HP Z228 Maintenance And Service Manual page 28

System Security
(continued)
DriveLock Security
Secure Boot
Configuration
18 Chapter 2 System management
computer and then turn it back on. Default is disabled. To enable this feature you must enable the
following features:
◦
Embedded Security Device Support
◦
Virtualization Technology
◦
Virtualization Technology Directed I/O
●
Embedded Security Device—(Enable/Disable). Permits activation and deactivation of the Embedded
Security Device.
NOTE: To configure the Embedded Security Device, a setup password must be set.
●
Reset to Factory Settings (Do not reset/Reset)—Resetting to factory defaults erases all security
keys and leaves the device in a disabled state. Changing this setting requires that you restart the
computer. Default is Do not reset.
CAUTION: The embedded security device is a critical component of many security schemes.
Erasing the security keys will prevent access to data protected by the Embedded Security Device.
Choosing Reset to Factory Settings may result in significant data loss.
●
Measure boot variables/devices to PCR1—Typically, the computer measures the boot path and
saves collected metrics to PCR5 (a register in the Embedded Security Device). Bitlocker tracks
changes to any of these metrics and forces the user to re-authenticate if it detects any changes.
Enabling this feature lets you set Bitlocker to ignore detected changes to boot path metrics, thereby
avoiding re-authentication issues associated with USB keys inserted in a port. Default is enabled.
OS management of Embedded Security Device—(Enable/Disable). This option allows the user to limit OS
control of the Embedded Security Device. Default is enabled. This option is automatically disabled if
Trusted Execution Technology is enabled.
●
Reset of Embedded Security Device through OS—(Enable/Disable). This option allows the user to
limit the operating system ability to request a Reset to Factory Settings of the Embedded Security
Device. Default is disabled.
NOTE: To enable this option, a Setup password must be set.
●
No PPI provisioning (Windows 8 only)—This option lets you set Windows 8 to bypass the PPI
(Physical Presence Interface) requirement and directly enable and take ownership of the TPM on
first boot. You cannot change this setting after TPM is owned/initialized, unless the TPM is reset.
Default is disabled for systems other than Windows 8, and enabled for Windows 8.
●
Allow PPI policy to be changed by OS. Enabling this option allows the operating system to execute
TPM operations without Physical Presence Interface. Default is disabled.
NOTE: To enable this option, a Setup password must be set.
Allows you to assign or modify a master or user password for hard drives. When this feature is enabled,
the user is prompted to provide one of the DriveLock passwords during POST. If neither is successfully
entered, the hard drive will remain inaccessible until one of the passwords is successfully provided during
a subsequent cold-boot sequence.
NOTE: This selection will only appear when at least one drive that supports the DriveLock feature is
attached to the system.
●
Legacy Support—Enable/Disable. Allows you to turn off all legacy support on the computer,
including booting to DOS, running legacy graphics cards, booting to legacy devices, and so on. If set
to disable, legacy boot options in Storage > Boot Order are not displayed. Default is enabled.
●
Secure Boot—Enable/Disable. Allows you to make sure an operating system is legitimate before
booting to it, making Windows resistant to malicious modification from preboot to full OS booting,
preventing firmware attacks. UEFI and Windows Secure Boot only allow code signed by pre-
approved digital certificates to run during the firmware and OS boot process. Default is disabled,
except for Windows 8 systems which have this setting enabled. Secure Boot enabled also sets
Legacy Support to disabled.
●
Key Management—This option lets you manage the custom key settings.