You want to roll BitLocker out to corporate Windows devices with minimum user friction. Devices have TPM 2.0 and meet readiness requirements. Which policy choice best matches a silent encryption goal?
Endpoint security disk encryption policy that uses TPM-only startup authentication and stores recovery keys in Microsoft Entra ID.
A settings catalog profile that requires TPM plus PIN at startup.
An Endpoint security disk encryption policy that disables recovery key escrow so users can manage their own keys.
A user calls the helpdesk because their device entered BitLocker recovery. The technician retrieves and reads the recovery password to the user. What should the technician do immediately after recovery completes?
Delete the device record from Intune to invalidate the disclosed key.
Trigger the BitLocker key rotation remote action on the device in Intune.
Email the recovery password to the user so they have it on file.
A security administrator wants only the support team to be able to read BitLocker recovery keys, without granting broader Intune or directory administration. Which approach follows the principle of least privilege?
Assign each support technician the Global Administrator role.
Have all support staff share a single Intune service account credential.
Assign a built-in helpdesk role (or a custom role that grants only the BitLocker key read permission) scoped to the devices the team supports.
You're building an encryption posture audit in Microsoft Defender. Which approach gives you a resilient, risk-prioritized view of which devices fail encryption-related controls?
Hard-code a specific ConfigurationId in a hunting query and filter DeviceTvmSecureConfigurationAssessment against it.
First query DeviceTvmSecureConfigurationAssessmentKB for BitLocker/Encryption-related configurations, then join those IDs to DeviceTvmSecureConfigurationAssessment filtered to IsApplicable == true, and prioritize by ConfigurationImpact and compliance.
Rely solely on the Intune encryption report and skip Defender hunting entirely.
Which Intune configuration combination ensures a device can't begin BitLocker encryption until a recoverable key exists in your tenant?
Enable silent encryption and disable recovery key escrow to Microsoft Entra ID.
Save BitLocker recovery information to Microsoft Entra ID and require that recovery information is stored before BitLocker starts.
Configure TPM plus PIN startup authentication and rely on the user to record the PIN.