You administer Windows 8.1 computers in your company network. All computers include a Windows 8.1-compatible Trusted Platform Module (TPM).
You configure a computer that will run a credit card processing application.
You need to ensure that the computer requires a user to enter a PIN code when starting the computer.
Which policy should you configure? (To answer, select the appropriate policy in the answer area.)
Hot Area: (image not included)
Correct Answer: Require additional authentication at startup (Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives), with "Configure TPM startup PIN" set to "Require startup PIN with TPM".
Explanation/Reference:
http://technet.microsoft.com/en-us/library/jj679890.aspx
BitLocker Group Policy Settings
Require additional authentication at startup
This policy setting is used to control which unlock options are available for operating system drives.
With this policy setting, you can configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.
On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use:
only the TPM for authentication
insertion of a USB flash drive containing the startup key
the entry of a 4-digit to 20-digit personal identification number (PIN)
a combination of the PIN and the USB flash drive
There are four options for TPM-enabled computers or devices:
* Configure TPM startup
Allow TPM
Require TPM
Do not allow TPM
* Configure TPM startup PIN
Allow startup PIN with TPM
Require startup PIN with TPM
Do not allow startup PIN with TPM
* Configure TPM startup key
Allow startup key with TPM
Require startup key with TPM
Do not allow startup key with TPM
* Configure TPM startup key and PIN
Allow TPM startup key with PIN
Require startup key and PIN with TPM
Do not allow TPM startup key with PIN
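The following is an added example, not code from the TechNet article or from 4sysops, showing how the policy choice above is enforced end to end on one machine: it writes the "Require additional authentication at startup" values that the policy's ADMX template stores under HKLM\SOFTWARE\Policies\Microsoft\FVE (in a domain you would set the same options in a GPO through GPMC instead), enables BitLocker on the OS drive with a TPM+PIN protector, and verifies that a TpmPin protector exists. The registry value names and their enum meanings (0 = Do not allow, 1 = Require, 2 = Allow) are assumed from the VolumeEncryption.admx template; confirm them against the ADMX in your environment before relying on them.

```powershell
# Added example (not from the original page): require a TPM + startup PIN for the
# OS drive, matching "Require additional authentication at startup" with
# "Configure TPM startup PIN" = "Require startup PIN with TPM".
# Assumptions: run as Administrator on Windows 8.1 or later with a ready TPM;
# the FVE value names below are the ones the policy's ADMX template writes.
#Requires -RunAsAdministrator

# 1. Precondition: the TPM must be present and ready, otherwise the
#    TpmAndPin protector cannot be created and BitLocker will not turn on.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not ready (Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)); fix this before enabling BitLocker."
}

# 2. Policy values. Writing them to the local Policies hive is what a GPO does
#    on the client; for a domain, set the same options in a GPO in GPMC.
#    Enum for the UseTPM* values (assumed from the ADMX): 0 = Do not allow, 1 = Require, 2 = Allow.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
$policy = @{
    UseAdvancedStartup = 1   # Enabled: "Require additional authentication at startup"
    EnableBDEWithNoTPM = 0   # "Allow BitLocker without a compatible TPM" unchecked
    UseTPM             = 2   # Configure TPM startup: Allow TPM
    UseTPMPIN          = 1   # Configure TPM startup PIN: Require startup PIN with TPM
    UseTPMKey          = 2   # Configure TPM startup key: Allow startup key with TPM
    UseTPMKeyPIN       = 2   # Configure TPM startup key and PIN: Allow TPM startup key with PIN
}
# Exactly one option is set to "Require". Setting two of them to "Require" is a
# policy conflict and BitLocker refuses to enable with that configuration.
foreach ($kv in $policy.GetEnumerator()) {
    Set-ItemProperty -Path $fve -Name $kv.Key -Value $kv.Value -Type DWord
}

# 3. Add a recovery password first (so a forgotten PIN does not mean lost data),
#    then turn on BitLocker with a TPM+PIN protector. The PIN is 4 to 20 digits
#    on Windows 8.1 and is passed as a SecureString.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
$pin = Read-Host -Prompt 'Startup PIN (4-20 digits)' -AsSecureString
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod Aes256 -TpmAndPinProtector -Pin $pin
# If "Store BitLocker recovery information in AD DS" is enabled, escrow the
# recovery password now rather than leaving it only on the machine:
$rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rp.KeyProtectorId | Out-Null

# 4. Verify: the OS volume must carry a TpmPin protector, not a TPM-only one.
$vol   = Get-BitLockerVolume -MountPoint 'C:'
$types = $vol.KeyProtector.KeyProtectorType
if ($types -notcontains 'TpmPin') {
    throw "No TpmPin protector on C:; protectors present: $($types -join ', ')"
}
"C: protection={0} encryption={1}% protectors={2}" -f $vol.ProtectionStatus, $vol.EncryptionPercentage, ($types -join ', ')
```

Enable-BitLocker without -SkipHardwareTest schedules a system check, so the first reboot is the real test: the machine must prompt for the PIN before Windows loads. Note the caveat the TechNet text states, that the policy is applied when you turn on BitLocker: a drive that was already encrypted with a TPM-only protector is not upgraded by the policy, and you have to remove that protector (Remove-BitLockerKeyProtector) and add a TpmAndPin protector (Add-BitLockerKeyProtector -TpmAndPinProtector -Pin) yourself.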
Further information:
http://4sysops.com/archives/active-directory-and-bitlocker-part-3-group-policy-settings/
Active Directory and BitLocker - Part 3: Group Policy settings
…
There are a few things you’ll need to note when configuring these settings in Group Policy for your Active Directory.
Second, make sure you get the "Require additional authentication at startup" setting correct under "Operating system drives." Make sure that "Allow BitLocker without a compatible TPM" is unchecked and that you're not requiring more than one startup option. This is how it should look:
http://4sysops.com/archives/bitlocker-group-policy-changes-in-windows-8/
BitLocker Group Policy changes in Windows 8
"Allow Secure Boot for integrity validation" allows you to configure the use of Secure Boot on computers that have UEFI firmware. More specifically, it lets you disable it since the default is to use Secure Boot when it is available on a computer. In the event you do disable it, you can configure the "use enhanced Boot Configuration Data validation profile" to choose specific BCD settings to verify.
Figure: "Allow Secure Boot for integrity validation" policy setting (image not included)