A company has an Active Directory Domain Services (AD DS) domain. All client computers run Windows 10
Enterprise. Some computers have a Trusted Platform Module (TPM) chip.
You need to configure a single Group Policy object (GPO) that will allow Windows BitLocker Drive Encryption
on all client computers.
Which two actions should you perform? Each correct answer presents part of the solution.
A.
Enable the Require additional authentication at startup policy setting.
B.
Enable the Enforce drive encryption type on operating system drives policy setting.
C.
Enable the option to allow BitLocker without a compatible TPM.
D.
Configure the TPM validation profile to enable Platform Configuration Register indices (PCRs) 0, 2, 4, and
11.
Explanation:
We need to allow Windows BitLocker Drive Encryption on all client computers (including client computers that
do not have Trusted Platform Module (TPM) chip).
We can do this by enabling the option to allow BitLocker without a compatible TPM in the group policy. The
‘Allow BitLocker without a compatible TPM’ option is a checkbox in the ‘Require additional authentication at
startup’ group policy setting. To access the ‘Allow BitLocker without a compatible TPM’ checkbox, you need to
first select Enabled on the ‘Require additional authentication at startup’ policy setting.
Incorrect Answers:
B: Enabling the ‘Enforce drive encryption type on operating system drives’ policy setting allows you to configure
whether the entire drive or used space only is encrypted when BitLocker is enabled. However, it does not
enable the use of BitLocker on computers without a TPM chip.
D: The Platform Configuration Register indices (PCRs) 0, 2, 4, and 11 are enabled by default for computers
that use an Extensible Firmware Interface (EFI). Configuring the TPM validation profile does not enable the use
of BitLocker on computers without a TPM chip.http://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/
agree