Table 7-3
Computer Setup—Security (continued)
System Security
(continued)
OS management of Embedded Security Device (enable/disable) - This option allows the user to limit
OS control of the Embedded Security Device. Default is enabled. This option is automatically
disabled if Trusted Execution Technology is enabled.
{
Reset of Embedded Security Device through OS (enable/disable) - This option allows the user
to limit the operating system ability to request a Reset to Factory Settings of the Embedded
Security Device. Default is disabled.
NOTE:
To enable this option, a Setup password must be set.
{
No PPI provisioning (Windows 8 only) - This option lets you set Windows 8 to bypass the PPI
(Physical Presence Interface) requirement and directly enable and take ownership of the TPM
on first boot. You cannot change this setting after TPM is owned/initialized, unless the TPM is
reset. Default is disabled for non-Windows 8 systems, and enabled for Windows 8.
{
Allow PPI policy to be changed by OS. Enabling this option allows the operating system to
execute TPM operations without Physical Presence Interface. Default is disabled.
NOTE:
To enable this option, a Setup password must be set.
DriveLock Security
Allows you to assign or modify a master or user password for hard drives. When this feature is
enabled, the user is prompted to provide one of the DriveLock passwords during POST. If neither is
successfully entered, the hard drive will remain inaccessible until one of the passwords is
successfully provided during a subsequent cold-boot sequence.
NOTE:
This selection will only appear when at least one drive that supports the DriveLock feature
is attached to the system.
Secure Boot
Configuration
This is a feature of Windows 8.
{
Legacy Support—Enable/Disable. Allows you to turn off all legacy support on the computer,
including booting to DOS, running legacy graphics cards, booting to legacy devices, and so
on. If set to disable, legacy boot options in
Storage > Boot Order
are not displayed.
Default is enabled.
{
Secure Boot—Enable/Disable. Allows you to make sure an operating system is legitimate
before booting to it, making Windows resistant to malicious modification from preboot to full
OS booting, preventing firmware attacks. UEFI and Windows Secure Boot only allow code
signed by pre-approved digital certificates to run during the firmware and OS boot process.
Default is disabled, except for Windows 8 systems which have this setting enabled. Secure
Boot enabled also sets
Legacy Support
to disabled.
{
Key Management—This option lets you manage the custom key settings.
│
Clear Secure Boot Keys—Don't Clear/Clear. Allows you to delete any previously loaded
custom boot keys. Default is Don't Clear.
│
Key Ownership—HP Keys/Custom Keys. Selecting Custom Mode allows you to modify
the contents of the secure boot signature databases and the platform key (PK) that verifies
kernels during system start up, allowing you to use alternative operating systems.
142
Chapter 7 Computer Setup (F10) Utility