Lesson 1

Lesson 5

Understanding Enterprise Mobility

Multiple Choice
1. Which of the following allows an SSO when deploying an application for another organization
on your network?

a. Active Directory Domain Services (AD DS)

b. Active Directory Federation Services (AD FS)

c. Windows Rights Management Services (RMS)

d. Active Directory Lightweight Directory Services (AD LDS)

Answer: B

Difficulty: Medium

Section Reference: Understanding Federation Services

Explanation: The Active Directory Federation Services (AD FS) role allows administrators to
configure SSO for web-based applications across a single organization or multiple organizations
without requiring users to remember multiple usernames and passwords, although it is not
required. This enables you to configure Internet-facing business-to-business (B2B) applications
between organizations. For example, a user from contoso.com can use contoso.com credentials
to access a web-based application hosted by adatum.com.

2. Which of the following is a statement made by a trusted entity for a user that includes key
information to identity the user?

a. claims

b. store

c. delegated party

d. proxy

Answer: A

Difficulty: Medium

Section Reference: Understanding Federation Services

Explanation: A claims statement is a statement made by a trusted entity about an object, such
as a user, that includes key information identifying the object.

3. Which of the following is the application that accepts claims from a claim provider?

1-1
Lesson 1

a. claims provider

b. attribute store

c. relying party

d. federation server proxy

Answer: C

Difficulty: Medium

Section Reference: Understanding Federation Services

Explanation: With a relying party trust, configuration data is used to provide claims about a user
or client to a relying party.

4. Which of the following is the server that issues claims and authenticates users?

a. relying party

b. attribute store

c. claims provider

d. federation server proxy

Answer: C

Difficulty: Medium

Section Reference: Understanding Federation Services

Explanation: The claims provider is the server that issues claims and authenticates users.

5. Which task cannot be performed when using the Windows Intune Company Portal?

a. Installing Windows applications made available to other users by the Windows Intune
Administrator

b. Adding a computer to Windows Intune

c. Removing a computer from Windows Intune

d. Contacting Technical Support

Answer: A

Difficulty: Medium

Section Reference: Configuring the Company Portal

Explanation: The Microsoft Intune Company Portal provides self-service connection point for
users to request help and select apps to install. It gives users the access they need to perform
self-service tasks, such as adding or removing their computers from Microsoft Intune, selecting

1-2
Lesson 1

applications to install (made available to them by the Administrator), and contacting the
technical support administrator

6. Which of the following allows you to store and access work files from a sync share, which can
then be accessed from multiple devices (including BYODs)?

a. Offline folders

b. Work Folders

c. Folder redirection

d. Central Placement

Answer: B

Difficulty: Medium

Section Reference: Using Work Folders

Explanation: Work Folders allow users to store and access work files on a sync share from
multiple devices, including personal computers and devices (including BYODs). Work Folders are
for only individual data and do not support sharing files between users.

7. Which of the following is not a method used to connect to a Work Folder?

a. Group Policy

b. URL entry

c. Auto Discovery

d. ActiveSync Policy

Answer: D

Difficulty: Medium

Section Reference: Connecting to a Work Folder

Explanation: To connect to a Work Folder, the computer or device would use one of the
following methods: Auto Discovery, URL Entry, or Group Policy.

8. Which group scope is meant to be used to assign permissions to a local resource?

a. Distribution group

b. Global

c. Domain local

d. Captured

Answer: C

1-3
Lesson 1

Difficulty: Medium

Section Reference: Understanding Groups

Explanation: A domain local group contains global groups and universal groups, even though it
can also contain user accounts and other domain local groups. It is usually in the domain with
the resource to which you want to assign permissions or rights.

9. Which of the following allows you to connect to the Azure cloud using Remote Desktop
Services from your corporation on-premises?

a. Remote Desktop Connections

b. RD Web Access

c. Azure RemoteApp

d. RD Gateway

Answer: C

Difficulty: Medium

Section Reference: Understanding Azure RemoteApp

Explanation: Azure RemoteApp allows you to connect to Azure cloud services using Remote
Desktop Services (RDS) from your corporation on-premises. With Azure RemoteApp, users can
securely access applications from different devices.

10. Which of the following should be developed before you allow users to use their own smart
phones to access company email?

a. A BYOD policy

b. A DRS policy

c. A Share policy

d. A LOB policy

Answer: A

Difficulty: Medium

Section Reference: Understanding Bring Your Own Device (BYOD)

Explanation: A BYOD policy defines the standards, restrictions and procedures for end users
who have authorized access to company data from their personal devices (tablets, laptops, or
smartphones). The policy also includes hardware and any related software that is not approved,
owned, or supplied by the company. In either case, as the administrator, you will need to make
sure your strategy for accessing the Windows Store aligns with your companys policies.

1-4
Lesson 1

Fill in the Blank

1. To simplify administration when assigning rights and permissions to multiple users, you
should always use _____.

Answer: groups

Difficulty: Medium

Section Reference: Introducing Organizational Units

Explanation: By delegating administration, you can assign a range of administrative tasks to the
appropriate users and groups. For example, you can assign basic administrative tasks to regular
users or groups and leave domain-wide and forest-wide administration to members of the
Domain Admins and Enterprise Admins groups. By delegating administration, you allow groups
within your organization to take more control of their local network resources. You also help
secure your network from accidental or malicious damage by limiting the membership of
administrator groups.

2. To use SSO for a web-based application that is hosted by partner company and your company
Active Directory, you should use _____.

Answer: Active Directory Federation Services (AD FS)

Difficulty: Medium

Section Reference: Understanding Federation Services

Explanation: Active Directory Federation Services (AD FS) is deployed onsite and provides SSO
for applications and services that reside onsite or in Microsoft Azure.

3. When you use Active Directory Federation Services (AD FS), the organization that contains the
user accounts that access the resources is known as the _____.

Answer: account organization

Difficulty: Medium

Section Reference: Understanding Federation Services

Explanation: Account organizations contain the user accounts that access the resources
controlled by resource organizations.

4. The easiest way for a user with a smartphone running Windows 10 to access your Microsoft
Intune Company Portal is to install the _____ from the Windows Store.

Answer: Company Portal app

Difficulty: Medium

Section Reference: Configuring the Company Portal

1-5
Lesson 1

Explanation: When the user clicks the Apps tile, he is prompted to visit the Windows Store to
install the Company Portal app. After completing the installation, a new Company Portal tile is
placed on the Windows 10 Start screen. The user can then access the portal through this app.

5. _____ allow a user to use his personal computer from home to access company documents
from a sync share.

Answer: Work folders

Difficulty: Medium

Section Reference: Using Work Folders

Explanation: Work Folders allow users to store and access work files on a sync share from
multiple devices, including personal computers and devices (including bring-your-own devices).

6. _____ is the process for installing Windows Store applications through Microsoft Intune
instead of the Windows Store.

Answer: Sideloading

Difficulty: Medium

Section Reference: Sideloading Applications by Using Microsoft Intune

Explanation: Sideloading is a process for installing Windows Store applications without using the
Windows Store. If you have access to the app installation files, you can sideload with Microsoft
Intune. However, the application can only be deployed after the operating system is deployed.
When you sideload an application, you can deploy an app to all Windows accounts on a device,
or to a specific Windows account on a device.

7. Although sideloading can be used to install the application using Microsoft Intune, you can
provide a link to install the application by using _____.

Answer: deeplinking

Difficulty: Medium

Section Reference: Deeplinking Applications by Using Microsoft Intune

Explanation: With deeplinking, you can identify an application in the Windows store that you
want to deploy to Windows 10 and a link will be provided to the user that will take him directly
to the app in the Windows store. By deeplinking, the user will not have to search for the specific
app and potentially load the wrong app.

8. When creating a Central Access Policy for Dynamic Access Control, you have to define _____
that grant permissions to objects for a defined group of resources.

Answer: Central Access Rules

Difficulty: Medium

Section Reference: Implementing a Central Access Policy

1-6
Lesson 1

Explanation: A Central Access Policy is a policy that contains Central Access Rules that grant
permissions to objects for a defined group of resources. By default, the rules apply to all
resources, but you can limit the resources to which the rule will apply. Once the rule is defined,
you can choose to apply it live or you can choose to use a staging mode.

9. When using RMS, a _____ includes user domains that can access RMS.

Answer: trusted user domain (TUD)

Difficulty: Medium

Section Reference: Understanding Windows Rights Management

Explanation: A TUD is a trust between RMS infrastructures that allows one environment to
accept identities from another environment as valid subjects. By using TUDs, RMS can process
requests for use licenses from users whose rights account certificates were issued by an RMS
installation in a different Active Directory forest.

Short Answer
1. Describe a domain controller.

Answer: A domain controller is a Windows server that stores a replica of the account and
security information for the domain and defines the domain boundaries.

Difficulty: Medium

Section Reference: Introducing Sites and Domain Controllers

2. Define the term "Kerberos."

Answer: Kerberos is a computer network authentication protocol that allows hosts to prove
their identity over a nonsecure network in a secure manner. It can also provide mutual
authentication so that both the user and server verify each others identity.

Difficulty: Difficult

Section Reference: Understanding Windows Server Active Directory

1-7