Exam MS-500 topic 2 question 47 discussion

Agree with jayze. The answer is correct. What is BitLocker To Go? BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems. As with BitLocker, drives that are encrypted using BitLocker To Go can be opened with a password or smart card on another computer by using BitLocker Drive Encryption in Control Panel. Source: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-to-go-faq BitLockerAutoUnlock: You can configure BitLocker to automatically unlock volumes that do not host an operating system. After a user unlocks the operating system volume, BitLocker uses encrypted information stored in the registry and volume metadata to unlock any data volumes that use automatic unlocking. Source: https://docs.microsoft.com/en-us/powershell/module/bitlocker/enable-bitlockerautounlock?view=win10-ps

complement Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. The auto-unlock feature allows users to access data and removable data drives without having to enter a password each time. It is only valid when using BitLocker to encrypt OS drives.

so it's correct because device 1 can use auto-unlock for D drive only after you unlock C drive with a password or other method,,,,, The computer requires a form of unlock but the data drive does not, and i am writing this comment to remember this because these people at microsoft are the worst kind of psychopaths

Valid on28/01/23

100% valid on exam july 27,2022

I admit, this one had me stumped. I think I have it figured out. Bitlocker To Go (BTG) can be used on all four devices because they are all Windows 10. At first I was thinking "if there isn't a TPM and we don't know what the BIOS or UEFI firmware is, how do we know?" Well, I think it has to do with the fact that BTG doesn't require a TPM or a certain BIOS/UEFI version. You are encrypting REMOVABLE disks. That's why all of the devices can use BTG. Auto Unlock requires a Bitlocker'ed system disk. Those we know have compatible TPM/BIOS/UEFI. The D: drive in this question is NOT removeable. It is a secondary disk. So, the systems that have an encrypted system drive, can use Auto-Unlock. Given all my research and asking "WTF!?", I think the given answers are correct.

1st: 1,2,3,4 2nd: 1,3 -- OS

On computers that do not have a TPM version 1.2, you can still use BitLocker to encrypt the Windows operating system drive. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation, and it does not provide the pre-startup system integrity verification offered by BitLocker with a TPM. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732774(v=ws.11)?redirectedfrom=MSDN

Bitlocker to go is a Windows 10 feature that, it has no other resuirements Bitlocker auto-unlock, will unlock data-drives automatically when you unlock the OS drive. The given answers are correct

Auto-unlock feature here is talking about data volumes. It requires bitlocker enabled for OS volume. The answer is correct.

The answer is correct. For the device without a TPM to have been encrypted, an Azure key vault or something else must have been used to store the encryption keys. if the device storing the keys can be read during boot, the decryption can take place automatically

Network Unlock clients must have a TPM chip and at least one TPM protector. Please See:https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock

is the answer for bitlocker to go correct because essentially if a USB drive (in this case the D drive) is available then it can be secured with bitlock to go regardless if it is already protected?

The answer options for Auto Unlock is little bit confusing. Yes, Network Unlock was introduced in Windows 8 and Windows Server 2012 as a BitLocker protector option for operating system volumes. Network Unlock enables easier management for BitLocker enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. However, Network Unlock must meet mandatory hardware and software requirements before the feature can automatically unlock domain-joined systems. One of them is Network Unlock clients must have a TPM chip and at least one TPM protector. Thefore, in my view, answer is only Device 1.

autolock relates to Bitlocker Network Unlock When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method. Only devices 1 and 3 have encrypted OS drives https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq

BitLocker To Go is BitLocker Drive Encryption on removable data drives. drives that are encrypted using BitLocker To Go can be opened with a password or smart card on another computer by using BitLocker Drive Encryption in Control Panel. Device 1,2,3 and 4. CORRECT. https://docs.microsoft.com/pt-pt/windows/security/information-protection/bitlocker/bitlocker-to-go-faq Auto-Unlock part is tricky: You can configure BitLocker to automatically unlock volumes that do not host an operating system. So only Device 2 and 3 have bitlocker enable on D drive. https://docs.microsoft.com/en-us/powershell/module/bitlocker/enable-bitlockerautounlock?view=win10-ps However auto-unlock requires TPM or USB or some auto unlock way... So I would say only Device 2. There must be something missing in this Question... or answer...

What is TPM?