domain. The server has already been assigned the appropriate computer certificates. What steps should you take to prepare client computers to use DirectAccess?

Upgrade the client computers to Windows 7 Enterprise or Ultimate edition. Add them to the

security group that you have configured to support DirectAccess. Install computer certificates.

Tailspin Toys is deploying Windows 7 Professional to 300 laptop computers. You want to

ensure that future VPN users will be able to stay connected to their VPN sessions if they switch

from using a public Wi-Fi connection to using the cellular modem cards provided to them

by the company. Users should be able to authenticate with their user names and passwords.

Your existing VPN infrastructure uses NAP. The current Routing and Remote Access server is

running the Windows Server 2008 x64 operating system. This system blocks VPN access to

clients running Windows Vista Professional that do not have the most recent software updates

or antivirus definitions installed. Presently, NAP blocks noncompliant clients from accessing

the network. These clients cannot access the VPN until they connect to the corporate network

directly and are able to download antivirus and software updates. You want to upgrade your

quarantine network so that noncompliant clients can undergo remediation while connected

remotely. Tailspin Toys has an Active Directory Certificate Services deployment. What steps do you need to take to support VPN Reconnect at Tailspin Toys?

Windows 7 Enterprise supports IKEv2 VPNs, though Windows Server 2003 R2 x64 Routing

and Remote Access servers do not. It is necessary to upgrade the Routing and Remote Access

server to Windows Server 2008 R2 to support IKEv2 VPNs.

Tailspin Toys is deploying Windows 7 Professional to 300 laptop computers. You want to

ensure that future VPN users will be able to stay connected to their VPN sessions if they switch

from using a public Wi-Fi connection to using the cellular modem cards provided to them

by the company. Users should be able to authenticate with their user names and passwords.

Your existing VPN infrastructure uses NAP. The current Routing and Remote Access server is

running the Windows Server 2008 x64 operating system. This system blocks VPN access to

clients running Windows Vista Professional that do not have the most recent software updates

or antivirus definitions installed. Presently, NAP blocks noncompliant clients from accessing

the network. These clients cannot access the VPN until they connect to the corporate network

directly and are able to download antivirus and software updates. You want to upgrade your

quarantine network so that noncompliant clients can undergo remediation while connected

remotely. Tailspin Toys has an Active Directory Certificate Services deployment. What additions should you make to the quarantine network so that clients can become compliant?

Install an antivirus update server and a WSUS server on the quarantine network so that clients

can update themselves to become compliant.

Tailspin Toys is deploying Windows 7 Professional to 300 laptop computers. You want to

ensure that future VPN users will be able to stay connected to their VPN sessions if they switch

from using a public Wi-Fi connection to using the cellular modem cards provided to them

by the company. Users should be able to authenticate with their user names and passwords.

Your existing VPN infrastructure uses NAP. The current Routing and Remote Access server is

running the Windows Server 2008 x64 operating system. This system blocks VPN access to

clients running Windows Vista Professional that do not have the most recent software updates

or antivirus definitions installed. Presently, NAP blocks noncompliant clients from accessing

the network. These clients cannot access the VPN until they connect to the corporate network

directly and are able to download antivirus and software updates. You want to upgrade your

quarantine network so that noncompliant clients can undergo remediation while connected

remotely. Tailspin Toys has an Active Directory Certificate Services deployment. Which authentication protocol should you use for Tailspin Toys?

You should use the EAP-MS-CHAPv2 authentication protocol because this allows password

authentication.

Which policy must you configure to allow a computer that does not have a TPM chip (Trusted Platform Module) to use BitLocker with a startup key stored on a compatible USB device?

You must configure the Require Additional Authentication At Startup policy to allow a computer that does not have a TPM chip to use BitLocker with a startup key stored on a compatible USB device.

Fact: BitLocker offers full volume encryption and system protection for computers running

the Enterprise and Ultimate editions of Windows 7.

Fact: TPM chips are required for BitLocker boot integrity protection. TPM PINs can be backed up to AD DS.

Fact: BitLocker can use five different modes: TPM-only, TPM with PIN, TPM with startup key,

TPM with PIN and startup key, and startup key without TPM. The startup key without

TPM mode can be enabled only by configuring Require Additional Authentication At

Startup Group Policy.

Fact: BitLocker To Go provides BitLocker encryption to removable storage devices.

Computers running the Enterprise and Ultimate editions of Windows 7 can configure

removable devices. Computers running other editions of Windows 7 cannot configure

removable devices, but they can read and write data to BitLocker To Go–protected devices.

Fact: BitLocker To Go–protected removable storage devices can be protected with passwords.

Fact: BitLocker To Go storage devices can be accessed from computers running Windows

Vista and Windows XP through a utility named BitLocker To Go Reader if Group Policy

is configured to allow this.

What are some of the differences between transparent caching and BranchCache when it comes to shared folders on remote networks?

Transparent caching does not require file servers running Windows Server 2008 R2. Transparent caching does not use a shared file cache. Windows 7 Professional supports transparent caching. Transparent caching can be used with computers that are not members of a domain.

Fact: Offline Files is a feature of Windows 7 Professional, Enterprise, and Ultimate editions

that allows a user to manipulate a file that is hosted on a shared folder when he is not

connected to the network that hosts the shared folder.

Fact: Offline Files creates a cached copy of the file on the local computer that is synchronized automatically with the file server whenever connectivity to the file server is established.

Fact: Sync Center can be used to perform a manual synchronization of offline files. Sync Center can also be used to resolve synchronization conflicts that occur when an offline file and a shared file are modified during the same period.

Fact: Transparent caching provides automatic caching of files on shared folders that are on

remote networks. Transparently cached files are available only to the local computer

and are not synchronized as offline files are.

Fact: Power Plans control how a computer running Windows 7 uses energy. Normal users can select a power plan to meet their needs without having to elevate privileges.

Fact: The default Windows 7 Power Plan is Balanced. Other plans that ship with Windows 7

include Power Saver and High Performance.

Fact: Powercfg.exe can be used to import and export power policies, allowing you to migrate them between computers.

A data recovery agent is a user account and its associated enrolled certificate that is used for the purposes of data recovery.

The process where files retrieved from remote file servers that exceed a round-trip threshold are cached automatically on the client to speed up access.

Allows files on specially configured

shared folders to be accessed when the computer is not connected to the network.

A user with standard privileges is able to install updates. A user with standard privileges is unable to hide or uninstall updates. A user with standard privileges cannot change update settings.

This policy, shown in Figure 12-16,

allows you to specify the location of an internal update server, such as one running WSUS.

This policy is the only way that you can configure Windows Update to use an alternate

update server. Using this policy, you can specify the update server and the statistics

server. In most cases, these are the same servers. The updates server is where the updates

are downloaded from, and the statistics server is the server where clients report update

installation information.

Fact: Windows Update allows software updates to be downloaded automatically to clients running Windows 7 from the Microsoft Update servers or a local update source, such as a WSUS server.

Fact: You can configure Windows Update to automatically download and install updates,

download and notify the logged-on user that updates are available for installation, or notify the logged-on user that updates are available for download and installation.

Fact: Users with standard privileges are able to install and check for updates using Windows

Update. Only users with administrative privileges are able to change Windows Update settings or change the update source from Microsoft Update to a local WSUS server.

Fact: Users with administrative privileges are able to hide updates. A hidden update is not installed on the computer. A hidden update can be unhidden and installed at a later stage. Users with administrative privileges are able to uninstall previously installed

updates. An uninstalled update becomes available for installation again unless hidden by an administrator.

What steps can users of Internet Explorer take to ensure that there is no record of their browsing session available the next time they open the browser?

Browsing using InPrivate Browsing mode ensures that no record of a browsing session

is available from within Internet Explorer.

Fact: Compatibility View allows pages that do not render correctly in Internet Explorer 8, but which render correctly in Internet Explorer 7, to be displayed properly in Internet Explorer 8. You can configure Compatibility View manually, use a list of Web sites provided by Microsoft and updated through Windows Update, or manually configure

a list of sites that Internet Explorer should use Compatibility View with.

Fact: Security settings are configured primarily by assigning sites to zones. Sites that require

elevated privileges should be assigned to the Trusted Sites zone. Sites that are on the intranet are automatically assigned to the Local Intranet zone, though this may require manual configuration in some circumstances. All other sites are assigned to the Internet zone. The Restricted Sites zone is used only for Web sites that may present

security risks but must be visited.

Fact: Add-ons enhance the functionality of Internet Explorer. Users with standard permissions

can add, remove, and disable add-ons unless configured Group Policy dictates

otherwise. Accelerators allow users to select text on a Web page and then automatically

perform another function, such as translating the text or forwarding it to their blog.

Providers allow additional search providers to be added to the search window.

Fact: InPrivate Browsing stops Internet Explorer from storing information about a browsing session. InPrivate Filtering stops third-party Web sites from gaining data when browsing across multiple sites.

Fact: Internet Explorer provides warnings if a Web site’s address does not match the SSL certificate that it presents to the client, if the certificate has expired, if the certificate has been revoked, or if the certificate has become corrupt.