ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your organization is rolling out company-owned Windows 11 laptops that must use full disk encryption. Security policy states: 1) a cryptographic key must be sealed in tamper-resistant hardware so the OS can verify boot integrity; 2) if a laptop is lost, it must not boot without user interaction; 3) the help-desk team needs the ability to recover data even if an employee forgets the unlock secret. Which implementation best satisfies all of these key-management requirements while minimizing user impact during normal startups?
Enable BitLocker in TPM-only mode and configure Group Policy to automatically back up recovery keys to Active Directory Domain Services.
Enable BitLocker in TPM + PIN mode and configure Group Policy to escrow recovery keys to Active Directory Domain Services for authorized help-desk retrieval.
Install third-party software-based volume encryption that uses a user-selected password stored in a local configuration file with no automated key escrow.
Enable Encrypting File System (EFS) on user profiles and require users to store their private keys on hardware security (smart-card) tokens managed by IT.
Using BitLocker with a Trusted Platform Module (TPM) plus a pre-boot PIN meets each requirement. The TPM stores the volume master key protected by platform measurements (hardware-based sealing). Adding a PIN forces user presence at every startup, so a stolen laptop will not boot automatically even if the TPM is present. Group Policy can be set to escrow BitLocker recovery keys automatically into Active Directory, giving the help desk controlled access for data recovery. A TPM-only configuration omits the mandatory user interaction. EFS encrypts individual files, not the full disk, and USB-based key storage or local passwords either rely on removable media or leave keys only on the device, hindering centralized recovery.