HP PC Commercial BIOS (UEFI) Setup Administration Guide For Commercial Platforms using HP BIOSphere Gen 3-5 2016 -2019 Technical Whitepaper
HP PC Commercial BIOS (UEFI) Setup
June 2019
919946-004
© Copyright 2016-2019 HP Development Company, L.P.
4 Security Menu 22
4.3 Trusted Platform Module (TPM) Embedded Security Menu
This submenu configures the Trusted Platform Module (TPM), a dedicated microprocessor that provides security functions for
secure communication and for software and hardware integrity. The built-in TPM hardware solution is more secure than a
software-only solution.
Table 11 TPM Embedded Security Menu features

Feature: TPM Specification Version
Type: Display Only
Description: The Trusted Computing Group (TCG) is an industry group that defines specifications for a TPM. As of this writing, possible TPM specification versions are 1.2 or 2.0.
NOTE: Windows 10 requires TPM 2.0 capability.

Feature: TPM Device
Type: Setting
Description: Makes the TPM available. The following settings are possible:
• Available
• Hidden
Default: Available
Notes: Reboot, Physical Presence Required

Feature: TPM State
Type: Setting
Description: When checked, enables the ability for the OS to take ownership of the TPM (v1.2) or enables OS and application access to the various security capabilities of the TPM (v2.0).
Default: Checked
Notes: Reboot, Physical Presence Required

Feature: Clear TPM
Type: Action
Description: When selected, clears the TPM on the next boot. After clearing the TPM, this resets to No. The following settings are possible:
• No
• On next boot
Default: No
Notes: Reboot Required

Feature: TPM Activation Policy
Type: Setting
Description: This setting allows an administrator to choose between convenience and extra security. The extra security ensures that the user of the system will at least see that the TPM device upgraded its firmware (F1 to Boot), or at most has the ability to reject the upgrade of the TPM device (Allow user to reject). These user prompts limit the impact of remote attacks on the system by requiring a user to be physically present for the upgrade. When security of the system is of less concern, the third option (No prompts) removes any requirement for a user to acknowledge the upgrade. This last option is the most convenient for remotely upgrading many systems at once.
The following settings are possible:
• F1 to Boot
• Allow user to reject
• No prompts
Default: Allow user to reject
Notes: HP recommends an option that requires the physical presence of the user
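As an added example that is not part of the HP guide, the following PowerShell audit reads the TPM Embedded Security settings listed above from inside Windows and cross-checks them against what the OS reports, flagging a hidden TPM, an armed Clear TPM, a No prompts activation policy, or a pre-2.0 specification version. It assumes HP's BIOS WMI provider exposes the settings under root\HP\InstrumentedBIOS as HP_BIOSSetting objects with Name and CurrentValue properties, that the value strings match the menu labels shown in Table 11, and that the built-in TrustedPlatformModule cmdlets are present; nothing is written back to the BIOS.

```powershell
# Added example, not from the HP guide: read-only audit of the TPM Embedded
# Security settings on an HP commercial PC, run from an elevated PowerShell.
# Assumptions: HP_BIOSSetting under root\HP\InstrumentedBIOS exposes Name and
# CurrentValue, and CurrentValue strings match the Table 11 menu labels.

function Test-HpTpmSettings {
    $wanted = 'TPM Device', 'TPM State', 'Clear TPM', 'TPM Activation Policy'

    # Current BIOS values as reported by the HP provider; nothing is changed.
    $bios = @{}
    Get-CimInstance -Namespace 'root\HP\InstrumentedBIOS' -ClassName 'HP_BIOSSetting' |
        Where-Object { $wanted -contains $_.Name } |
        ForEach-Object { $bios[$_.Name] = $_.CurrentValue }

    # The OS view of the TPM, used to cross-check the firmware settings.
    $tpm  = Get-Tpm
    $spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName 'Win32_Tpm').SpecVersion

    $findings = New-Object System.Collections.Generic.List[string]

    if ($bios['TPM Device'] -and $bios['TPM Device'] -ne 'Available') {
        $findings.Add("TPM Device is '$($bios['TPM Device'])'; the OS cannot use a hidden TPM")
    }
    if (-not $tpm.TpmPresent -or -not $tpm.TpmEnabled) {
        $findings.Add('OS reports the TPM absent or disabled; check TPM Device and TPM State in BIOS Setup')
    }
    if ($bios['Clear TPM'] -eq 'On next boot') {
        $findings.Add('Clear TPM is armed: keys held by the TPM (e.g. BitLocker protectors) are lost on the next boot')
    }
    if ($bios['TPM Activation Policy'] -eq 'No prompts') {
        $findings.Add("TPM Activation Policy is 'No prompts'; TPM firmware upgrades need no physically present user (HP recommends a prompting option)")
    }
    if ($spec -and $spec -notmatch '^2\.0') {
        $findings.Add("TPM specification version reported as '$spec'; the guide notes Windows 10 requires TPM 2.0")
    }

    [pscustomobject]@{
        BiosSettings = $bios
        OsTpm        = $tpm | Select-Object TpmPresent, TpmEnabled, TpmActivated, TpmReady
        SpecVersion  = $spec
        Findings     = $findings
    }
}

$result = Test-HpTpmSettings
$result.BiosSettings.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
if ($result.Findings.Count -eq 0) { 'No findings.' } else { $result.Findings }
```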