Download New Updated (Spring 2015) Microsoft 70-687 Actual Tests 171-180




A company has a Windows 8.1 client computer with secure boot enabled. You install a third-party adapter with an Option ROM in the computer.


When you start the computer, it starts in the Windows Recovery Environment (Windows RE).


You need to ensure that the computer starts normally.

What should you do?



A. Configure a system boot password from the system BIOS.

B. Disable C-State configuration from the system BIOS.

C. Replace the third-party adapter with an adapter that is signed by a trusted Certificate Authority (CA).

D. Enable hardware virtualization from the system BIOS.

E. Activate the Trusted Platform Module (TPM).


Answer: C



Secure Boot Overview

Secure Boot is a security standard developed by members of the PC industry to help make sure that your PC boots using only software that is trusted by the PC manufacturer.


When the PC starts, the firmware checks the signature of each piece of boot software, including firmware drivers (Option ROMs) and the operating system. If the signatures are good, the PC boots, and the firmware gives control to the operating system.


Frequently asked questions:


Q: What happens if my new hardware isn’t trusted?

A: Your PC may not be able to boot. There are two kinds of problems that can occur:

The firmware may not trust the operating system, option ROM, driver, or app because it is not trusted by the Secure Boot database.

Some hardware requires kernel-mode drivers that must be signed. Note: many older 32-bit (x86) drivers are not signed, because kernel-mode driver signing is a recent requirement for Secure Boot.


Q: How can I add hardware or run software or operating systems that haven’t been trusted by my manufacturer?

A: You can check for software updates from Microsoft and/or the PC manufacturer. You can contact your manufacturer to request new hardware or software to be added to the Secure Boot database.

For most PCs, you can disable Secure Boot through the PC’s BIOS.


Q: How do I edit my PC’s Secure Boot database?

A: This can only be done by the PC manufacturer.










A company has a Microsoft Software Assurance with Volume Licensing agreement. All client computers run Windows 8.1.


An employee updates a device driver on his computer and then restarts the computer. Windows does not start successfully. You establish that the updated driver is the cause of the problem.


You need to prevent the updated driver from running on startup, without impacting other drivers or personal data.


What should you do?



A. Use the Windows 8.1 PC Reset feature.

B. Reset the computer to the manufacturer’s system image.

C. Start the computer with the Diagnostic and Recovery Toolset and configure the driver options.

D. Use the File History feature.


Answer: C


Getting Started with DaRT 8.0


How to Get DaRT 8.0

DaRT 8.0 is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is part of Microsoft Software Assurance.

Overview of the Tools in DaRT 8.0


From the Diagnostics and Recovery Toolset window in Microsoft Diagnostics and Recovery Toolset (DaRT) 8.0, you can start any of the individual tools that you include when you create the DaRT 8.0 recovery image.


Exploring the DaRT tools


Hotfix Uninstall

The Hotfix Uninstall Wizard lets you remove hotfixes or service packs from the Windows operating system on the computer that you are repairing. Use this tool when a hotfix or service pack is suspected of preventing the operating system from starting.




You administer an installation of Windows 8.1 that runs as a virtual machine. The virtual machine has one 60-GB fixed size virtual hard disk with a single partition assigned as Volume C.


The virtual machine runs out of disk space. You increase the size of the virtual hard disk file to 200 GB to support an application demand for increased storage on Volume C.


You discover that Volume C is still 60 GB in File Explorer of the virtual machine.


You need to ensure that Volume C is configured to use 200 GB.


What should you do?



A. Configure the Virtual Disk type from fixed size to dynamic disk.

B. From Disk Management of the virtual hard disk, run the Extend the volume action task.

C. From Disk Management of the host computer, extend the Volume

D. Create a new storage space of Simple (no resiliency) type.


Answer: B



Online Virtual Hard Disk Resizing Overview


Expanding a virtual hard disk

Expanding a virtual hard disk increases the disk capacity of the virtual hard disk. However, to make the additional disk space available to the virtual machine requires some extra configuration. From the perspective of the virtual machine, the virtual hard disk expansion is reflected under Disk Manager as an unallocated disk volume. The size of this unallocated volume is the difference between the original virtual hard disk and the nominated size of the expanded virtual hard disk.


To make the full virtual hard disk capacity available to the virtual machine, you need to use Disk Manager to expand the volume within the virtual machine. You can do this by using the Extend Volume Wizard within Disk Manager. After this is complete, you will be able to view the expanded disk capacity in the operating system of the virtual machine.




You administer client computers in your company network. The network includes an Active Directory Domain Services (AD DS) domain.


Employees in the human resources (HR) department are getting new Windows 8.1 Enterprise computers. The HR department uses a line of business (LOB) Windows Store app named Timesheet that is not available in Windows Store.


You need to ensure that all employees in the HR department can use Timesheet on their new computers.


What should you do?



A. Set the Allow all trusted applications to install group policy to Enabled.

B. Set the Turn off the Store application group policy to Enabled.

C. Install and run the Microsoft Deployment Toolkit.

D. Install and run the Windows App Certification Kit.


Answer: A


Currently, the Consumer Preview and Windows Server 8 Beta are classified as “enterprise sideloading enabled.” This means that when a PC is domain joined, it can be configured to accept non-Windows Store apps from their IT admin. Moving forward, this functionality to install non-Windows Store Metro style apps will be available for Windows 8.1 Enterprise Edition and Windows 8.1 Server editions.


On an enterprise sideloading enabled edition, the IT admin needs to verify:

The PC is domain joined.

The group policy is set to “Allow all trusted apps to install”.

The app is signed by a CA that is trusted on the target PCs.


Note: While the Windows Store will be a great way to deploy apps to business customers, there are apps that IT admins will want to distribute directly to the end-users. This option makes sense for custom and proprietary line-of-business (LOB) apps, or enterprise software purchased directly from an ISV.




You are troubleshooting a Windows 8.1 computer. The computer is not joined to a domain.


You are unable to change any of the advanced Internet options, which are shown in the Advanced Internet Options exhibit. (Click the Exhibit button.)




You need to ensure that you can change the advanced Internet options.


What should you do?


A. Use the Group Policy Object Editor.

B. Use the Internet Explorer Administration Kit (IEAK).

C. Run Internet Explorer and use the Settings charm to change options.

D. Run the iexplore -k command.


Answer: A



Open the Local Group Policy Editor

To open the Local Group Policy Editor from the command line: click Start, type gpedit.msc in the Start Search box, and then press ENTER.


Group Policies in Internet Explorer 9

Group Policy provides a secure way to control Microsoft Windows Internet Explorer 9 configurations.


Further Information:


IE Command-Line Options

-k: Starts Internet Explorer in kiosk mode. The browser opens in a maximized window that does not display the address bar, the navigation buttons, or the status bar.

Internet Explorer Administration Kit (IEAK) Information and Downloads


The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment and management of customized Internet Explorer packages.




You administer Windows 8.1 Enterprise client computers in your company network.


You need to prevent users from installing applications published by a specific publisher in Windows Store.


Which type of AppLocker rule should you create?



A. Packaged app

B. Windows Installer






Answer: A



Packaged Apps and Packaged App Installer Rules in AppLocker

Commonly known as Windows apps, packaged apps can be installed through the Microsoft AppStore or can be side loaded using the Windows PowerShell cmdlets if you have an Enterprise license. Packaged apps can be installed by a standard user unlike some desktop applications that sometimes require administrative privileges for installation. In this topic, desktop applications refer to Win32 apps that run on the classic user desktop.


In Windows Server 2012 and Windows 8, AppLocker enforces rules for packaged apps separately from desktop applications. A single AppLocker rule for a packaged app can control both the installation and the running of an app. Because all packaged apps are signed, AppLocker supports only publisher rules for packaged apps. A publisher rule for a packaged app is based on the following attributes of the app:


Publisher name

Package name

Package version


How manage Published (a.k.a Metro) Apps in Windows 8 using Group Policy

Windows 8 is coming REALLY SOON and of course one of the big new things to come with that is the new (Metro) Packaged Apps that run in the start screen. However these apps are very different and do not install like traditional apps to a path or have a true “executable” file to launch the program. Of course enterprises need a way to control these packaged apps and therefore Microsoft has added a new feature Packaged Apps option to the AppLocker feature.




An administrator can use this feature to only allow certain apps to download from the Windows App Store and/or use it to control what inbuilt Packaged Apps are allowed to run.





A company has client computers that run Windows 7. Each employee has two client computers: one at work and one at home.


The company plans to deploy Windows 8.1 to all client computers. You are planning a deployment strategy.


You have the following requirements:


Minimize deployment time.

Ensure that the PC Reset and PC Refresh features can be utilized on all work computers.


You need to plan a deployment strategy that meets the requirements.


What should you do? (To answer, drag the appropriate installation method or methods to the correct location or locations in the answer area. Methods may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.)









A company has an Active Directory Domain Services (AD DS) domain. All company employees work on their personally owned computers, which are not members of the domain. The computers are running Windows XP Home, Windows Vista Business, Windows 7 Home Premium, or Windows 8.1. The company is a volume license subscriber.


The company plans to deploy Group Policies to all computers.


You need to ensure that every employee’s computer is subject to the Group Policies.


What should you do first?



A. Join all the computers to the same homegroup.

B. Start each computer from a USB flash drive on which you have installed Windows To Go.

C. Start each computer from a USB flash drive on which you have installed BitLocker To Go.

D. Join all the computers to the domain.


Answer: B



Deployment Considerations for Windows To Go

From the start, Windows To Go was designed to minimize differences between the user experience of working on a laptop and Windows To Go booted from a USB drive. Given that Windows To Go was designed as an enterprise solution, extra consideration was given to the deployment workflows that enterprises already have in place. Additionally, there has been a focus on minimizing the number of differences in deployment between Windows To Go workspaces and laptop PCs.


Management of Windows To Go using Group Policy

In general, management of Windows To Go workspaces is the same as that for desktop and laptop computers. There are Windows To Go specific Group Policy settings that should be considered as part of Windows To Go deployment. Windows To Go Group Policy settings are located at \\Computer Configuration\Administrative Templates\Windows Components\Portable Operating System\ in the Local Group Policy Editor.


The use of the Store on Windows To Go workspaces that are running Windows 8 can also be controlled by Group Policy. This policy setting is located at \\Computer Configuration\Administrative Templates\Windows Components\Store\ in the Local Group Policy Editor.




A company has Windows 8.1 client computers. The company uses Windows BitLocker Drive Encryption and BitLocker Network Unlock on all client computers.


You need to collect information about BitLocker Network Unlock status.


Which command should you run?



A. Run the BitLockerWizard command.

B. Run the bitsadmin command.

C. Run the manage-bde command.

D. Run the BdeHdCfg command.


Answer: C



BitLocker: How to enable Network Unlock

Network Unlock was introduced in Windows 8 and Windows Server 2012 as a BitLocker protector option for operating system volumes. Network Unlock enables easier management for BitLocker enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware.


Without Network Unlock, operating system volumes protected by TPM+PIN protectors require a PIN to be entered when a computer reboots or resumes from hibernation (for example, by Wake on LAN). This can make it difficult for enterprises to roll out software patches to unattended desktops and remotely administered servers.


Network Unlock allows BitLocker-enabled systems with TPM+PIN and that meet the hardware requirements to boot into Windows without user intervention. Network Unlock works in a similar fashion to the TPM+StartupKey at boot. Rather than needing to read the StartupKey from USB media, however, the key for Network Unlock is composed from a key stored in the TPM and an encrypted network key that is sent to the server, decrypted and returned to the client in a secure session.


Files to gather when troubleshooting BitLocker Network Unlock include:


1. The Windows event logs, specifically the BitLocker event logs and the Microsoft-Windows-Deployment-Services-Diagnostics-Debug log.

2. The DHCP subnet configuration file (if one exists).

3. The output of the BitLocker status on the volume. This can be gathered into a text file using manage-bde -status or Get-BitLockerVolume in Windows PowerShell.

4. Network Monitor capture on the server hosting the WDS role, filtered by client IP address.


Further Information:

There’s no such thing as a BitLockerWizard command.

BdeHdCfg

Prepares a hard drive with the partitions necessary for BitLocker Drive Encryption.


BITSAdmin Tool

BITSAdmin is a command-line tool that you can use to create download or upload jobs and monitor their progress.




You connect a portable Windows 8.1 computer to a corporate network by using a VPN connection.


You are unable to access websites on the Internet only when you are using the VPN connection.


You need to ensure that you can access websites when connected to the corporate network.


What should you do?



A. Configure the VPN connection to use only L2TP/IPSec.

B. In the TCP/IPv4 properties of the VPN connection, disable the Use default gateway on remote network setting.

C. Configure the VPN connection to use only PPTP.

D. In the TCP/IPv4 properties of the VPN connection, enable the Use default gateway on remote network setting.

E. In the TCP/IPv4 properties of the local area connection, disable the Automatic metric setting.


Answer: B


You Cannot Connect to the Internet After You Connect to a VPN Server


After you use a Virtual Private Network (VPN) connection to log on to a server that is running Routing and Remote Access, you may be unable to connect to the Internet.


This issue may occur if you configure the VPN connection to use the default gateway on the remote network. This setting overrides the default gateway settings that you specify in your Transmission Control Protocol/Internet Protocol (TCP/IP) settings.


To resolve this issue, configure the client computers to use the default gateway setting on the local network for Internet traffic and a static route on the remote network for VPN-based traffic.

To disable the Use Default Gateway on Remote Network setting in the VPN dial-up connection item on the client computer:

Double-click My Computer, and then click the Network and Dial-up Connections link.

Right-click the VPN connection that you want to change, and then click Properties. Click the Networking tab, click Internet Protocol (TCP/IP) in the Components checked are used by this connection list, and then click Properties. Click Advanced, and then click to clear the Use default gateway on remote network check box.

Click OK, click OK, and then click OK.


Further information:



Disable Windows TCP/IP Routing Automatic Metric Calculation Feature


TCP/IP, on which the Internet depends, is a packet-switched network that relies on routing to forward data packets to their destination address. Routing, or routeing, is the process of selecting paths in the network along intermediate nodes such as routers, bridges, gateways, firewalls, switches, or hubs, over which to send network traffic.

During routing, the selection of a path is based on a routing metric if there is more than one route to the destination, such as in computers with multiple network cards. Path selection selects or predicts the best and optimized route metric, which is computed by a routing algorithm that takes into account information such as bandwidth, network delay, hop count, path cost, load, MTU, reliability, and communication cost.

In Windows, metric calculation is done automatically for each network interface or connection available. If the automatic metric calculation does not result in the best network performance and routing cost, the user can disable the automatic metric calculation feature and manually set a metric value.

