The correct answer is B. BitLocker Drive Encryption because the requirements describe native Windows full-disk encryption that integrates tightly with enterprise Windows security features and centralized management. BitLocker is Microsoft’s built-in disk encryption technology designed to provide transparent encryption for the operating system volume and additional fixed/removable drives. It supports hardware-backed startup protection through integration with the Trusted Platform Module (TPM), which can help protect encryption keys and validate boot integrity before unlocking the OS volume. This matches the prompt’s requirement for “hardware-backed startup protection.”
The scenario also emphasizes “centralized key escrow via Active Directory/management policies.” In enterprise deployments, BitLocker recovery information can be backed up to Active Directory and managed through Group Policy / MDM controls, enabling standardized enforcement (encryption settings, recovery key handling, compliance reporting) across servers and endpoints. This is a core operational advantage in regulated environments like healthcare: it enables rapid recovery of locked volumes, consistent policy application, and audit-friendly control of encryption keys, without requiring third-party key management tooling for basic escrow needs.
Additionally, the prompt calls for securing the “system partition and attached data volumes” in a way that is compatible with Windows platform behavior and minimizes disruption. BitLocker supports encrypting both the OS volume and data volumes, and it is designed for transparent operation once enabled, so normal server use and domain authentication continue as expected.
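The configuration the answer describes, as an added PowerShell example (not part of the original answer) for a domain-joined Windows Server: TPM-backed startup protection on the OS volume, recovery-password escrow to Active Directory, and transparent auto-unlock of an attached data volume. The drive letters and the presence of the AD DS recovery-backup Group Policy are assumptions.

```powershell
# Added example: applies the scenario's three requirements. Drive letters and the
# "Store BitLocker recovery information in AD DS" policy are assumed, not taken from the page.
#Requires -RunAsAdministrator
$OsVolume   = 'C:'   # system/OS volume (assumed)
$DataVolume = 'D:'   # attached data volume (assumed)

# 1. Confirm the TPM is present and ready; without it there is no hardware-backed startup protection.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present/ready; run Initialize-Tpm before enabling BitLocker with a TPM protector."
}

# 2. OS volume: the TPM protector releases the key only when measured boot components are
#    unchanged; a numeric recovery password is added for escrow. -SkipHardwareTest avoids the
#    reboot-based hardware test so encryption starts immediately.
Enable-BitLocker -MountPoint $OsVolume -EncryptionMethod XtsAes256 `
    -TpmProtector -SkipHardwareTest -UsedSpaceOnly
Add-BitLockerKeyProtector -MountPoint $OsVolume -RecoveryPasswordProtector | Out-Null

# 3. Escrow every recovery password to the computer object in AD DS.
$osRecovery = (Get-BitLockerVolume -MountPoint $OsVolume).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
foreach ($kp in $osRecovery) {
    Backup-BitLockerKeyProtector -MountPoint $OsVolume -KeyProtectorId $kp.KeyProtectorId
}

# 4. Data volume: recovery password escrowed the same way, then auto-unlock so the volume
#    opens transparently once the OS volume is unlocked (no disruption to normal server use).
Enable-BitLocker -MountPoint $DataVolume -EncryptionMethod XtsAes256 `
    -RecoveryPasswordProtector -UsedSpaceOnly
$dataRecovery = (Get-BitLockerVolume -MountPoint $DataVolume).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
foreach ($kp in $dataRecovery) {
    Backup-BitLockerKeyProtector -MountPoint $DataVolume -KeyProtectorId $kp.KeyProtectorId
}
Enable-BitLockerAutoUnlock -MountPoint $DataVolume

# 5. Compliance view: volume status, protection status and which protector types are present.
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus,
    @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ',' } }
```

Escrow succeeds only if the domain schema holds the BitLocker recovery attributes and the policy to back up recovery information to AD DS is applied; confirm by viewing the computer object's BitLocker Recovery tab in Active Directory Users and Computers.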
Why the other options are not correct: FileVault is Apple’s full-disk encryption for macOS, not Windows. VeraCrypt and Rohos Disk Encryption are third-party solutions that can provide disk encryption, but they do not match the stated preference for deep Windows enterprise integration with TPM-based startup protection and Active Directory–based recovery key escrow through standard Microsoft management policies.
Therefore, the best solution for this Windows enterprise requirement is BitLocker Drive Encryption.