Table 3-4 Computer Setup—Security (continued)
System Security | Data Execution Prevention (enable/disable) - Helps prevent operating system security breaches. |
(these options are | Default is enabled. |
hardware dependent) | SVM CPU Virtualization (enable/disable). Controls the virtualization features of the processor. |
| |
| Changing this setting requires turning the computer off and then back on. Default is disabled. |
| Virtualization Technology (VTx) (enable/disable) - Controls the virtualization features of the |
| processor. Changing this setting requires turning the computer off and then back on. Default is |
| disabled. |
| Virtualization Technology Directed I/O (VTd) (enable/disable) - Controls virtualization DMA |
| remapping features of the chipset. Changing this setting requires turning the computer off and |
| then back on. Default is disabled. |
| Trusted Execution Technology (enable/disable) - Controls the underlying processor and chipset |
| features needed to support a virtual appliance. Changing this setting requires turning the |
| computer off and then back on. Default is disabled. To enable this feature you must enable the |
| following features: |
| ● Embedded Security Device Support |
| ● Virtualization Technology |
| ● Virtualization Technology Directed I/O |
| Embedded Security Device (enable/disable) - Permits activation and deactivation of the |
| Embedded Security Device. |
| NOTE: To configure the Embedded Security Device, a Setup password must be set. |
| ● Reset to Factory Settings (Do not reset/Reset) - Resetting to factory defaults will erase all |
| security keys and leave the device in a disabled state. Changing this setting requires that |
| you restart the computer. Default is Do not reset. |
| CAUTION: The embedded security device is a critical component of many security |
| schemes. Erasing the security keys will prevent access to data protected by the Embedded |
| Security Device. Choosing Reset to Factory Settings may result in significant data loss. |
| ● Measure boot variables/devices to PCR1 - Typically, the computer measures the boot path |
| and saves collected metrics to PCR5 (a register in the Embedded Security Device). Bitlocker |
| tracks changes to any of these metrics, and forces the user to |
| any changes. Enabling this feature lets you set Bitlocker to ignore detected changes to boot |
| path metrics, thereby avoiding |
| a port. Default is enabled. |
|
|
System Security | OS management of Embedded Security Device (enable/disable) - This option allows the user to |
(continued) | limit OS control of the Embedded Security Device. Default is enabled. This option is automatically |
| disabled if Trusted Execution Technology is enabled. |
| ● Reset of Embedded Security Device through OS (enable/disable) - This option allows the |
| user to limit the operating system ability to request a Reset to Factory Settings of the |
| Embedded Security Device. Default is disabled. |
| NOTE: To enable this option, a Setup password must be set. |
| ● No PPI provisioning (Windows 8 only) - This option lets you set Windows 8 to bypass the PPI |
| (Physical Presence Interface) requirement and directly enable and take ownership of the |
| TPM on first boot. You cannot change this setting after TPM is owned/initialized, unless the |
| TPM is reset. Default is disabled for |
| ● Allow PPI policy to be changed by OS. Enabling this option allows the operating system to |
| execute TPM operations without Physical Presence Interface. Default is disabled. |
| NOTE: To enable this option, a Setup password must be set. |
|
|