From 6d9f02fff40978e14b993e0c87c2c310b9955cb3 Mon Sep 17 00:00:00 2001
From: Tommy <contact@tommytran.io>
Date: Mon, 6 Nov 2023 07:11:15 -0700
Subject: [PATCH] Preboot auth

Signed-off-by: Tommy <contact@tommytran.io>
---
 Group Policies/Bitlocker Drive Encryption.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Group Policies/Bitlocker Drive Encryption.md b/Group Policies/Bitlocker Drive Encryption.md
index fa23be0..c5b01da 100644
--- a/Group Policies/Bitlocker Drive Encryption.md	
+++ b/Group Policies/Bitlocker Drive Encryption.md	
@@ -6,4 +6,5 @@ Choose drive encryption method and cipher strength (Windows 10 [Version 1511] an
 
 ## Operating System Drives
 
-Allow enhanced PINs for startup -> Enabled
+Require additional authentication at startup -> Enabled -> Do not allow TPM, Allow startup PIN with TPM, Do not allow startup key with TPM, Allow startup key and PIN with TPM. (**This is especially important as we do not want the TPM to automatically release the encryption key at boot.**)
+Allow enhanced PINs for startup -> Enabled.