You administer Windows 8.1 computers in your company network. All computers include a Windows 8.1-compatible Trusted Platform Module (TPM).
You configure a computer that will run a credit processing application.
You need to ensure that the computer requires a user to enter a PIN code when starting the computer.
Which policy should you configure? (To answer, select the appropriate policy in the answer area.)
A. Allow Secure Boot for Integrity validation
B. Require Additional authentication at startup
C. Allow enhanced PINs for Startup
D. Configure minimum PIN length for startup
Correct Answer: B
Explanation/Reference:
How to enable BitLocker to prompt for PIN during startup
You can do this after BitLocker has already encrypted the entire drive. First you have to enable the local policy that requires a PIN at startup; you can also do this centrally, enterprise-wide, through Group Policy (GPO). The policy only controls which key protectors BitLocker is allowed to use, so on a drive that is already encrypted you still have to add the TPM-and-PIN key protector afterwards (with manage-bde or the BitLocker PowerShell module). To do this:
Click Start > Run.
Type "gpedit.msc"
Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
In the right pane, double-click Require additional authentication at startup.
Choose Enabled
Uncheck Allow BitLocker without a compatible TPM.
Under Configure TPM startup PIN:, choose Require startup PIN with TPM.
http://technet.microsoft.com/en-us/library/jj679890.aspx
BitLocker Group Policy Settings
Require additional authentication at startup
This policy setting is used to control which unlock options are available for operating system drives. With this policy setting, you can configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.
...
On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use:
only the TPM for authentication
insertion of a USB flash drive containing the startup key
the entry of a 4-digit to 20-digit personal identification number (PIN)
a combination of the PIN and the USB flash drive
There are four options for TPM-enabled computers or devices:
* Configure TPM startup
Allow TPM
Require TPM
Do not allow TPM
* Configure TPM startup PIN
Allow startup PIN with TPM
Require startup PIN with TPM
Do not allow startup PIN with TPM
* Configure TPM startup key
Allow startup key with TPM
Require startup key with TPM
Do not allow startup key with TPM
* Configure TPM startup key and PIN
Allow TPM startup key with PIN
Require startup key and PIN with TPM
Do not allow TPM startup key with PIN
Further Information:
Allow Secure Boot for integrity validation
This policy controls how BitLocker-enabled system volumes are handled in conjunction with the Secure Boot feature. Enabling this feature forces Secure Boot validation during the boot process and verifies Boot Configuration Data (BCD) settings according to the Secure Boot policy.
Secure Boot ensures that the computer’s preboot environment loads only firmware that is digitally signed by authorized software publishers. Secure Boot also provides more flexibility for managing preboot configurations than BitLocker integrity checks prior to Windows Server 2012 and Windows 8.
When this policy is enabled and the hardware is capable of using Secure Boot for BitLocker scenarios, the Use enhanced Boot Configuration Data validation profile Group Policy setting is ignored, and Secure Boot verifies BCD settings according to the Secure Boot policy setting, which is configured separately from BitLocker.
Allow enhanced PINs for startup
This policy setting permits the use of enhanced PINs when you use an unlock method that includes a PIN.
Enhanced startup PINs permit the use of characters (including uppercase and lowercase letters, symbols, numbers, and spaces). This policy setting is applied when you turn on BitLocker. Not all computers support enhanced PIN characters in the preboot environment. It is strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used.
Configure minimum PIN length for startup
This policy setting is used to set a minimum PIN length when you use an unlock method that includes a PIN.
This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.
http://4sysops.com/archives/bitlocker-group-policy-changes-in-windows-8/ BitLocker Group Policy changes in Windows 8
"Allow Secure Boot for integrity validation" allows you to configure the use of Secure Boot on computers that have UEFI firmware. More specifically, it lets you disable it since the default is to use Secure Boot when it is available on a computer. In the event you do disable it, you can configure the "use enhanced Boot Configuration Data validation profile" to choose specific BCD settings to verify.
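As an added example (not part of the original question or of Microsoft's documentation), the same configuration done from PowerShell instead of gpedit.msc: it writes the registry values behind "Require additional authentication at startup", "Configure minimum PIN length for startup" and "Allow enhanced PINs for startup", then adds a TPM+PIN key protector to the OS drive and checks that it is actually there. The value names under HKLM\SOFTWARE\Policies\Microsoft\FVE are the ones the BitLocker ADMX template writes; the numeric mapping (0 = do not allow, 1 = require, 2 = allow), the PIN length of 8 and the drive letter C: are assumptions to verify against your own policy export. Get-Tpm, Get-BitLockerVolume, Enable-BitLocker and Add-BitLockerKeyProtector are the cmdlets that ship with Windows 8/8.1.

```powershell
# Added example, not from the original page. Run in an elevated PowerShell
# session on Windows 8.1 or later with a compatible TPM.
# Registry value names come from VolumeEncryption.admx; the numeric mapping
# (0 = do not allow, 1 = require, 2 = allow) is an assumption to verify.

$Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $Policy)) { New-Item -Path $Policy -Force | Out-Null }

# "Require additional authentication at startup" = Enabled, plus the two
# PIN policies discussed under Further Information.
$settings = @{
    UseAdvancedStartup = 1   # policy Enabled
    EnableBDEWithNoTPM = 0   # "Allow BitLocker without a compatible TPM" unchecked
    UseTPM             = 0   # Configure TPM startup: do not allow TPM-only unlock
    UseTPMPIN          = 1   # Configure TPM startup PIN: Require startup PIN with TPM
    UseTPMKey          = 0   # Configure TPM startup key: do not allow (USB key alone)
    UseTPMKeyPIN       = 2   # Configure TPM startup key and PIN: allow
    MinimumPIN         = 8   # Configure minimum PIN length for startup (4..20); assumed value
    UseEnhancedPin     = 0   # Allow enhanced PINs for startup: leave disabled unless
                             # the preboot keyboard is known to support it
}
foreach ($kv in $settings.GetEnumerator()) {
    New-ItemProperty -Path $Policy -Name $kv.Key -Value $kv.Value `
        -PropertyType DWord -Force | Out-Null
}

# Precondition the policy relies on: a present and ready TPM.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM is not present or not ready; a TPM+PIN protector cannot be created.'
}

# Escrow a recovery password first: once the PIN is required, a forgotten PIN
# with no recovery key means a locked-out machine.
$vol = Get-BitLockerVolume -MountPoint 'C:'
if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
}

$pin = Read-Host -AsSecureString -Prompt 'Startup PIN (digits only)'

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # Not yet encrypted: turn BitLocker on with TPM+PIN from the start.
    Enable-BitLocker -MountPoint 'C:' -TpmAndPinProtector -Pin $pin `
        -EncryptionMethod Aes256 -SkipHardwareTest | Out-Null
} else {
    # Already encrypted (the case the answer describes): add the TPM+PIN
    # protector. Only one TPM-based protector can exist per volume, so this
    # replaces the TPM-only protector; remove it explicitly if one remains.
    Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin | Out-Null
    (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
        Where-Object KeyProtectorType -eq 'Tpm' |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
}

# Verify: without a TpmPin protector the computer will boot with no PIN prompt.
$types = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector.KeyProtectorType
if ($types -notcontains 'TpmPin') {
    throw "TPM+PIN protector missing; protectors present: $($types -join ', ')"
}
"OK: C: is protected by $($types -join ', ')"
```

A domain GPO that configures the same policy overrides these local registry values, so in a managed environment set them in the GPO and keep only the protector and verification steps. Back the recovery password up to AD DS (or another escrow) before enforcing the PIN; the PIN prompt is only useful if a lost PIN does not also mean lost data.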