Which two actions should you perform?

You administer computers that run Windows 8 Enterprise and are members of an Active
Directory domain.
Some volumes on the computers are encrypted with BitLocker. The BitLocker recovery
passwords are stored in Active Directory. A user forgets the BitLocker password to local
drive E: and is unable to access the protected volume.
You need to provide a BitLocker recovery key to unlock the protected volume.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)


A.
Ask the user to run the manage-bde -protectors -disable e: command.

B.
Ask the user for a recovery key ID for the protected drive.

C.
Ask the user for his or her logon name.

D.
Ask the user for his or her computer name.





joe

I might be wrong, but shouldn't it be B and D?
The user might have the recovery key ID on paper or on a USB stick but not know how to use it, therefore the admin just has to ask for the computer name, look it up in AD and then enter the recovery key info provided by the user, and voilà, problem solved.

Cleytonsc

This answer is B and D.

sam

B, C
Reason: if the user forgets their PIN/password, the drive goes into recovery mode. In MBAM helpdesk –> Drive Recovery –> for an admin to recover the PIN for a user you must fill out the form, which asks for:
1. user domain
2. user ID
3. recovery key ID
4. reason for drive unlock

If the TPM won't accept the PIN then –> Manage TPM –>
1. computer domain
2. computer name
3. user domain
4. user ID
5. the reason for the request

As it states the user can remember their password and the TPM hasn't failed to accept the PIN, I say the first part of the statement is correct.

hope that helps

John

I can't find any real documentation on this scenario anywhere, but since the question says I have to provide a BitLocker recovery key and specifically mentions they are stored in Active Directory, I can assume the following:

Disabling BitLocker temporarily using the command line interface (manage-bde) grants temporary access to the encrypted drive (until the next reboot) but does nothing to help find or create a recovery key, so (A) is ruled out as a possible answer.

Since BitLocker data in Active Directory is stored under computers and not users, asking for the person's username will not help in locating the recovery key stored in Active Directory, so (C) is ruled out.

That leaves me with B and D as the answer. Can anyone point to documentation that confirms or denies these as the answers?

Bustin

B, D – The question states drive E:, which leads me to believe there are multiple drives.

B=
Multiple recovery passwords
If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date that the password was created.

If at any time you are unsure what password to provide, or if you fear that you might be providing the incorrect password, ask the user to read the password ID that is displayed in the recovery console. You might not need the user to read the entire ID to narrow down to one of the passwords for a computer. The first eight characters or last six characters should be sufficient.

Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID will find the correct password to unlock the encrypted volume.

D=
Record the name of the user’s computer

You can use the name of the user’s computer to locate the recovery password in AD DS. If the user does not know the name of the computer, ask the user to read the first word of the Drive Label in the BitLocker Drive Encryption Password Entry user interface. This is the computer name when BitLocker was enabled and is probably the current name of the computer.

https://technet.microsoft.com/en-us/library/cc771778(v=ws.10).aspx#BKMK_VerifyIdentity
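The lookup the TechNet text describes (computer name plus the password ID the user reads from the recovery console), as an added PowerShell example that is not part of the question or any comment above. The function name, computer name and ID prefix are assumptions; the msFVE-RecoveryInformation attributes and the manage-bde syntax are the real ones.

```powershell
# Added example: locate a BitLocker recovery password in AD DS by computer name (option D)
# and the first characters of the password ID the user reads on screen (option B), then
# hand the 48-digit password back for manage-bde -unlock. Needs the ActiveDirectory RSAT
# module and read rights on the msFVE-RecoveryInformation objects.
Import-Module ActiveDirectory

function Find-BitLockerRecoveryPassword {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$PasswordIdPrefix   # first 8 chars are usually enough
    )
    $computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop

    # Recovery objects are children of the computer object, one per recovery password;
    # their CN embeds the creation date followed by the password ID (a GUID).
    $objects = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, whenCreated

    foreach ($o in $objects) {
        # msFVE-RecoveryGuid is an octet string; render it as the GUID the user sees.
        $guid = New-Object -TypeName System.Guid -ArgumentList (,[byte[]]$o.'msFVE-RecoveryGuid')
        $id = $guid.ToString().ToUpper()
        if ($id.StartsWith($PasswordIdPrefix.ToUpper())) {
            [pscustomobject]@{
                Computer         = $computer.Name
                PasswordId       = $id
                Created          = $o.whenCreated
                RecoveryPassword = $o.'msFVE-RecoveryPassword'
            }
        }
    }
}

# Constructed values: the user reports computer PC-E-DRIVE and reads ID prefix 1A2B3C4D.
$match = @(Find-BitLockerRecoveryPassword -ComputerName 'PC-E-DRIVE' -PasswordIdPrefix '1A2B3C4D')
if ($match.Count -ne 1) {
    throw "Expected exactly one matching recovery password, found $($match.Count); ask for more of the ID."
}

# Read the 48-digit password to the user after verifying their identity; the user then runs:
#   manage-bde -unlock E: -RecoveryPassword <48-digit password>
$match | Format-List
```

If several objects share the prefix (several recovery passwords for one computer), the Created date or more characters of the ID disambiguate them, which is exactly the tie-break the quoted TechNet text describes.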

red

Bustin is correct.

Now PAY ME

READ IN FULL CONTEXT:
https://technet.microsoft.com/en-us/library/cc771778(v=ws.10).aspx#BKMK_VerifyIdentity

OMG!

Bustin, your conclusion relates to the THIRD step in the process, a sub-step nonetheless.

First TWO steps are:

1. Record the name of the user’s computer
2. Verify the user’s identity

Follow the KISS rule here, folks: [K]eep [I]t [S]imple [S]illy (rabbit). This is Microsoft, remember.