Exam MD-100 topic 3 question 4 discussion

Actual exam question from Microsoft's MD-100
Question #: 4
Topic #: 3

HOTSPOT -
You have three computers that run Windows 10 as shown in the following table.

All the computers have C and D volumes. The Require additional authentication at startup Group Policy setting is disabled on all the computers.
Which volumes can you encrypt by using BitLocker Drive Encryption (BitLocker)? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Reference:
https://www.windowscentral.com/how-use-bitlocker-encryption-windows-10

Comments

Rstilekar
Highly Voted 4 years, 2 months ago
Only the OS drive needs the TPM for BitLocker encryption by default. The D drive is not the booting drive and isn't the OS drive. So question two is possible on all computers. So Q2 ans is Computer 1, 2, 3. The GPO change mentioned is only for the booting / OS drive (OS drive needs the TPM for BitLocker encryption by default; this can be overridden by using this policy if enabled) - "Require additional authentication at startup" is a GPO available only under OS drives under BitLocker encryption, as seen in the screens below. This setting gives access to the option "Allow BitLocker without a compatible TPM". If you enable "Allow BitLocker without a compatible TPM" then you could enable BitLocker on Computer 1 without needing a TPM chip even for the OS drive. Since it's in the disabled state (default), question 1 is not allowed on Computer1 without a TPM chip. So Q1 ans is Computer 2 & 3 only.
upvoted 30 times
Cisco
4 years, 1 month ago
How does it encrypt Volume D without a TPM? I thought the encryption keys were stored in the TPM?
upvoted 2 times
ercluff
4 years, 1 month ago
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-key-management-faq "Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on your authentication (that is, key protectors or TPM) and recovery scenarios." "The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key. This storage process ensures that the volume master key is never stored unencrypted and is protected unless you disable BitLocker. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager."
upvoted 3 times
...
99redeyeflight
3 years, 1 month ago
If you try to enable BitLocker on any non-boot volume, it will ask you to create a password or insert a USB key drive to set it up.
upvoted 1 times
...
...
...
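The rule argued in the thread above (a usable TPM, or the "Allow BitLocker without a compatible TPM" option, for the OS volume; a password or other non-TPM protector for data volumes), written as a read-only check. This is an added example, not part of the original discussion. It assumes an elevated PowerShell session on Windows 10, that the policy is stored as `UseAdvancedStartup` and `EnableBDEWithNoTPM` under `HKLM\SOFTWARE\Policies\Microsoft\FVE`, and that no other BitLocker policy restricts data drives.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit, changes nothing on the machine.
# Assumption: the "Require additional authentication at startup" policy is
# stored under this key as UseAdvancedStartup / EnableBDEWithNoTPM.
$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue {
    param([Parameter(Mandatory)][string]$Name)
    # Returns $null when the policy value is not configured.
    $item = Get-ItemProperty -Path $FvePolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Test-OsVolumeNoTpmAllowed {
    # True only when the policy is Enabled AND its
    # "Allow BitLocker without a compatible TPM" box is ticked.
    ((Get-FvePolicyValue -Name 'UseAdvancedStartup') -eq 1) -and
    ((Get-FvePolicyValue -Name 'EnableBDEWithNoTPM') -eq 1)
}

$tpm       = Get-Tpm
$tpmUsable = $tpm.TpmPresent -and $tpm.TpmReady
$noTpmOk   = Test-OsVolumeNoTpmAllowed

Get-BitLockerVolume | ForEach-Object {
    $isOs = $_.VolumeType -eq 'OperatingSystem'
    if (-not $isOs) {
        $can = $true;  $why = 'Data volume: password or other non-TPM protector'
    } elseif ($tpmUsable) {
        $can = $true;  $why = 'OS volume: TPM present and ready'
    } elseif ($noTpmOk) {
        $can = $true;  $why = 'OS volume: no TPM, policy allows startup key/password'
    } else {
        $can = $false; $why = 'OS volume: no usable TPM and policy not enabled'
    }
    [pscustomobject]@{
        MountPoint    = $_.MountPoint
        VolumeType    = $_.VolumeType
        Status        = $_.ProtectionStatus
        KeyProtectors = ($_.KeyProtector.KeyProtectorType -join ', ')
        CanEnable     = $can
        Reason        = $why
    }
} | Format-Table -AutoSize
```

The `KeyProtectors` column also shows which protector currently wraps the volume master key on each volume, which is the hierarchy quoted from the key-management FAQ in the replies.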
Nail
Highly Voted 4 years, 6 months ago
This answer is correct. It is a little counterintuitive but you would need to Enable (not disable) "Require additional authentication at startup" so you can get access to the option "Allow BitLocker without a compatible TPM". If you enable "Allow BitLocker without a compatible TPM" then you could enable BitLocker on Computer 1 on both volumes.
upvoted 23 times
67_sbc
4 years, 5 months ago
Agree. If you disable or do not configure this policy setting, users can configure only basic options on computers with a TPM.
upvoted 3 times
...
...
Kock
Most Recent 2 years, 6 months ago
BitLocker does not require a TPM. However, only a computer with a TPM can provide the additional security of pre-startup system integrity verification. https://learn.microsoft.com/pt-br/training/modules/explore-device-encryption-features/4-recover-bitlocker-encrypted-drive
upvoted 1 times
...
Ketlops
2 years, 7 months ago
No TPM on my VM (use tpm.msc) but I can still use BitLocker on the data-only D: drive, so the correct answer for volume D is all of 1, 2, 3.
upvoted 1 times
...
flabezerra
2 years, 7 months ago
Examtopics is right. https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#require-additional-authentication-at-startup:~:text=Users%20can%20configure%20only%20basic%20options%20on%20computers%20with%20a%20TPM.
upvoted 2 times
flabezerra
2 years, 7 months ago
...for the answer provided for "You can encrypt volume C on Computer2 and Computer3 only". We won't find any documentation relating TPM with data drive (volume D). So based on real machine test, all three computers will do the work with no restrictions.
upvoted 2 times
...
...
CODENAME_KND
2 years, 8 months ago
Answer provided is correct. System requirements: BitLocker has the following hardware requirements: For BitLocker to use the system integrity check provided by a Trusted Platform Module (TPM), the computer must have TPM 1.2 or later. If your computer does not have a TPM, enabling BitLocker requires that you save a startup key on a removable device, such as a USB flash drive. https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview
upvoted 2 times
CODENAME_KND
2 years, 8 months ago
The question states that "The Require additional authentication at startup Group Policy settings is disabled on all the computers." which means you can't use a removable device for the computer without TPM.
upvoted 2 times
...
...
Whatsamattr81
2 years, 10 months ago
For volume D it's all 1, 2, 3... For C it's just 2 and 3. The GPO in question only affects OS drives... If it weren't disabled you could choose "Allow BitLocker without a compatible TPM" and it would be all 3 for each question - but it isn't.
upvoted 1 times
...
Kifla
3 years, 3 months ago
Volume C can be encrypted only if a TPM module is present. Otherwise the admin must set the "Allow BitLocker without a compatible TPM" policy, so the first answer is correct. Non-OS drives can be encrypted without a TPM module or policy in place, so all PCs should be the correct answer. Just tested on my PC with 2 drives.
upvoted 4 times
...
neobahamutk
3 years, 3 months ago
"The Require additional authentication at startup Group Policy settings is disabled on all the computers." is the key for this question. If you enable "Allow BitLocker without a compatible TPM" you will need additional authentication to log in. So it does not meet the requirements of the question. So computers 2 and 3 is correct. https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview
upvoted 1 times
...
JohnO1971
3 years, 4 months ago
Just tested this on a test rig and I can encrypt drive D with no TPM and the policy not enabled. So it should be "All computers can encrypt drive D".
upvoted 1 times
...
MR_Eliot
3 years, 5 months ago
Answer is incorrect. I have tested this and can confirm you can enable BitLocker on drive D without a TPM. TPM is only for the boot drive.
upvoted 2 times
[Removed]
3 years, 5 months ago
You were able to do this without the 'enable additional requirements at startup gp'? Just wanted to confirm.
upvoted 1 times
MR_Eliot
3 years, 5 months ago
Yes. It works even if the policy is disabled.
upvoted 2 times
...
...
...
CARIOCA
3 years, 8 months ago
What is the final answer and justification?
upvoted 1 times
...
encxorblood
3 years, 8 months ago
Yes. Correct. For a PC without TPM you need software-based BitLocker. And this needs the policy.
upvoted 1 times
...
Metalsand
3 years, 9 months ago
This link is a better explanation of TPM 1.2 vs 2.0. https://www.dell.com/support/kbdoc/en-us/000131631/tpm-1-2-vs-2-0-features It has several charts showing differences - essentially, core feature and application support is exactly the same, notably BitLocker.
upvoted 2 times
...
CARIOCA
3 years, 10 months ago
The answer key for this question ended up very divided; after all, what would the answer be and what is the justification? After a debate of 16 comments, is the answer key the same or not?
upvoted 1 times
...
Sheduic7720
3 years, 11 months ago
I think in second question all computers can be encrypted for drive D
upvoted 4 times
...
MadMax2021
4 years, 2 months ago
Could anyone please tell me briefly what is "TPM version"? I'm studying on my own without any experience in IT
upvoted 1 times
Thalex
4 years, 2 months ago
https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/trusted-platform-module-top-node
upvoted 2 times
...
...