HP PC Commercial BIOS (UEFI) Setup
July 2020 
919946-004 
© Copyright 2016-2020 HP Development Company, L.P. 
4 Security Menu
| Feature | Type | Description | Default | Notes |
|---|---|---|---|---|
| Sure Start Secure Boot Keys Protection | Setting | Saves backup copy of Secure Boot Keys so that they can be recovered if someone attempts to alter them in an unauthorized manner. | Checked | |
| Enhanced HP Firmware Runtime Intrusion Prevention and Detection | Setting | Monitors key areas of memory for corruption or attack, notifies user of attack (based on the settings in Sure Start Security Event Policy), and prevents the attack from taking place. NOTE: Only available on certain Intel systems. | Checked | |
| HP Firmware Runtime Intrusion Detection | Setting | Monitors key areas of memory for corruption or attack and notifies user of attack (based on the settings in Sure Start Security Event Policy). NOTE: Only available on certain AMD chipset systems 2016 or later. | Checked | |
| Sure Start Security Event Policy | Setting | Determines how to respond to a detected event: • Log the event in the audit log. • Log the event in the audit log and prompt the user to acknowledge the event. • Log the event in the audit log and power off the system. Prior to 2016: Not available | Log Event and notify user | |
| Sure Start Security Event Boot Notification | | Enable a warning message at boot screen if there is a Sure Start event (BIOS recovery, Memory intrusion, etc.) | Require Acknowledgment | |

4.5 Secure Boot Configuration Menu 
This submenu controls settings for the Secure Boot OS loader feature. 
Table 15  Secure Boot Menu features 
| Feature | Type | Description | Default | Notes |
|---|---|---|---|---|
| Secure Boot | Setting | When checked, this enables the Secure Boot capability. | Enable | |
| Import Custom Secure Boot keys | Setting | When checked and the system is rebooted, custom secure boot keys are imported from the EFI\HP directory on the hard drive or USB device. The custom keys consist of PK, KEK, DB, and Dbx .bin files. When import succeeds or fails, a preboot prompt shows the results for each key bin file. | Unchecked | Reboot Required |
| Clear Secure Boot Keys | One Time Action | When checked, clears the Secure Boot keys one time on next save and exit. This setting will be unchecked again when you return from exit. This action is not available when no imported keys are present. | Unchecked | Reboot Required |
| Reset Secure Boot keys to factory defaults | One Time Action | When checked, restores secure boot keys to factory defaults one time on next save and exit. This setting will be unchecked again when you return from exit. | Unchecked | Reboot Required |
| Enable MS UEFI CA key | Setting | When checked, the Microsoft (MS) UEFI Certificate Authority (CA) key is trusted by Secure Boot. NOTE: Uncheck this to support the Windows 10 Device Guard feature. | Checked | |










