CCNA Windows Security Settings Questions

30 questions · Windows Security Settings topic · All types, answers revealed

1
MCQ · hard

A user reports that their Windows 10 computer is displaying a 'Your IT department has limited access to some features of this app' message when trying to run a legacy application. The application worked before the latest Windows update. Which security feature is most likely causing this issue?

A. Windows Defender Firewall with Advanced Security
B. Windows Defender Application Guard
C. User Account Control (UAC)
D. BitLocker Drive Encryption
Answer: B

Application Guard uses container technology to isolate untrusted apps, and the message is typical when an app tries to access resources outside the container.

Why this answer

This question tests knowledge of Windows Defender Application Guard and Windows Sandbox features. The message indicates that Application Guard is blocking the app from accessing certain resources. Application Guard uses hardware isolation to run untrusted applications in a container, and updates may change its default behavior or policies.

2
MCQ · hard

A security administrator needs to prevent users from running unauthorized software on Windows 10 Enterprise workstations. They want to allow only applications that are signed by approved publishers. Which Windows security feature should be configured?

A. Windows Defender Firewall with Advanced Security
B. BitLocker Drive Encryption
C. Windows Defender Application Control (WDAC)
D. User Account Control (UAC)
Answer: C

WDAC uses code integrity policies to allow only approved, signed applications to run, meeting the requirement exactly.

Why this answer

This question tests knowledge of Windows Defender Application Control (WDAC) and AppLocker. WDAC is a more modern and secure solution that can enforce code integrity policies based on publisher signatures, while AppLocker is a legacy feature. WDAC can be configured to allow only signed apps from trusted publishers, providing strong application control.

3
MCQ · hard

After a security incident, a forensic analyst needs to review the event logs on a Windows 10 system to determine when a specific user account was created. The logs are intact. Which Windows security setting must be enabled to ensure that account creation events are recorded?

A. Enable 'Audit Logon Events' in Local Security Policy.
B. Enable 'Audit Account Management' in Advanced Audit Policy.
C. Turn on 'File and Printer Sharing' in Network and Sharing Center.
D. Configure Windows Defender to scan for new accounts.
Answer: B

This setting specifically logs account creation, modification, and deletion events.

Why this answer

Audit Account Management policy must be enabled to log events like user account creation. This is configured in Local Security Policy or Group Policy under Advanced Audit Policy Configuration. Without this audit setting, account creation events are not recorded in the Security log.

4
MCQ · medium

A technician is configuring a Windows 10 kiosk machine that will run a single web application in full-screen mode. The machine must not allow users to access the desktop, taskbar, or other apps. Which Windows security feature should be used to accomplish this?

A. Local Group Policy to hide the taskbar.
B. User Account Control set to 'Always notify.'
C. Windows Defender Application Guard
D. Assigned Access (Kiosk Mode)
Answer: D

This feature locks the device to a single app, providing the required security and restriction.

Why this answer

Assigned Access (formerly Kiosk Mode) in Windows 10/11 allows a device to run a single app in full-screen, locking down the system. It can be configured via Settings > Accounts > Other users > Set up a kiosk. This ensures users cannot exit the app or access other parts of the OS.

5
MCQ · medium

During a security audit, you discover that a Windows 10 workstation has a weak local administrator password. The company policy requires all local admin passwords to be at least 12 characters with complexity. Which tool can enforce this policy for all future password changes on that workstation?

A. Local Users and Groups (lusrmgr.msc)
B. Local Security Policy (secpol.msc)
C. Registry Editor (regedit)
D. Windows Defender Firewall with Advanced Security
Answer: B

This tool provides granular control over security policies, including password requirements.

Why this answer

Local Security Policy (secpol.msc) allows configuring password policies like minimum length and complexity for local accounts. This is applied via Account Policies > Password Policy. It ensures that any new password meets the requirements.

6
MCQ · easy

A company policy requires that all USB flash drives be automatically scanned for malware when inserted. Which Windows security setting should be configured to enforce this?

A. Enable Windows Defender Real-time Protection
B. Configure BitLocker To Go
C. Enable Windows Firewall
D. Set User Account Control to Always Notify
Answer: A

Real-time protection monitors file activity, including when a USB drive is inserted, and automatically scans for malware.

Why this answer

Windows Defender Antivirus can be configured to scan removable drives upon insertion via Group Policy or the Windows Security app. This ensures automatic malware scanning without user intervention.

7
MCQ · medium

A small business wants to ensure that all employees use strong passwords that include uppercase, lowercase, numbers, and special characters, and that passwords expire every 60 days. Which tool should be used to enforce these settings on a standalone Windows 10 workstation?

A. Local Users and Groups (lusrmgr.msc)
B. Local Security Policy (secpol.msc)
C. Windows Defender Firewall with Advanced Security
D. Device Manager
Answer: B

This tool provides access to Account Policies, including password complexity and expiration settings.

Why this answer

Local Group Policy Editor (gpedit.msc) allows configuration of password policies on standalone systems. Password must meet complexity requirements and maximum password age can be set to 60 days.

8
MCQ · easy

A small business owner wants to prevent employees from changing system time, installing printers, and modifying power settings on their Windows 10 workstations. They do not want to remove local admin rights entirely. Which Windows security tool should be used to apply these restrictions?

A. Windows Defender Security Center
B. Local Users and Groups (lusrmgr.msc)
C. Local Group Policy Editor (gpedit.msc)
D. Registry Editor (regedit)
Answer: C

Group Policy can enforce specific restrictions on user actions without removing admin rights.

Why this answer

Local Group Policy Editor (gpedit.msc) allows granular control over user permissions and system settings without removing admin rights. It can restrict specific actions like changing time or installing printers via Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

9
MCQ · easy

A user reports that their Windows 10 computer is displaying a message that 'Windows Defender Antivirus is turned off' even though they have not disabled it. They have also noticed that they cannot open the Windows Security app. What is the most likely cause?

A. Windows Defender is disabled via Group Policy
B. The computer is infected with malware
C. Windows needs a critical update
D. User Account Control is blocking the app
Answer: B

Malware often disables security software and blocks access to security tools to prevent removal.

Why this answer

Malware often disables antivirus software and blocks access to security tools to avoid detection. This is a common sign of infection, and a boot-time scan or offline scan should be performed.

10
MCQ · easy

A user reports that after a recent Windows update, their standard user account can no longer install certain applications that previously installed without issue. The update changed the default User Account Control (UAC) behavior. Which UAC setting would most likely restore the previous behavior while still prompting for consent?

A. Always notify me (dim my desktop)
B. Notify me only when apps try to make changes to my computer (do not dim my desktop)
C. Notify me only when apps try to make changes to my computer (dim my desktop)
D. Never notify me
Answer: B

This is the default setting for standard users and allows prompts without the secure desktop, which matches the described previous behavior.

Why this answer

This question tests knowledge of User Account Control (UAC) levels and their impact on standard users. The 'Notify me only when apps try to make changes to my computer (do not dim my desktop)' setting allows standard users to be prompted for credentials without the secure desktop, which is the default behavior that was likely changed. Understanding the four UAC notification levels is essential for troubleshooting permission-related issues after updates.

11
MCQ · medium

A technician is configuring a Windows 10 kiosk system that will run a single application in a public library. The kiosk must automatically log on and start the app without any user interaction. Which security setting combination is required?

A. Enable 'Sticky Keys' and configure the 'Ease of Access' settings
B. Configure 'Automatic logon' in the registry and enable 'Assigned Access' for the kiosk account
C. Set the 'Shutdown: Allow system to be shut down without having to log on' policy
D. Enable 'User Account Control: Run all administrators in Admin Approval Mode'
Answer: B

Automatic logon allows the system to boot directly to the desktop, and Assigned Access restricts the user to a single app, creating a proper kiosk environment.

Why this answer

This question tests knowledge of kiosk mode configuration. Windows 10 supports 'Assigned Access' which can be configured to automatically log on a specified user account and launch a single app. This requires enabling the 'Automatic logon' setting in the registry or via the 'netplwiz' tool, and then configuring Assigned Access for that account.

12
MCQ · medium

A company uses AppLocker to control which applications can run on Windows 10 workstations. A user needs to run a portable application from a USB drive for a presentation, but it is blocked by AppLocker. The user has local admin rights. What is the best way to allow this specific application while maintaining security?

A. Temporarily disable AppLocker service.
B. Add the user to the 'Power Users' group.
C. Create a new AppLocker path rule for the USB drive.
D. Run the application as Administrator.
Answer: C

This allows the specific app while keeping other restrictions in place.

Why this answer

AppLocker can be configured with rules based on file path, publisher, or hash. Creating a path rule for the USB drive or a hash rule for the specific executable allows the app while still blocking others. This is more secure than disabling AppLocker or giving the user permanent exceptions.

13
MCQ · hard

A company's security policy requires that all Windows 10 workstations automatically lock the screen after 5 minutes of inactivity. However, users in the sales department often leave their desks for extended periods. A technician configures the 'Interactive logon: Machine inactivity limit' policy to 300 seconds. Despite this, the screensaver does not activate. What is the most likely reason?

A. The 'Screen saver timeout' policy is set to a longer duration
B. The 'Password protect the screensaver' setting is disabled
C. The screensaver is not enabled or configured on the workstations
D. The 'Turn off the display' power setting is set to 'Never'
Answer: C

The 'Machine inactivity limit' policy locks the workstation but does not automatically start a screensaver; the screensaver must be enabled separately via Group Policy or local settings.

Why this answer

This question tests understanding of the relationship between the 'Interactive logon: Machine inactivity limit' policy and screensaver settings. The policy locks the workstation after the specified idle time, but it does not automatically enable the screensaver. The screensaver must be separately configured and enabled, or the lock screen will appear without a screensaver.

14
MCQ · medium

A user reports that their Windows 10 laptop shows a blue screen with an error message about 'Driver IRQL not less or equal' after connecting a new external hard drive. They need to use the drive for work. Which security setting should you check to ensure driver installation is not blocked?

A. Check if Secure Boot is enabled in UEFI.
B. Verify that User Account Control is set to 'Notify me only when apps try to make changes.'
C. Disable Driver Signature Enforcement temporarily.
D. Run Windows Update to find a signed driver.
Answer: C

This allows unsigned drivers to load, which can resolve the blue screen if the driver is the cause.

Why this answer

Driver Signature Enforcement ensures that only drivers with a valid digital signature can be installed. If a driver is unsigned or has an invalid signature, Windows may block it, causing errors. This setting is part of Windows security and can be temporarily disabled for troubleshooting.

15
MCQ · medium

A technician is configuring a new Windows 10 kiosk computer that will run a single application for public use. They need to prevent users from accessing the desktop, taskbar, or other system functions. Which Windows security feature should be used?

A. User Account Control (UAC) set to highest level
B. Local Group Policy – Software Restriction Policies
C. Windows Defender Application Guard
D. Assigned Access (Kiosk Mode)
Answer: D

Assigned Access restricts the user to a single app and hides system interfaces.

Why this answer

Assigned Access (Kiosk Mode) locks down the device to run only one app and restricts access to other system features. It is designed for public or kiosk scenarios.

16
MCQ · hard

A company laptop was stolen, and the IT department needs to ensure that the data on the device cannot be accessed. The laptop had BitLocker enabled, but the drive was unlocked when stolen. What additional security measure could have prevented data access in this scenario?

A. Enable Windows Defender Firewall
B. Configure BitLocker with a startup PIN
C. Use a strong user password
D. Enable System Restore
Answer: B

A startup PIN requires authentication before the OS loads, protecting data even if the device is powered on.

Why this answer

BitLocker protects data when the system is off. If the laptop was unlocked, data is accessible. A pre-boot authentication PIN or password ensures that even if the device is powered on, the drive remains locked until the PIN is entered.

17
MCQ · medium

A user reports that after a recent Windows update, they can no longer install a legacy application that requires write access to the Program Files folder. The user is a local administrator. What Windows security setting is most likely blocking the installation?

A. BitLocker Drive Encryption
B. User Account Control (UAC)
C. Windows Defender Firewall
D. Group Policy Software Restrictions
Answer: B

UAC protects system integrity by prompting for elevated permissions, even for administrators, when changes affect protected areas like Program Files.

Why this answer

User Account Control (UAC) prompts for consent or credentials even for administrators when changes require elevated permissions, such as writing to protected folders like Program Files. Disabling UAC or running the installer as administrator can resolve this.

18
MCQ · hard

A user complains that their Windows 10 computer is running slowly and they see frequent pop-ups from an unknown program. After running a full antivirus scan, nothing is detected. Which Windows security feature should you use to investigate and remove potentially unwanted software?

A. Windows Defender Firewall
B. Windows Defender Offline Scan
C. System Restore
D. User Account Control (UAC)
Answer: B

This runs outside of Windows to catch deeply hidden malware that standard scans cannot detect.

Why this answer

Windows Defender Offline Scan boots from a trusted environment to detect and remove persistent malware that standard scans miss. It is ideal for rootkits or stubborn infections that hide from a live OS.

19
MCQ · hard

A Windows 11 workstation is infected with ransomware that encrypted user files. The IT security team wants to prevent future infections by restricting which processes can modify files in user profile folders. Which Windows security feature can enforce such restrictions without third-party software?

A. NTFS permissions set to 'Read-only' for all users.
B. AppLocker with a deny rule for unknown executables.
C. Controlled Folder Access
D. BitLocker with TPM protection
Answer: C

This feature specifically protects folders from unauthorized apps, including ransomware.

Why this answer

Controlled Folder Access (part of Windows Defender Exploit Guard) allows only trusted apps to access protected folders like Documents, Pictures, etc. It can be configured via Windows Security > Virus & threat protection > Ransomware protection. This effectively blocks ransomware from encrypting files.

20
MCQ · hard

An organization uses Windows 10 and wants to prevent users from installing unauthorized software. They have configured Software Restriction Policies via Group Policy. However, a user bypassed the policy by renaming the executable. What additional measure should be taken to enforce the restriction?

A. Enable Windows Defender Real-time Protection
B. Use AppLocker with publisher rules
C. Set User Account Control to Always Notify
D. Enable BitLocker
Answer: B

AppLocker publisher rules validate software by digital signature, making renaming ineffective.

Why this answer

Software Restriction Policies can be bypassed by renaming executables. Using AppLocker with publisher rules (based on digital signatures) prevents this because it identifies software by its certificate, not file name.

21
MCQ · easy

A small business owner wants to ensure that only authorized USB storage devices can be used on company laptops running Windows 10 Pro. They have a list of approved device hardware IDs. Which security policy should be configured to enforce this restriction?

A. Enable the 'Removable Storage Access' policy under Windows Components
B. Configure the 'Devices: Restrict CD-ROM access to locally logged-on user only' policy
C. Set the 'Deny all devices' policy under Device Installation Restrictions
D. Configure the 'Allow installation of devices that match any of these device IDs' policy under Device Installation Restrictions
Answer: D

This policy allows specifying approved hardware IDs, effectively blocking all other USB storage devices while permitting the authorized ones.

Why this answer

This question covers device installation restrictions via Group Policy or Local Security Policy. The 'Allow installation of devices that match any of these device IDs' policy can be configured with a list of approved hardware IDs, blocking all others. This is a common method for controlling USB device usage in enterprise environments.

22
MCQ · medium

A user reports that they cannot access a shared folder on the network, but other users can. The folder is on a Windows 10 Pro workstation. What should you check first to resolve this issue?

A. Check the Windows Defender Firewall settings
B. Check the NTFS permissions on the folder
C. Check the user’s password expiration status
D. Check the User Account Control settings
Answer: B

NTFS permissions can explicitly deny a user, causing access issues for that individual.

Why this answer

NTFS permissions control access at the file system level, while share permissions control network access. A user-specific deny entry on the NTFS permissions can block an individual user while allowing others.

23
MCQ · medium

After a security incident, a forensic analyst needs to ensure that Windows 10 audit logs capture all successful and failed attempts to access the 'Confidential' folder on a file server. Which audit policy configuration is required?

A. Enable 'Audit account logon events' for success and failure
B. Enable 'Audit object access' and configure the SACL on the folder
C. Enable 'Audit privilege use' for success and failure
D. Enable 'Audit process tracking' for success and failure
Answer: B

Audit object access must be enabled, and a System Access Control List (SACL) must be configured on the folder to specify which access attempts (success/failure) to log.

Why this answer

This question tests understanding of advanced audit policies. To log file access, you need to enable 'Audit File Share' or 'Audit Detailed File Share' under Advanced Audit Policy. The 'Object Access' subcategory must be configured to log both success and failure events for file share access.

24
MCQ · medium

A user calls the help desk complaining that they cannot change their Windows 10 password even though they know the current password. The user is a member of the 'Users' group on a domain-joined computer. What is the most likely cause?

A. The user does not have 'Change Password' permission on their own account.
B. The 'User must change password at next logon' flag is set.
C. The 'Password must meet complexity requirements' policy is preventing the new password from being accepted.
D. The local Security Accounts Manager (SAM) database is corrupted.
Answer: C

If the new password does not meet complexity requirements (e.g., length, character types), the system will reject the change even if the user knows the current password.

Why this answer

This question tests knowledge of password policies and user permissions. In a domain environment, password policies are typically enforced by the domain controller, not the local machine. The 'Password must meet complexity requirements' policy may be enabled, and the user's new password might not meet those requirements, even though they know the current password.

25
MCQ · medium

A company is migrating from Workgroup to Domain. After joining a Windows 10 computer to the domain, users report that they can no longer log on using their local user accounts. What setting in Local Security Policy is most likely causing this behavior?

A. The 'Network access: Do not allow anonymous enumeration of SAM accounts' policy
B. The 'Deny log on locally' user rights assignment includes the 'Guests' group
C. The 'Deny log on locally' user rights assignment includes the 'Users' group
D. The 'Interactive logon: Do not display last user name' policy is enabled
Answer: C

If the domain policy adds the 'Users' group to this setting, it will block all local user accounts (which are members of the local Users group) from logging on interactively.

Why this answer

This question tests understanding of the 'Deny log on locally' user rights assignment. When a computer joins a domain, domain policies may override local settings, and the 'Deny log on locally' policy can be configured to block local accounts. This is a common security measure to enforce domain-only authentication.

26
MCQ · easy

A user wants to encrypt a USB flash drive so that if it is lost, the data cannot be read on another computer. The USB drive will be used on both Windows 10 and Windows 11 devices. Which Windows feature should be used?

A. EFS (Encrypting File System)
B. BitLocker To Go
C. Windows Defender Encryption
D. Secure Boot
Answer: B

BitLocker To Go is designed for encrypting removable drives and works across Windows 10/11.

Why this answer

BitLocker To Go allows encryption of removable drives like USB flash drives. It is available in Pro and Enterprise editions of Windows and provides strong protection. The encrypted drive can be accessed on other Windows systems with the password or recovery key.

27
MCQ · easy

During a security audit, you discover that a Windows 10 workstation has the 'Store passwords and credentials using reversible encryption' policy enabled. What is the primary security risk associated with this setting?

A. It increases the time required to log on to the system.
B. It allows users to bypass the password complexity requirement.
C. It stores passwords in a format that can be easily decrypted, making them vulnerable if the database is compromised.
D. It prevents the use of biometric authentication methods.
Answer: C

This is the core risk: reversible encryption allows passwords to be recovered as plaintext, which is a major security vulnerability.

Why this answer

This question tests understanding of password storage policies. Reversible encryption means passwords are stored in a format that can be decrypted back to plaintext, which is a significant security risk if an attacker gains access to the SAM database. This setting should only be enabled when required by specific applications, such as those using CHAP authentication.

28
MCQ · easy

After deploying a new Windows 11 update, several users complain that they can no longer access shared folders on the network. You verify that network discovery and file sharing are enabled. Which Windows security setting should you check first to resolve this issue?

A. Check if the users are in the 'Remote Desktop Users' group.
B. Verify that the 'Password Protected Sharing' option is turned off.
C. Review Windows Defender Firewall rules for 'File and Printer Sharing.'
D. Run Windows Update to install additional patches.
Answer: C

The firewall controls network traffic; if the rule is blocked, file sharing will fail.

Why this answer

Windows Defender Firewall can block file and printer sharing even if sharing settings are enabled. The 'File and Printer Sharing' inbound rule must be allowed for the appropriate network profile (e.g., Private). This is a common issue after updates that reset firewall rules.

29
MCQ · medium

During a security audit, you discover that a user’s Windows 10 device has allowed multiple failed login attempts without locking the account. Which policy should you adjust to enforce account lockout after 5 failed attempts?

A. Password Policy – Minimum password length
B. Account Lockout Policy – Account lockout threshold
C. User Rights Assignment – Deny log on locally
D. Security Options – Interactive logon: Message text for users attempting to log on
Answer: B

This setting defines the number of failed logins allowed before the account is locked.

Why this answer

Account lockout policies are configured in the Local Security Policy under Account Policies. Setting 'Account lockout threshold' to 5 will lock the account after that many failed attempts, preventing brute-force attacks.

30
MCQ · easy

A user reports that after a recent Windows update, they can no longer install software on their company-issued laptop. When they try to run an installer, they get a message: 'Your system administrator has blocked this program.' The user has local administrator rights on the laptop. Which Windows security setting is most likely causing this issue?

A. Windows Defender Firewall is blocking the installer.
B. User Account Control (UAC) is set to 'Always notify.'
C. BitLocker Drive Encryption is preventing write access.
D. The user's account is not part of the local Administrators group.
Answer: B

UAC with 'Always notify' prompts for consent for any installation, even for local admins, and can block if not approved.

Why this answer

Windows User Account Control (UAC) can be configured to prompt for consent or credentials when software installation is attempted, even for local admins. If UAC is set to 'Always notify,' it will block installations that don't receive explicit approval. The 'blocked by administrator' message often points to UAC or AppLocker, but with local admin rights, UAC is the primary control.
