HP Sure Start for AMD Technical whitepaper

July 2019
L75214-001
HP Sure Start for AMD
© Copyright 2019 HP Development Company, L.P.
3 User notifications, event logging, and policy management 12
notebook, a desktop, or a tablet. Manual mode is useful to users who can perform forensics on the system flash contents before
repair. Typical users are not encouraged to use manual mode. The default setting of this feature is Automatic.
3.3.3 HP Sure Start BIOS Setting Protection
The BIOS setting protection policy is disabled by default. To enable the feature, the owner/administrator of the client device
should first configure all BIOS policies to the preferred setting. The owner/administrator also must configure a BIOS setup
administrator password.
Once that is completed, the BIOS setting protection policy should be changed to “Enable.” At this point, a backup copy of all BIOS
settings is created in the HP Sure Start for AMD protected storage. Going forward, none of the BIOS settings can be modified
locally or remotely. On each boot, the BIOS policy settings are verified to be in the desired state, and if there is any discrepancy,
the BIOS settings are restored from the HP Sure Start for AMD protected storage.
To modify a BIOS setting, the BIOS administrator password must be provided and BIOS setting protection subsequently disabled,
at which point changes can be made to the BIOS settings.
3.3.4 HP Sure Start Secure Boot Keys Protection
With this setting at the factory default of enable, HP Sure Start for AMD provides enhanced protection of the secure boot
databases and keys used by BIOS to verify the integrity and authenticity of the OS bootloader before launching it at boot. When
set to disable, only standard UEFI secure boot variable protection is used and no backup copy is kept by the HP Sure Start for AMD
subsystem.
3.3.5 HP Sure Start Security Event Policy
This BIOS policy setting controls what action is taken when HP Sure Start for AMD detects an attack or attempted attack while the
OS is running. There are three possible configurations for this policy:
Log event only: When this setting is selected, the HP ESC logs detection events, which can be viewed in the Applications and Services Logs/HP Sure Start for AMD path of the Microsoft Windows Event Viewer.

Log event and notify user: This is the default setting. When this setting is selected, the HP ESC logs detection events, which can be viewed in the Applications and Services Logs/HP Sure Start for AMD path of the Microsoft Windows Event Viewer. Additionally, the user is notified within Windows that the event occurred.

Log event and power off system: When this setting is selected, the HP ESC logs detection events, which can be viewed in the Applications and Services Logs/HP Sure Start for AMD path of the Microsoft Windows Event Viewer. Additionally, the user is notified within Windows that the event occurred, and that system shutdown is imminent.
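All three Security Event Policy settings write detection events to the Windows event log, so a security team will usually want to collect those events centrally rather than rely on a user noticing a desktop notification. The PowerShell script below is an added example, not HP's code or tooling: it discovers the event log whose name contains "Sure Start" at run time (the whitepaper gives the Event Viewer path but not the exact log name, so the name is an assumption that is checked rather than hard-coded), pulls recent events, summarises them by event ID and level, and exports them to a CSV file at a constructed path for SIEM ingestion. HP Notification Software must be installed for the log to exist at all.

```powershell
# Added example (not HP's code): collect HP Sure Start for AMD detection events
# from the Windows event log for review or forwarding to a SIEM.
# Assumption: the log shown in Event Viewer under "Applications and Services Logs"
# has a name containing "Sure Start"; it is discovered rather than hard-coded.
# HP Notification Software must be installed for the log to be present.

function Get-SureStartLog {
    # Enumerate event logs whose name mentions Sure Start (wildcard lookup).
    Get-WinEvent -ListLog '*Sure Start*' -ErrorAction SilentlyContinue
}

function Get-SureStartEvents {
    param(
        [int]$MaxEvents = 100,
        [datetime]$Since = (Get-Date).AddDays(-30)
    )
    $logs = Get-SureStartLog
    if (-not $logs) {
        Write-Warning 'No HP Sure Start event log found. Is HP Notification Software installed?'
        return
    }
    foreach ($log in $logs) {
        # Time-bounded query; -ErrorAction hides the "no events found" error on quiet hosts.
        Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; StartTime = $Since } `
                     -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message
    }
}

$events = Get-SureStartEvents
if ($events) {
    # Triage view: which event IDs and severities fired, most frequent first.
    $events | Group-Object Id, LevelDisplayName | Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize

    # The ten most recent events in full, for incident review.
    $events | Sort-Object TimeCreated -Descending | Select-Object -First 10 | Format-List

    # Export for offline analysis or SIEM ingestion (constructed output path).
    $events | Export-Csv -Path "$env:TEMP\hp-sure-start-events.csv" -NoTypeInformation
}
```

Run it in an elevated PowerShell session on the managed client, or wrap `Get-SureStartEvents` in a scheduled task that ships the CSV to your log collector. Because the "Log event and power off system" policy shuts the machine down shortly after the event, collecting the log on the next boot (rather than expecting the user to report it) is the reliable way to see what triggered the shutdown.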
3.3.6 HP Sure Start Security Event Boot Notification
This BIOS policy setting controls whether HP Sure Start for AMD warnings and error messages that are displayed when the system
is booted require the local user to acknowledge the error before the boot continues. With the default Require Acknowledgement
setting, the system halts with the error message displayed. The local user must press a key to continue the boot. If changed to
Time out after 15 seconds, the message is displayed, but the boot process continues automatically after the message is displayed
for 15 seconds.
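Sections 3.3.3 through 3.3.6 each describe a BIOS policy with a recommended or default state, and the text makes clear that BIOS Setting Protection must not be enabled before an administrator password is set. The PowerShell script below is an added example, not HP's code or tooling, for auditing those policies from within Windows. It assumes the HP BIOS WMI provider (namespace `root\HP\InstrumentedBIOS`, classes `HP_BIOSEnumeration` and `HP_BIOSPassword`) is present, as it is on HP business PCs; the exact Sure Start setting names vary by model and are therefore matched by wildcard (the wildcard patterns and the `IsSet` property on `HP_BIOSPassword` are assumptions, so check them against a real machine).

```powershell
# Added example (not HP's code): audit HP Sure Start policy settings on an HP client.
# Assumptions: the HP BIOS WMI provider exists under root\HP\InstrumentedBIOS;
# setting names are model-specific and are matched by wildcard, not hard-coded.

function Get-HPBiosSetting {
    param([string]$NamePattern = '*')
    # Every enumerated BIOS setting with its current and possible values.
    Get-CimInstance -Namespace 'root\HP\InstrumentedBIOS' -ClassName HP_BIOSEnumeration -ErrorAction Stop |
        Where-Object { $_.Name -like $NamePattern } |
        Select-Object Name, CurrentValue, PossibleValues
}

function Test-BiosAdminPassword {
    # The whitepaper requires a BIOS setup administrator password before enabling
    # BIOS Setting Protection. Assumption: HP_BIOSPassword exposes an IsSet flag.
    $pw = Get-CimInstance -Namespace 'root\HP\InstrumentedBIOS' -ClassName HP_BIOSPassword -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*Setup*' }
    [bool]($pw -and $pw.IsSet)
}

function Test-SureStartPolicy {
    # Desired states taken from this whitepaper: BIOS Setting Protection should be
    # Enable once settings are finalised, and Secure Boot Keys Protection defaults to Enable.
    # Wildcard patterns are assumptions; adjust them to the setting names on your model.
    $desired = @{
        '*Sure Start*Setting*Protect*' = 'Enable'
        '*Sure Start*Secure Boot*Key*' = 'Enable'
    }
    foreach ($pattern in $desired.Keys) {
        foreach ($s in (Get-HPBiosSetting -NamePattern $pattern)) {
            [pscustomobject]@{
                Setting   = $s.Name
                Current   = $s.CurrentValue
                Desired   = $desired[$pattern]
                Compliant = ($s.CurrentValue -like "$($desired[$pattern])*")
            }
        }
    }
}

# 1. Precondition check: Setting Protection must not be enabled without a setup password.
if (-not (Test-BiosAdminPassword)) {
    Write-Warning 'No BIOS setup administrator password is set; do not enable BIOS Setting Protection yet.'
}

# 2. Inventory of every Sure Start related setting, then the compliance view.
Get-HPBiosSetting -NamePattern '*Sure Start*' | Format-Table -AutoSize
Test-SureStartPolicy | Format-Table -AutoSize
```

Run the inventory step first on one reference machine to learn the exact setting names and value strings the firmware reports, then tighten the wildcard patterns in `$desired` before rolling the check out fleet-wide. Note that once BIOS Setting Protection is enabled, the whitepaper states that settings cannot be changed locally or remotely, so remediation of a non-compliant finding has to follow the disable-with-password procedure in 3.3.3 rather than a direct write.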
3.3.7 Lock BIOS Version
In the (F10) BIOS setup, this feature is located in Main/Update System BIOS.
HP Notification Software must be installed to view HP Sure Start for AMD events in the Windows Event Viewer.
HP Notification Software must be installed to receive notifications.