HP Sure Start

Technical white paper | HP Sure Start
Verify Boot Block on Every Boot
HP Sure Start always veries the integrity of the system ash BIOS boot block before resuming from sleep, hibernate, or
power-o. When set to enable, HP Sure Start will also verify the integrity of the boot block on each warm boot (Windows
restart). The trade-o to consider is faster restart time versus more security. The default setting of this feature is disable.
BIOS Data Recovery Policy
When set to Automatic, HP Sure Start automatically repairs the BIOS or the Machine Unique Data when necessary. When
set to Manual, HP Sure Start requires a special key sequence before it proceeds with the repair. If the boot block code is
found to be damaged, the system refuses to boot and a unique blink sequence flashes on the system LED; which LED lights
may vary by platform and by instance. If the Machine Unique Data is found to be damaged, the system displays a message on
the screen. Both the key sequence required and the blink sequence displayed vary depending on whether the system is a
notebook, a desktop, or a tablet. Manual mode is useful to users who want to perform forensics on the system flash contents
before the repair overwrites them. Typical users are not encouraged to use Manual mode. The default setting of this feature
is Automatic.
Network Controller Conguration Restore (Intel only)
When selected, HP Sure Start immediately restores the network controller conguration to factory defaults.
Prompt on Network Controller Configuration Change (Intel only)
HP provides a factory-defined network controller configuration, which includes the MAC address. When this setting is set
to enable, the system monitors the state of the network controller configuration and prompts the user if it changes from
the factory-configured state. The default setting of this feature is disable.
Dynamic Runtime Scanning of Boot Block (Intel only)
In the default setting of enable, HP Sure Start periodically checks the integrity of the BIOS boot block while the OS is
running. In the disable setting, HP Sure Start checks the integrity only before a boot or before a resume from sleep or
hibernate.
HP Sure Start BIOS Setting Protection
The BIOS setting protection policy is disabled by default. To enable the feature, the owner/administrator of the client
device should first configure all BIOS policies to the preferred settings. The owner/administrator must also configure a
BIOS setup administrator password.
Once that is completed, the BIOS setting protection policy should be changed to "Enable." At this point, a backup copy
of all BIOS settings is created in the HP Sure Start-protected storage. Going forward, none of the BIOS settings can be
modified locally or remotely. On each boot, the BIOS policy settings are verified to be in the desired state, and if there is
any discrepancy, the BIOS settings are restored from the HP Sure Start-protected storage.
To modify a BIOS setting, the BIOS administrator password must be provided and BIOS setting protection subsequently
disabled, at which point changes can be made to the BIOS settings. Because the backup copy is taken at the moment
protection is enabled, any setting that is wrong at that moment is what Sure Start will restore on every boot.
HP Sure Start Secure Boot Keys Protection
With this setting at the factory default of enable, HP Sure Start provides enhanced protection of the Secure Boot
databases and keys that the BIOS uses to verify the integrity and authenticity of the OS bootloader before launching it at
boot. When set to disable, only the standard UEFI Secure Boot variable protection is used, and no backup copy is kept by
the HP Sure Start subsystem.
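The settings described above (Verify Boot Block on Every Boot through Secure Boot Keys Protection) are typically managed at scale from an exported BIOS configuration rather than from the F10 setup screen. The following added example, which is not HP's own tooling, parses a configuration export in the text layout used by the HP BIOS Configuration Utility (BCU), audits the Sure Start settings against a hardened baseline, and orders the resulting changes so that they can actually be applied: BIOS Setting Protection must be disabled (with the administrator password) before any other setting can change, and must be re-enabled last so the protected backup captures the finished state. The setting names, value strings, and the sample export are assumptions modelled on BCU output; confirm them against a real export from the target platform before use.

```python
"""Audit HP Sure Start BIOS settings from a BCU-style export and plan the
changes needed to reach a baseline, in an order Sure Start will accept.

Added example, not HP's own code. Setting names and the export layout are
assumptions modelled on HP BIOS Configuration Utility (BCU) output; verify
them against a real export (BiosConfigUtility64.exe /getconfig:<file>).
"""
from typing import Dict, List, Tuple

# Constructed sample export in BCU layout: a setting name at column 0, its
# possible values indented below it, '*' marking the current value. Real
# exports indent with tabs; the parser accepts any leading whitespace.
SAMPLE_EXPORT = """\
BIOSConfig 1.0
;
;     Originally created by BIOS Configuration Utility (constructed sample)
;
Verify Boot Block on every boot
    *Disable
    Enable
BIOS Data Recovery Policy
    *Automatic
    Manual
Dynamic Runtime Scanning of Boot Block
    Disable
    *Enable
Sure Start BIOS Settings Protection
    *Disable
    Enable
Sure Start Secure Boot Keys Protection
    Disable
    *Enable
Enhanced HP Firmware Runtime Intrusion Prevention and Detection
    Disable
    *Enable
"""

PROTECTION = "Sure Start BIOS Settings Protection"   # assumed BCU name

# Hardened baseline (assumed names). Verify-on-every-boot costs restart time
# but closes the warm-boot gap; the others keep their factory defaults.
BASELINE = {
    "Verify Boot Block on every boot": "Enable",
    "BIOS Data Recovery Policy": "Automatic",
    "Dynamic Runtime Scanning of Boot Block": "Enable",
    "Sure Start Secure Boot Keys Protection": "Enable",
    "Enhanced HP Firmware Runtime Intrusion Prevention and Detection": "Enable",
    PROTECTION: "Enable",
}

Settings = Dict[str, Tuple[str, List[str]]]   # name -> (current, possible)


def parse_bcu(text: str) -> Settings:
    """Parse a BCU export into {setting: (current_value, [possible_values])}."""
    settings: Settings = {}
    name = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith(";") or raw.startswith("BIOSConfig"):
            continue
        if raw[0].isspace():                       # indented: a value line
            if name is None:
                raise ValueError(f"value {raw.strip()!r} before any setting name")
            value = raw.strip()
            current, values = settings[name]
            if value.startswith("*"):              # '*' flags the current value
                value = value[1:]
                current = value
            values.append(value)
            settings[name] = (current, values)
        else:                                      # column 0: a setting name
            name = raw.strip()
            settings[name] = ("", [])
    return settings


def audit(settings: Settings, baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (name, current, wanted) for each baseline setting that drifted.

    A baseline value the BIOS does not offer raises instead of silently
    producing a change file the firmware would ignore."""
    drift = []
    for name, wanted in baseline.items():
        if name not in settings:
            raise KeyError(f"setting {name!r} not present in export")
        current, values = settings[name]
        if wanted not in values:
            raise ValueError(f"{name!r} cannot be set to {wanted!r}; BIOS offers {values}")
        if current != wanted:
            drift.append((name, current, wanted))
    return drift


def plan_changes(settings: Settings, baseline: Dict[str, str]) -> Dict[str, list]:
    """Split drift into three phases that must run as separate BCU passes:
    'unlock' disables Settings Protection (needs the BIOS admin password),
    'apply' changes everything else, 'lock' re-enables protection last so
    the Sure Start backup snapshot is taken of the finished state."""
    drift = audit(settings, baseline)
    current_prot = settings[PROTECTION][0]
    wanted_prot = baseline.get(PROTECTION, current_prot)
    others = [d for d in drift if d[0] != PROTECTION]
    must_unlock = current_prot == "Enable" and (bool(others) or wanted_prot == "Disable")
    phases = {"unlock": [], "apply": others, "lock": []}
    if must_unlock:
        phases["unlock"].append((PROTECTION, "Enable", "Disable"))
    if wanted_prot == "Enable" and (must_unlock or current_prot != "Enable"):
        phases["lock"].append((PROTECTION, "Disable", "Enable"))
    return phases


def render_bcu(settings: Settings, steps: List[Tuple[str, str, str]]) -> str:
    """Render one phase as a BCU change file (assumed layout: '*' = wanted)."""
    lines = ["BIOSConfig 1.0", ";", "; generated change file"]
    for name, _current, wanted in steps:
        lines.append(name)
        for value in settings[name][1]:
            lines.append(("\t*" if value == wanted else "\t") + value)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    current = parse_bcu(SAMPLE_EXPORT)
    for phase, steps in plan_changes(current, BASELINE).items():
        if steps:
            print(f"== {phase} ==")
            print(render_bcu(current, steps))
```

Each non-empty phase would be applied with its own BCU run (for example `/setconfig:<file>` together with the setup-password file option), rebooting between passes where the platform requires it. The audit is also useful on its own as a drift check: a device whose export shows Settings Protection enabled but a boot-block or Secure Boot key setting off its baseline is one where protection was turned on before the settings were finished, and that wrong state is what Sure Start is now restoring on every boot.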
Enhanced HP Firmware Runtime Intrusion Prevention and Detection (Intel only) and HP Firmware Runtime Intrusion
Detection (AMD only)
The RTID feature is enabled by default on all platforms shipped from the HP factory. The end customer/administrator does
not need to enable or otherwise deploy the feature to take advantage of HP Sure Start RTID. The platform
owner/administrator can optionally set the RTID feature to disable.
HP Sure Start Security Event Policy
This BIOS policy setting controls what action is taken when HP Sure Start detects an attack or attempted attack while the