You administer computers that run Windows 8 Pro and are members of an Active Directory domain. The computers are encrypted with BitLocker and are configured to store BitLocker encryption passwords in Active Directory.
A user reports that he has forgotten the BitLocker encryption password for volume E on his computer.
You need to provide the user a BitLocker recovery key to unlock the protected volume.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Ask the user for his computer name.
B. Ask the user to run the manage-bde -unlock E: -pw command.
C. Ask the user for his logon name.
D. Ask the user for a recovery key ID for the protected volume.
AD is the correct answer
Can anyone prove please?
I would say A, D; however, it does say the user has forgotten the password, so if you were to ask the user you might get the same response, “I’ve forgotten my password”, hence A, C being the answer.
– You need to know the computer name in order to find the computer object in AD, where BitLocker passwords are stored;
– Without the recovery key ID you will not know which BitLocker recovery password to use.
AD
Okay guys… So, let me know where you work so I can steal some company laptops and have you:
1. Take my “pc name”
and…
2. Use the “recovery ID key” I just gave you.
… without even ONCE asking me to confirm who I am? Or if I even have an account on my stolen laptop? Yeah… that’s smart!
The answer must be A and C (unless you are in support of security mishaps).
The answer is A and D and I’m 100% sure of this.
Proof here: https://technet.microsoft.com/en-us/library/dn383583%28v=ws.11%29.aspx
You can use the following list as a template for creating your own recovery process for recovery password retrieval. This sample process uses the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool.
– Record the name of the user’s computer
– Verify the user’s identity
– Locate the recovery password in AD DS
– Gather information to determine why recovery occurred
– Give the user the recovery password
Asking the user’s login is not a proper way of verifying his identity. If I steal your computer, I can see your login and computer name pretty easily. That rules option C out.
Option B is out too since… well meh.
And here is the proof that option D is correct (still from the above link):
If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date that the password was created.
If at any time you are unsure what password to provide, or if you think you might be providing the incorrect password, ask the user to read the eight character password ID that is displayed in the recovery console.
Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID will find the correct password to unlock the encrypted volume.
So it’s definitely A and D.
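The lookup step in the quoted TechNet process, as an added PowerShell example (not from the thread or the TechNet article): given the computer name (A) and the eight-character password ID the user reads from the recovery console (D), it finds the matching msFVE-RecoveryInformation object under the computer object in AD DS. It assumes the ActiveDirectory RSAT module, read access to those objects, and that the helpdesk has already verified the user's identity out of band; the computer name and password ID in the call at the bottom are constructed values.

```powershell
# Added example, not from the thread or the TechNet article it cites.
# Assumes the ActiveDirectory RSAT module and read access to
# msFVE-RecoveryInformation objects; identity verification happens before this runs.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $PasswordId
    )
    # The password ID shown in the recovery console is the first 8 hex
    # characters of the recovery GUID stored with each recovery password.
    if ($PasswordId -notmatch '^[0-9A-Fa-f]{8}$') {
        throw "Password ID must be the 8-character value shown in the recovery console."
    }
    $computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop

    # Recovery information objects are stored as children of the computer object.
    $infos = @(Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryGuid', 'msFVE-RecoveryPassword', 'whenCreated')

    $hits = @($infos | Where-Object {
        # msFVE-RecoveryGuid is stored as a byte array; rebuild the GUID to compare.
        $guid = [System.Guid]::new([byte[]]$_.'msFVE-RecoveryGuid')
        $guid.ToString('N').Substring(0, 8) -eq $PasswordId.ToLower()
    })

    if ($hits.Count -eq 0) {
        throw "No recovery password with ID $PasswordId found under $ComputerName."
    }
    if ($hits.Count -gt 1) {
        # Should not happen; do not guess which password to hand out.
        throw "Password ID $PasswordId is ambiguous under $ComputerName; investigate before proceeding."
    }
    # Return the 48-digit recovery password along with when it was backed up,
    # which is the date the TechNet text says appears in the object name.
    [pscustomobject]@{
        ComputerName     = $computer.Name
        PasswordId       = $PasswordId.ToUpper()
        Created          = $hits[0].whenCreated
        RecoveryPassword = $hits[0].'msFVE-RecoveryPassword'
    }
}

# Constructed example values (hypothetical computer name and password ID).
Get-BitLockerRecoveryPassword -ComputerName 'WS-0421' -PasswordId '3A7F91C2'
```

Matching on the password ID rather than picking the newest object under the computer is what makes step D necessary when several recovery passwords exist for one machine.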
A and D.