Configure file and disk encryption

Question 1

TPM

Answer 1

Trusted platform module

Cryptography specification and name of the chip used in PC hardware to allow for Bitlocker

Question 2

Bitlocker is available in what editions of Windows desktop

Answer 2

Windows Vista / 7 Ultimate
Windows Vista / 7 Enterprise
Windows Pro 8
Windows Enterprise 8

Question 3

First server version to have bitlocker

Answer 3

Server 2008

Question 4

FDE

Answer 4

Full Disk Encryption

Question 5

Bitlocker

Answer 5

software-based full disk encryption data-protection security features.

Question 6

Bitlocker is available in what editions of Server 2012

Answer 6

All of them

Question 7

Bitlocker To Go

Answer 7

Data on a USB device is encrypted.

Bitlocker exe is put on the drive and requires a password to access the data on the drive.

Question 8

Five Bitlocker implementation

Answer 8

TPM
USB
TPM+USB
TPM+PIN
TPN+PIN+USB

Note that this means Bitlocker does not need a TPM chip to store a trusted key. You can use the USB instead

Question 9

TPM chip does what for Bitlcoker

Answer 9

Preboot execution security
Confirms that hardware has not been tampered with
Confirms that files were not accessed while PC was off

Question 10

USB instead of TPM for Bitlocker

Answer 10

You must always have the USB plugged in, to even turn on…

You can simulate the TPM chip with the USB device.
One downside: You can’t detect system integrity / confirm there was no hardware tampering, or that files weren’t accessed from the HD while the PC was off.

Question 11

Recovery Key

Answer 11

Optional key to use in the event that you lose the TPM chip (hardware failure) or the USB or any other requirement (PIN) to boot.

For emergencies.

Can be password, key stored on USB, can be printed, or distributed via Group Policy

Question 12

BL requirements to use TPM

Answer 12

TPM 1.2 or 2.0
TCG-compliant BIOS or UEFI firmware
Support for USB mass storage devices
separate partition on the drive just for data that’s encrypted.

Question 13

EPS

Answer 13

Encrypted File System

Allows users to right-click a file , open properties, and encrypt files / folders.

Question 14

Add-BitLockerKeyProtector

Answer 14

Adds a key protector for a BitLocker volume.

Question 15

Backup-BitLockerKeyProtector

Answer 15

Saves a key protector for a BitLocker volume in AD DS.

Question 16

Clear-BitLockerAutoUnlock

Answer 16

Removes BitLocker automatic unlocking keys.

Question 17

Disable-BitLocker

Answer 17

Disables BitLocker encryption for a volume.

Question 18

Disable-BitLockerAutoUnlock

Answer 18

Disables automatic unlocking for a BitLocker volume.

Question 19

Enable-BitLocker

Answer 19

Enables encryption for a BitLocker volume.

Question 20

Enable-BitLockerAutoUnlock

Answer 20

Enables automatic unlocking for a BitLocker volume.

Question 21

Get-BitLockerVolume

Answer 21

Gets information about volumes that BitLocker can protect.

Question 22

Lock-BitLocker

Answer 22

Prevents access to encrypted data on a BitLocker volume.

Question 23

Remove-BitLockerKeyProtector

Answer 23

Removes a key protector for a BitLocker volume.

Question 24

Resume-BitLocker

Answer 24

Restores Bitlocker encryption for the specified volume.

Question 25

Suspend-BitLocker

Answer 25

Suspends Bitlocker encryption for the specified volume.

Question 26

Unlock-BitLocker

Answer 26

Restores access to data on a BitLocker volume.

Question 27

Bitlocker implementation: TPM

Answer 27

Use just the TPM chip, which stores encryption keys and can detect hardware tampering and HD access while hardware is offline

Question 28

Bitlocker implementation: USB

Answer 28

USB stick simulates the TPM chip. Provides encryption keys but does not detect hardware tampering or HDC access while hardware is offline

Question 29

Bitlocker implementation: TPM+USB

Answer 29

TPM does what the TPM does (encryption, tamper detect) AND you require a USB stick just to boot the PC.

Question 30

Bitlocker implementation:TPM+PIN

Answer 30

TPM does what the TPM does (encryption, tamper detect) AND you require a PIN just to boot the PC.

Question 31

Bitlocker implementation:TPN+PIN+USB

Answer 31

TPM does what the TPM does (encryption, tamper detect) AND you require a PIN and the USB stick to boot the pc.

Question 32

What version will allow you to store the recovery key in your .NET Passport account?

Answer 32

w8

This means the key is stored in the cloud

Question 33

What are the hard disk requirements for BitLocker?

Answer 33

You need two disks, or one disk with two partition.
The boot / system volume cannot be encrypted.
The OTHER volume, with the OS and your encrypted data, is encrypted.

Question 34

BitLocker Network Unlock

Answer 34

A service that allows PCs resuming from hibernation or rebooting to forgo the entering of a PIN on those startups if you use TPM + PIN or USB + PIN.

Question 35

Bitlocker Network Unlock is available as of

Answer 35

Windows 8

Server 2012

Question 36

Bitlocker Network Unlock requires clients to have what drivers

Answer 36

UEFI DHCP drivers

Question 37

What server requirements are there for BitLocker Network Unlock?

Answer 37

The service must be installed on Server 2012
It must be on a server with WDS role installed
There must be a seperate DHCP server
You must have a properly configured public/private key pairing
You must select clients via group policy

Question 38

UEFI

Answer 38

Unified Extensible Firmware Interface

Next generation for BIOS

Question 39

manage-bde: status

Answer 39

Provides information about all drives on the computer, whether or not they are BitLocker-protected.

Question 40

manage-bde: on

Answer 40

Encrypts the drive and turns on BitLocker.

Question 41

manage-bde: off

Answer 41

Decrypts the drive and turns off BitLocker. All key protectors are removed when decryption is complete.

Question 42

manage-bde: pause

Answer 42

Pauses encryption or decryption.

Question 43

manage-bde: resume

Answer 43

Resumes encryption or decryption.

Question 44

manage-bde: lock

Answer 44

Prevents access to BitLocker-protected data.

Question 45

manage-bde: unlock

Answer 45

Allows access to BitLocker-protected data with a recovery password or a recovery key.

Question 46

manage-bde: autounlock

Answer 46

Manages automatic unlocking of data drives.

Question 47

manage-bde: protectors

Answer 47

Manages protection methods for the encryption key.

Question 48

manage-bde: tpm

Answer 48

Configures the computer’s Trusted Platform Module (TPM). This command is not supported on computers running Windows 8 or win8_server_2. To manage the TPM on these computers, use either the TPM Management MMC snap-in or the TPM Management cmdlets for Windows PowerShell.

Question 49

manage-bde: setidentifier

Answer 49

Sets the drive identifier field on the drive to the value specified in the Provide the unique identifiers for your organization Group Policy setting.

Question 50

manage-bde: forcerecovery

Answer 50

Forces a BitLocker-protected drive into recovery mode on restart. This command deletes all TPM-related key protectors from the drive. When the computer restarts, only a recovery password or recovery key can be used to unlock the drive.

Question 51

manage-bde: changepassword

Answer 51

Modifies the password for a data drive.

Question 52

manage-bde: changepin

Answer 52

Modifies the PIN for an operating system drive.

Question 53

manage-bde: changekey

Answer 53

Modifies the startup key for an operating system drive.

Question 54

manage-bde: keypackage

Answer 54

Generates a key package for a drive.

Question 55

manage-bde: upgrade

Answer 55

Upgrades the BitLocker version.

Question 56

manage-bde: WipeFreeSpace

Answer 56

Wipes the free space on a drive.

Question 57

EFS

Answer 57

Older alternative to BitLocker

Encrypting File System

Question 58

EFS encryption is based on

Answer 58

The local user’s password.

Changing the password can invalidate that cert

Question 59

EFS encryption for domains is based on

Answer 59

2 or more keys.
1st – the user’s key / agent
2nd – The domain’s recovery key / agent, set by group policy

This enables Admins to recover data if the user’s key is lost.

Question 60

best practices for EFS

Answer 60

keep multiple recovery agents
encrypt folders, not files
export keys from AD so there’s a backup

Question 61

Why should you encrypt folders, not files, for EFS

Answer 61

If you encrypt just the file, and not the folder containing the file, when users open the file Windows creates a clear-text copy of that file (it does this always, not just for bitlocker. That ~filename.doc) which will not be encrypted.