HP Business Desktops BIOS
Securing startup 
The power-on password, user smart card, and TPM preboot authentication function as user 
authentication and boot access control mechanisms. If a power-on password is set, or smart card or TPM 
preboot authentication is established, the user is prompted for the password or smart card 
on each startup and optionally on each restart. The startup process halts if the correct password or 
smart card is not supplied. TPM preboot authentication uses the TPM user credential (a passphrase) to 
authenticate the user. 
Device boot control is a series of settings that control which devices can be booted and in what order. 
This feature is important to prevent subversion of the installed OS as described earlier. The settings in 
this category are 
1.  Network Service Boot (enable/disable) 
2.  Removable Media Boot (enable/disable) 
3.  Remote Wake Boot Source (controls which device will boot on wakeup) 
4.  Boot Order (controls which devices can be booted and in what order) 
5.  USB port and mass storage controller disable (mentioned earlier) 
6.  DriveLock 
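The settings above are only useful if they are actually set the hardened way on every machine. The following is an added audit example, not an HP tool and not code from this document: it reads a text export of BIOS settings and compares the device boot control entries against a baseline. The export layout (a setting name on its own line, indented option lines, a leading asterisk on the active option) and the setting name "USB Ports" are assumptions; "Network Service Boot", "Removable Media Boot" and "Boot Order" are the names used on this page, and the export text itself is constructed.

```python
"""Audit BIOS device-boot-control settings against a hardened baseline.

Added example, not HP's own tool. The export format (name line, indented
options, '*' on the active option) is an assumption, and SAMPLE_EXPORT is
constructed, not captured from a real system.
"""

# Constructed sample export; '*' marks the currently selected option.
SAMPLE_EXPORT = """\
BIOSConfig 1.0
Network Service Boot
\tEnable
\t*Disable
Removable Media Boot
\t*Enable
\tDisable
USB Ports
\t*Enable
\tDisable
Boot Order
\tHard Drive
\tUSB device
\tNetwork controller
"""

# Hardened baseline for the "device boot control" category. The setting
# name "USB Ports" is assumed; the other two names come from the document.
BASELINE = {
    "Network Service Boot": "Disable",
    "Removable Media Boot": "Disable",
    "USB Ports": "Disable",
}


def parse_export(text):
    """Return {setting name: [option lines]} from an export in the assumed format."""
    settings = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("BIOSConfig") or line.startswith(";"):
            continue
        if line[0] in " \t":
            if current is None:
                raise ValueError("option line before any setting name: %r" % line)
            settings[current].append(line.strip())
        else:
            current = line.strip()
            settings[current] = []
    return settings


def selected(options):
    """Return the option marked with '*', or None if nothing is marked."""
    for opt in options:
        if opt.startswith("*"):
            return opt[1:]
    return None


def audit(text, baseline=BASELINE, first_boot="Hard Drive"):
    """Return a list of human-readable findings; an empty list means compliant.

    Enable/disable settings must match the baseline exactly, and the first
    entry of the ordered Boot Order list must be the expected device, so a
    removable or network device cannot pre-empt the installed OS.
    """
    settings = parse_export(text)
    findings = []
    for name, want in baseline.items():
        opts = settings.get(name)
        if opts is None:
            findings.append("%s: not present in export" % name)
            continue
        have = selected(opts)
        if have != want:
            findings.append("%s: is %r, baseline requires %r" % (name, have, want))
    order = settings.get("Boot Order", [])
    if order and order[0] != first_boot:
        findings.append("Boot Order: first device is %r, expected %r" % (order[0], first_boot))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("FINDING:", finding)
```

Run against the constructed export, the audit reports two findings (Removable Media Boot and USB Ports still enabled) and accepts the boot order because the hard drive is listed first.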
Securing portable data 
Computers that contain mobile technology hard disk drives used in MultiBay slots can protect the data 
on those drives with a DriveLock password. The password is stored on the drive and the drive 
firmware controls access so that the DriveLock security goes with the drive, not the platform. Each time 
the computer is restarted, the drive will remain inaccessible until the DriveLock password is provided. 
This drive locking mechanism is an industry standard (ATA-5). 
It is recommended that the system administrator establish a master DriveLock password on each drive 
and then allow the user to establish the user DriveLock password. This is the only way to recover a 
drive if the DriveLock password is lost. The master DriveLock password provides a mechanism to clear 
the user DriveLock password, if it is forgotten. Otherwise, the drive is rendered useless and 
all data will be lost. 
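Because DriveLock is the ATA security feature set, its state can be inspected from any OS that exposes ATA identify data; on Linux, `hdparm -I /dev/sdX` prints a "Security:" section. The following is an added example, not part of this document and not HP code: it parses that section and classifies a drive for a DriveLock audit, including whether the factory-default master password is still in place (the ATA standard signals the default master password with revision code 65534, i.e. FFFEh), which matters for the recovery recommendation above. The two sample outputs are constructed to mirror the hdparm layout and are not captured from real drives; the model name is a placeholder.

```python
"""Classify a drive's ATA security (DriveLock) state from `hdparm -I` output.

Added example; the sample texts are constructed, not real hdparm captures.
"""
import re

# Constructed sample: security supported, no user password set, default master.
SAMPLE_UNPROTECTED = """\
/dev/sda:

ATA device, with non-removable media
\tModel Number:       EXAMPLE-DRIVE-PLACEHOLDER
Security: 
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
"""

# Constructed sample: DriveLock enabled, drive still locked, custom master set.
SAMPLE_LOCKED = """\
Security: 
\tMaster password revision code = 1
\t\tsupported
\t\tenabled
\t\tlocked
\tnot\tfrozen
\tnot\texpired: security count
Checksum: correct
"""

FLAGS = ("supported", "enabled", "locked", "frozen")
DEFAULT_MASTER_REVISION = 65534  # FFFEh: factory master password still in place


def parse_security(text):
    """Return {flag: bool or None, "master_revision": int or None}.

    Raises ValueError when the output has no Security section (a drive or
    bridge that does not expose the ATA security feature set).
    """
    lines = text.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if l.strip().startswith("Security:"))
    except StopIteration:
        raise ValueError("no Security section in hdparm output")
    state = {flag: None for flag in FLAGS}
    state["master_revision"] = None
    for line in lines[start + 1:]:
        if line and not line[0].isspace():
            break  # reached the next top-level section
        stripped = line.strip()
        m = re.match(r"Master password revision code = (\d+)", stripped)
        if m:
            state["master_revision"] = int(m.group(1))
            continue
        # Flag lines read "not<tab>enabled" (false) or "enabled" (true).
        negated = stripped.startswith("not")
        word = stripped[3:].strip() if negated else stripped
        word = word.split(":")[0].split()[0] if word else ""
        if word in FLAGS:
            state[word] = not negated
    return state


def assess(text):
    """Return one of: unsupported, locked, protected, frozen-unprotected, unprotected."""
    s = parse_security(text)
    if not s["supported"]:
        return "unsupported"
    if s["enabled"] and s["locked"]:
        return "locked"        # password not yet supplied this power cycle
    if s["enabled"]:
        return "protected"     # DriveLock set and unlocked
    if s["frozen"]:
        return "frozen-unprotected"  # cannot set a password until the next power cycle
    return "unprotected"


def default_master_password(text):
    """True if the drive still carries the factory-default master password."""
    return parse_security(text)["master_revision"] == DEFAULT_MASTER_REVISION


if __name__ == "__main__":
    for name, sample in (("unprotected", SAMPLE_UNPROTECTED), ("locked", SAMPLE_LOCKED)):
        print(name, assess(sample), "default master:", default_master_password(sample))
```

An "unprotected" drive with the default master password is the case the recommendation above warns about: no administrator recovery path exists yet, so the master password should be set before the user is allowed to set theirs.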
As a convenience to the user, the DriveLock password and power-on password (or smart card 
credentials) can be set to match. In this case, the BIOS uses the power-on password or smart card 
credential to unlock the drive for the user without additional prompts. For the sake of security, no 
copy of the DriveLock password is permanently stored in any fashion in the BIOS. Of course, if the 
power-on password and DriveLock password are set to match, then an encrypted version of the 
DriveLock password is effectively contained in the BIOS, since the power-on password is stored in the BIOS flash 
memory. For this reason some users may choose to make their DriveLock password different from the 
power-on password. 
Smart cards 
Using smart cards for user or administrator preboot authentication provides one of two benefits: ease 
of use or multifactor authentication. In addition, the same smart card can hold OS user credentials. 
If the administrator has enabled the use of smart cards in BIOS setup, the smart card replaces the 
typed-in passwords. BIOS administrator authentication and user authentication are handled with two 
separate smart cards: the user smart card and the administrator smart card. If smart cards are 
enabled, the administrator smart card must be enabled first. After enabling the administrator smart 
card, enabling the user smart card is optional. 
When enabling the smart cards, the administrator has the choice of enabling multifactor 
authentication, which requires a PIN (Personal Identification Number, a 4- to 10-digit number 
required to enable smart card access), or single-factor authentication, which does not require a PIN. 
Single-factor authentication is more convenient (only requires possession of the card), while multifactor 
authentication is more secure (requires possession of the card and knowledge of the PIN). If single-