Exam 70-744 topic 1 question 39 discussion

Actual exam question from Microsoft's 70-744

Question #: 39
Topic #: 1

Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Your network contains an Active Directory domain named contoso.com. The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.

All servers run Windows Server 2016. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the marketing department. You have an OU named Finance that contains the computers in the finance department. You have an OU named AppServers that contains application servers. A Group Policy object (GPO) named GP1 is linked to the Marketing OU. A GPO named GP2 is linked to the AppServers OU.
You install Windows Defender on Nano1.
You plan to implement BitLocker Drive Encryption (BitLocker) on the operating system volumes of the application servers.
You need to ensure that the BitLocker recovery keys are stored in Active Directory.
Which Group Policy setting should you configure?

A. System cryptography: Force strong key protection for user keys stored on the computer
B. Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)
C. System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.
D. Choose how BitLocker-protected operating system drives can be recovered.

Show Suggested Answer

Suggested Answer: B 🗳️
References:
https://technet.microsoft.com/en-us/library/jj679890(v=ws.11).aspx#BKMK_rec3

by why_does_it_matter at April 15, 2020, 9:19 a.m.

Comments

Submit Cancel

Timock

4 years, 5 months ago

This is under a section in the Policy: In "Save BitLocker recovery information to Active Directory Doman Services" choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "Backup recovery password and key package", both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "Backup recovery password only," only the recovery password is stored in AD DS.

upvoted 1 times

...

Yebubbleman

4 years, 5 months ago

The Exam Ref 70-744 book would suggest B, despite the misleading bit about Windows Server 2008 and Windows Vista.

upvoted 1 times

Yebubbleman

4 years, 5 months ago

Alright, so, B is the precursor GPO option to D. B really does only apply to Windows Server 2008 and Windows Vista, whereas D applies to Windows Server 2008 R2 and Windows 7 or newer. https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#bkmk-rec3

upvoted 1 times

...

SamsOtro

4 years, 7 months ago

D is Correct - Choose how BitLocker-protected operating system drives can be recovered

upvoted 2 times

...

KidCastaldo

4 years, 8 months ago

The answer is D. If you read the GPO descriptions for those settings, B is "ONLY applicable to computers running Windows Server 2008 or Windows Vista." D is for "At least Windows Server 2008 R2 or Windows 7"

upvoted 4 times

...

jelly_baby

4 years, 9 months ago

D is correct, not B. "All servers run 2016". The GPO in B states at the end '2008 and Vista'. Forest function level is 2008, not the servers, so this GPO would not apply.

upvoted 3 times

...