A company has an Active Directory Domain Services (AD DS) domain with Windows 8.1 client computers.
You need to minimize the amount of Trusted Platform Module (TPM) authorization information that is stored
in the registry.
What should you do?
A. Create a Group Policy object (GPO) that sets the Configure the level of TPM owner authorization information available to operating system policy setting to None.
B. Create a Group Policy object (GPO) that enables the Turn on TPM Local Encryption policy setting.
C. Create a Group Policy object (GPO) that disables the Configure the level of TPM owner authorization information available to operating system policy setting.
D. Enable Platform Configuration Register indices (PCRs) 0, 2, 4, and 11 for the Configure TPM validation profile for native UEFI firmware configuration policy setting.
Explanation:
http://technet.microsoft.com/en-us/library/jj679889.aspx#BKMK_tpmgp_oauthos
Configure the level of TPM owner authorization information available to the operating system
This policy setting configures how much of the TPM owner authorization information is stored in the registry
of the local computer. Depending on the amount of TPM owner authorization information that is stored
locally, the Windows operating system and TPM-based applications can perform certain actions in the TPM
that require TPM owner authorization without requiring the user to enter the TPM owner password.
There are three TPM owner authentication settings that are managed by the Windows operating system.
You can choose a value of Full, Delegate, or None.
Full – This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used.
Delegated – This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM anti-hammering logic. When you use this setting, we recommend using external or remote storage for the full TPM owner authorization value – for example, backing up the value in Active Directory Domain Services (AD DS).
None – This setting provides compatibility with previous operating systems and applications. You can also use it for scenarios when TPM owner authorization cannot be stored locally. Using this setting might cause issues with some TPM-based applications.
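The policy described above lands in the local registry, so its effect can be audited from the client itself. The following PowerShell is an added example, not code from the exam page or from Microsoft. It assumes the policy is written as the DWORD value OSManagedAuthLevel under HKLM\SOFTWARE\Policies\Microsoft\TPM, with 0 meaning None, 2 Delegated and 4 Full, and it uses the Get-Tpm cmdlet (available on Windows 8 and later) to show the level the operating system is actually applying.

```powershell
# Added example (not from the exam page or Microsoft): audits the "Configure the level of TPM
# owner authorization information available to operating system" policy on the local machine.
# Assumption: the policy writes the DWORD OSManagedAuthLevel under
# HKLM\SOFTWARE\Policies\Microsoft\TPM, with 0 = None, 2 = Delegated, 4 = Full.

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
$PolicyValue = 'OSManagedAuthLevel'
$LevelNames  = @{ 0 = 'None'; 2 = 'Delegated'; 4 = 'Full' }

function Get-TpmOwnerAuthPolicy {
    # Returns the configured level name, or 'NotConfigured' when the policy value is absent.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    $raw = [int]$item.$PolicyValue
    if ($LevelNames.ContainsKey($raw)) { return $LevelNames[$raw] }
    return "Unknown($raw)"
}

function Test-TpmOwnerAuthMinimized {
    # Compares the configured policy level with the level that minimizes locally stored
    # owner authorization information (None, per the question).
    param([string]$Expected = 'None')

    $policy = Get-TpmOwnerAuthPolicy
    $result = [ordered]@{
        PolicyLevel = $policy
        Compliant   = ($policy -eq $Expected)
    }

    # Get-Tpm reports the level the OS is applying and whether an owner authorization
    # value is held locally; include both when the cmdlet is available.
    if (Get-Command Get-Tpm -ErrorAction SilentlyContinue) {
        $tpm = Get-Tpm
        $result['EffectiveLevel']         = $tpm.ManagedAuthLevel
        $result['OwnerAuthStoredLocally'] = -not [string]::IsNullOrEmpty($tpm.OwnerAuth)
    }

    [pscustomobject]$result
}

Test-TpmOwnerAuthMinimized | Format-List
```

Run it in an elevated PowerShell session on a client after a gpupdate; a PolicyLevel of NotConfigured means the GPO has not reached the machine yet, and a mismatch between PolicyLevel and EffectiveLevel usually means the TPM was provisioned before the policy applied, since the stored information is only reduced when ownership is taken or the TPM is cleared under the new setting.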
Further Information:
http://technet.microsoft.com/en-us/library/cc770660.aspx
Active Directory Domain Services (AD DS) can be used to store Trusted Platform Module (TPM) recovery information. There is only one TPM owner password per computer; therefore, the hash of the TPM owner password is stored as an attribute of the computer object in AD DS. The attribute has the common name (CN) of ms-TPMOwnerInformation.
http://www.group-policy.com/ref/policy/2859/Configure_TPM_platform_validation_profile
Configure TPM platform validation profile
This policy setting allows you to configure how the computer’s Trusted Platform Module (TPM) security
hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not
have a compatible TPM or if BitLocker has already been turned on with TPM protection.
If you enable this policy setting before turning on BitLocker, you can configure the boot components that the
TPM will validate before unlocking access to the BitLocker-encrypted operating system drive. If any of these
components change while BitLocker protection is in effect, the TPM will not release the encryption key to
unlock the drive and the computer will instead display the BitLocker Recovery console and require that either
the recovery password or recovery key be provided to unlock the drive.
If you disable or do not configure this policy setting, the TPM uses the default platform validation profile or the platform validation profile specified by the setup script. A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0), the Option ROM Code (PCR 2), the Master Boot Record (MBR) Code (PCR 4), the NTFS Boot Sector (PCR 8), the NTFS Boot Block (PCR 9), the Boot Manager (PCR 10), and the BitLocker Access Control (PCR 11). The descriptions of PCR settings for computers that use an Extensible Firmware Interface (EFI) are different than the PCR settings described for computers that use a standard BIOS. The BitLocker Drive Encryption Deployment Guide on Microsoft TechNet contains a complete list of PCR settings for both EFI and standard BIOS.
Warning: Changing from the default platform validation profile affects the security and manageability of your
computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased
depending upon inclusion or exclusion (respectively) of the PCRs.
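Because changing the validation profile changes which boot components can trigger BitLocker recovery, it is worth verifying which PCRs the TPM protector on a volume is actually bound to. The following PowerShell is an added example, not code from the exam page or from Microsoft. It parses the "PCR Validation Profile:" section that manage-bde -protectors -get prints for a TPM protector and compares it with an expected set; the sample text is constructed so the parser can be exercised without BitLocker, and the assumed output layout (the PCR list on the line after the label, or on the same line) is an assumption about manage-bde's formatting.

```powershell
# Added example (not from the exam page or Microsoft): checks which PCRs a BitLocker TPM
# protector validates, by parsing the output of "manage-bde -protectors -get <drive>".
# Assumption: the list follows a "PCR Validation Profile:" label, either on the same line
# or on the next line, as a comma-separated list of integers.

function Get-PcrProfileFromText {
    # Extracts the PCR indices from manage-bde output lines; returns an empty array if absent.
    param([string[]]$Lines)
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match 'PCR Validation Profile:\s*(.*)$') {
            $list = $Matches[1].Trim()
            # The list is usually printed on the following line; fall back to it when empty.
            if ([string]::IsNullOrEmpty($list) -and ($i + 1) -lt $Lines.Count) {
                $list = $Lines[$i + 1].Trim()
            }
            return @($list -split ',' | ForEach-Object { [int]$_.Trim() })
        }
    }
    return @()
}

function Compare-PcrProfile {
    # Reports PCRs missing from, or added beyond, the expected profile.
    param([int[]]$Actual, [int[]]$Expected)
    $missing = @($Expected | Where-Object { $Actual   -notcontains $_ })
    $extra   = @($Actual   | Where-Object { $Expected -notcontains $_ })
    [pscustomobject]@{
        Actual      = ($Actual   | Sort-Object) -join ','
        Expected    = ($Expected | Sort-Object) -join ','
        Matches     = ($missing.Count -eq 0 -and $extra.Count -eq 0)
        MissingPcrs = ($missing -join ',')
        ExtraPcrs   = ($extra   -join ',')
    }
}

# Constructed sample of the relevant manage-bde lines (not real output from any machine).
$sample = @(
    '    TPM:',
    '      ID: {00000000-0000-0000-0000-000000000000}',
    '      PCR Validation Profile:',
    '        0, 2, 4, 11'
)

# Expected profile: the native UEFI set named in option D of the question (PCR 0, 2, 4, 11).
$expected = 0, 2, 4, 11
Compare-PcrProfile -Actual (Get-PcrProfileFromText $sample) -Expected $expected | Format-List

# On a real client (elevated), feed live output instead of the sample:
#   $live = manage-bde -protectors -get C:
#   Compare-PcrProfile -Actual (Get-PcrProfileFromText $live) -Expected $expected
```

A profile with ExtraPcrs listed is more sensitive to firmware or boot-path changes (more recovery prompts), while MissingPcrs means components the expected profile was meant to measure are no longer gating release of the key; both deserve a change-control record before the GPO is rolled out.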