Table 6-3
System Security
(these options are
hardware dependent)
118
Chapter 6 Computer Setup (F10) Utility
Computer Setup—Security (continued)
Data Execution Prevention (enable/disable) - Helps prevent operating system security breaches.
Default is enabled.
Virtualization Technology (VTx) (enable/disable) - Controls the virtualization features of the
processor. Changing this setting requires turning the computer off and then back on. Default is
disabled.
Virtualization Technology Directed I/O (VTd) (enable/disable) - Controls virtualization DMA
remapping features of the chipset. Changing this setting requires turning the computer off and then
back on. Default is disabled.
Trusted Execution Technology (enable/disable) - Controls the underlying processor and chipset
features needed to support a virtual appliance. Changing this setting requires turning the computer
off and then back on. Default is disabled. To enable this feature you must enable the following
features:
Embedded Security Device Support
●
Virtualization Technology
●
Virtualization Technology Directed I/O
●
Embedded Security Device (enable/disable) - Permits activation and deactivation of the Embedded
Security Device.
NOTE:
To configure the Embedded Security Device, a Setup password must be set.
Reset to Factory Settings (Do not reset/Reset) - Resetting to factory defaults will erase all
●
security keys and leave the device in a disabled state. Changing this setting requires that you
restart the computer. Default is Do not reset.
CAUTION:
Erasing the security keys will prevent access to data protected by the Embedded Security
Device. Choosing Reset to Factory Settings may result in significant data loss.
Measure boot variables/devices to PCR1 - Typically, the computer measures the boot path and
●
saves collected metrics to PCR5 (a register in the Embedded Security Device). Bitlocker tracks
changes to any of these metrics, and forces the user to re-authenticate if it detects any
changes. Enabling this feature lets you set Bitlocker to ignore detected changes to boot path
metrics, thereby avoiding re-authentication issues associated with USB keys inserted in a port.
Default is enabled.
OS management of Embedded Security Device (enable/disable) - This option allows the user to limit
OS control of the Embedded Security Device. Default is
Reset of Embedded Security Device through OS (enable/disable) - This option allows the user
●
to limit the operating system ability to request a Reset to Factory Settings of the Embedded
Security Device. Default is disabled.
NOTE:
To enable this option, a Setup password must be set.
No PPI provisioning (Windows 8 only) - This option lets you set Windows 8 to bypass the PPI
●
(Physical Presence Interface) requirement and directly enable and take ownership of the TPM
on first boot. You cannot change this setting after TPM is owned/initialized, unless the TPM is
reset. Default is disabled for non-Windows 8 systems, and enabled for Windows 8.
Allow PPI policy to be changed by OS. Enabling this option allows the operating system to
●
execute TPM operations without Physical Presence Interface. Default is disabled.
NOTE:
To enable this option, a Setup password must be set.
Button Retask Password Protection (disable/enable) - Controls whether or not the Setup password
must be provided to WMI methods used to re-task the function of the side panel buttons.
The embedded security device is a critical component of many security schemes.