You administer computers that run Windows 8 Enterprise and are members of an Active Directory
domain. Some volumes on the computers are encrypted with BitLocker. The BitLocker recovery
passwords are stored in Active Directory. A user forgets the BitLocker password to local drive E:
and is unable to access the protected volume. You need to provide a BitLocker recovery key to
unlock the protected volume. Which two actions should you perform? (Each correct answer
presents part of the solution. Choose two.)
A. Ask the user to run the manage-bde -protectors -disable e: command.
B. Ask the user for his or her logon name.
C. Ask the user to run the manage-bde -unlock E: -pw command.
D. Ask the user for his or her computer name.
E. Ask the user for a recovery key ID for the protected drive.
Explanation:
Asking users for their logon name is a very lame way to verify their identity. Answers D and E seem to be the best solution, because:
– You need to know the computer name in order to find the computer object in AD, where the BitLocker recovery passwords are stored.
– Without the recovery key ID you will not know which BitLocker recovery password to use.
The question doesn't mention whether multiple encrypted drives are assigned to this computer, but we do know that the key ID would be important for verification purposes even if there is only one drive.
manage-bde with -pw looks tempting, but the question mentions a user, and it takes an administrator command prompt to run this command. I would rule out that answer.
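The lookup that answers D and E make possible, as an added example that is not part of the original question or explanation: the computer name locates the computer object, and the key ID selects one of its child msFVE-RecoveryInformation objects. The function names `Select-RecoveryEntry` and `Get-RecoveryEntry` are hypothetical, the sample entries are constructed, and the AD query assumes the RSAT ActiveDirectory module and read access to the recovery objects.

```powershell
# Added example. Function names are hypothetical; sample data is constructed.

# Pick the single recovery object whose name embeds the key ID the user reads out.
# Recovery object names have the form "<timestamp>{<recovery GUID>}".
function Select-RecoveryEntry {
    param([object[]]$Entries, [Parameter(Mandatory)][string]$KeyId)
    # Accept only hex digits and hyphens (8 to 36 chars) so the value cannot
    # act as a wildcard pattern in the -like comparison below.
    if ($KeyId -notmatch '^[0-9A-Fa-f-]{8,36}$') {
        throw 'Key ID must be 8 to 36 hex digits or hyphens.'
    }
    $hits = @($Entries | Where-Object { $_.Name -like "*{$KeyId*" })
    # Zero or several matches means the caller gave the wrong computer or ID:
    # refuse to release any password rather than guess.
    if ($hits.Count -ne 1) {
        throw "Expected exactly one matching recovery entry, found $($hits.Count)."
    }
    $hits[0]
}

# Domain lookup: the computer name (answer D) finds the computer object,
# the key ID (answer E) selects the right recovery password beneath it.
function Get-RecoveryEntry {
    param([Parameter(Mandatory)][string]$ComputerName,
          [Parameter(Mandatory)][string]$KeyId)
    Import-Module ActiveDirectory
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $entries = Get-ADObject -SearchBase $dn `
        -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
        -Properties 'msFVE-RecoveryPassword'
    Select-RecoveryEntry -Entries $entries -KeyId $KeyId
}

# Constructed sample: one computer with two protected volumes (not real keys).
$sample = @(
    [pscustomobject]@{
        Name = '2013-05-21T10:12:05-00:00{1A2B3C4D-0000-0000-0000-000000000001}'
        'msFVE-RecoveryPassword' = '000000-000000-000000-000000-000000-000000-000000-000001' }
    [pscustomobject]@{
        Name = '2013-06-02T08:30:41-00:00{9F8E7D6C-0000-0000-0000-000000000002}'
        'msFVE-RecoveryPassword' = '000000-000000-000000-000000-000000-000000-000000-000002' }
)

# The user reads the first eight characters of the key ID from the recovery prompt.
(Select-RecoveryEntry -Entries $sample -KeyId '9F8E7D6C').'msFVE-RecoveryPassword'
```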