You have a client Windows 10 Enterprise computer. The computer is joined to an Active Directory domain. The
computer does not have a Trusted Platform Module (TPM) chip installed.
You need to configure BitLocker Drive Encryption (BitLocker) on the operating system drive.
Which Group Policy object (GPO) setting should you configure?

A.
Allow access to BitLocker-protected fixed data drives from earlier version of Windows.

B.
Require additional authentication at startup.

C.
Allow network unlock at startup.

D.
Configure use of hardware-based encryption for operating system drives.

Explanation:
To make use of BitLocker on a drive without TPM, you should run the gpedit.msc command. You must then
access the Require additional authentication at startup setting by navigating to Computer Configuration
\\Administrative Templates\\Windows Components\\Bit Locker Drive Encryption\\Operating System Drives under
Local Computer Policy. You can now enable the feature and tick the Allow BitLocker without a compatible TPM
checkbox.
Incorrect Answers:
A: The Allow access to BitLocker-protected fixed data drives from earlier version of Windows policy setting is
used to control whether access to drives is allowed via the BitLocker To Go Reader, and if the application is
installed on the drive.
C: The Allow network unlock at startup policy allows clients running BitLocker to create the necessary networkkey protector during encryption.
D: The Configure use of hardware-based encryption for operating system drives policy controls how BitLocker
reacts when encrypted drives are used as operating system drives

http://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/
https://technet.microsoft.com/en-us/library/jj679890.aspx#BKMK_depopt4