TPM 2.0 Security

Trusted Platform Module (TPM) is a security device that stores computer-generated keys for encryption and for features such as BitLocker, Virtual Secure Mode, and remote attestation.
By default, the TPM 2.0 Security option is enabled.
For additional security, Dell Technologies recommends keeping the Trusted Platform Module (TPM) enabled to allow these security technologies to fully function.

TPM 2.0 Security On

Enables or disables the TPM.
By default, the TPM 2.0 Security On option is enabled.
For additional security, Dell Technologies recommends keeping the TPM enabled to allow these security technologies to fully function.

Attestation Enable

The Attestation Enable option controls the endorsement hierarchy of the TPM. Disabling the Attestation Enable option prevents the TPM from being used to digitally sign certificates.
By default, the Attestation Enable option is enabled.
For additional security, Dell Technologies recommends keeping the Attestation Enable option enabled.
NOTE: When disabled, this feature may cause compatibility issues or loss of functionality in some operating systems.

Key Storage Enable

The Key Storage Enable option controls the storage hierarchy of the TPM, which is used to store digital keys. Disabling the Key Storage Enable option restricts the ability of the TPM to store the owner's data.
By default, the Key Storage Enable option is enabled.
For additional security, Dell Technologies recommends keeping the Key Storage Enable option enabled.
NOTE: When disabled, this feature may cause compatibility issues or loss of functionality in some operating systems.

SHA-256

Allows you to control the use of SHA-256 by the TPM. When enabled, the BIOS and TPM use the SHA-256 hash algorithm to extend measurements into the TPM PCRs during BIOS boot. When disabled, the BIOS and TPM use the SHA-1 hash algorithm to extend measurements into the TPM PCRs during BIOS boot.
By default, the SHA-256 option is enabled.
For additional security, Dell Technologies recommends keeping the SHA-256 option enabled.

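The SHA-256 setting above decides which PCR bank the firmware extends measurements into. The following Python is an added example, not Dell's code or anything from the BIOS: it replays a constructed measured-boot event log into PCRs for both the SHA-1 and SHA-256 banks using the TPM extend rule PCR_new = H(PCR_old || H(event)), and then checks a reported PCR set against that replay, which is the core of the remote attestation mentioned under TPM 2.0 Security. The event log, PCR indices and event strings are constructed for illustration. Because practical SHA-1 collisions have been demonstrated, a verifier should base its decision on the SHA-256 bank, which is why the recommendation is to keep this option enabled.

```python
import hashlib

# Hash algorithm for each PCR bank. The SHA-256 BIOS setting decides which
# bank the firmware extends into; both are shown so the difference is visible.
BANKS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}

# Constructed sample event log (not captured from any real machine):
# (pcr_index, event_data). A real TCG event log also records event types
# and already-hashed digests; here the event data is hashed in replay().
SAMPLE_LOG = [
    (0, b"S-CRTM version string (constructed)"),
    (0, b"BIOS firmware volume (constructed)"),
    (7, b"SecureBoot variable = 1 (constructed)"),
    (7, b"db entry: placeholder vendor CA (constructed)"),
]


def extend(pcr_value: bytes, event_digest: bytes, bank: str) -> bytes:
    """One PCR extend step: PCR_new = H(PCR_old || event_digest)."""
    return BANKS[bank](pcr_value + event_digest).digest()


def replay(log, bank: str) -> dict:
    """Replay an event log into PCR values for one bank; returns {index: hex}."""
    h = BANKS[bank]
    size = h().digest_size
    pcrs = {}
    for index, event in log:
        # PCRs 0-16 reset to all zeros at power-on; their width is the
        # digest size of the bank (20 bytes for SHA-1, 32 for SHA-256).
        current = pcrs.get(index, bytes(size))
        pcrs[index] = extend(current, h(event).digest(), bank)
    return {i: v.hex() for i, v in pcrs.items()}


def matches(reported: dict, log, bank: str) -> bool:
    """Attestation check: do the PCRs a TPM reported match a replay of the log?"""
    return replay(log, bank) == reported


if __name__ == "__main__":
    for bank in BANKS:
        print(bank, replay(SAMPLE_LOG, bank))
    # A log with one altered firmware measurement no longer reproduces
    # the reported values, so the verifier rejects it.
    tampered = list(SAMPLE_LOG)
    tampered[1] = (0, b"BIOS firmware volume (modified)")
    print("tampered log matches:", matches(replay(SAMPLE_LOG, "sha256"), tampered, "sha256"))
```

The replay is order-sensitive by construction: swapping two events in the same PCR yields a different final value, which is what lets a verifier detect not only a changed component but a changed boot sequence.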
Clear

When enabled, the Clear option clears the information that is stored in the TPM after exiting the system BIOS. This option returns to the disabled state when the computer restarts.
By default, the Clear option is disabled.
Dell Technologies recommends enabling the Clear option only when TPM data must be cleared.

Physical Presence Interface (PPI) Bypass for Clear Command

The PPI Bypass for Clear Command option allows the operating system to manage certain aspects of PTT. When enabled, you are not prompted to confirm changes to the PTT configuration.
By default, the PPI Bypass for Clear Command option is disabled.
For additional security, Dell Technologies recommends keeping the PPI Bypass for Clear Command option disabled.

Intel Total Memory Encryption

Multi-Key Total Memory Encryption (Up to 16 keys)

Enables or disables the processor's memory encryption feature.
By default, the Intel Total Memory Encryption option is disabled.

Chassis Intrusion

Chassis Intrusion

Enables or disables the detection of chassis intrusion events. This feature notifies the user when the base cover has been removed from the computer.
When set to Enabled, a notification is displayed on the next boot and the event is logged in the BIOS Events log.
When set to Disabled, no notification is displayed and no event is logged in the BIOS Events log.
When set to On-Silent, the event is logged in the BIOS Events log, but no notification is displayed.
By default, the Chassis Intrusion Detection option is disabled.
For additional security, Dell Technologies recommends keeping the Chassis Intrusion option enabled.

Block Boot Until Cleared

The Block Boot Until Cleared option is enabled when Chassis Intrusion is enabled. When enabled, the computer does not boot until the chassis intrusion is cleared.

Clear Intrusion Warning

The Clear Intrusion Warning option appears only after chassis intrusion is enabled and has been tripped.
By default, the Clear Intrusion Warning option is disabled.

SMM Security Mitigation

Enables or disables additional UEFI SMM Security Mitigation protections. This option uses the Windows SMM Security Mitigations Table (WSMT) to confirm to the operating system that security best practices have been implemented by the UEFI firmware.
By default, the SMM Security Mitigation option is enabled.
For additional security, Dell Technologies recommends keeping the SMM Security Mitigation option enabled unless you have a specific application that is not compatible with it.
NOTE: This feature may cause compatibility issues or loss of functionality with some legacy tools and applications.

Data Wipe on Next Boot

Start Data Wipe

Data Wipe is a secure wipe operation that deletes information from a storage device.
CAUTION: The Secure Data Wipe operation erases information in a way that it cannot be reconstructed.
Commands such as delete and format in the operating system may stop files from showing up in the file system, but the files can still be reconstructed through forensic means because they are still represented on the physical media. Data Wipe prevents this reconstruction; wiped data is not recoverable.
When enabled, the BIOS queues a data wipe cycle for the storage devices that are connected to the motherboard on the next reboot.
By default, the Start Data Wipe option is disabled.

Absolute

Absolute Software provides various cyber security solutions, some of which require software preloaded on Dell computers and integrated into the BIOS. To use these features, you must enable the Absolute BIOS setting and contact Absolute for configuration and activation.
By default, the Absolute option is enabled.
For additional security, Dell Technologies recommends keeping the Absolute option enabled.
WARNING: The Permanently Disabled option can only be selected once. When Permanently Disabled is selected, Absolute Persistence cannot be re-enabled. No further changes to the Enable/Disable states are allowed.
NOTE: The Enable/Disable options are unavailable while the computer is in the activated state.
NOTE: When the Absolute features are activated, the Absolute integration cannot be disabled from the BIOS Setup screen.

UEFI Boot Path Security

Controls whether the computer prompts the user to enter the Administrator password (if set) when booting to a UEFI boot path device from the F12 boot menu.
By default, the Always Except Internal HDD option is enabled.

Firmware Device Tamper Detection

Allows you to control the firmware device tamper detection feature. This feature notifies the user when the firmware device has been tampered with. When enabled, a warning message is displayed on screen and a tamper detection event is logged in the BIOS Events log. The computer does not reboot until the event is cleared.
By default, the Firmware Device Tamper Detection option is enabled.
For additional security, Dell Technologies recommends keeping the Firmware Device Tamper Detection option enabled.

Clear Firmware Device Tamper Detection

Allows you to clear the events that are logged when tampering of the firmware device is detected.
By default, the Clear Firmware Device Tamper Detection option is disabled.