From 122674463ac2b404da4bcf28cfaede0d8ac4803a Mon Sep 17 00:00:00 2001 From: Tommy Date: Mon, 1 Jan 2024 09:05:48 -0700 Subject: [PATCH] Update policies --- Group Policies Objects/AutoPlay.md | 2 +- Group Policies Objects/Biometrics.md | 5 +++++ Group Policies Objects/Bitlocker.md | 1 - 3 files changed, 6 insertions(+), 2 deletions(-) create mode 100644 Group Policies Objects/Biometrics.md diff --git a/Group Policies Objects/AutoPlay.md b/Group Policies Objects/AutoPlay.md index deb9dad..9e0029d 100644 --- a/Group Policies Objects/AutoPlay.md +++ b/Group Policies Objects/AutoPlay.md @@ -1,5 +1,5 @@ # AutoPlay Policies -`Computer Configuration\Administrative Templates\Windows Components\AutoPlay` +`Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies` - Turn off Autoplay -> Enabled diff --git a/Group Policies Objects/Biometrics.md b/Group Policies Objects/Biometrics.md new file mode 100644 index 0000000..b6566c3 --- /dev/null +++ b/Group Policies Objects/Biometrics.md @@ -0,0 +1,5 @@ +# AutoPlay Policies + +`Computer Configuration\Administrative Templates\Windows Components\Biometrics\Facial Features` + +- Configure enhanced anti-spoofing -> Enabled \ No newline at end of file diff --git a/Group Policies Objects/Bitlocker.md b/Group Policies Objects/Bitlocker.md index 9f1d6d9..2843998 100644 --- a/Group Policies Objects/Bitlocker.md +++ b/Group Policies Objects/Bitlocker.md 
@@ -12,6 +12,5 @@ Choose drive encryption method and cipher strength-> Enable -> XTS-AES 256-bit f - Disallow standard users from changing the PIN or password -> Enabled - Require additional authentication at startup -> Enabled -> Do not allow TPM, Allow startup PIN with TPM, Do not allow startup key with TPM, Allow startup key and PIN with TPM. (**This is especially important as we do not want the TPM to automatically release the encryption key at boot.**) -- Require additional authentication at startup (Windows Server 2008 and Windows Vista) -> Enabled -> Uncheck "Allow Bitlocker without a compatible TPM". Not necessary because you shouldn't be running these versions anyways, but just in case you do have them. - Allow enhanced PINs for startup -> Enabled. - Configure TPM platform validation profile for native UEFI firmware configurations -> Enabled -> PCR 0,1,2,3,3,4,6,7,11 \ No newline at end of file
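Review bot: in the new `Group Policies Objects/Biometrics.md` the heading `# AutoPlay Policies` is a copy-paste left over from AutoPlay.md and does not match the path on the next line (`Computer Configuration\Administrative Templates\Windows Components\Biometrics\Facial Features`); rename it to something like `# Biometrics Policies` so the file index stays accurate. The file is also committed without a trailing newline (`\ No newline at end of file`), unlike AutoPlay.md; add one for consistency. The setting itself, `Configure enhanced anti-spoofing -> Enabled`, is the right direction for hardening Windows Hello face sign-in, so no change there.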
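Review bot: the Bitlocker.md hunk deletes the `Require additional authentication at startup (Windows Server 2008 and Windows Vista)` entry but neither the commit message (`Update policies`) nor the file says why; record the reason (the surrounding text already argues these versions should not be in use) so a later reader does not re-add it. While looking at this hunk, the unchanged context line `Configure TPM platform validation profile for native UEFI firmware configurations -> Enabled -> PCR 0,1,2,3,3,4,6,7,11` lists PCR 3 twice, which reads as a typo worth fixing in a follow-up since the PCR profile determines which boot measurements BitLocker seals the key to. This file also still ends with `\ No newline at end of file`.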