Owners Manual
Option: Description

[continued from previous page] fields if the TPM Status field is set to either On with Pre-boot Measurements or On without Pre-boot Measurements.

TPM Information: Changes the operational state of the TPM. This option is set to No Change by default.

TPM Status: Specifies the TPM status.

TPM Command: Clears all the contents of the TPM. The TPM Clear option is set to No by default.
CAUTION: Clearing the TPM results in the loss of all keys in the TPM. The loss of TPM keys may affect booting to the operating system.

Intel TXT: Enables or disables the Intel Trusted Execution Technology (TXT) option. To enable the Intel TXT option, virtualization technology and TPM Security must be enabled with Pre-boot measurements. This option is set to Off by default.

Power Button: Enables or disables the power button on the front of the system. This option is set to Enabled by default.

AC Power Recovery: Sets how the system behaves after AC power is restored to the system. This option is set to Last by default.

AC Power Recovery Delay: Sets the time delay for the system to power up after AC power is restored to the system. This option is set to Immediate by default.

User Defined Delay (60 s to 240 s): Sets the User Defined Delay option when the User Defined option for AC Power Recovery Delay is selected.

UEFI Variable Access: Provides varying degrees of securing UEFI variables. When set to Standard (the default), UEFI variables are accessible in the operating system per the UEFI specification. When set to Controlled, selected UEFI variables are protected in the environment and new UEFI boot entries are forced to be at the end of the current boot order.

Secure ME PCI Cfg Space: Enabling this setting hides the PCI configuration space for the Management Engine (ME) HECI devices.

Secure Boot: Enables Secure Boot, where the BIOS authenticates each pre-boot image by using the certificates in the Secure Boot Policy. Secure Boot is disabled by default.

Secure Boot Policy: When Secure Boot policy is set to Standard, the BIOS uses the system manufacturer’s key and certificates to authenticate pre-boot images. When Secure Boot policy is set to Custom, the BIOS uses the user-defined key and certificates. Secure Boot policy is set to Standard by default.

Secure Boot Mode: Configures how the BIOS uses the Secure Boot Policy Objects (PK, KEK, db, dbx).
• User Mode: In User Mode, PK must be installed, and the BIOS performs signature verification on programmatic attempts to update policy objects. The BIOS allows unauthenticated programmatic transitions between modes.
• Audit Mode: In Audit Mode, PK is not present. The BIOS does not authenticate programmatic updates to the policy objects, or transitions between modes. Audit Mode is useful for programmatically determining a working set of policy objects. The BIOS performs signature verification on pre-boot images and logs the results in the Image Execution Information Table, but executes the images whether they pass or fail verification.
• Deployed Mode: Deployed Mode is the most secure mode. In Deployed Mode, PK must be installed and the BIOS performs signature verification on programmatic attempts to update policy objects. Deployed Mode restricts the programmatic mode transitions.

Secure Boot Policy Summary: Specifies the list of certificates and hashes that Secure Boot uses to authenticate images.
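The Secure Boot Mode setting above is visible from a running operating system, because the firmware publishes it through the UEFI global variables SetupMode, AuditMode and DeployedMode (alongside SecureBoot and PK). The following is an added example, not code from the manual or from the system vendor: it reads those variables from the Linux efivarfs mount, maps them to the User, Audit and Deployed modes described in the table (plus the Setup mode that precedes PK installation), and cross-checks the result against the rule that User and Deployed mode require a PK while Audit mode has none. The efivarfs path, the 4-byte attribute header and the variable GUID are from the UEFI specification and the Linux efivarfs interface; the sample variable tree built by `build_sample_efivars` is constructed data, and the 16 zero bytes used as a PK stand-in are a placeholder, not a real signature list.

```python
"""Read the UEFI Secure Boot mode that a Linux system sees in efivarfs.

Added example (not from the Dell manual). It maps the UEFI global variables
SecureBoot, SetupMode, AuditMode and DeployedMode (EFI_GLOBAL_VARIABLE GUID
8be4df61-93ca-11d2-aa0d-00e098032b8c) to the Setup / Audit / User / Deployed
modes and cross-checks the result against whether a PK is installed.
"""
import tempfile
from pathlib import Path

EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")
MODE_VARS = ("SecureBoot", "SetupMode", "AuditMode", "DeployedMode")
# efivarfs attribute bits; used only to build the constructed sample tree below
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4


def read_efivar(name, efivars_dir=EFIVARS_DIR):
    """Return a global variable's payload, or None when the variable is absent."""
    path = Path(efivars_dir) / f"{name}-{EFI_GLOBAL_VARIABLE}"
    if not path.is_file():
        return None
    # efivarfs prefixes the payload with a 4-byte little-endian attribute mask
    return path.read_bytes()[4:]


def classify(values, pk_installed):
    """values maps each MODE_VARS name to 0, 1 or None (variable absent).

    Mode table from the UEFI specification (2.5 and later):
      Setup     SetupMode=1, AuditMode=0      no PK, no enforcement
      Audit     SetupMode=1, AuditMode=1      no PK, images verified and logged only
      User      SetupMode=0, DeployedMode=0   PK installed, mode transitions allowed
      Deployed  SetupMode=0, DeployedMode=1   PK installed, mode transitions restricted
    Pre-2.5 firmware publishes neither AuditMode nor DeployedMode; a missing
    variable is treated as 0, so such systems classify as Setup or User.
    """
    setup = values.get("SetupMode")
    if setup is None:
        return {"mode": "unknown", "enforcing": False,
                "pk_installed": pk_installed, "consistent": False}
    if setup == 1:
        mode = "Audit" if (values.get("AuditMode") or 0) == 1 else "Setup"
    else:
        mode = "Deployed" if (values.get("DeployedMode") or 0) == 1 else "User"
    # User and Deployed mode require a PK; Setup and Audit mode mean no PK is present
    consistent = pk_installed == (mode in ("User", "Deployed"))
    return {"mode": mode, "enforcing": values.get("SecureBoot") == 1,
            "pk_installed": pk_installed, "consistent": consistent}


def read_state(efivars_dir=EFIVARS_DIR):
    """Collect the mode variables and PK presence from an efivars directory."""
    values = {}
    for name in MODE_VARS:
        data = read_efivar(name, efivars_dir)
        values[name] = data[0] if data else None
    pk = read_efivar("PK", efivars_dir)
    return classify(values, pk_installed=bool(pk))


def build_sample_efivars(**variables):
    """Write a constructed efivars tree into a temp dir (sample data, not captured
    from a real system): int values become a one-byte payload, bytes are written as-is."""
    d = Path(tempfile.mkdtemp(prefix="efivars-sample-"))
    attrs = (EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS).to_bytes(4, "little")
    for name, value in variables.items():
        payload = bytes([value]) if isinstance(value, int) else value
        (d / f"{name}-{EFI_GLOBAL_VARIABLE}").write_bytes(attrs + payload)
    return d


if __name__ == "__main__":
    # Inspect the running system; requires a UEFI boot with efivarfs mounted.
    print(read_state())
```

A result of `mode == "Deployed"` with `enforcing == True` corresponds to the table's most secure combination (Secure Boot enabled, Secure Boot Mode set to Deployed); a `consistent == False` result means the firmware reports a mode that does not match whether a PK is actually installed, which is worth investigating before trusting the reported state.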
Installation and Service Manual
Pre-operating system management applications
31