Exam MS-500 topic 2 question 41 discussion

May be the documentation has changed but TPM 1.2 is supported for bitlocker https://docs.microsoft.com/en-us/mem/intune/protect/encrypt-devices#silently-enable-bitlocker-on-devices You can configure a BitLocker policy that automatically and silently enables BitLocker on a device. Device must contain at least TPM (Trusted Platform Module) 1.2. The answer should be ->D. Device2 and Device3 only

Valid on exam 9/21/2022

It should be D. Device Prerequisites A device must meet the following conditions to be eligible for silently enabling BitLocker: If end users sign in to the devices as Administrators, the device must run Windows 10 version 1803 or later, or Windows 11. If end users sign in to the devices as Standard Users, the device must run Windows 10 version 1809 or later, or Windows 11. The device must be Azure AD Joined or Hybrid Azure AD Joined. Device must contain at least TPM (Trusted Platform Module) 1.2. The BIOS mode must be set to Native UEFI only.

D "BitLocker supports TPM version 1.2 or higher" : https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq

I chose D option. Technically A correct. Question is unclear. In practice, the correct answer is A. Device Prerequisites A device must meet the following conditions to be eligible for silently enabling BitLocker: If end users sign in to the devices as Administrators, the device must run Windows 10 version 1803 or later, or Windows 11. If end users sign in to the devices as Standard Users, the device must run Windows 10 version 1809 or later, or Windows 11. The device must be Azure AD Joined or Hybrid Azure AD Joined. Device must contain at least TPM (Trusted Platform Module) 1.2. The BIOS mode must be set to Native UEFI only.

I got confused by device 1. but its probably azure ad registrered. and therefore can't be silently enabled. TPM 1.3 is also a BS option. but guess since its higher than 1.2 it should be possible in fantasy land where 1.3 exists.

There ist no TPM 1.3. So B is correct

Answer is 2 and 3 The device must be Azure AD Joined or Hybrid Azure AD Joined and Device must contain at least TPM (Trusted Platform Module) 1.2. #3 is TPM 1.3 as per Microsoft - https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices#device-prerequisites

Solo existen las versiones 1.2 y 2.0, no existe ninguna version 1.3 por lo que esta pregunta tiene trampa. https://www.xatakawindows.com/windows/asi-puedes-comprobar-tu-ordenador-posee-chip-tpm-puedes-instalar-windows-11-tu-equipo

Valid on exam October 14, 2022

The prerequisites changed a few months ago: 1.2 TPM or 2.0 TPM, before that only 2.0 was compatible to silently enable Bitlocker. So Device 2 and 3. Device 1 is a tricky one: You can Intune enroll devices without Azure AD join, but then again they say its a hybrid environment. Very naughty question from Microsoft!

Link provided by exam topics states "Device must contain at least TPM (Trusted Platform Module) 1.2." Thus Device2 & Device3 are supported.

" The device must also be Azure AD joined or hybrid Azure AD joined. The device must also contain at least TPM version 1.2 or the Trusted Platform Module." Reference: https://cloudacademy.com/course/microsoft-365-device-application-protection-2923/configuring-and-managing-windows-device-encryption/

If it is true that in order to silently enable BitLocker, the device must contain TPM (Trusted Platform Module) 2.0. than only option would be B. Device1 is not AAD joined and Device3 is lacking the needed TPM version. However, it is cruel by Microsoft to put a TPM version that does not exist. So much confusion because of it.

Windows 11, Windows 10, Windows Server 2016, and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.

B is only correct answer, TPM 1.3 doesn't exist, it is more catch me answer

I think all them can be enrolled, join the dots, 1.3v is over 1.2v so thats fine, there is no such thing as Active Directory joined in AAD its Hybird or AAD joined, so by fact it states Hybrid we assume its joined, there for all are acceptable