CCNA Windows Security Settings Questions

30 questions · Windows Security Settings · All types, answers revealed

1
MCQhard

A user reports that their Windows 10 computer is displaying a 'Your IT department has limited access to some features of this app' message when trying to run a legacy application. The application worked before the latest Windows update. Which security feature is most likely causing this issue?

A.Windows Defender Firewall with Advanced Security
B.Windows Defender Application Guard
C.User Account Control (UAC)
D.BitLocker Drive Encryption
AnswerB

Application Guard uses container technology to isolate untrusted apps, and the message is typical when an app tries to access resources outside the container.

Why this answer

Windows Defender Application Guard (WDAG) is a security feature that isolates untrusted applications in a Hyper-V container, restricting their access to system resources. The 'Your IT department has limited access to some features of this app' message indicates that WDAG is blocking the legacy application, likely because the app is not trusted or is being treated as untrusted after a Windows update that tightened WDAG policies.

Exam trap

The common mistake is confusing User Account Control (UAC) with Windows Defender Application Guard. UAC prompts for elevation when an app requires administrator privileges, while Application Guard restricts app features in an isolated container. The message 'Your IT department has limited access to some features of this app' indicates Application Guard is blocking the legacy app.

How to eliminate wrong answers

Option A is wrong because Windows Defender Firewall with Advanced Security controls network traffic based on rules, not application-level feature access within the OS, and would not produce this specific message. Option C is wrong because User Account Control (UAC) prompts for elevation or blocks changes requiring admin rights, but it does not limit access to app features with this message; UAC uses consent prompts, not feature restriction messages. Option D is wrong because BitLocker Drive Encryption encrypts the entire drive to protect data at rest, and does not interact with running applications to limit their features.

2
MCQhard

A security administrator needs to prevent users from running unauthorized software on Windows 10 Enterprise workstations. They want to allow only applications that are signed by approved publishers. Which Windows security feature should be configured?

A.Windows Defender Firewall with Advanced Security
B.BitLocker Drive Encryption
C.Windows Defender Application Control (WDAC)
D.User Account Control (UAC)
AnswerC

WDAC uses code integrity policies to allow only approved, signed applications to run, meeting the requirement exactly.

Why this answer

Windows Defender Application Control (WDAC) is the correct feature because it enforces an application control policy that allows only executables, scripts, and installers signed by approved publishers to run. Unlike AppLocker, WDAC operates at the kernel level and can be configured via Group Policy or MDM to create a trust chain based on the publisher's digital signature, effectively blocking all unauthorized software.

Exam trap

CompTIA often tests the distinction between application control (WDAC/AppLocker) and privilege elevation (UAC), so candidates mistakenly choose UAC because they associate it with blocking software, but UAC only prompts for admin approval, not publisher-based whitelisting.

How to eliminate wrong answers

Option A is wrong because Windows Defender Firewall with Advanced Security controls network traffic based on port, protocol, and IP address rules, not application execution or code signing. Option B is wrong because BitLocker Drive Encryption provides full-disk encryption to protect data at rest but does not enforce any application whitelisting or publisher signing policies. Option D is wrong because User Account Control (UAC) prompts for elevation of privileges but does not restrict which applications can run based on their digital signature or publisher; it only controls administrative consent.

3
MCQhard

After a security incident, a forensic analyst needs to review the event logs on a Windows 10 system to determine when a specific user account was created. The logs are intact. Which Windows security setting must be enabled to ensure that account creation events are recorded?

A.Enable 'Audit Logon Events' in Local Security Policy.
B.Enable 'Audit Account Management' in Advanced Audit Policy.
C.Turn on 'File and Printer Sharing' in Network and Sharing Center.
D.Configure Windows Defender to scan for new accounts.
AnswerB

This setting specifically logs account creation, modification, and deletion events.

Why this answer

Option B is correct because user account creation is an account management event, not a logon event. In Windows 10, the 'Audit Account Management' policy under Advanced Audit Policy Configuration must be enabled to record Security Event ID 4720 (a user account was created). This setting logs all changes to user and group accounts, including creation, modification, and deletion.

Exam trap

The trap here is that candidates confuse 'Audit Logon Events' (which deals with authentication) with 'Audit Account Management' (which deals with account creation and modification), leading them to select the wrong policy for recording account creation.

How to eliminate wrong answers

Option A is wrong because 'Audit Logon Events' records logon/logoff attempts (Event IDs 4624, 4625), not account creation events; account creation falls under account management auditing. Option C is wrong because 'File and Printer Sharing' is a network discovery and sharing feature that has no impact on security event logging or auditing. Option D is wrong because Windows Defender is an antivirus/antimalware solution that does not audit account creation events; it does not generate or record security event logs for user account operations.

4
MCQmedium

A technician is configuring a Windows 10 kiosk machine that will run a single web application in full-screen mode. The machine must not allow users to access the desktop, taskbar, or other apps. Which Windows security feature should be used to accomplish this?

A.Local Group Policy to hide the taskbar.
B.User Account Control set to 'Always notify.'
C.Windows Defender Application Guard
D.Assigned Access (Kiosk Mode)
AnswerD

This feature locks the device to a single app, providing the required security and restriction.

Why this answer

Assigned Access (Kiosk Mode) is the correct Windows security feature because it locks down the device to run a single Universal Windows Platform (UWP) app or a web browser in full-screen mode, preventing users from accessing the desktop, taskbar, or other applications. This feature is specifically designed for kiosk scenarios and enforces a restricted user experience by configuring a local or domain user account to launch only the designated app upon sign-in.

Exam trap

CompTIA A+ often tests the distinction between features that merely hide UI elements (like Group Policy) versus those that enforce a locked-down user experience (like Assigned Access), leading candidates to choose a partial solution like hiding the taskbar instead of the full kiosk mode.

How to eliminate wrong answers

Option A is wrong because Local Group Policy to hide the taskbar only hides the taskbar visually but does not prevent users from accessing the desktop or launching other apps via keyboard shortcuts (e.g., Ctrl+Alt+Del, Alt+Tab, or Win+D). Option B is wrong because User Account Control set to 'Always notify' only prompts for consent or credentials when changes are made to the system; it does not restrict access to the desktop, taskbar, or other applications. Option C is wrong because Windows Defender Application Guard is a hardware-isolated browser container for Microsoft Edge that protects against malicious websites, but it does not enforce a single-app kiosk experience or block access to the desktop or other apps.

5
MCQmedium

During a security audit, you discover that a Windows 10 workstation has a weak local administrator password. The company policy requires all local admin passwords to be at least 12 characters with complexity. Which tool can enforce this policy for all future password changes on that workstation?

A.Local Users and Groups (lusrmgr.msc)
B.Local Security Policy (secpol.msc)
C.Registry Editor (regedit)
D.Windows Defender Firewall with Advanced Security
AnswerB

This tool provides granular control over security policies, including password requirements.

Why this answer

B is correct because the Local Security Policy (secpol.msc) includes the 'Password Policy' settings under Account Policies, where you can configure minimum password length (12 characters) and password complexity requirements. These settings are enforced by the Local Security Authority (LSA) for all future password changes on the workstation, directly aligning with the company policy.

Exam trap

The trap here is that candidates often confuse user account management tools (like lusrmgr.msc) with security policy enforcement tools, thinking they can set password requirements directly in the user properties, when in fact password policies are enforced system-wide via the Local Security Policy.

How to eliminate wrong answers

Option A is wrong because Local Users and Groups (lusrmgr.msc) is used to manage user accounts and groups, not to enforce password policies; it cannot set minimum length or complexity requirements. Option C is wrong because Registry Editor (regedit) can modify password policy values indirectly via registry keys (e.g., under HKLM\SAM), but it is not the intended tool for policy enforcement and lacks the structured interface and validation provided by secpol.msc. Option D is wrong because Windows Defender Firewall with Advanced Security manages network traffic filtering and firewall rules, not local password policies.

6
MCQeasy

A company policy requires that all USB flash drives be automatically scanned for malware when inserted. Which Windows security setting should be configured to enforce this?

A.Enable Windows Defender Real-time Protection
B.Configure BitLocker To Go
C.Enable Windows Firewall
D.Set User Account Control to Always Notify
AnswerA

Real-time protection monitors file activity, including when a USB drive is inserted, and automatically scans for malware.

Why this answer

Windows Defender Real-time Protection (now part of Microsoft Defender Antivirus) automatically scans removable media, including USB flash drives, for malware upon insertion. This setting enforces the company policy by ensuring that any file accessed or executed from the drive is checked against known threat signatures in real time, without requiring manual scans.

Exam trap

The trap here is that candidates confuse encryption (BitLocker To Go) with malware scanning, or assume that network firewalls or UAC can protect against threats introduced via removable media, when only real-time antimalware scanning directly addresses the policy requirement.

How to eliminate wrong answers

Option B is wrong because BitLocker To Go provides encryption for USB drives to protect data at rest, not malware scanning. Option C is wrong because Windows Firewall controls network traffic based on rules and does not scan local storage devices for malware. Option D is wrong because User Account Control (UAC) prompts for administrative consent before system changes but does not perform any malware detection or scanning of inserted media.

7
MCQmedium

A small business wants to ensure that all employees use strong passwords that include uppercase, lowercase, numbers, and special characters, and that passwords expire every 60 days. Which tool should be used to enforce these settings on a standalone Windows 10 workstation?

A.Local Users and Groups (lusrmgr.msc)
B.Local Security Policy (secpol.msc)
C.Windows Defender Firewall with Advanced Security
D.Device Manager
AnswerB

This tool provides access to Account Policies, including password complexity and expiration settings.

Why this answer

The Local Security Policy (secpol.msc) is the correct tool because it provides a centralized interface to configure password policies, such as minimum password length, complexity requirements (uppercase, lowercase, numbers, special characters), and maximum password age (e.g., 60 days). These settings are enforced locally on a standalone Windows 10 workstation through the Security Settings node under Account Policies.

Exam trap

CompTIA A+ often tests the distinction between user account management tools (lusrmgr.msc) and security policy enforcement tools (secpol.msc), leading candidates to mistakenly choose Local Users and Groups for password policy configuration.

How to eliminate wrong answers

Option A is wrong because Local Users and Groups (lusrmgr.msc) is used to manage user accounts and group memberships, not to enforce password complexity or expiration policies. Option C is wrong because Windows Defender Firewall with Advanced Security is designed to control inbound and outbound network traffic rules, not to configure password policies. Option D is wrong because Device Manager is used to manage hardware devices and drivers, not to enforce security settings like password policies.

8
MCQeasy

A small business owner wants to prevent employees from changing system time, installing printers, and modifying power settings on their Windows 10 workstations. They do not want to remove local admin rights entirely. Which Windows security tool should be used to apply these restrictions?

A.Windows Defender Security Center
B.Local Users and Groups (lusrmgr.msc)
C.Local Group Policy Editor (gpedit.msc)
D.Registry Editor (regedit)
AnswerC

Group Policy can enforce specific restrictions on user actions without removing admin rights.

Why this answer

The Local Group Policy Editor (gpedit.msc) allows administrators to configure granular security settings for users and computers without removing local admin rights. Specifically, it can enforce restrictions on system time changes (via 'Change the system time' user right), printer installation (via 'Device Installation Restrictions'), and power settings (via 'Power Management' policies) through Computer Configuration or User Configuration nodes. This tool applies these settings via Group Policy objects that are processed locally, making it the correct choice for non-domain workstations.

Exam trap

A common misconception tested in this exam is that Local Users and Groups (lusrmgr.msc) can enforce granular restrictions like printer installation or power settings, when in reality it only manages group membership and cannot apply detailed policy-based controls.

How to eliminate wrong answers

Option A is wrong because Windows Defender Security Center focuses on antivirus, firewall, and device security features (e.g., exploit protection, app & browser control), not on user permission restrictions like system time or printer installation. Option B is wrong because Local Users and Groups (lusrmgr.msc) manages user accounts and group memberships, but it cannot apply granular policy restrictions such as preventing printer installation or modifying power settings; it only controls membership in groups like Administrators or Users. Option D is wrong because Registry Editor (regedit) directly edits the Windows Registry, which is error-prone, unsupported for policy enforcement, and lacks the structured, auditable interface of Group Policy; it is not a security tool designed for applying consistent restrictions across multiple users.

9
MCQeasy

A user reports that their Windows 10 computer is displaying a message that 'Windows Defender Antivirus is turned off' even though they have not disabled it. They have also noticed that they cannot open the Windows Security app. What is the most likely cause?

A.Windows Defender is disabled via Group Policy
B.The computer is infected with malware
C.Windows needs a critical update
D.User Account Control is blocking the app
AnswerB

Malware often disables security software and blocks access to security tools to prevent removal.

Why this answer

When a user sees 'Windows Defender Antivirus is turned off' and cannot open the Windows Security app, the most likely cause is malware that has disabled the antivirus and blocked access to security settings to prevent removal. Malware often modifies registry keys or terminates Windows Defender services (e.g., WinDefend) to evade detection, and it may also corrupt or block the Windows Security Center UI (SecurityHealthService.exe). This is a common symptom of ransomware or trojans that specifically target Windows Defender.

Exam trap

Candidates may incorrectly attribute this to Group Policy (Option A) because the symptom resembles a managed environment, but malware can achieve the same effect locally. The inability to open the Windows Security app is a key differentiator that points to infection rather than policy.

How to eliminate wrong answers

Option A is wrong because Group Policy disabling Windows Defender would typically prevent it from running, but the user would still be able to open the Windows Security app (it would show a 'managed by your organization' message). Option C is wrong because a critical update might cause temporary issues, but it would not independently disable Defender and block the Security app; updates do not intentionally break security features. Option D is wrong because User Account Control (UAC) prompts for elevation but does not block the Windows Security app from launching; if UAC were the issue, the user would see a prompt, not a complete inability to open the app.

10
MCQeasy

A user reports that after a recent Windows update, their standard user account can no longer install certain applications that previously installed without issue. The update changed the default User Account Control (UAC) behavior. Which UAC setting would most likely restore the previous behavior while still prompting for consent?

A.Always notify me (dim my desktop)
B.Notify me only when apps try to make changes to my computer (do not dim my desktop)
C.Notify me only when apps try to make changes to my computer (dim my desktop)
D.Never notify me
AnswerB

This is the default setting for standard users and allows prompts without the secure desktop, which matches the described previous behavior.

Why this answer

The default UAC behavior in Windows is 'Notify me only when apps try to make changes to my computer (dim my desktop)' — this prompts for consent when an app requests administrative privileges, but does not prompt for standard user account changes that are handled by the system. The update changed the behavior to a more restrictive setting, likely 'Always notify me (dim my desktop)', which prompts for any system change, including those that previously installed without issue. Option B, 'Notify me only when apps try to make changes to my computer (do not dim my desktop)', restores the previous behavior by prompting for consent only when an app attempts to make a change, but without dimming the desktop, which is a less intrusive prompt that still maintains security.

Exam trap

CompTIA often tests the distinction between the 'dim my desktop' and 'do not dim my desktop' variants of the same notification level, where candidates mistakenly think the dimming behavior is tied to the notification frequency rather than the Secure Desktop switch.

How to eliminate wrong answers

Option A is wrong because 'Always notify me (dim my desktop)' is the most restrictive UAC setting, prompting for any change to Windows settings or app installations, which would cause the exact issue the user is experiencing — it does not restore the previous behavior. Option C is wrong because 'Notify me only when apps try to make changes to my computer (dim my desktop)' is the default UAC setting that dims the desktop, but the user's previous behavior was that apps installed without issue, implying the setting was less restrictive (do not dim), so this would still prompt for consent and dim the desktop, not restoring the exact previous behavior. Option D is wrong because 'Never notify me' disables UAC entirely, which would allow any app to install without prompting, but this removes all security prompts and is not a recommended practice — it also does not 'prompt for consent' as the question requires.

11
MCQmedium

A technician is configuring a Windows 10 kiosk system that will run a single application in a public library. The kiosk must automatically log on and start the app without any user interaction. Which security setting combination is required?

A.Enable 'Sticky Keys' and configure the 'Ease of Access' settings
B.Configure 'Automatic logon' in the registry and enable 'Assigned Access' for the kiosk account
C.Set the 'Shutdown: Allow system to be shut down without having to log on' policy
D.Enable 'User Account Control: Run all administrators in Admin Approval Mode'
AnswerB

Automatic logon allows the system to boot directly to the desktop, and Assigned Access restricts the user to a single app, creating a proper kiosk environment.

Why this answer

Option B is correct because configuring 'Automatic logon' in the registry (via the WinLogon key) allows the kiosk to boot directly to the desktop without user interaction, while enabling 'Assigned Access' restricts the kiosk account to running only a single specified Universal Windows Platform (UWP) app, preventing access to the rest of the system. This combination meets the requirement for an unattended, single-application kiosk in a public library.

Exam trap

The trap here is that candidates may confuse 'Automatic logon' with general security policies like shutdown permissions or UAC, or mistakenly think accessibility features can automate logon, when in fact only the registry-based autologon combined with Assigned Access satisfies the unattended single-app requirement.

How to eliminate wrong answers

Option A is wrong because 'Sticky Keys' and 'Ease of Access' settings are accessibility features that modify keyboard input behavior, not security or autologon mechanisms; they cannot automatically log on a user or launch a single app. Option C is wrong because the 'Shutdown: Allow system to be shut down without having to log on' policy (a local security policy) only controls whether the shutdown command is available on the logon screen, not autologon or application restriction. Option D is wrong because 'User Account Control: Run all administrators in Admin Approval Mode' is a UAC setting that affects how administrative privileges are elevated, but it does not enable automatic logon or enforce a single-app kiosk environment.

12
MCQmedium

A company uses AppLocker to control which applications can run on Windows 10 workstations. A user needs to run a portable application from a USB drive for a presentation, but it is blocked by AppLocker. The user has local admin rights. What is the best way to allow this specific application while maintaining security?

A.Temporarily disable AppLocker service.
B.Add the user to the 'Power Users' group.
C.Create a new AppLocker path rule for the USB drive.
D.Run the application as Administrator.
AnswerC

This allows the specific app while keeping other restrictions in place.

Why this answer

AppLocker enforces application control policies regardless of user privileges, including local admin rights. Creating a new path rule for the USB drive allows the specific portable application to run while keeping AppLocker active and maintaining security for other executables. This is the correct approach because it grants a targeted exception without disabling the entire control mechanism.

Exam trap

The trap here is that candidates assume local admin rights can override AppLocker restrictions, but AppLocker operates at a lower security layer that applies to all users, including administrators.

How to eliminate wrong answers

Option A is wrong because temporarily disabling the AppLocker service removes all application control, exposing the system to unauthorized software and violating security policy. Option B is wrong because the 'Power Users' group does not bypass AppLocker rules; AppLocker evaluates rules based on file path, publisher, or hash, not group membership. Option D is wrong because running the application as Administrator does not override AppLocker; AppLocker blocks execution before the process starts, regardless of the user's privilege level.

13
MCQhard

A company's security policy requires that all Windows 10 workstations automatically lock the screen after 5 minutes of inactivity. However, users in the sales department often leave their desks for extended periods. A technician configures the 'Interactive logon: Machine inactivity limit' policy to 300 seconds. Despite this, the screensaver does not activate. What is the most likely reason?

A.The 'Screen saver timeout' policy is set to a longer duration
B.The 'Password protect the screensaver' setting is disabled
C.The screensaver is not enabled or configured on the workstations
D.The 'Turn off the display' power setting is set to 'Never'
AnswerC

The 'Machine inactivity limit' policy locks the workstation but does not automatically start a screensaver; the screensaver must be enabled separately via Group Policy or local settings.

Why this answer

This question tests understanding of the relationship between the 'Interactive logon: Machine inactivity limit' policy and screensaver settings. The policy locks the workstation after the specified idle time, but it does not automatically enable the screensaver. The screensaver must be separately configured and enabled, or the lock screen will appear without a screensaver.

14
MCQmedium

A user reports that their Windows 10 laptop shows a blue screen with an error message about 'Driver IRQL not less or equal' after connecting a new external hard drive. They need to use the drive for work. Which security setting should you check to ensure driver installation is not blocked?

A.Check if Secure Boot is enabled in UEFI.
B.Verify that User Account Control is set to 'Notify me only when apps try to make changes.'
C.Disable Driver Signature Enforcement temporarily.
D.Run Windows Update to find a signed driver.
AnswerC

This allows unsigned drivers to load, which can resolve the blue screen if the driver is the cause.

Why this answer

The 'Driver IRQL not less or equal' blue screen error typically indicates a faulty or unsigned driver. Disabling Driver Signature Enforcement (Option C) allows the installation of an unsigned driver, which is often necessary for older or third-party hardware like an external hard drive. This directly addresses the driver installation being blocked by Windows' driver signature requirements.

Exam trap

CompTIA A+ often tests the confusion between Secure Boot and Driver Signature Enforcement, as both involve driver integrity but operate at different stages (boot-time vs. runtime) and serve distinct purposes.

How to eliminate wrong answers

Option A is wrong because Secure Boot ensures that only trusted bootloaders and drivers are loaded during startup, but it does not block the installation of a driver after the OS is running; the error occurs post-boot. Option B is wrong because User Account Control (UAC) controls administrative consent for software changes, not driver signature enforcement; UAC prompts for elevation but does not block unsigned drivers specifically. Option D is wrong because running Windows Update to find a signed driver assumes a signed driver exists for the device, but the user needs to use the drive immediately, and the error indicates the current driver is problematic; this is a long-term fix, not a direct solution to the installation block.

15
MCQmedium

A technician is configuring a new Windows 10 kiosk computer that will run a single application for public use. They need to prevent users from accessing the desktop, taskbar, or other system functions. Which Windows security feature should be used?

A.User Account Control (UAC) set to highest level
B.Local Group Policy – Software Restriction Policies
C.Windows Defender Application Guard
D.Assigned Access (Kiosk Mode)
AnswerD

Assigned Access restricts the user to a single app and hides system interfaces.

Why this answer

Assigned Access (Kiosk Mode) is the correct feature because it locks down the Windows 10 device to run only a single Universal Windows Platform (UWP) app or a classic Win32 app in full-screen mode, completely hiding the desktop, taskbar, Start menu, and other system interfaces. This is specifically designed for public-facing kiosk scenarios where users must not be able to exit the application or access any other system functions.

Exam trap

A common misconception is that UAC or Software Restriction Policies can provide a full kiosk lockdown, but these features lack the ability to hide the desktop and taskbar or prevent users from launching other applications via keyboard shortcuts or the Start menu.

How to eliminate wrong answers

Option A is wrong because User Account Control (UAC) set to highest level only prompts for consent or credentials when system-level changes are attempted; it does not restrict access to the desktop, taskbar, or other system functions, nor does it enforce a single-app environment. Option B is wrong because Local Group Policy – Software Restriction Policies can block or allow specific executables but does not prevent users from accessing the desktop, taskbar, or system UI; it is a software execution control, not a kiosk lockdown mechanism. Option C is wrong because Windows Defender Application Guard is a hardware-isolated container for running untrusted applications (typically Microsoft Edge) to protect the host OS from malware; it does not restrict user access to the desktop or taskbar and is not designed for kiosk single-app scenarios.

16
MCQhard

A company laptop was stolen, and the IT department needs to ensure that the data on the device cannot be accessed. The laptop had BitLocker enabled, but the drive was unlocked when stolen. What additional security measure could have prevented data access in this scenario?

A.Enable Windows Defender Firewall
B.Configure BitLocker with a startup PIN
C.Use a strong user password
D.Enable System Restore
AnswerB

A startup PIN requires authentication before the OS loads, protecting data even if the device is powered on.

Why this answer

BitLocker with a startup PIN requires the user to enter a PIN before the OS loads, even if the drive was previously unlocked. Since the laptop was stolen while unlocked, the PIN would have prevented the drive from being decrypted after a reboot or power loss, protecting the data from unauthorized access.

Exam trap

CompTIA often tests the misconception that a strong user password or firewall is sufficient to protect data on a stolen device, but the key point is that BitLocker's pre-boot authentication (like a startup PIN) is the only measure that protects data when the drive is unlocked at the time of theft.

How to eliminate wrong answers

Option A is wrong because Windows Defender Firewall controls network traffic and does not encrypt or protect data at rest on the drive; it cannot prevent access to data if the drive is physically stolen. Option C is wrong because a strong user password protects the user account at the OS level, but if the drive is already unlocked (as in this scenario), the password does not encrypt the data—an attacker could bypass the login screen by booting from external media or accessing the drive directly. Option D is wrong because System Restore creates restore points for system files and settings, not encryption; it has no mechanism to prevent data access from a stolen, unlocked drive.

17
MCQmedium

A user reports that after a recent Windows update, they can no longer install a legacy application that requires write access to the Program Files folder. The user is a local administrator. What Windows security setting is most likely blocking the installation?

A.BitLocker Drive Encryption
B.User Account Control (UAC)
C.Windows Defender Firewall
D.Group Policy Software Restrictions
AnswerB

UAC protects system integrity by prompting for elevated permissions, even for administrators, when changes affect protected areas like Program Files.

Why this answer

User Account Control (UAC) is the Windows security feature that prompts for consent or credentials before allowing actions that require administrative privileges, even for local administrators. By default, UAC virtualizes write attempts to protected system locations like Program Files, redirecting them to a per-user virtual store, which can cause legacy applications that expect direct write access to fail. Disabling UAC or running the installer with explicit administrative rights (e.g., right-click 'Run as administrator') typically resolves the issue.

Exam trap

CompTIA often tests the misconception that local administrators always run with full administrative privileges, but UAC's default behavior means even admins operate with a filtered token until they explicitly elevate, causing legacy installers to fail when they attempt to write to protected folders like Program Files.

How to eliminate wrong answers

Option A is wrong because BitLocker Drive Encryption provides full-disk encryption to protect data at rest and does not block write access to the Program Files folder; it operates at the disk level, not the file system permission level. Option C is wrong because Windows Defender Firewall controls network traffic based on rules and does not restrict local file system write operations. Option D is wrong because Group Policy Software Restrictions can block installation of specific software based on path, hash, or certificate rules, but the scenario describes a generic inability to write to Program Files after an update, which is a classic symptom of UAC virtualization behavior, not a targeted restriction policy.

18
MCQhard

A user complains that their Windows 10 computer is running slowly and they see frequent pop-ups from an unknown program. After running a full antivirus scan, nothing is detected. Which Windows security feature should you use to investigate and remove potentially unwanted software?

A.Windows Defender Firewall
B.Windows Defender Offline Scan
C.System Restore
D.User Account Control (UAC)
AnswerB

This runs outside of Windows to catch deeply hidden malware that standard scans cannot detect.

Why this answer

Windows Defender Offline Scan boots from a trusted environment to detect and remove persistent malware that standard scans miss. It is ideal for rootkits or stubborn infections that hide from a live OS.

19
MCQhard

A Windows 11 workstation is infected with ransomware that encrypted user files. The IT security team wants to prevent future infections by restricting which processes can modify files in user profile folders. Which Windows security feature can enforce such restrictions without third-party software?

A.NTFS permissions set to 'Read-only' for all users.
B.AppLocker with a deny rule for unknown executables.
C.Controlled Folder Access
D.BitLocker with TPM protection
AnswerC

This feature specifically protects folders from unauthorized apps, including ransomware.

Why this answer

Controlled Folder Access (CFA) is a Windows Defender Exploit Guard feature that restricts which applications can modify files in protected folders, such as user profile directories. By default, CFA blocks untrusted or unknown processes from writing to or encrypting files in these folders, directly preventing ransomware from encrypting user data without requiring third-party software.

Exam trap

The trap here is that candidates confuse AppLocker's application control with file-level write restrictions, assuming that blocking unknown executables from running is equivalent to preventing file modification, but AppLocker does not control file system operations after execution.

How to eliminate wrong answers

Option A is wrong because setting NTFS permissions to 'Read-only' for all users would prevent legitimate user applications (like Microsoft Word or Notepad) from saving files, breaking normal workflow, and it does not selectively block only malicious processes. Option B is wrong because AppLocker controls which executables can run, not which processes can modify files; it can block unknown executables from launching, but it does not restrict file write operations by already-running trusted processes. Option D is wrong because BitLocker with TPM protection provides full-disk encryption to protect data at rest from offline attacks, but it does not enforce runtime restrictions on which processes can modify files after the system is booted.

20
MCQhard

An organization uses Windows 10 and wants to prevent users from installing unauthorized software. They have configured Software Restriction Policies via Group Policy. However, a user bypassed the policy by renaming the executable. What additional measure should be taken to enforce the restriction?

A.Enable Windows Defender Real-time Protection
B.Use AppLocker with publisher rules
C.Set User Account Control to Always Notify
D.Enable BitLocker
AnswerB

AppLocker publisher rules validate software by digital signature, making renaming ineffective.

Why this answer

AppLocker with publisher rules is the correct additional measure because Software Restriction Policies (SRP) can be bypassed by renaming executables, as SRP relies on file path or hash rules. AppLocker's publisher rules use digital signatures to identify software, making it immune to filename changes. This provides a more robust enforcement mechanism for preventing unauthorized software installation.

Exam trap

CompTIA often tests the distinction between Software Restriction Policies and AppLocker, where candidates mistakenly think SRP's hash rules are sufficient, but the trap is that renaming bypasses path rules, and hash rules require updates after each software update, whereas AppLocker publisher rules are more resilient.

How to eliminate wrong answers

Option A is wrong because Windows Defender Real-time Protection is an antimalware feature that detects and blocks malicious software, but it does not prevent users from installing or running unauthorized software based on policy rules. Option C is wrong because User Account Control (UAC) set to Always Notify prompts for administrative consent but does not block execution of unauthorized software if the user has administrative rights or bypasses the prompt. Option D is wrong because BitLocker is a full-disk encryption technology that protects data at rest, not a software restriction or execution control mechanism.

21
MCQeasy

A small business owner wants to ensure that only authorized USB storage devices can be used on company laptops running Windows 10 Pro. They have a list of approved device hardware IDs. Which security policy should be configured to enforce this restriction?

A.Enable the 'Removable Storage Access' policy under Windows Components
B.Configure the 'Devices: Restrict CD-ROM access to locally logged-on user only' policy
C.Set the 'Deny all devices' policy under Device Installation Restrictions
D.Configure the 'Allow installation of devices that match any of these device IDs' policy under Device Installation Restrictions
AnswerD

This policy allows specifying approved hardware IDs, effectively blocking all other USB storage devices while permitting the authorized ones.

Why this answer

Option D is correct because the 'Allow installation of devices that match any of these device IDs' policy under Device Installation Restrictions allows an administrator to specify a whitelist of approved hardware IDs. When configured, only USB storage devices whose hardware IDs match the list will be installed, effectively blocking all unauthorized devices. This directly enforces the requirement to restrict USB storage to approved devices only.

Exam trap

CompTIA often tests the distinction between access control policies (like Removable Storage Access) and device installation restriction policies, leading candidates to confuse permission-based controls with hardware-based whitelisting.

How to eliminate wrong answers

Option A is wrong because the 'Removable Storage Access' policy under Windows Components controls read/write permissions for removable media (e.g., deny write access) but does not filter by hardware ID or prevent installation of unauthorized devices. Option B is wrong because the 'Devices: Restrict CD-ROM access to locally logged-on user only' policy is a legacy setting that limits CD-ROM access to the interactive user, not USB storage devices, and does not enforce a hardware ID whitelist. Option C is wrong because the 'Deny all devices' policy under Device Installation Restrictions would block all device installations, including approved USB storage devices, which contradicts the requirement to allow authorized devices.

22
MCQmedium

A user reports that they cannot access a shared folder on the network, but other users can. The folder is on a Windows 10 Pro workstation. What should you check first to resolve this issue?

A.Check the Windows Defender Firewall settings
B.Check the NTFS permissions on the folder
C.Check the user’s password expiration status
D.Check the User Account Control settings
AnswerB

NTFS permissions can explicitly deny a user, causing access issues for that individual.

Why this answer

Since other users can access the shared folder, the network share and firewall are functioning correctly. The issue is specific to one user, which points to a permission problem at the file system level. NTFS permissions control user-level access to folders, and a misconfigured or missing ACE (Access Control Entry) for that user would prevent access while allowing others.

Checking NTFS permissions is the logical first step because it directly governs per-user access to the resource.

Exam trap

CompTIA A+ often tests the distinction between share-level permissions and NTFS permissions, trapping candidates who assume a firewall or password issue is the cause when the problem is user-specific and the resource is accessible to others.

How to eliminate wrong answers

Option A is wrong because the Windows Defender Firewall applies to all network traffic to the machine; if it were blocking access, no user would be able to reach the shared folder, contradicting the scenario where other users can access it. Option C is wrong because password expiration affects the ability to log into the domain or local account, not the ability to access a specific shared folder once the user is already authenticated and connected to the network. Option D is wrong because User Account Control (UAC) settings control administrative privilege elevation prompts and do not affect standard network file sharing access for authenticated users.

23
MCQmedium

After a security incident, a forensic analyst needs to ensure that Windows 10 audit logs capture all successful and failed attempts to access the 'Confidential' folder on a file server. Which audit policy configuration is required?

A.Enable 'Audit account logon events' for success and failure
B.Enable 'Audit object access' and configure the SACL on the folder
C.Enable 'Audit privilege use' for success and failure
D.Enable 'Audit process tracking' for success and failure
AnswerB

Audit object access must be enabled, and a System Access Control List (SACL) must be configured on the folder to specify which access attempts (success/failure) to log.

Why this answer

To audit access attempts to a specific folder, you must enable the 'Audit object access' policy in the Advanced Audit Policy Configuration (or the legacy 'Audit object access' under Local Policies). This policy alone does not audit anything; you must also configure a System Access Control List (SACL) on the 'Confidential' folder itself, specifying which access types (e.g., Read, Write) for which users or groups to audit for success and failure. Without the SACL, no object access events are generated.

Exam trap

CompTIA often tests the misconception that enabling 'Audit object access' alone is sufficient, but candidates forget that a SACL must also be explicitly configured on the target object for any audit events to be generated.

How to eliminate wrong answers

Option A is wrong because 'Audit account logon events' audits authentication events (logon/logoff) on the domain controller or local machine, not file or folder access. Option C is wrong because 'Audit privilege use' tracks the exercise of user rights (e.g., 'SeBackupPrivilege'), not object-level access like reading a folder. Option D is wrong because 'Audit process tracking' monitors process creation and termination events, which is unrelated to auditing file system access.

24
MCQmedium

A user calls the help desk complaining that they cannot change their Windows 10 password even though they know the current password. The user is a member of the 'Users' group on a domain-joined computer. What is the most likely cause?

A.The user does not have 'Change Password' permission on their own account.
B.The 'User must change password at next logon' flag is set.
C.The 'Password must meet complexity requirements' policy is preventing the new password from being accepted.
D.The local Security Accounts Manager (SAM) database is corrupted.
AnswerC

If the new password does not meet complexity requirements (e.g., length, character types), the system will reject the change even if the user knows the current password.

Why this answer

Option C is correct because the user is a member of the 'Users' group on a domain-joined computer, which means password changes are subject to the domain's password policy, not local policies. The 'Password must meet complexity requirements' policy is enforced by the domain controller via Group Policy, and if the new password fails to meet those requirements (e.g., insufficient length, lack of uppercase/lowercase/digits/special characters), the change will be rejected even though the user knows the current password. This is the most likely cause given the user can authenticate but cannot set a compliant new password.

Exam trap

CompTIA often tests the misconception that password change failures are due to permission issues (Option A) or local account problems (Option D), when in fact domain-joined computers rely on domain policies that override local settings, making complexity requirements the primary culprit.

How to eliminate wrong answers

Option A is wrong because by default, all users have the 'Change Password' permission on their own Active Directory account; this permission is inherent and cannot be removed without explicit delegation changes, which are rare and not implied. Option B is wrong because the 'User must change password at next logon' flag forces a password change at next logon, but it does not prevent the user from changing their password when they know the current one; in fact, it prompts the change. Option D is wrong because the local SAM database is not used for authentication on a domain-joined computer; authentication is handled by the domain controller, and a corrupted SAM would affect local logon, not domain password changes.

25
MCQmedium

A company is migrating from Workgroup to Domain. After joining a Windows 10 computer to the domain, users report that they can no longer log on using their local user accounts. What setting in Local Security Policy is most likely causing this behavior?

A.The 'Network access: Do not allow anonymous enumeration of SAM accounts' policy
B.The 'Deny log on locally' user rights assignment includes the 'Guests' group
C.The 'Deny log on locally' user rights assignment includes the 'Users' group
D.The 'Interactive logon: Do not display last user name' policy is enabled
AnswerC

If the domain policy adds the 'Users' group to this setting, it will block all local user accounts (which are members of the local Users group) from logging on interactively.

Why this answer

When a Windows 10 computer is joined to a domain, the default Local Security Policy setting for 'Deny log on locally' includes the 'Users' group. This prevents local user accounts (which are members of the local Users group) from logging on interactively, forcing users to use domain accounts instead. The behavior stops after the computer is joined because the policy is applied by default to enforce domain authentication.

Exam trap

The exam often tests the misconception that local user accounts are denied logon due to network-level restrictions (like SAM enumeration) or display settings, rather than the specific user rights assignment that explicitly blocks interactive logon for the local Users group.

How to eliminate wrong answers

Option A is wrong because 'Network access: Do not allow anonymous enumeration of SAM accounts' controls anonymous access to SAM account names, not interactive logon rights for local users. Option B is wrong because the 'Guests' group is already denied logon by default, but local user accounts are not members of Guests; they are members of Users, so this setting does not affect them. Option D is wrong because 'Interactive logon: Do not display last user name' only controls whether the last logged-on username is shown on the login screen, not whether local accounts can log on at all.

26
MCQeasy

A user wants to encrypt a USB flash drive so that if it is lost, the data cannot be read on another computer. The USB drive will be used on both Windows 10 and Windows 11 devices. Which Windows feature should be used?

A.EFS (Encrypting File System)
B.BitLocker To Go
C.Windows Defender Encryption
D.Secure Boot
AnswerB

BitLocker To Go is designed for encrypting removable drives and works across Windows 10/11.

Why this answer

BitLocker To Go is the correct choice because it provides full-disk encryption specifically designed for removable drives like USB flash drives. It encrypts the entire drive using AES encryption, and when the drive is inserted into another Windows 10 or Windows 11 computer, the user must enter the password or use a smart card/recovery key to access the data. This ensures that if the drive is lost, the data remains unreadable on any other system.

Exam trap

CompTIA often tests the distinction between EFS and BitLocker To Go, where candidates mistakenly choose EFS because they think file-level encryption is sufficient for removable media, but EFS does not protect data when the drive is moved to another computer because the encryption certificate is not present on the target system.

How to eliminate wrong answers

Option A is wrong because EFS (Encrypting File System) encrypts individual files and folders on NTFS volumes, but it is tied to the user's account and certificate on the local machine; it does not protect data when the drive is moved to another computer, and it is not designed for removable drives. Option C is wrong because Windows Defender Encryption is not a real Windows feature; the correct name is Windows Device Encryption, which is a simplified version of BitLocker for system drives on supported hardware, not for removable USB drives. Option D is wrong because Secure Boot is a UEFI firmware security feature that ensures only trusted bootloaders and drivers are loaded during startup; it does not encrypt data on a USB drive or protect data at rest.

27
MCQeasy

During a security audit, you discover that a Windows 10 workstation has the 'Store passwords and credentials using reversible encryption' policy enabled. What is the primary security risk associated with this setting?

A.It increases the time required to log on to the system.
B.It allows users to bypass the password complexity requirement.
C.It stores passwords in a format that can be easily decrypted, making them vulnerable if the database is compromised.
D.It prevents the use of biometric authentication methods.
AnswerC

This is the core risk: reversible encryption allows passwords to be recovered as plaintext, which is a major security vulnerability.

Why this answer

The 'Store passwords using reversible encryption' policy (enabled via the 'Network access: Do not allow storage of passwords and credentials for network authentication' or directly in a Group Policy setting) causes Windows to store passwords in a format that can be decrypted back to plaintext. This directly violates the principle of storing only hashed credentials; if the SAM database or LSASS process memory is compromised, an attacker can recover the original password, enabling lateral movement or privilege escalation.

Exam trap

The trap here is that candidates often confuse 'reversible encryption' with 'password complexity' or 'account lockout' settings, but the core risk is the ability to decrypt stored passwords, not a performance or usability issue.

How to eliminate wrong answers

Option A is wrong because enabling reversible encryption does not affect logon time; it only changes how the password is stored, not the authentication process speed. Option B is wrong because password complexity requirements are enforced independently via the 'Password must meet complexity requirements' policy; reversible encryption does not bypass or weaken those rules. Option D is wrong because biometric authentication (e.g., Windows Hello) relies on a separate credential provider and is not disabled by reversible encryption; the setting only affects password-based credentials stored for network authentication.

28
MCQeasy

After deploying a new Windows 11 update, several users complain that they can no longer access shared folders on the network. You verify that network discovery and file sharing are enabled. Which Windows security setting should you check first to resolve this issue?

A.Check if the users are in the 'Remote Desktop Users' group.
B.Verify that the 'Password Protected Sharing' option is turned off.
C.Review Windows Defender Firewall rules for 'File and Printer Sharing.'
D.Run Windows Update to install additional patches.
AnswerC

The firewall controls network traffic; if the rule is blocked, file sharing will fail.

Why this answer

After a Windows 11 update, the most common cause for losing access to shared folders—even when network discovery and file sharing are enabled—is that the Windows Defender Firewall rules for 'File and Printer Sharing' have been reset or disabled. This update often modifies firewall profiles (e.g., switching from Private to Public) or resets custom rules, blocking the NetBIOS, SMB, and RPC ports (TCP 139, 445; UDP 137, 138) required for file sharing. Checking and re-enabling these inbound rules restores connectivity.

Exam trap

The trap here is that candidates confuse 'Password Protected Sharing' (a sharing-level setting) with network-level blocking, or assume that enabling network discovery and file sharing in the GUI automatically opens all necessary firewall ports, when in fact the firewall rules are separate and often reset by updates.

How to eliminate wrong answers

Option A is wrong because the 'Remote Desktop Users' group controls RDP access, not file sharing over SMB; shared folders use SMB/CIFS, not Remote Desktop Protocol. Option B is wrong because 'Password Protected Sharing' affects whether users must have local accounts on the host to access shares, but it does not block network traffic; if it were the issue, users would see the share but be prompted for credentials, not unable to access it entirely. Option D is wrong because running Windows Update again would not fix a firewall rule that was already altered by the previous update; the problem is a configuration change, not missing patches.

29
MCQmedium

During a security audit, you discover that a user’s Windows 10 device has allowed multiple failed login attempts without locking the account. Which policy should you adjust to enforce account lockout after 5 failed attempts?

A.Password Policy – Minimum password length
B.Account Lockout Policy – Account lockout threshold
C.User Rights Assignment – Deny log on locally
D.Security Options – Interactive logon: Message text for users attempting to log on
AnswerB

This setting defines the number of failed logins allowed before the account is locked.

Why this answer

The Account Lockout Policy – Account lockout threshold setting directly controls the number of failed logon attempts allowed before the account is locked. By setting this value to 5, the system will enforce a lockout after exactly five incorrect password entries, preventing further brute-force attempts until an administrator unlocks the account or the lockout duration expires.

Exam trap

The CompTIA A+ exam often tests the distinction between password policy settings (which govern password complexity and length) and account lockout policy settings (which govern failed attempt limits), leading candidates to mistakenly choose Password Policy options when the question is about lockout enforcement.

How to eliminate wrong answers

Option A is wrong because Minimum password length only enforces the number of characters required in a password, not the number of failed attempts before lockout. Option C is wrong because User Rights Assignment – Deny log on locally controls which users or groups are prohibited from logging on at the console, not the failed attempt count. Option D is wrong because Interactive logon: Message text for users attempting to log on sets a legal or informational banner displayed before logon, but does not affect account lockout behavior.

30
MCQeasy

A user reports that after a recent Windows update, they can no longer install software on their company-issued laptop. When they try to run an installer, they get a message: 'Your system administrator has blocked this program.' The user has local administrator rights on the laptop. Which Windows security setting is most likely causing this issue?

A.Windows Defender Firewall is blocking the installer.
B.User Account Control (UAC) is set to 'Always notify.'
C.BitLocker Drive Encryption is preventing write access.
D.The user's account is not part of the local Administrators group.
AnswerB

UAC with 'Always notify' prompts for consent for any installation, even for local admins, and can block if not approved.

Why this answer

User Account Control (UAC) with the 'Always notify' setting forces every installation attempt to prompt for administrator approval, even when the user has local admin rights. If the user clicks 'No' or the prompt is suppressed by Group Policy (e.g., via the 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' policy set to 'Elevate without prompting' or 'Prompt for consent'), the installer is blocked with the 'Your system administrator has blocked this program' message. This occurs because UAC treats the installer as requiring elevation, and the policy prevents the user from approving it.

Exam trap

CompTIA often tests the misconception that local administrator rights bypass all security controls, but UAC's Admin Approval Mode can still block installations based on Group Policy settings, even for users in the Administrators group.

How to eliminate wrong answers

Option A is wrong because Windows Defender Firewall blocks network traffic, not local software installation; it does not generate a 'blocked this program' message for installers. Option C is wrong because BitLocker Drive Encryption encrypts the entire volume and prevents unauthorized read/write access at the disk level, but it does not intercept installer execution or produce a 'system administrator has blocked this program' error; it would instead show a BitLocker recovery or access-denied error. Option D is wrong because the question explicitly states the user has local administrator rights, so the account is already part of the local Administrators group; the issue is caused by UAC elevation policies, not group membership.

Ready to test yourself?

Try a timed practice session using only Windows Security Settings questions.