HP Sure Start - Technical white paper
11
Technical white paper | HP Sure Start 
OS is running. There are three possible congurations for this policy:
• Log event only: When this setting is selected, the HP ESC logs detection events, which can be viewed in the Applications 
and Services Logs/HP Sure Start path of the Microsoft Windows Event Viewer.
3
• Log event and notify user: This is the default setting. When this setting is selected, the HP ESC logs detection events, 
which can be viewed in the Applications and Services Logs/HP Sure Start path of the Microsoft Windows Event Viewer. 
Additionally, the user is notied within Windows that the event occurred.
4 
• Log event and power o system: When this setting is selected, the HP ESC logs detection events, which can be viewed 
in the Applications and Services Logs/HP Sure Start path of the Microsoft Windows Event Viewer. Additionally, the user is 
notied within Windows that the event occurred, and that system shutdown is imminent.
HP Sure Start Security Event Boot Notication
This BIOS policy setting controls whether HP Sure Start warnings and error messages that are displayed when the 
system is booted require the local user to acknowledge the error before the boot continues. With the default Require 
Acknowledgement setting, the system halts with the error message displayed. The local user must press a key to 
continue the boot. If changed to Time out after 15 seconds, the message is displayed, but the boot process continues 
automatically after the message is displayed for 15 seconds.
Lock BIOS Version
In the (F10) BIOS setup, this feature is located in Main/Update System BIOS.
When set to disable, you can update the BIOS using any supported process. When the HP ESC detects a valid boot block 
update in the system ash, it updates the backup copy of the boot block.
When set to enable, all HP BIOS update tools refuse to update the BIOS. In addition, HP Sure Start protects the BIOS from 
attempts to change the BIOS version by removing the system ash via an unauthorized method. The HP ESC records the 
locked-down version of BIOS. When the HP ESC detects that the BIOS in the system ash changed, the HP ESC overwrites 
the BIOS boot block with the HP ESC copy of the boot block. The HP ESC copy of the boot block executes and recovers the 
remainder of the correct version of the BIOS. The default setting of this feature is disable.
Save/Restore MBR of System Hard Drive and Save/Restore GPT of System Hard Drive
In the (F10) BIOS setup, this feature is located in Security/Hard Drive Utilities. Only one of these capabilities is available, 
depending on the partition type of the primary drive (GPT or MBR), as detected by HP Sure Start.
When set to enable, HP Sure Start maintains a protected backup copy of the MBR/GPT partition table from the primary 
drive and compares the backup copy to the primary on each boot. If a dierence is detected, the user is prompted and  
can choose to recover from the backup to the original state, or to update the protected backup copy with the changes. 
The Boot Sector (MBR/GPT) Recovery Policy can optionally be used to remove the user decision for the action taken in 
the event of a discrepancy found by HP Sure Start.
When set to disable (default), no MBR/GPT protection is provided by HP Sure Start. 
Boot Sector (MBR/GPT) Recovery Policy 
When set to Local User Control (default) the user is prompted for the action to take when HP Sure Start detects a change 
in the MBR/GPT partition table. When set to Recover in the event of corruption, HP Sure Start automatically restores the 
MBR/GPT to the saved state any time dierences are encountered. 
3
 HP Notication Software must be installed to view HP Sure Start events in the Windows Event Viewer.
4
 HP Notication Software must be installed to receive notications.










