GPO for TPM and PIN



Daft question of the hour.

I have set up a GPO that says use TPM and PIN so that hopefully our users that have BitLocker have to put in a PIN at boot, on Windows 10.

Should this apply to "all authenticated users", or should it actually be against a mythical list of "all computers"? If there is a thing called all computers, how can I select it?

  • I would personally apply it to a group to avoid applying it to devices that aren't compliant. 

    There is Authenticated Computers though - this is a catch-all group if you're using a directory.

    Automatically when you apply a policy to the root it'll add both Authenticated Users and Authenticated Computers for you. You can then drag them out and drag in a group if needed?
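
The group-scoped approach suggested in the reply could be set up as follows; this is an added example, not part of the original thread. BitLocker startup authentication is a Computer Configuration setting, so the filter group holds computer accounts. The GPO name and group name are placeholders, and the GroupPolicy and ActiveDirectory RSAT modules are assumed to be installed.

```powershell
# Added example: scope a TPM+PIN BitLocker GPO to a group of computers.
# $GpoName and $GroupName are hypothetical placeholders, not from the thread.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'BitLocker - Require TPM and PIN'
$GroupName = 'BitLocker-TPM-PIN-Computers'

# 1. Create the security group for TPM-capable computers if it does not exist.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}

# 2. Security filtering: reduce Authenticated Users from Apply to Read
#    (-Replace is needed to lower an existing permission), then let only
#    members of the computer group apply the policy.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply

# 3. Review the resulting delegation before linking or relying on the GPO.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission

# 4. Run on a client (elevated) after a restart and gpupdate: returns $true
#    only if the volume actually carries a TPM+PIN key protector.
function Test-TpmPinProtector {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin')
}
```

A computer picks up new group membership only after it restarts. On drives that were already encrypted with a TPM-only protector, the policy does not add a PIN by itself; the protector still has to be added, for example with `Add-BitLockerKeyProtector -TpmAndPinProtector`.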