ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-801 All Questions

View all questions & answers for the AZ-801 exam
Go to Exam

Exam AZ-801 topic 1 question 23 discussion

Actual exam question from Microsoft's AZ-801
Question #: 23
Topic #: 1
[All AZ-801 Questions]

HOTSPOT
-

You have a generation 1 Azure virtual machine named VM1 that runs Windows Server and is joined to an Active Directory domain.

You plan to enable BitLocker Drive Encryption (Bit-Locker) on volume C of VM1.

You need to ensure that the BitLocker recovery key for VM1 is stored in Active Directory.

Which two Group Policy settings should you configure first? To answer, select the settings in the answer area.

NOTE: Each correct selection is worth one point.

Show Suggested Answer Hide Answer
Suggested Answer:
by nefaxto at Feb. 10, 2023, 2:47 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
phi3nix
Highly Voted 2 years ago
Good read: https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview We need: Allow BitLocker without a compatible TPM and Require additional authentication at startup "If BitLocker needs to be used on a computer without a TPM, select Allow BitLocker without a compatible TPM. In this mode, a password or USB drive is required for startup. The USB drive stores the startup key that is used to encrypt the drive. When the USB drive is inserted, the startup key is authenticated, and the operating system drive is accessible. If the USB drive is lost or unavailable, BitLocker recovery is required to access the drive."
upvoted 6 times
phi3nix
2 years ago
If this question is about VM domain joined in Azure. Azure VM does not have TPM. We need to use a password to decrypt it. Azure Disk Encryption uses the BitLocker external key protector for Windows VMs. For domain joined VMs, don't push any group policies that enforce TPM protectors. For information about the group policy for "Allow BitLocker without a compatible TPM," see BitLocker Group Policy Reference. BitLocker policy on domain-joined virtual machines with custom group policy must include the following setting: Configure user storage of BitLocker recovery information -> Allow 256-bit recovery key.
upvoted 1 times
...
...
Escaruncho
Most Recent 3 months, 2 weeks ago
I think the answer is correct. https://techcommunity.microsoft.com/blog/nonprofittechies/how-to-enable-azure-disk-encryption/3735071 Gen1 AZ VMs also support AZ disk encryption (bitlocker).
upvoted 1 times
...
Krayzr
3 months, 4 weeks ago
After running through multiple deep searches and think model AIs, This is the best answer I came across "Require additional authentication at startup" is necessary to activate BitLocker on the OS drive and define how it interacts with the system's security hardware (TPM or alternative methods), which is a foundational step before recovery options can take effect. "Choose how BitLocker-protected operating system drives can be recovered" directly addresses the requirement to store the recovery key in Active Directory, ensuring compliance with the stated goal.
upvoted 1 times
...
BlackCat9588
4 months, 1 week ago
Not Sure. Enforce drive encryption type on operating system drives Choose how Bitlocker protected operating system drives can be recovered.
upvoted 1 times
...
starseed
9 months ago
Correct answer
upvoted 1 times
...
smorar
1 year ago
Require additional authentication at startup Choose how BitLocker-protected operating system drives can be recovered
upvoted 2 times
...
calotta1
1 year, 10 months ago
The answer is correct!
upvoted 1 times
...
syu31svc
2 years, 1 month ago
I half-agree with the answer https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered Reference: Choose how BitLocker-protected operating system drives can be recovered In Save BitLocker recovery information to Active Directory Domain Services, choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS) for operating system drives. If Store recovery password and key packages is selected, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports the recovery of data from a drive that is physically corrupted. If Store recovery password only is selected, only the recovery password is stored in AD DS.
upvoted 1 times
syu31svc
2 years, 1 month ago
Enforce drive encryption type on operating system drives This policy controls whether operating system drives utilize Full encryption or Used Space Only encryption
upvoted 1 times
syu31svc
2 years, 1 month ago
"enable BitLocker Drive Encryption (Bit-Locker) on volume C " Enforce drive encryption type on operating system drives would address this I guess
upvoted 1 times
...
...
...
prepper666
2 years, 2 months ago
Answer given is incorrect. The question is about a azure VM. VMs do not have TPM and so you must select "Require additional authentication at startup" and "not enforce drive encryption on OS drives".
upvoted 4 times
...
Verdural
2 years, 3 months ago
https://woshub.com/store-bitlocker-recovery-keys-active-directory/
upvoted 3 times
...
wyindualizer
2 years, 4 months ago
https://askme4tech.com/how-enable-bitlocker-group-policy#:~:text=How%20to%20configure%20the%20GPO%201%20Open%20the,BitLocker%20is%20the%20Require%20additional%20authentication%20at%20startup.
upvoted 3 times
...
nefaxto
2 years, 4 months ago
I think it's correct https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.VolumeEncryption::OSEncryptionType_Name https://admx.help/?Category=MDOP&Policy=Microsoft.Policies.BitLockerManagement::RDVRecoveryUsagePolicy
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel