A company wants to stop employees from running unauthorized tools downloaded from the internet on managed Windows laptops, but still allow approved internal apps and vendor-updated software. Which control is best?

Full-disk encryption on every laptop before deployment.

Encryption protects data at rest, but it does not prevent users from launching unauthorized programs.

A stronger screen-lock timeout and automatic logoff policy.

Session controls help reduce exposure, but they do not control which applications can execute on the endpoint.

A firmware password for the BIOS without any other endpoint restrictions.

Firmware passwords help protect boot settings, but they do not stop users from running unwanted software inside the OS.

What does this SY0-701 question test?

Static NAT maps one inside address to one outside address.

What is the correct answer to this question?

The correct answer is: Application control using an allowlist for approved executables and publishers. — Application control with an allowlist is the best fit because the company wants to permit only approved internal software and trusted vendor-updated applications. That approach blocks arbitrary internet-downloaded executables, which reduces malware risk and shadow IT. It is also more precise than broad restrictions because it supports business-approved tools instead of simply locking down the device indiscriminately. Why others are wrong: B protects data if a laptop is lost or stolen, but it does nothing to control software execution. C improves session security but does not address the main problem of unapproved app installation. D can help protect firmware settings, yet it does not enforce application execution policy inside the operating system.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.