HP t628 Troubleshooting Manual page 44

Table A-1 Computer Setup—Security (continued)
Option
System Security
Secure Boot
Configuration
38 Appendix A Computer Setup (F10) Utility, BIOS Settings
Description
Provides these options:
Data Execution Prevention (enable/disable) - Helps prevent operating system security breaches.
●
Default is enabled.
Virtualization Technology (enable/disable) – Controls the virtualization features of the processor.
●
Changing this setting requires turning the computer off and then back on. Default is disabled.
● Embedded Security Device (enable/disable) – Permits activation and deactivation of the Embedded
Security Device. Changing this setting requires turning the computer off and then back on.
NOTE: To configure the Embedded Security Device, a Setup password must be set.
○ Reset to Factory Setting (Do not reset/Reset) – Resetting to factory defaults will erase all
security keys. Changing this setting requires turning the computer off and then back on.
Default is 'Do not reset'.
○ Measure boot variables/devices to PCR1 (disable/enable) – Typically, the computer measures
the boot path and saves collected metrics to PCR5 (a register in the Embedded Security
Device). Bitlocker tracks changes to any of these metrics, and forces the user to re-
authenticate if it detects any changes. Enabling this feature lets you set Bitlocker to ignore
detected changes to boot path metrics, thereby avoiding reauthentication issues associated
with USB keys inserted in a port. Default is enabled.
● OS Management of Embedded Security Device (enable/disable) – This option allows the user to limit
operating system control of the Embedded Security Device. Changing this setting requires turning
the computer off and then back on. This
● Reset of Embedded Security Device through OS (enable/disable) – This option allows the user to limit
the operating system ability to request a Reset to Factory Settings of the Embedded Security Device.
Changing this setting requires turning the computer off and then back on. Default is disable.
NOTE: To enable this option, a Setup password must be set.
● No PPI provisioning (enable/disable) – This option lets you set the operating system to bypass the
PPI (Physical Presence Interface) requirement and directly enable and take ownership of the TPM on
first boot. You cannot change this setting after TPM is owned/initialized, unless the TPM is reset.
Allow PPI policy to be changed by OS (enable/disable) – Enabling this option allows the operating
●
system to execute TPM operations without Physical Presence Interface. Default is disabled.
The options on this setup page are only for Windows 10 and other operating systems that support Secure
Boot. Changing the default setting of the setup options on this page for operating system that do not
support secure boot may prevent the system from booting successfully.
Legacy Support (enable/disable) – Enable or disable the legacy operating system support (Windows
Embedded Standard 7 and HP Thin-Pro).
Secure Boot (enable/disable) – Only when the Legacy Support set to disable, this item can be set to
enable. This item is for Secure Boot flow control. Secure boot is possible only if system run in user mode.
Key Management
● Clear Secure Boot Keys (Clear/Don't Clear). Lets you clear the Secure Boot Key.
● Key ownership (HP keys/Customer keys). Lets you change the keys of different owners.
Fast Boot (Enable/Disable) – Enable Fast Boot cause system boot by initializing a minimal set of devices
which is required to launch active boot option. This option has no effect for BBS boot options.