ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your organization issues Windows 10 laptops to field engineers. Security policy mandates that all data on the internal drive be encrypted and that decryption keys are released only if firmware and bootloader measurements match known-good values. Normal startups must be transparent to users with no additional authentication prompts. Which endpoint configuration best meets these requirements?
Deploy a software-based full-disk encryption product that loads the decryption key into memory once the user logs on.
Enable BitLocker Device Encryption in TPM-only mode with Secure Boot so the TPM releases the drive's encryption key after successful boot-integrity verification.
Enable UEFI Secure Boot and store the BitLocker recovery key on a removable USB drive users must insert during each boot.
Configure BitLocker to require both the TPM and a user-entered pre-boot PIN at every startup.
Enabling BitLocker in TPM-only mode meets all constraints. BitLocker writes the Volume Master Key (VMK) into the drive's BitLocker metadata, encrypting and sealing it to a secret that resides in the laptop's Trusted Platform Module. During boot, the firmware and bootloader are measured into the TPM's Platform Configuration Registers (PCRs). If those measurements match the values that were present when BitLocker was enabled, the TPM releases the secret, Windows unseals the VMK, and the operating system starts without prompting the user.
Adding a pre-boot PIN would violate the "no extra prompts" requirement. A software-only encryption product cannot verify firmware integrity without a hardware root of trust. Requiring users to insert a USB startup key at every boot also introduces an interaction the policy forbids.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is TPM in relation to BitLocker?
Open an interactive chat with Bash
How does Secure Boot work with BitLocker?
Open an interactive chat with Bash
Why is TPM-only mode preferred here instead of using a pre-boot PIN?
Open an interactive chat with Bash
ISC2 Systems Security Certified Practitioner (SSCP)
Systems and Application Security
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .