Trusted Platform Module (TPM)

Trusted Platform Module (TPM) is a security device that stores computer-generated keys used for encryption and for features such as BitLocker, Virtual Secure Mode, and remote attestation.
By default, the Trusted Platform Module (TPM) option is enabled.
For additional security, Dell Technologies recommends keeping Trusted Platform Module (TPM) enabled to allow these security technologies to fully function.

TPM On

Allows you to enable or disable TPM.
By default, the TPM On option is enabled.
For additional security, Dell Technologies recommends keeping TPM enabled to allow the security technologies that depend on it to fully function.

Physical Presence Interface (PPI) Bypass for Enable Commands

The Physical Presence Interface (PPI) Bypass options can be used to allow the operating system to manage certain aspects of the TPM. If these options are enabled, you are not prompted to confirm certain changes to the TPM configuration.
By default, the PPI Bypass for Enable Commands option is enabled.
For additional security, Dell Technologies recommends keeping the PPI Bypass for Enable Commands option enabled.

Physical Presence Interface (PPI) Bypass for Disable Commands

By default, the PPI Bypass for Disable Commands option is disabled.
For additional security, Dell Technologies recommends keeping the PPI Bypass for Disable Commands option disabled.

Physical Presence Interface (PPI) Bypass for Clear Commands

By default, the PPI Bypass for Clear Commands option is disabled.
For additional security, Dell Technologies recommends keeping the PPI Bypass for Clear Commands option disabled.

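As an added example (not Dell's or the Linux kernel's code), this Python script reads the table of PPI operations that the Linux tpm_ppi driver exposes and reports clear-type operations the operating system could request without a physical-presence prompt, which is the state the PPI Bypass for Clear Commands option (for TPM here, and for PTT later on this page) permits when enabled. The sysfs path and the TCG PPI operation numbers are assumptions taken from the kernel driver and the TCG PPI specification, and the sample file contents are constructed.

```python
import re
from pathlib import Path

# Path of the Linux tpm_ppi sysfs table (assumed; adjust for your kernel).
TCG_OPERATIONS_PATH = Path("/sys/class/tpm/tpm0/ppi/tcg_operations")

# Constructed sample of that file's contents, one line per PPI operation:
# "<operation> <status>: <text>". Status 3 = a physically present user must
# confirm the operation, 4 = the firmware runs it with no confirmation.
SAMPLE_TCG_OPERATIONS = """\
0 0: Not implemented
1 4: User not required
2 3: User required
5 4: User not required
14 3: User required
21 4: User not required
23 3: User required
"""

USER_NOT_REQUIRED = 4

# TCG PPI operation numbers that clear the TPM (assumed from the PPI spec):
# 5 = Clear, 14 = Clear + Enable + Activate, 21 and 22 = Enable + Activate +
# Clear variants.
CLEAR_OPS = {5, 14, 21, 22}


def parse_tcg_operations(text: str) -> dict:
    """Map operation number -> status code; lines without two leading integers are ignored."""
    ops = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)", line)
        if m:
            ops[int(m.group(1))] = int(m.group(2))
    return ops


def clear_without_presence(ops: dict) -> set:
    """Clear-type operations the OS could request without a physical-presence prompt."""
    return {op for op in CLEAR_OPS if ops.get(op) == USER_NOT_REQUIRED}


def audit(text: str) -> list:
    """Findings for one tcg_operations table; an empty list means every clear needs confirmation."""
    ops = parse_tcg_operations(text)
    return [f"PPI operation {op} clears the TPM without user confirmation"
            for op in sorted(clear_without_presence(ops))]


if __name__ == "__main__":
    text = TCG_OPERATIONS_PATH.read_text() if TCG_OPERATIONS_PATH.exists() else SAMPLE_TCG_OPERATIONS
    print("\n".join(audit(text) or ["every clear operation requires physical presence"]))
```

With the BIOS option left at its recommended setting (disabled), the clear operations should report status 3 and the audit returns no findings.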
Attestation Enable

The Attestation Enable option controls the endorsement hierarchy of the TPM. Disabling the Attestation Enable option prevents the TPM from being used to digitally sign certificates.
By default, the Attestation Enable option is enabled.
For additional security, Dell Technologies recommends keeping the Attestation Enable option enabled.
NOTE: When disabled, this feature may cause compatibility issues or loss of functionality in some operating systems.

Key Storage Enable

The Key Storage Enable option controls the storage hierarchy of the TPM, which is used to store digital keys. Disabling the Key Storage Enable option restricts the ability of the TPM to store the owner's data.
By default, the Key Storage Enable option is enabled.
For additional security, Dell Technologies recommends keeping the Key Storage Enable option enabled.
NOTE: When disabled, this feature may cause compatibility issues or loss of functionality in some operating systems.

SHA-256

Allows you to control the usage of SHA-256 by the TPM. When enabled, the BIOS and TPM use the SHA-256 hash algorithm to extend measurements into the TPM PCRs during BIOS boot. When disabled, the BIOS and TPM use the SHA-1 hash algorithm to extend measurements into the TPM PCRs during BIOS boot.
By default, the SHA-256 option is enabled.
For additional security, Dell Technologies recommends keeping the SHA-256 option enabled.

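The PCR extend operation whose hash algorithm this option selects, as an added Python example (not Dell's code): it replays a boot event log into a SHA-256 or SHA-1 PCR bank and checks the result against the PCR values a device reports, which is the comparison a remote attestation verifier performs. The event log, its event types and the measured bytes are constructed for illustration.

```python
import hashlib

# Constructed sample boot event log: (PCR index, event type, measured bytes).
# The values are made up for this illustration, not captured from a real system.
SAMPLE_EVENTS = [
    (0, "EV_S_CRTM_VERSION", b"example CRTM version 1.0"),
    (0, "EV_POST_CODE", b"example BIOS image"),
    (7, "EV_EFI_VARIABLE_DRIVER_CONFIG", b"SecureBoot=1"),
]


def pcr_extend(pcr: bytes, digest: bytes, algo: str) -> bytes:
    """One TPM extend step: PCR_new = H(PCR_old || digest)."""
    return hashlib.new(algo, pcr + digest).digest()


def replay_log(events, algo: str) -> dict:
    """Replay an event log into one PCR bank.

    algo is "sha256" (the SHA-256 option enabled) or "sha1" (disabled).
    Each PCR starts as zero bytes of the digest size; every event, in
    order, extends its PCR with H(measured bytes). Order matters: the same
    events in a different sequence give a different PCR value.
    """
    size = hashlib.new(algo).digest_size
    pcrs = {}
    for index, _event_type, data in events:
        digest = hashlib.new(algo, data).digest()
        pcrs[index] = pcr_extend(pcrs.get(index, b"\x00" * size), digest, algo)
    return pcrs


def log_matches_pcrs(events, reported: dict, algo: str) -> bool:
    """Verifier-side check: does the log replay to the PCR values the device
    reported (for example in a TPM quote)? A mismatch means the log does not
    describe the boot that actually happened. SHA-1 is collision-weakened,
    so a verifier should insist on the SHA-256 bank for this comparison."""
    replayed = replay_log(events, algo)
    return all(replayed.get(i) == v for i, v in reported.items())


if __name__ == "__main__":
    for algo in ("sha256", "sha1"):
        print(algo, {i: v.hex() for i, v in replay_log(SAMPLE_EVENTS, algo).items()})
    # A different BIOS image changes PCR 0, so the tampered log no longer
    # matches the PCR values from the genuine boot.
    tampered = [(i, t, b"different BIOS image" if t == "EV_POST_CODE" else d)
                for i, t, d in SAMPLE_EVENTS]
    genuine = replay_log(SAMPLE_EVENTS, "sha256")
    print("tampered log matches:", log_matches_pcrs(tampered, genuine, "sha256"))
```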
Clear

When enabled, the Clear option clears the information stored in the TPM after exiting the system's BIOS. This option returns to the disabled state when the system restarts.
By default, the Clear option is disabled.
Dell Technologies recommends enabling the Clear option only when TPM data is required to be cleared.

TPM State

Enables or disables the Trusted Platform Module (TPM). This is the normal operating state for the Trusted Platform Module (TPM) when you want to use its complete array of capabilities.
By default, the TPM State option is enabled.

Intel Platform Trust Technology (PTT)

Intel PTT is a firmware-based Trusted Platform Module (fTPM) device that is part of Intel chipsets. It provides credential storage and key management that can replace the equivalent functionality of a discrete TPM chip.

PTT On

Enables or disables the Intel PTT option.
By default, the PTT On option is enabled.
For additional security, Dell Technologies recommends keeping the PTT On option enabled.

Physical Presence Interface (PPI) Bypass for Clear Commands

The PPI Bypass for Clear Commands option allows the operating system to manage certain aspects of PTT. When enabled, you are not prompted to confirm changes to the PTT configuration.
By default, the PPI Bypass for Clear Commands option is disabled.
For additional security, Dell Technologies recommends keeping the PPI Bypass for Clear Commands option disabled.

Clear

When enabled, the Clear option clears the information stored in the PTT fTPM after exiting the system's BIOS. This option returns to the disabled state when the system restarts.
By default, the Clear option is disabled.
Dell Technologies recommends enabling the Clear option only when PTT fTPM data needs to be cleared.

Chassis intrusion

Chassis Intrusion Detection

Allows you to control the chassis intrusion feature. This feature notifies the user when the base cover has been removed from the computer.
When set to Enabled, a notification is displayed on the next boot and the event is logged in the BIOS Events log.
When set to On-Silent, the event is logged in the BIOS Events log, but no notification is displayed.
When set to Disabled, no notification is displayed and no event is logged in the BIOS Events log.
By default, the Chassis Intrusion Detection option is enabled.
For additional security, Dell Technologies recommends keeping the Chassis Intrusion Detection option enabled.

Block Boot Until Cleared

Enables or disables the Block Boot Until Cleared option.
By default, the Block Boot Until Cleared option is enabled.
NOTE: When enabled, the computer does not boot until the chassis intrusion is cleared. If the administrator password is set, Setup has to be unlocked before the warning can be cleared.

Legacy Manageability Interface Access

Allows the administrator to control access to the BIOS configuration through the Legacy Manageability Interface option. When enabled, this prevents the BIOS Administrator password-based manageability tools from running, prevents some Dell software applications from reading configuration settings, and/or prevents changes to the BIOS configuration settings.
When enabled, this option only supports the Authenticated BIOS Manageability Interface (ABI) for managing BIOS configuration changes. To support this feature, ABI must be enabled and provisioned.
When set to Enabled, the Legacy Manageability Interface can be used to read and change BIOS configuration settings.
When set to Read-Only, BIOS configuration settings can be read, but cannot be changed through the Legacy Manageability Interface.
When set to Disabled, the Legacy Manageability Interface is disabled. BIOS configuration reads and writes are blocked.

SMM Security Mitigation

Enables or disables additional UEFI SMM Security Mitigation protections. This option uses the Windows SMM Security Mitigations Table (WSMT) to confirm to the operating system that security best practices have been implemented by the UEFI firmware.
By default, the SMM Security Mitigation option is enabled.
For additional security, Dell Technologies recommends keeping the SMM Security Mitigation option enabled unless you have a specific application which is not compatible.
NOTE: This feature may cause compatibility issues or loss of functionality with some legacy tools and applications.

Data Wipe on Next Boot

Start Data Wipe

CAUTION: The Secure Data Wipe operation deletes information in such a way that it cannot be reconstructed.
Commands such as delete and format in the operating system may remove files from the file system listing, but the files can be reconstructed through forensic means because their data is still present on the physical media. Data Wipe prevents this reconstruction; wiped data is not recoverable.
When enabled, the BIOS queues a data wipe cycle for the storage devices connected to the motherboard on the next reboot.
By default, the Start Data Wipe option is disabled.

Absolute

Enables, disables, or permanently disables the BIOS module interface of the optional Absolute Persistence Module service from Absolute Software.
By default, the Absolute option is enabled.
For additional security, Dell Technologies recommends keeping the Absolute option enabled.
WARNING: The 'Permanently Disabled' option can only be selected once. When 'Permanently Disabled' is selected, Absolute Persistence cannot be re-enabled. No further changes to the Enable/Disable states are allowed.
NOTE: The Enable/Disable options are unavailable while the computer is in the activated state.
NOTE: When the Absolute features are activated, the Absolute integration cannot be disabled from the BIOS setup screen.

UEFI Boot Path Security

Controls whether the computer prompts the user to enter the Administrator password (if set) when booting to a UEFI boot path device from the F12 boot menu.
By default, the Always Except Internal HDD option is enabled.

Firmware Device Tamper Detection

Allows you to control the firmware device tamper detection feature. This feature notifies the user when the firmware device has been tampered with. When enabled, an on-screen warning message is displayed on the computer and a tamper detection event is logged in the BIOS Events log. The computer does not boot until the event is cleared.
By default, the Firmware Device Tamper Detection option is enabled.
For additional security, Dell Technologies recommends keeping the Firmware Device Tamper Detection option enabled.