HP PC Commercial BIOS (UEFI) Setup
July 2020
919946-004
© Copyright 2016-2020 HP Development Company, L.P.
4 Security Menu
Ready BIOS for Device Guard Use (Action)
Ready BIOS for Device Guard Use includes a drop-down box that automatically configures the BIOS settings that Windows requires to enable Device Guard, or changes the configuration back to the configuration before Device Guard was enabled. Device Guard is a Windows feature that enables higher security around drivers and BIOS behavior.
The following settings are possible:
• Configure on Next Boot
• Clear Configuration on Next Boot
When set to Configure on Next Boot, the BIOS changes the following settings to the states required by Device Guard after you save changes and exit:
• Virtualization features are enabled.
• Removable and network boot devices are disabled (for example, USB boot, CD-ROM boot, Thunderbolt™ boot, etc.).
• MS UEFI CA Key is disabled.
When set to Clear Configuration on Next Boot, the BIOS sets the listed features to their Custom Default state if custom defaults have been saved. If custom defaults have not been saved, the BIOS restores the listed features to their factory default states.
4.6 Secure Platform Management (SPM)
This submenu controls settings for Secure Platform Management that are used for secure enablement and management of
the HP Sure Run, Sure Recover, and Sure Admin (Enhanced BIOS Authentication Mode) capabilities.
You cannot provision SPM and activate HP Sure Run directly from the BIOS Setup interface. You can provision SPM using HP
Client Security Manager Software or the HP Manageability Integration Kit. When provisioned, the controls in this menu can
be used to deprovision the system or deactivate HP Sure Run.
Table 16 Secure Platform Management Menu features

| Feature | Type | Description | Default | Notes |
| --- | --- | --- | --- | --- |
| SPM Current State | Setting (Display Only) | • Provisioned • Not provisioned | Not provisioned | |
| Unprovision SPM | Action | This action deprovisions SPM, which causes HP Sure Run to revert to the Inactive state and return HP Sure Recover to default settings. | | |
| HP Sure Run Current State | Setting (Display Only) | • Active • Inactive | Inactive | |
| Deactivate HP Sure Run | Action | This action deactivates HP Sure Run without deprovisioning SPM. | | |
| HP Sure Admin – EBAM Current State | Setting (Display Only) | • Enabled • Disabled | Disabled | |
| Disable EBAM | Action | This action disables Enhanced BIOS Authentication Mode (EBAM) | | |