The best answer is C. Use an MDM platform to manage the devices and force security configurations.
The question asks for a scalable solution to protect data on company laptops if they are stolen or lost. An MDM (Mobile Device Management) platform is the best choice because it allows centralized administration of many endpoints and can enforce security controls across all laptops, such as:
full-disk encryption requirements
screen lock policies
remote wipe capabilities
compliance checks
device configuration enforcement
This makes MDM the most scalable and manageable approach for protecting a fleet of laptops.
Why the other options are incorrect:
A. Configure the HSM for each device and store recovery keys centrally. This is not the most practical or scalable answer for standard laptops, and HSMs are not typically configured individually this way for endpoint theft prevention.
B. Implement LAPS to ensure secure password rotation for administrative accounts. LAPS helps secure local administrator passwords, but it does not directly protect data at rest on a stolen laptop.
D. Ensure that each laptop has the secure enclave properly initialized in the BIOS. Hardware-based protections can help, but this is not the best broad, centrally managed, scalable control compared with MDM-enforced policies.
From a Security+ perspective, the main protection against data loss from stolen laptops is usually centralized device management with enforced encryption and security controls, making C the best answer.