Table 8-3Computer Setup—Security (continued)

System Security

OS management of Embedded Security Device (enable/disable) - This option allows the user to limit

(continued)

OS control of the Embedded Security Device. Default is enabled. This option is automatically

 

disabled if Trusted Execution Technology is enabled.

 

Reset of Embedded Security Device through OS (enable/disable) - This option allows the user

 

to limit the operating system ability to request a Reset to Factory Settings of the Embedded

 

Security Device. Default is disabled.

 

NOTE: To enable this option, a Setup password must be set.

 

No PPI provisioning (Windows 8 only) - This option lets you set Windows 8 to bypass the PPI

 

(Physical Presence Interface) requirement and directly enable and take ownership of the TPM

 

on first boot. You cannot change this setting after TPM is owned/initialized, unless the TPM is

 

reset. Default is disabled for non-Windows 8 systems, and enabled for Windows 8.

 

Allow PPI policy to be changed by OS. Enabling this option allows the operating system to

 

execute TPM operations without Physical Presence Interface. Default is disabled.

 

NOTE: To enable this option, a Setup password must be set.

 

 

DriveLock Security

Allows you to assign or modify a master or user password for hard drives. When this feature is

 

enabled, the user is prompted to provide one of the DriveLock passwords during POST. If neither is

 

successfully entered, the hard drive will remain inaccessible until one of the passwords is

 

successfully provided during a subsequent cold-boot sequence.

 

NOTE: This selection will only appear when at least one drive that supports the DriveLock feature

 

is attached to the system.

 

 

Secure Boot

This is a feature of Windows 8.

Configuration

Legacy Support—Enable/Disable. Allows you to turn off all legacy support on the computer,

 

 

including booting to DOS, running legacy graphics cards, booting to legacy devices, and so

 

on. If set to disable, legacy boot options in Storage > Boot Order are not displayed.

 

Default is enabled.

 

Secure Boot—Enable/Disable. Allows you to make sure an operating system is legitimate

 

before booting to it, making Windows resistant to malicious modification from preboot to full

 

OS booting, preventing firmware attacks. UEFI and Windows Secure Boot only allow code

 

signed by pre-approved digital certificates to run during the firmware and OS boot process.

 

Default is disabled, except for Windows 8 systems which have this setting enabled. Secure

 

Boot enabled also sets Legacy Support to disabled.

 

Key Management—This option lets you manage the custom key settings.

 

Clear Secure Boot Keys—Don't Clear/Clear. Allows you to delete any previously loaded

 

 

custom boot keys. Default is Don't Clear.

 

Key Ownership—HP Keys/Custom Keys. Selecting Custom Mode allows you to modify

 

 

the contents of the secure boot signature databases and the platform key (PK) that verifies

 

 

kernels during system start up, allowing you to use alternative operating systems.

 

 

 

Computer Setup (F10) Utilities 189