HP PC Commercial BIOS (UEFI) Setup Whitepaper
August 2018 
919946-003 
HP PC Commercial BIOS (UEFI) Setup 
© Copyright 2016-2018 HP Development Company, L.P. 
4 Security Menu 19 
4.3 Trusted Platform Module (TPM) Embedded Security Menu 
This sub-menu configures the Trusted Platform Module (TPM), a dedicated microprocessor that provides security functions for
secure communication and for software and hardware integrity. The built-in TPM hardware solution is more secure than a
software-only solution.
Table 10  TPM Embedded Security Menu features

| Feature | Type | Description | Default | Notes |
|---|---|---|---|---|
| TPM Specification Version | Display only | The Trusted Computing Group (TCG) is an industry group that defines specifications for a TPM. As of this writing, possible TPM specification versions are 1.2 or 2.0. | | |
| TPM Device | Setting | Makes the TPM available. The following settings are possible: Available; Hidden. | Available | Reboot, Physical Presence Required |
| TPM State | Setting | When checked, enables the ability for the OS to take ownership of the TPM. | Checked | Reboot, Physical Presence Required |
| Clear TPM | Action | When selected, clears the TPM on the next boot. After clearing the TPM, this resets to No. The following settings are possible: No; On next boot. | No | Reboot Required |
| TPM Activation Policy | Setting | This setting allows an administrator to choose between convenience and extra security. The extra security is to ensure that the user of the system will at least see that the TPM device upgraded its firmware (F1 to Boot), or at most the user has the ability to reject the upgrade of the TPM device (Allow user to reject). These user prompts limit the impact of remote attacks on the system by requiring a user to be physically present for the upgrade. When security of the system is of less concern, the third option (No prompts) removes any requirement for a user to acknowledge the upgrade. This last option is the most convenient for remotely upgrading many systems at once. The following settings are possible: F1 to Boot; Allow user to reject; No prompts. | Allow user to reject | HP recommends an option that requires the physical presence of the user |
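As an added example (not part of the HP whitepaper), the following POSIX shell check reports from a running Linux system how the TPM Device and TPM Specification Version settings above took effect, by reading the kernel's sysfs TPM class; the sysfs root is a parameter so the check can be exercised against a constructed directory tree, and the `tpm_version_major` and `owned` attribute names are taken from the kernel's sysfs-class-tpm ABI (assumed present on the running kernel).

```shell
#!/bin/sh
# Added example, not HP code: inspect the OS-visible outcome of the BIOS
# "TPM Device" (Available/Hidden) and "TPM Specification Version" (1.2/2.0)
# settings. The sysfs root defaults to /sys/class/tpm but can be overridden
# so the function can run against a constructed tree for testing.
tpm_status() {
    root="${1:-/sys/class/tpm}"
    dev="$root/tpm0"
    # No tpm0 node: the firmware did not expose a TPM to the OS, which is
    # how "TPM Device = Hidden" (or no TPM at all) appears from here.
    if [ ! -d "$dev" ]; then
        echo "hidden"
        return 0
    fi
    # tpm_version_major (1 or 2) is exported by recent kernels; older
    # kernels lack it, so report the version as unknown rather than guess.
    if [ -r "$dev/tpm_version_major" ]; then
        major=$(cat "$dev/tpm_version_major")
        case "$major" in
            1) ver="1.2" ;;
            2) ver="2.0" ;;
            *) ver="unknown" ;;
        esac
    else
        ver="unknown"
    fi
    # The 'owned' attribute exists only for TPM 1.2 devices and shows whether
    # an OS has taken ownership (which the BIOS "TPM State" box permits).
    if [ -r "$dev/owned" ]; then
        echo "available $ver owned=$(cat "$dev/owned")"
    else
        echo "available $ver"
    fi
}

tpm_status "$@"
```

A result of `hidden` on a machine known to contain a TPM is the cue to check the TPM Device setting in BIOS setup; `available 2.0` or `available 1.2` confirms the setting and the specification version shown in the menu.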