Table 3-4Computer Setup—Security (continued)

System Security

Data Execution Prevention (enable/disable) - Helps prevent operating system security breaches.

(these options are

Default is enabled.

hardware dependent)

SVM CPU Virtualization (enable/disable). Controls the virtualization features of the processor.

 

 

Changing this setting requires turning the computer off and then back on. Default is disabled.

 

Virtualization Technology (VTx) (enable/disable) - Controls the virtualization features of the

 

processor. Changing this setting requires turning the computer off and then back on. Default is

 

disabled.

 

Virtualization Technology Directed I/O (VTd) (enable/disable) - Controls virtualization DMA

 

remapping features of the chipset. Changing this setting requires turning the computer off and

 

then back on. Default is disabled.

 

Trusted Execution Technology (enable/disable) - Controls the underlying processor and chipset

 

features needed to support a virtual appliance. Changing this setting requires turning the

 

computer off and then back on. Default is disabled. To enable this feature you must enable the

 

following features:

 

Embedded Security Device Support

 

Virtualization Technology

 

Virtualization Technology Directed I/O

 

Embedded Security Device (enable/disable) - Permits activation and deactivation of the

 

Embedded Security Device.

 

NOTE: To configure the Embedded Security Device, a Setup password must be set.

 

Reset to Factory Settings (Do not reset/Reset) - Resetting to factory defaults will erase all

 

security keys and leave the device in a disabled state. Changing this setting requires that

 

you restart the computer. Default is Do not reset.

 

CAUTION: The embedded security device is a critical component of many security

 

schemes. Erasing the security keys will prevent access to data protected by the Embedded

 

Security Device. Choosing Reset to Factory Settings may result in significant data loss.

 

Measure boot variables/devices to PCR1 - Typically, the computer measures the boot path

 

and saves collected metrics to PCR5 (a register in the Embedded Security Device). Bitlocker

 

tracks changes to any of these metrics, and forces the user to re-authenticate if it detects

 

any changes. Enabling this feature lets you set Bitlocker to ignore detected changes to boot

 

path metrics, thereby avoiding re-authentication issues associated with USB keys inserted in

 

a port. Default is enabled.

 

 

System Security

OS management of Embedded Security Device (enable/disable) - This option allows the user to

(continued)

limit OS control of the Embedded Security Device. Default is enabled. This option is automatically

 

disabled if Trusted Execution Technology is enabled.

 

Reset of Embedded Security Device through OS (enable/disable) - This option allows the

 

user to limit the operating system ability to request a Reset to Factory Settings of the

 

Embedded Security Device. Default is disabled.

 

NOTE: To enable this option, a Setup password must be set.

 

No PPI provisioning (Windows 8 only) - This option lets you set Windows 8 to bypass the PPI

 

(Physical Presence Interface) requirement and directly enable and take ownership of the

 

TPM on first boot. You cannot change this setting after TPM is owned/initialized, unless the

 

TPM is reset. Default is disabled for non-Windows 8 systems, and enabled for Windows 8.

 

Allow PPI policy to be changed by OS. Enabling this option allows the operating system to

 

execute TPM operations without Physical Presence Interface. Default is disabled.

 

NOTE: To enable this option, a Setup password must be set.

 

 

Computer Setup (F10) Utilities 15