Exam AZ-801 topic 1 question 23 discussion

Good read: https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview We need: Allow BitLocker without a compatible TPM and Require additional authentication at startup "If BitLocker needs to be used on a computer without a TPM, select Allow BitLocker without a compatible TPM. In this mode, a password or USB drive is required for startup. The USB drive stores the startup key that is used to encrypt the drive. When the USB drive is inserted, the startup key is authenticated, and the operating system drive is accessible. If the USB drive is lost or unavailable, BitLocker recovery is required to access the drive."

I think the answer is correct. https://techcommunity.microsoft.com/blog/nonprofittechies/how-to-enable-azure-disk-encryption/3735071 Gen1 AZ VMs also support AZ disk encryption (bitlocker).

After running through multiple deep searches and think model AIs, This is the best answer I came across "Require additional authentication at startup" is necessary to activate BitLocker on the OS drive and define how it interacts with the system's security hardware (TPM or alternative methods), which is a foundational step before recovery options can take effect. "Choose how BitLocker-protected operating system drives can be recovered" directly addresses the requirement to store the recovery key in Active Directory, ensuring compliance with the stated goal.

Not Sure. Enforce drive encryption type on operating system drives Choose how Bitlocker protected operating system drives can be recovered.

Correct answer

Require additional authentication at startup Choose how BitLocker-protected operating system drives can be recovered

The answer is correct!

I half-agree with the answer https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered Reference: Choose how BitLocker-protected operating system drives can be recovered In Save BitLocker recovery information to Active Directory Domain Services, choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS) for operating system drives. If Store recovery password and key packages is selected, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports the recovery of data from a drive that is physically corrupted. If Store recovery password only is selected, only the recovery password is stored in AD DS.

Answer given is incorrect. The question is about a azure VM. VMs do not have TPM and so you must select "Require additional authentication at startup" and "not enforce drive encryption on OS drives".

https://woshub.com/store-bitlocker-recovery-keys-active-directory/

https://askme4tech.com/how-enable-bitlocker-group-policy#:~:text=How%20to%20configure%20the%20GPO%201%20Open%20the,BitLocker%20is%20the%20Require%20additional%20authentication%20at%20startup.

I think it's correct https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.VolumeEncryption::OSEncryptionType_Name https://admx.help/?Category=MDOP&Policy=Microsoft.Policies.BitLockerManagement::RDVRecoveryUsagePolicy