Exam MD-100 topic 3 question 85 discussion

Actual exam question from Microsoft's MD-100
Question #: 85
Topic #: 3

You have several computers that run Windows 10. The computers are in a workgroup and have BitLocker Drive Encryption (BitLocker) enabled.
You join the computers to Microsoft Azure Active Directory (Azure AD).
You need to ensure that you can recover the BitLocker recovery key for the computers from Azure AD.
What should you do first?

  • A. Disable BitLocker.
  • B. Add a BitLocker key protector.
  • C. Suspend BitLocker.
  • D. Disable the TPM chip.
Suggested Answer: B
Reference:
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bitlocker-key-protectors

Comments

Aray
Highly Voted 4 years, 8 months ago
"manage-bde.exe -protectors -aadbackup" is the command to throw the keys to Azure AD
upvoted 21 times
Larry23
2 years, 4 months ago
If your machine is already encrypted and joined to Azure AD, you can run "manage-bde.exe -protectors -aadbackup C: -id {Your Bitlocker recovery key ID}" and it will back up the recovery key to Azure without any issue. I just tested this on my machine. Answer B is correct.
upvoted 1 times
...
...
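Added example, not part of any comment above: a PowerShell equivalent of the `manage-bde -protectors -aadbackup` step for a volume that is already encrypted, adding a recovery password protector only if none exists. It assumes an elevated session on an Azure AD-joined Windows 10 device and that the OS volume is the one to escrow.

```powershell
#Requires -RunAsAdministrator
# Added example: escrow the BitLocker recovery password of an
# already-encrypted volume to Azure AD without decrypting it.

# Assumption: the operating system volume is the one to escrow.
$mountPoint = $env:SystemDrive

function Get-RecoveryPasswordProtector {
    param([string]$MountPoint)
    # The "recovery key" shown in Azure AD is a RecoveryPassword protector.
    @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword')
}

$volume = Get-BitLockerVolume -MountPoint $mountPoint
if ($volume.ProtectionStatus -ne 'On') {
    Write-Warning "BitLocker protection on $mountPoint is $($volume.ProtectionStatus)."
}

$recovery = Get-RecoveryPasswordProtector -MountPoint $mountPoint

# A volume encrypted while in a workgroup may carry only a TPM protector.
# Adding a recovery password protector does not decrypt or re-encrypt the drive.
if ($recovery.Count -eq 0) {
    Add-BitLockerKeyProtector -MountPoint $mountPoint -RecoveryPasswordProtector |
        Out-Null
    $recovery = Get-RecoveryPasswordProtector -MountPoint $mountPoint
}

# Back up every recovery password protector; only the protector ID is
# printed, never the 48-digit recovery password itself.
foreach ($protector in $recovery) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $mountPoint `
        -KeyProtectorId $protector.KeyProtectorId | Out-Null
    Write-Output "Backed up protector $($protector.KeyProtectorId) for $mountPoint"
}
```

After it runs, the protector IDs it prints can be compared with the recovery key IDs listed on the device's entry in Azure AD.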
Henk36
Highly Voted 4 years, 3 months ago
Regarding the docs you should first run the command for adding keyprotector. Not after the device is encrypted. So in that case it should be A. https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises#powershell-examples
upvoted 7 times
...
Kodoi
Most Recent 1 year, 11 months ago
A is wrong. After disabling it, you need to enable it again. Disabling alone does not achieve the goal.
upvoted 1 times
...
Buruguduystunstugudunstuy
2 years, 3 months ago
Selected Answer: B
The correct answer is B. Add a BitLocker key protector. To ensure that you can recover the BitLocker recovery key for the computers from Azure AD after joining them to Azure AD, you should add a BitLocker key protector. A BitLocker key protector is a way to store a copy of the BitLocker recovery key in a safe location, such as Azure AD, which can be used to recover the drive in case of a hardware failure or other issue.
upvoted 1 times
...
Thomas4k
2 years, 8 months ago
again wrong answer. disable and enable bitlocker
upvoted 2 times
...
veteran_tech
3 years ago
You create the key protector, then you upload it to Azure AD.
upvoted 1 times
...
vo5rework
3 years, 7 months ago
Not completely official: https://campbell.scot/store-bitlocker-recovery-keys-in-azure-ad-for-devices-already-encrypted/. Seems to suggest you can do this without disabling bitlocker. B is the best answer.
upvoted 1 times
...
mikl
3 years, 7 months ago
Well - I can only see B as an option, the other three answers are completely nonsense?
upvoted 5 times
PChi
3 years, 3 months ago
Agreed. B is the best answer. Especially after reviewing the microsoft document attached to the answer.
upvoted 2 times
...
...
CARIOCA
4 years ago
The answer key for this question ended up very divided; in the end, what would the answer be and what is the justification? After a debate of 9 comments, is the answer key the same or not?
upvoted 1 times
...
Merma
4 years, 3 months ago
B. seems like the best option https://www.windowscentral.com/how-use-bitlocker-encryption-windows-10
upvoted 1 times
...
AVP_Riga
4 years, 3 months ago
Control Panel\All Control Panel Items\BitLocker Drive Encryption Backup your recovery keys
upvoted 1 times
...
badguytoo
4 years, 3 months ago
In general, the number one is correct. You can test it on your own.
upvoted 2 times
...
FableFa
4 years, 4 months ago
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde-protectors
upvoted 2 times
...
Divy95
4 years, 6 months ago
To save the encryption key to Azure AD, the only thing you need to do is log in using an Azure account. The recovery key would be backed up to Azure.
upvoted 2 times
Divy95
4 years, 6 months ago
Okay, as per Topic 2 Q32 the following group policies need to be enabled for Bitlocker encryption: "Require additional authentication at startup"; "Configure how Bitlocker protected OS drives can be recovered"
upvoted 1 times
...
...
Nail
4 years, 8 months ago
I can't find anything to back this up but I think this is wrong. I think the only way you can escrow those keys is to disable BitLocker and then re-enable. So the first step would be to disable BitLocker.
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other