A company has an Active Directory Domain Services (AD DS) domain. All client computers run Windows 8.1. Some computers have a Trusted Platform Module (TPM) chip. Members of the ITStaff security group are part of the local Power Users group on each client computer.
You need to configure a single Group Policy object (GPO) that will allow Windows BitLocker Drive Encryption on all client computers by using the least amount of privilege necessary. Which commands should you run? (To answer, drag the appropriate command or commands to the correct location or locations in the answer area. Commands may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.)
Correct Answer:
Explanation/Reference:
Ref: http://technet.microsoft.com/en-us/library/ee706521(v=ws.10).aspx
Explanation:
http://technet.microsoft.com/en-US/library/cc754948.aspx
Group Policy Planning and Deployment Guide
… Administrative requirements for Group Policy
To use Group Policy, your organization must be using Active Directory, and the destination desktop and server computers must be running Windows Server 2008, Windows Vista, Windows Server 2003, or Windows XP.
By default, only members of the Domain Admins or the Enterprise Admins groups can create and link GPOs, but you can delegate this task to other users.
…
http://technet.microsoft.com/en-us/library/jj679890.aspx
BitLocker Group Policy Settings
… Require additional authentication at startup
This policy setting is used to control which unlock options are available for operating system drives.
… With this policy setting, you can configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.
… Reference
If you want to use BitLocker on a computer without a TPM, select the Allow BitLocker without a compatible TPM check box. In this mode, a USB drive is required for startup. Key information that is used to encrypt the drive is stored on the USB drive, which creates a USB key. When the USB key is inserted, access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable, you need to use one of the BitLocker recovery options to access the drive.
…
Further information:
… Enforce drive encryption type on fixed data drives
This policy controls whether fixed data drives utilize Used Space Only encryption or Full encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page so no encryption selection displays to the user.
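The "Require additional authentication at startup" setting with "Allow BitLocker without a compatible TPM" can also be written into a single GPO from PowerShell. The script below is an added example, not part of the original question or its answer key. The GPO name and OU path are hypothetical, and it assumes the GroupPolicy module (RSAT) and an account permitted to create and link GPOs.

```powershell
# Added example. Requires the GroupPolicy module (RSAT) and an account allowed to
# create and link GPOs (Domain Admins or Enterprise Admins by default).
Import-Module GroupPolicy

$gpoName  = 'BitLocker - OS drive startup'          # hypothetical GPO name
$targetOu = 'OU=Workstations,DC=example,DC=com'     # hypothetical OU holding the clients
$fveKey   = 'HKLM\SOFTWARE\Policies\Microsoft\FVE'  # key behind the BitLocker policy settings

# "Require additional authentication at startup" and its sub-options.
# For the Use* values: 0 = do not allow, 1 = require, 2 = allow.
$settings = [ordered]@{
    UseAdvancedStartup = 1   # policy enabled
    EnableBDEWithNoTPM = 1   # "Allow BitLocker without a compatible TPM" checked
    UseTPM             = 2   # TPM-only startup allowed where a TPM exists
    UseTPMPIN          = 2   # TPM + PIN allowed
    UseTPMKey          = 2   # TPM + startup key allowed
    UseTPMKeyPIN       = 2   # TPM + startup key + PIN allowed
}

# Reuse the GPO if it already exists so the script can be re-run safely.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Allow BitLocker on clients with and without a TPM'
}

foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $gpoName -Key $fveKey -ValueName $name `
        -Type DWord -Value $settings[$name] | Out-Null
}

# Link once; New-GPLink fails if the link is already present.
$linked = (Get-GPInheritance -Target $targetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# Read the values back from the GPO and flag any that did not stick.
$mismatch = foreach ($name in $settings.Keys) {
    $actual = (Get-GPRegistryValue -Name $gpoName -Key $fveKey -ValueName $name).Value
    if ($actual -ne $settings[$name]) { "$name = $actual (expected $($settings[$name]))" }
}
if ($mismatch) { throw "GPO settings differ: $($mismatch -join '; ')" }
"GPO '$gpoName' configured and linked to $targetOu"
```

Because the policy is applied when BitLocker is turned on, clients need to refresh Group Policy before encryption is started for the TPM-less option to be offered.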