BIOS-enabled security features in HP business notebooks - Technical white paper
Multiuser architecture in BIOS 
Multiuser architecture relies on role-based user groups. The BIOS can separate functions and access among these 
different user groups. The separation promotes higher security in the following ways: 
• Users no longer need to share passwords.
• BIOS administrators do not have to share setup passwords with users.
• BIOS administrators can assign granular control of setup features to users.
Currently the BIOS defines two user types. 
• BIOS Administrator—Privileges include management of other BIOS users, full access to f10 BIOS settings, and the ability to control f10 access of other users and unlock the system when other BIOS users fail the preboot authentication.
• BIOS User—Privileges include the ability to use an authentication password to boot the BIOS and access f10 BIOS settings as defined by the BIOS administrator.
Enabling BIOS preboot authentication 
Before a BIOS user can be provided with preboot authentication, a BIOS administrator password must be created. 
1.  Boot the system, and press f10 to enter the BIOS setup. 
2.  Select Setup BIOS Administrator Password from the Security menu. 
3.  Follow the prompts to create and confirm the new administrator password.  
The BIOS administrator sets up the BIOS user password as follows: 
1.  Boot the system, and then press f10 to enter the BIOS setup. 
2.  Select User Management from the Security menu. To add a BIOS user, select Create new BIOS User account.  
3.  Follow the steps on the screen to create the user ID, and then press Enter to continue. By default, the BIOS user 
password is the same as the BIOS user ID. For example, if the BIOS administrator creates a “user1” ID, then the 
default password is also “user1”. 
4.  Repeat the steps to create a BIOS User account for each new user. 
The BIOS will now prompt for a BIOS user password during boot. The BIOS user can change the default password as 
follows: 
1.  Boot the system, and then press f10 to enter the BIOS setup. 
2.  Select Change Password from the Security menu and follow prompts to change to a new password. 
NOTE: For maximum system protection, strong BIOS administrator and BIOS user passwords must be selected, and the 
BIOS administrator password must be different from the user password. 
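The default described in step 3 (password equal to the user ID) and the rules in the NOTE above can be checked against planned credentials before accounts are created. The following Python check is an added example, not HP code; the `audit` function, the account mapping and the 12-character minimum are assumptions made for illustration, since the paper does not define "strong".

```python
MIN_LENGTH = 12  # assumption: the paper asks for "strong" passwords but gives no number


def audit(admin_password, accounts):
    """Check planned BIOS credentials; accounts maps BIOS user ID -> password.

    Returns {name: [findings]} containing only the accounts that break a rule.
    """
    findings = {}

    def flag(name, message):
        findings.setdefault(name, []).append(message)

    if len(admin_password) < MIN_LENGTH:
        flag("<admin>", "administrator password is shorter than MIN_LENGTH")

    first_owner = {}  # password -> first user ID seen with it
    for user_id, password in accounts.items():
        if password == user_id:
            flag(user_id, "password is still the default (equals the user ID)")
        elif user_id.lower() in password.lower():
            flag(user_id, "password contains the user ID")
        if password == admin_password:
            flag(user_id, "password equals the BIOS administrator password")
        if len(password) < MIN_LENGTH:
            flag(user_id, "password is shorter than MIN_LENGTH")
        if password in first_owner:
            flag(user_id, "password is shared with " + first_owner[password])
        else:
            first_owner[password] = user_id
    return findings


# Constructed sample data, not taken from any real system.
SAMPLE_ADMIN = "correct-horse-battery-staple"
SAMPLE_ACCOUNTS = {
    "user1": "user1",                          # default never changed
    "user2": "correct-horse-battery-staple",   # same as the administrator's
    "user3": "violet-anchor-tundra-58",        # passes every check
    "user4": "violet-anchor-tundra-58",        # shared with user3
}

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_ADMIN, SAMPLE_ACCOUNTS).items():
        print(name, "->", "; ".join(problems))
```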
If an incorrect password is entered three times, the system prevents any further retries until the system is powered 
down and restarted. This feature further protects the system from unauthorized access by forcing the user to enter the 
password manually, thereby preventing dictionary attacks. Users can set up HP SpareKey to regain access if credentials 
are lost or forgotten. HP SpareKey allows users to answer a series of questions (established during the HP SpareKey 
enrollment process) to access their notebooks. See the Forgotten passwords section for more information about HP 
SpareKey. 
Preboot authentication using ProtectTools 
Another way to enable BIOS preboot authentication is to use ProtectTools Security Manager within Windows. The 
ProtectTools Security Manager wizard enables various security levels to protect the computer system and the data. 
ProtectTools users can set the following security levels: 
• Preboot Security—Protects the system before it boots to the OS. This ProtectTools function initiates the BIOS preboot authentication process.
• HP Drive Encryption—Protects computer data by encrypting the hard drive.









