The System Security Settings screen details are explained
as follows:
Option
Description
CPU AES-NI
Improves the speed of applications by performing encryption
and decryption by using the Advanced Encryption Standard Instruction
Set (AES-NI). This option is set to Enabled by default.
System Password
Sets the system password.
This option is set to Enabled by default and
is read-only if the password jumper is not installed in the system.
Setup Password
Sets the setup password. This option is read-only
if the password jumper is not installed in the system.
Password Status
Locks the system password. This option is set to Unlocked by
default.
TPM Security
NOTE: The TPM menu is available only when the TPM module is installed.
Enables you to control the reporting mode of the TPM. The TPM Security option is set to Off by default. You can only modify the TPM Status, and TPM Activation
if the TPM Status field is set to either On with Pre-boot Measurements or On without
Pre-boot Measurements.
When TPM 1.2 is
installed, the TPM Security option is set to Off, On with Pre-boot Measurements, or On without Pre-boot Measurements.
Changes the operational state of
the TPM. This option is set to No Change by
default.
TPM Firmware
Indicates the firmware version
of the TPM.
TPM Status
Specifies the TPM status.
TPM Command
Controls the Trusted Platform Module
(TPM). When set to None, no command is sent
to the TPM. When set to Activate, the TPM is
enabled and activated. When set to Deactivate, the TPM is disabled and deactivated. When set to Clear, all the contents of the TPM are cleared. This option is set to None by default.
When TPM 2.0 is installed, the TPM
Security option is set to On or Off. This option is set to Off by default.
Changes the operational state of
the TPM. This option is set to No Change by
default.
TPM Firmware
Indicates the firmware version
of the TPM.
TPM Hierarcy
Enable, disable, or clear the storage
and endorsement hierarchies. When set to Enabled, the storage and endorsement hierarchies can be used.
When set to Disabled, the storage and endorsement
hierarchies cannot be used.
When set to Clear, the storage and endorsement hierarchies are cleared
of any values, and then reset to Enabled.
Power Button
Enables or disables the power button on the front
of the system. This option is set
to Enabled by default.
AC Power Recovery
Sets how the system behaves after AC power is restored
to the system. This option is set
to Last by default.
AC Power Recovery Delay
Sets the time delay for the system to power up after
AC power is restored to the system. This option is set to Immediate by default.
User Defined Delay (60 s to 600 s)
Sets the User Defined Delay option when the User Defined option for AC Power Recovery Delay is selected.
UEFI Variable Access
Provides varying degrees of securing UEFI variables.
When set to Standard (the default), UEFI variables
are accessible in the operating system per the UEFI specification.
When set to Controlled, selected UEFI variables
are protected in the environment and new UEFI boot entries are forced
to be at the end of the current boot order.
Secure Boot
Enables Secure Boot, where the BIOS authenticates
each pre-boot image by using the certificates in the Secure Boot Policy.
Secure Boot is set to Disabled by default.
Secure Boot Policy
When Secure Boot policy is set to Standard, the BIOS uses the system manufacturer’s key and certificates to
authenticate pre-boot images. When Secure Boot policy is set to Custom, the BIOS uses the user-defined key and certificates.
Secure Boot policy is set to Standard by default.
Secure Boot Mode
Configures how the BIOS uses the Secure Boot Policy
Objects (PK, KEK, db, dbx).
If the current
mode is set to Deployed Mode, the available
options are User Mode and Deployed
Mode. If the current mode is set to User Mode, the available options are User Mode, Audit Mode, and Deployed Mode.
Options
Description
User Mode
In User Mode, PK must be installed, and BIOS performs signature verification
on programmatic attempts to update policy objects.
The BIOS allows unauthenticated programmatic transitions between
modes.
Deployed Mode
Deployed Mode is the most secure mode. In Deployed Mode, PK must be installed and the BIOS performs signature verification
on programmatic attempts to update policy objects.
Deployed Mode restricts the programmatic mode
transitions.
Audit Mode
In Audit mode, PK is not present. The BIOS does not authenticate programmatic
updates to the policy objects, and transitions between modes. The
BIOS performs a signature verification on pre-boot images and logs
the results in the image Execution Information Table, but executes
the images whether they pass or fail verification.
Audit Mode is useful for programmatic determination
of a working set of policy objects.
Secure Boot Policy Summary
Specifies the list of certificates and hashes that
secure boot uses to authenticate images.
Secure Boot Custom Policy Settings
Configures the Secure Boot Custom Policy. To enable
this option, set the Secure Boot Policy to Custom option.