You have a client Windows 10 Enterprise computer. The computer is joined to an Active Directory
domain. The computer does not have a Trusted Platform Module (TPM) chip installed. You need
to configure BitLocker Drive Encryption (BitLocker) on the operating system drive. Which Group
Policy object (GPO) setting should you configure?

A.
Allow access to BitLocker-protected fixed data drives from earlier version of Windows.

B.
Require additional authentication at startup.

C.
Allow network unlock at startup.

D.
Configure use of hardware-based encryption for operating system drives.

Explanation:
To make use of BitLocker on a drive without TPM, you should run the gpedit.msc command. You
must then access the Require additional authentication at startup setting by navigating to Computer
Configuration \\Administrative Templates\\Windows Components\\Bit Locker Drive
Encryption\\Operating System Drives under Local Computer Policy. You can now enable the feature
and tick the Allow BitLocker without a compatible TPM checkbox.
Incorrect Answers:
A: The Allow access to BitLocker-protected fixed data drives from earlier version of Windows policy
setting is used to control whether access to drives is allowed via the BitLocker To Go Reader, and
if the application is installed on the drive.
C: The Allow network unlock at startup policy allows clients running BitLocker to create the
necessary network key protector during encryption.
D: The Configure use of hardware-based encryption for operating system drives policy controls
how BitLocker reacts when encrypted drives are used as operating system drives.
http://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/
https://technet.microsoft.com/en-us/library/jj679890.aspx#BKMK_depopt4