Disk Encryption policy for Windows devices Flashcards

(46 cards)

1
Q

What is the first policy type to configure encryption on managed devices?

A

Endpoint security > Windows encryption policy

2
Q

What are the two profiles available under the Windows encryption policy?

A
  • BitLocker
  • Personal Data Encryption
3
Q

How does Personal Data Encryption (PDE) differ from BitLocker?

A

PDE encrypts files instead of whole volumes and disks.

4
Q

When does BitLocker release data encryption keys?

A

At boot

5
Q

When does Personal Data Encryption (PDE) release data encryption keys?

A

Not until a user signs in with Windows Hello for Business; unlike BitLocker, PDE does not release its data encryption keys at boot.

6
Q

What is the second policy type for configuring encryption on managed devices?

A

Device configuration profile for endpoint protection for BitLocker

7
Q

What settings are included in the device configuration profile for endpoint protection?

A

BitLocker settings

8
Q

What Windows versions support BitLocker settings in endpoint protection?

A

Windows 10/11

9
Q

What are the 3 RBAC roles that can manage BitLocker?

A
  • Help Desk Operator
  • Endpoint Security Administrator
  • Global Administrator
10
Q

What are the 6 steps to create an endpoint security policy for Windows and deploy BitLocker?

A
  1. Endpoint security > Disk encryption > Create Policy
  2. Platform: Windows
  3. Profile: Choose either BitLocker or Personal Data Encryption
  4. Configuration settings
  5. Scope tags
  6. Assignments
11
Q

In an endpoint security policy for Windows that deploys BitLocker, what are the 5 groups of configuration settings?

A
  • BitLocker
  • BitLocker Drive Encryption
  • Operating System Drives
  • Fixed Data Drives
  • Removable Data Drives
12
Q

What are the 3 key settings in the BitLocker group of the endpoint security policy's configuration settings?

A
  • Require Device Encryption
  • Allow Warning for Other Disk Encryption
  • Configure Recovery Password Rotation

These settings control whether encryption is enforced, whether a third-party encryption warning is shown, and whether the recovery password is rotated after use.

13
Q


What does BitLocker Drive Encryption option in configuration settings in endpoint security policy allow you to choose?

A
  • Drive encryption method and cipher strength
  • Unique identifiers for your organization

This customization ensures that the encryption meets organizational security standards.

14
Q

What are the 3 enforcement options for Operating System Drives in the BitLocker endpoint security policy's configuration settings?

A
  • Enforce drive encryption type
  • Require additional authentication at startup
  • Choose recovery methods

These options enhance security and recovery processes for operating system drives.

15
Q


In configuration settings in endpoint security policy, what can be enforced for Fixed Data Drives using BitLocker?

A
  • Enforce drive encryption type
  • Choose recovery methods

This ensures that fixed data drives are protected according to organizational policies.

16
Q

What control does BitLocker provide for Removable Data Drives, in configuration settings in endpoint security policy?

A

Control use of BitLocker on removable drives

This allows organizations to manage encryption settings for portable storage devices.

17
Q

What are the 6 steps to create a device configuration profile (Endpoint protection template) for Windows and deploy BitLocker?

A
  1. Devices > Manage devices > Configuration > On the Policies tab, select Create
  2. Platform: Windows
  3. Profile: Select Templates > Endpoint protection
  4. Configuration settings, expand Windows Encryption.
  5. Scope tags
  6. Assignments
18
Q

What is the most secure combination of authentication methods for unlocking a drive?

A

TPM + startup PIN + startup key

This combination is considered the most secure as it requires multiple authentication tasks.

19
Q

Which TPM-based authentication method requires the user to insert a USB flash drive containing a startup key (but no PIN)?

A

TPM + startup key

In this method the TPM still holds its part of the key material; the startup key on the USB drive is a second factor that must be present at boot.

20
Q

What does the TPM + startup PIN method require from the user?

A

Entering a PIN

The encryption key is stored on the TPM chip.

21
Q

What is needed for the startup key only method?

A

Insert a USB flash drive with the startup key

This method does not require a TPM chip, but the BIOS must support USB access before the OS loads.

22
Q

What does the TPM only method require from the user?

A

No user action is required

The encryption key is stored on the TPM chip.

23
Q

True or False: The startup key only method requires a TPM chip.

A

False

The device does not need to have a TPM chip for this method.
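The following PowerShell is added here as a worked example; it is not part of the original flashcards. It checks on a managed device what the settings from cards 13, 14 and 18 through 23 actually produced (encryption method, protection status and which key protector types exist) and upgrades an OS drive from TPM-only to TPM + startup PIN. The function names are this example's own; the cmdlets (Get-BitLockerVolume, Get-Tpm, Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector) come from the built-in BitLocker and TrustedPlatformModule modules. Run it in an elevated session on the device.

```powershell
# Added example (not from the original flashcards): verify the BitLocker posture
# an Intune policy produced on this device, then move the OS drive from a
# TPM-only protector to TPM + startup PIN. Requires an elevated session.

function Get-BitLockerPosture {
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $tpm = Get-Tpm

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus      # FullyEncrypted / EncryptionInProgress / FullyDecrypted
        ProtectionStatus = $vol.ProtectionStatus  # On = protectors enforced; Off = suspended, key exposed
        EncryptionMethod = $vol.EncryptionMethod  # e.g. XtsAes256 when the policy chose 256-bit XTS-AES
        Protectors       = ($vol.KeyProtector.KeyProtectorType | Sort-Object -Unique) -join ', '
        TpmReady         = $tpm.TpmReady
    }
}

function Add-TpmPinProtector {
    param(
        [string]$MountPoint = 'C:',
        [Parameter(Mandatory)][securestring]$Pin   # digits only unless enhanced PINs are allowed by policy
    )

    $types = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorType
    if ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey') {
        Write-Host "$MountPoint already has a TPM + PIN protector; nothing to do."
        return
    }
    if (-not (Get-Tpm).TpmReady) {
        throw 'TPM is not ready; a TPM-based protector cannot be added.'
    }
    # Never remove the only TPM protector unless a recovery path exists.
    if ($types -notcontains 'RecoveryPassword') {
        throw 'No recovery password protector present; add and escrow one before changing TPM protectors.'
    }

    # BitLocker allows one TPM-type protector per volume, so the TPM-only
    # protector is removed first and replaced by TPM + PIN. Until the next line
    # completes the drive would boot into recovery, which the recovery
    # password covers. The policy setting "Require additional authentication
    # at startup" must permit a TPM + PIN or the add fails with access denied.
    $tpmOnly = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'Tpm'
    foreach ($p in $tpmOnly) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
}

# Usage: inspect first, then enforce the stronger unlock method.
Get-BitLockerPosture -MountPoint 'C:' | Format-List
$pin = Read-Host -AsSecureString -Prompt 'Startup PIN'
Add-TpmPinProtector -MountPoint 'C:' -Pin $pin
Get-BitLockerPosture -MountPoint 'C:' | Format-List
```

The posture check is the part worth running fleet-wide (for example as an Intune remediation script): a drive reporting ProtectionStatus Off or a Protectors value of just "Tpm" means the policy in the portal has not produced the unlock method the cards describe, whatever the compliance dashboard says.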

24
Q

What happens to a BitLocker encrypted drive until it is unlocked?

A

Its contents stay encrypted and unreadable; the drive is not unlocked until one of its key protectors (TPM, PIN, startup key, or a recovery method) is satisfied.

25
Q

What are the two methods to unlock a BitLocker encrypted drive in recovery mode?

A
  • Recovery password
  • Recovery key
26
Q

What is a recovery password in BitLocker?

A

A 48-digit number typed on a regular keyboard or, at the pre-boot recovery screen, using the function keys (F1-F10, where F10 stands for 0).
27
Q

What is a recovery key in BitLocker?

A

An encryption key, created when BitLocker is first turned on and stored on removable media, that can be used to recover data encrypted on a BitLocker volume.
28
Q

What are the 2 steps to rotate the BitLocker recovery key?

A
  1. Select Devices > All devices
  2. Select a device, and then select the BitLocker key rotation remote action
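The following PowerShell is added here as a worked example and is not part of the original flashcards. It covers the device side of cards 25 through 27: make sure the OS drive has a numerical recovery password protector, escrow it to Entra ID (the store that Intune and the Company Portal read from), and confirm from the BitLocker event log that the escrow succeeded. The function names are this example's own; BackupToAAD-BitLockerKeyProtector and the event IDs 845/846 in the Microsoft-Windows-BitLocker/BitLocker Management log are Windows built-ins.

```powershell
# Added example (not from the original flashcards): ensure a recovery password
# protector exists on the OS drive and is escrowed to Entra ID, then read back
# the success/failure events. Run elevated on an Entra-joined Windows device.

function Ensure-RecoveryPasswordEscrow {
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

    if (-not $rp) {
        # No numerical recovery password yet: let BitLocker generate one.
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    foreach ($p in $rp) {
        # Sanity-check the format: 8 groups of 6 digits, hyphen separated (48 digits).
        if ($p.RecoveryPassword -notmatch '^(\d{6}-){7}\d{6}$') {
            throw "Protector $($p.KeyProtectorId) is not a 48-digit recovery password."
        }
        # Escrow to Entra ID so the key appears under the device in Intune / Entra.
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }

    # Return only protector IDs; the passwords themselves never go to a log.
    return $rp.KeyProtectorId
}

function Get-EscrowEvents {
    # 845 = recovery information backed up to Entra ID, 846 = backup failed.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id      = 845, 846
    } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Result'; e = { if ($_.Id -eq 845) { 'Backed up to Entra ID' } else { 'Backup FAILED' } } }
}

# Usage
Ensure-RecoveryPasswordEscrow -MountPoint 'C:'
Get-EscrowEvents | Format-Table -AutoSize
```

A device whose OS drive shows a recovery password protector locally but no 845 event has a key that helpdesk cannot retrieve from Intune or Entra; that gap, not the absence of the protector, is what usually strands users at the recovery screen.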
29
Q

What does Intune enable for end users regarding recovery keys?

A

Self-service scenarios through the Company Portal (website or app)

This lets users obtain their own recovery keys without calling the helpdesk.
30
Q

Where are BitLocker recovery keys stored when using Intune?

A

In Entra ID

This storage is what makes recovery key access manageable from Intune and Entra.
31
Q

What is the default setting for the tenant-wide toggle that prevents recovery key access for non-admin users?

A

'No'

By default, all users can recover the BitLocker keys for their own devices.
32
Q

What happens when the tenant-wide toggle that prevents recovery key access for non-admin users is set to 'Yes'?

A

Non-admin users can no longer see the BitLocker keys for their devices

Only admins can then access the keys for those devices.
33
Q

What do Audit Logs within the Entra ID portal track?

A

The history of activities related to recovery key access

This includes recovery key accesses made by users through the Company Portal.
34
Q

Under what category are recovery key accesses logged in the Audit Logs?

A

Key Management

This categorization groups all log entries related to key access.
35
Q

What information is logged when a user accesses a recovery key?

A

The User Principal Name and the key ID

This information identifies who accessed which key.
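The following PowerShell is added here as a worked example; it is not part of the original flashcards. It performs the admin-side operations of card 28 and cards 30 through 35 through Microsoft Graph instead of the portal: trigger the Intune BitLocker key rotation remote action, list the recovery keys escrowed in Entra ID for a device, read one key, and then pull the Read BitLocker key entries from the Entra audit log (category KeyManagement) to see who read which key. The function names, the client-name header value and the device IDs are this example's own placeholders; the Graph endpoints, permissions, ocp-client-* headers and the Get-MgAuditLogDirectoryAudit cmdlet are real. Which audit field carries the key ID should be confirmed against a live entry, so the example returns both the target resource and the additional details.

```powershell
# Added example (not from the original flashcards): rotate, list, read and
# audit BitLocker recovery keys through Microsoft Graph PowerShell.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.PrivilegedOperations.All',
                         'BitLockerKey.Read.All',
                         'AuditLog.Read.All' | Out-Null

function Invoke-BitLockerKeyRotation {
    # Same action as the "BitLocker key rotation" remote action in Intune.
    param([Parameter(Mandatory)][string]$ManagedDeviceId)   # Intune managedDevice id
    $uri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$ManagedDeviceId/rotateBitLockerKeys"
    Invoke-MgGraphRequest -Method POST -Uri $uri
}

function Get-EscrowedRecoveryKeys {
    # Lists key metadata only (no key material); needs BitLockerKey.ReadBasic.All or Read.All.
    param([Parameter(Mandatory)][string]$EntraDeviceId)     # Entra ID device object's deviceId
    $uri = "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys?`$filter=deviceId eq '$EntraDeviceId'"
    (Invoke-MgGraphRequest -Method GET -Uri $uri).value |
        Select-Object id, createdDateTime, volumeType   # operatingSystemVolume / fixedDataVolume / removableDataVolume
}

function Read-RecoveryKey {
    # Returns the 48-digit key. $select=key and the ocp-client-* headers are
    # required; every call is written to the Entra audit log as "Read BitLocker key".
    param([Parameter(Mandatory)][string]$KeyId)
    $uri = "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys/$KeyId?`$select=key"
    $hdr = @{ 'ocp-client-name' = 'Contoso-Helpdesk-Tool'; 'ocp-client-version' = '1.0' }   # placeholder client name
    (Invoke-MgGraphRequest -Method GET -Uri $uri -Headers $hdr).key
}

function Get-RecoveryKeyReadAudit {
    # Who read a BitLocker key in the last N days, from the KeyManagement category.
    param([int]$Days = 7)
    $since  = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    $filter = "category eq 'KeyManagement' and activityDisplayName eq 'Read BitLocker key' and activityDateTime ge $since"
    Get-MgAuditLogDirectoryAudit -Filter $filter -All |
        Select-Object ActivityDateTime,
            @{ n = 'Actor';   e = { $_.InitiatedBy.User.UserPrincipalName } },
            @{ n = 'Target';  e = { ($_.TargetResources | Select-Object -First 1).Id } },
            @{ n = 'Details'; e = { ($_.AdditionalDetails | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; ' } },
            Result
}

# Usage (IDs are placeholders):
Invoke-BitLockerKeyRotation -ManagedDeviceId '00000000-0000-0000-0000-000000000000'
Get-EscrowedRecoveryKeys   -EntraDeviceId   '11111111-1111-1111-1111-111111111111' | Format-Table
Get-RecoveryKeyReadAudit -Days 7 | Format-Table -AutoSize
```

Reading a key through Graph lands in the same KeyManagement audit category as a Company Portal self-service read, so the audit query above is the check to run after enabling key rotation or opening self-service: an actor reading keys for devices they do not own is visible there before it is visible anywhere else.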
36
Q

What can you require in an Entra Conditional Access policy to control access to the BitLocker recovery key?

A

Require a compliant device

This ensures that only devices meeting compliance requirements can access sensitive resources such as the recovery key.
37
Q

True or False: A device that fails to meet compliance requirements can access the BitLocker recovery key.

A

False

Such devices are considered non-compliant and cannot access corporate resources.
38
Q

Fill in the blank: Access to certain corporate resources is restricted by the __________ policy.

A

Conditional Access

This policy gates resource access on device compliance.
39
Q

What must users enter if BitLocker does not unlock their operating system drive?

A

A recovery key
40
Q

Where can BitLocker recovery keys be stored and accessed?

A

In Intune (the keys are escrowed to Entra ID)
41
Q

What is the first step to access the BitLocker key for a user in Intune?

A

Navigate to Devices and select Windows devices
42
Q

After selecting the device in Intune, what should you select next to access recovery keys?

A

Recovery keys
43
Q

What should you do in the details pane to show the recovery key?

A

Select Show Recovery Key
44
Q

Besides Intune, where else can you access the BitLocker recovery key?

A

From Entra ID
45
Q

In Entra ID, what must you select to access BitLocker keys?

A

The appropriate device from All devices
46
Q

Fill in the blank: To access BitLocker keys in Intune, you must navigate to _______.

A

Devices and select Windows devices