Please help me understand the differences between the two. Trying to justify the trade-off between security and usability to myself before going to management with my recommendation.
Both scenarios assume secured BIOS configurations to eliminate physical threats. User accounts are AAD-managed with lockout after X unsuccessful login attempts. There may be sensitive or confidential assets placed on these devices.
Scenario 1: BitLocker FDE with Preboot Auth. User enters PIN to unlock the OS. After drive is unlocked, user is presented with sign-in splash.
Scenario 2: BitLocker FDE without Preboot Auth. User does not enter PIN and the OS loads automatically when booted. User is presented with sign-in splash.
What threats should I be concerned about in Scenario 2 that Scenario 1 protects against?
Many thanks in advance.