Your network contains an Active Directory domain named contoso.com. The domain contains a virtual
machine named Server1 that runs Windows Server 2012 R2.
Server1 has a dynamically expanding virtual hard disk that is mounted to drive E.
You need to ensure that you can enable BitLocker Drive Encryption (BitLocker) on drive E.
Which command should you run?
A. manage-bde -protectors -add c: -startup e:
B. manage-bde -lock e:
C. manage-bde -protectors -add e: -startupkey c:
D. manage-bde -on e:
Explanation:
Manage-bde: on
Encrypts the drive and turns on BitLocker.
Example:
The following example illustrates using the -on command to turn on BitLocker for drive C and add a recovery
password to the drive.
manage-bde -on C: -recoverypassword
D does not work on an expanding drive. Option C should be used.
BitLocker parameters: https://technet.microsoft.com/en-us/library/dd875513%28v=ws.10%29.aspx#BKMK_protectors
Check out the parameters -protector and -lock. I believe that given the choices above, option D is the closest there is.
D does not work unless adding parameter “-used”, but it’s not included in this answer.
For my understanding of:
https://technet.microsoft.com/en-us/library/jj647767.aspx
it does not make sense just to turn on BitLocker omitting a protector.
So answer C worked for me in lab, and then I could enable encryption with “-on e: -used”
Granted this is a poorly worded, ambiguous question, but reading the details of the link you posted I found this:
On computers with a TPM it is possible to encrypt the operating system volume without any defined protectors using manage-bde. The command to do this is:
manage-bde -on C:
Confusing things further, I found:
Don’t…Use BitLocker Encryption Inside Your Virtual Machines
BitLocker encryption is not supported within a virtual machine.
http://www.virtualizationadmin.com/kbase/VirtualizationTips/ServerVirtualization/MicrosoftHyper-VTips/Security/DosandDontsofEncryptionwithHyper-V.html
TPM does not appear to be supported within VM’s.
http://www.networksteve.com/windows/topic.php/Can_I_use_TPM_Base_Services_in_a_VM/?TopicId=52157&Posts=5
And again from this link:
https://technet.microsoft.com/en-us/library/jj647767.aspx
The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process.
manage-bde -protectors -add C: -startupkey E:
manage-bde -on C:
I vote for answer C.
Thanks den. My first choice was C. Now I am sure.
The question is NOT to encrypt right away, but later.
Yes, you have to read the question. It says “…enable that you can enable BitLocker Drive Encryption (BitLocker) on drive E”, which basically means to put the prerequisite(s) in place prior to enabling.
So what's the correct answer?
It’s C
On my Win8 Pro machine I created a 2gb thin provisioned .vhd.
Answer D: doesn’t work. This is the error you will get:
“ERROR: An error occurred (code 0x803100a5): BitLocker Drive Encryption only supports Used Used Space Only encryption on thin provisioned storage.”
C is the answer!!!
According to https://technet.microsoft.com/en-us/library/dd875513(v=ws.10).aspx#BKMK_protectors
-protectors
Syntax
manage-bde -protectors {-get | -add | -delete | -disable | -enable| -adbackup} Volume [-ComputerName Name]
Parameters…
-StartupKey
Adds an external key protector for startup. You can also use -sk as an abbreviated version of this command.
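
The sequence the thread converges on (add a key protector to E: first, then turn BitLocker on with Used Space Only encryption), written out as an added PowerShell example that is not part of the original posts. It assumes an elevated prompt, the drive letters from the question, and that manage-bde reports failure through a non-zero exit code; `Invoke-ManageBde` is a hypothetical helper name.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
$Volume  = 'E:'   # mounted dynamically expanding VHD (from the question)
$KeyPath = 'C:'   # location the external key file is written to (option C)

function Invoke-ManageBde {
    param([string[]]$Arguments)
    # Hypothetical wrapper: run manage-bde and stop the script on failure.
    # Assumption: manage-bde signals failure with a non-zero exit code.
    & manage-bde.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($Arguments -join ' ') failed (exit code $LASTEXITCODE)"
    }
}

# 1. Record the starting state of the volume.
Invoke-ManageBde @('-status', $Volume)

# 2. Put the prerequisite in place: an external (startup) key protector.
#    Whoever can read the key file written to $KeyPath can unlock $Volume,
#    so the choice of location decides who holds the key.
Invoke-ManageBde @('-protectors', '-add', $Volume, '-startupkey', $KeyPath)

# 3. Confirm the protector is registered before encrypting anything.
Invoke-ManageBde @('-protectors', '-get', $Volume)

# 4. Enable BitLocker. On thin provisioned storage a plain "-on" fails with
#    0x803100a5 (see the error quoted above); -used requests Used Space Only
#    encryption, which is the mode that storage type supports.
Invoke-ManageBde @('-on', $Volume, '-used')

# 5. Check conversion progress and protection status.
Invoke-ManageBde @('-status', $Volume)
```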