You administer computers that run Windows 8 Enterprise and are members of an Active Directory domain.
Some volumes on the computers are encrypted with BitLocker.
The BitLocker recovery passwords are stored in Active Directory. A user forgets the BitLocker password to local
drive E: and is unable to access the protected volume.
You need to provide a BitLocker recovery key to unlock the protected volume.
Which two actions should you perform?
(Each correct answer presents part of the solution. Choose two.)
A.
Ask the user to run the manage-bde -protectors -disable e: command.
B.
Ask the user for his or her logon name.
C.
Ask the user to run the manage-bde -unlock E: -pw command.
D.
Ask the user for his or her computer name.
E.
Ask the user for a recovery key ID for the protected drive.
Explanation:
Original Answer was ‘A’ and ‘E’.
BitLocker Drive Encryption Operations Guide: Recovering Encrypted Volumes with AD DS
Reference:
http://technet.microsoft.com/en-us/library/cc771778(v=ws.10).aspx
Record the name of the user’s computer
You can use the name of the user's computer to locate the recovery password in AD DS. If the user does not
know the name of the computer, ask the user to read the first word of the Drive Label in the BitLocker Drive
Encryption Password Entry user interface. This is the computer name when BitLocker was enabled and is
probably the current name of the computer.
Verify the user’s identity
You should verify that the person who is asking for the recovery password is truly the authorized user of that
computer. Another option is to verify that the computer with the name the user provided belongs to the user.
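The lookup that answers D and E describe, written out as a PowerShell query against AD DS. This is an added example, not part of the question, the TechNet guide or any comment on this page; the function name, the sample computer name and the ID prefix are constructed, and it assumes the ActiveDirectory RSAT module and delegated read access to the recovery objects.

```powershell
# Added example, not part of the TechNet reference above. Assumes the ActiveDirectory
# RSAT module is installed and the caller's account has been delegated read access to
# the msFVE-RecoveryInformation objects stored under the computer accounts.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryPassword {
    param(
        # Answer D: the computer name locates the computer object in AD DS.
        [Parameter(Mandatory)] [string] $ComputerName,
        # Answer E: the recovery key ID shown on the user's recovery screen,
        # either the full GUID or just its first eight characters.
        [Parameter(Mandatory)] [string] $RecoveryKeyId
    )

    $computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop

    # Each recovery password is a child msFVE-RecoveryInformation object of the computer
    # account, so a machine with several encrypted volumes has several entries.
    $entries = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryGuid', 'msFVE-RecoveryPassword', 'whenCreated'

    # Normalise the caller's ID to bare upper-case hex so that "3A4B5C6D" and
    # "{3a4b5c6d-...}" both work as prefixes.
    $prefix = ($RecoveryKeyId -replace '[{}-]', '').ToUpperInvariant()

    $found = foreach ($entry in $entries) {
        # msFVE-RecoveryGuid is stored as a 16-byte octet string; rebuild the GUID from it.
        $guid = New-Object -TypeName System.Guid -ArgumentList (,[byte[]]$entry.'msFVE-RecoveryGuid')
        if ($guid.ToString('N').ToUpperInvariant().StartsWith($prefix)) {
            [pscustomobject]@{
                Computer      = $computer.Name
                RecoveryKeyId = $guid.ToString('D').ToUpperInvariant()
                Created       = $entry.whenCreated
                Password      = $entry.'msFVE-RecoveryPassword'   # the 48-digit recovery password
            }
        }
    }

    # Three outcomes, as with a helpdesk tool: no match, several matches, or exactly one.
    if (-not $found) {
        throw "No recovery password under $($computer.Name) matches ID prefix '$prefix'."
    }
    if (@($found).Count -gt 1) {
        Write-Warning "Several entries match '$prefix'; ask the user for the full recovery key ID."
    }
    return $found
}

# Example call with a constructed computer name and an eight-character ID prefix.
Get-BitLockerRecoveryPassword -ComputerName 'WS-EXAMPLE01' -RecoveryKeyId '3A4B5C6D'
```

Identity verification (the TechNet step above) happens before this lookup is run; the returned 48-digit password is a credential for the volume and should be read out to the verified user only.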
Wrong. Asking a user for their logon name is a very lame way to verify their identity. Answers D & E seem to be the best solution, because:
- you need to know the computer name in order to find the computer object in AD, where BitLocker passwords are stored;
- without the recovery key ID you will not know which BitLocker recovery password to use.
You ask for the user's name to verify that he is indeed the owner of the laptop/drive.
Otherwise you could unlock the drive for anyone who has access to it.
This is precisely what you want to prevent with BitLocker.
I disagree.
1) Saying a name does not verify you at all. You can easily find out the name of the owner if you have access to the PC. For example, open Outlook or simply press Start to see the username. In such cases mobile phone call verification would be preferred, but it is not mentioned in the answers.
2) It is mentioned in the conditions that some (NOT ONE) volumes on the computers are encrypted. This means you will have to find out which one is locked. So you need the recovery key ID.
D & E is correct.
Source: http://www.concurrency.com/blog/enable-bitlocker-automatically-save-keys-to-active-directory/
If you already ask for the computer name then you already have enough information to retrieve the key… retard…
1.
Open a web browser and navigate to the Administration and Monitoring Website.
2.
In the left pane, select Drive Recovery to open the Recover access to an encrypted drive page.
3.
Enter the end user’s Windows log-on domain and user name to view recovery information.
(Unless you are in the MBAM Advanced Helpdesk Users group, in which case the user domain and user ID fields are not required.)
4.
Enter the first eight digits of the recovery key ID to see a list of possible matching recovery keys, or enter the entire recovery key ID to get the exact recovery key.
5.
From the Reason for Drive Unlock list, select one of the predefined options, and then click Submit.
MBAM returns the following:
◦ An error message if no matching recovery password is found
◦ Multiple possible matches if the user has multiple matching recovery passwords
◦ The recovery password and recovery package for the submitted user
D and E are the best way. This is the method used by our group. Nine times out of ten, no one is going to call and not be the end user or their leadership.
Martin,
so are you saying D and E