TPM 2.0 Security
    The Trusted Platform Module (TPM) provides various cryptographic services that serve as the cornerstone for many platform security technologies. The TPM is a security device that stores computer-generated keys for encryption and for features such as BitLocker, Virtual Secure Mode, and remote attestation.
    By default, the Trusted Platform Module (TPM) option is enabled.
    For additional security, Dell Technologies recommends keeping Trusted Platform Module (TPM) enabled to allow these security technologies to fully function.
    NOTE: The options that are listed apply to computers with a discrete Trusted Platform Module (TPM) chip.

TPM 2.0 Security On
    Allows you to enable or disable the TPM.
    By default, the TPM On option is enabled.
    For additional security, Dell Technologies recommends keeping TPM On enabled to allow these security technologies to fully function.

Attestation Enable
    The Attestation Enable option controls the endorsement hierarchy of the TPM. Disabling the Attestation Enable option prevents the TPM from being used to digitally sign certificates.
    By default, the Attestation Enable option is enabled.
    For additional security, Dell Technologies recommends keeping the Attestation Enable option enabled.
    NOTE: Disabling this option may cause compatibility issues or loss of functionality in some operating systems.

Key Storage Enable
    The Key Storage Enable option controls the storage hierarchy of the TPM, which is used to store digital keys. Disabling the Key Storage Enable option restricts the ability of the TPM to store the owner's data.
    By default, the Key Storage Enable option is enabled.
    For additional security, Dell Technologies recommends keeping the Key Storage Enable option enabled.
    NOTE: Disabling this option may cause compatibility issues or loss of functionality in some operating systems.

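The Attestation Enable and Key Storage Enable entries above each map to one TPM 2.0 hierarchy (endorsement and storage respectively). A defender who wants to confirm from the operating system that the BIOS policy took effect can read the TPM's TPMA_STARTUP_CLEAR attribute, whose ehEnable and shEnable bits report whether those hierarchies are enabled. The script below is an added example, not Dell's or any TPM vendor's code; the bit positions are those given in the TPM 2.0 Library specification (Part 2), the mapping of BIOS options to hierarchies follows the page text, and the sample property dump is constructed to resemble `tpm2_getcap properties-variable` output rather than captured from a real machine.

```python
"""Decode the TPM 2.0 hierarchy-enable attributes behind the Attestation Enable
and Key Storage Enable BIOS options.

Added example, not Dell's or any TPM vendor's code. Assumptions (labelled):
  - TPMA_STARTUP_CLEAR bit layout from the TPM 2.0 Library spec, Part 2:
    phEnable=bit 0, shEnable=bit 1, ehEnable=bit 2, phEnableNV=bit 3,
    orderly=bit 31.
  - BIOS option to hierarchy mapping follows the page text:
    Attestation Enable -> endorsement hierarchy (ehEnable),
    Key Storage Enable -> storage hierarchy (shEnable).
  - SAMPLE_GETCAP is constructed in the shape of `tpm2_getcap
    properties-variable` output; it was not captured from a real TPM.
"""
from dataclasses import dataclass
import re

# TPMA_STARTUP_CLEAR bit positions (TPM 2.0 Library spec, Part 2).
PH_ENABLE = 1 << 0
SH_ENABLE = 1 << 1
EH_ENABLE = 1 << 2
PH_ENABLE_NV = 1 << 3
ORDERLY = 1 << 31


@dataclass(frozen=True)
class HierarchyState:
    platform: bool
    storage: bool
    endorsement: bool
    platform_nv: bool
    orderly_shutdown: bool


def decode_startup_clear(value: int) -> HierarchyState:
    """Split a raw 32-bit TPMA_STARTUP_CLEAR value into its named flags."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("TPMA_STARTUP_CLEAR is a 32-bit attribute")
    return HierarchyState(
        platform=bool(value & PH_ENABLE),
        storage=bool(value & SH_ENABLE),
        endorsement=bool(value & EH_ENABLE),
        platform_nv=bool(value & PH_ENABLE_NV),
        orderly_shutdown=bool(value & ORDERLY),
    )


# Constructed sample, shaped like `tpm2_getcap properties-variable` output.
SAMPLE_GETCAP = """\
TPM2_PT_PERMANENT:
  ownerAuthSet:              0
  endorsementAuthSet:        0
  lockoutAuthSet:            0
  disableClear:              0
  inLockout:                 0
  tpmGeneratedEPS:           1
TPM2_PT_STARTUP_CLEAR:
  phEnable:                  1
  shEnable:                  1
  ehEnable:                  0
  phEnableNV:                1
  orderly:                   1
"""


def parse_startup_clear(text: str) -> HierarchyState:
    """Read the TPM2_PT_STARTUP_CLEAR block of a getcap-style dump."""
    block = re.search(r"TPM2_PT_STARTUP_CLEAR:\n((?:[ \t]+\S+:\s+\d+\n?)+)", text)
    if block is None:
        raise ValueError("no TPM2_PT_STARTUP_CLEAR block found")
    flags = {k: v == "1" for k, v in re.findall(r"(\w+):\s+(\d)", block.group(1))}
    return HierarchyState(
        platform=flags.get("phEnable", False),
        storage=flags.get("shEnable", False),
        endorsement=flags.get("ehEnable", False),
        platform_nv=flags.get("phEnableNV", False),
        orderly_shutdown=flags.get("orderly", False),
    )


def bios_policy_findings(state: HierarchyState) -> list:
    """Report which of the page's BIOS options appear disabled, judged by the
    hierarchy the page says each option controls."""
    findings = []
    if not state.endorsement:
        findings.append("Attestation Enable appears OFF: endorsement hierarchy disabled")
    if not state.storage:
        findings.append("Key Storage Enable appears OFF: storage hierarchy disabled")
    return findings


if __name__ == "__main__":
    state = parse_startup_clear(SAMPLE_GETCAP)
    for line in bios_policy_findings(state) or ["both hierarchies enabled"]:
        print(line)
```

On a real machine, feed the text of `tpm2_getcap properties-variable` (tpm2-tools) into `parse_startup_clear`; a disabled hierarchy that the BIOS should have enabled is worth raising as a configuration-drift finding, since attestation and key-storage workflows silently fail without it.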
SHA-256
    Allows you to control the hashing algorithm that is used by the TPM. When enabled, the TPM uses the SHA-256 hashing algorithm. When disabled, the TPM uses the SHA-1 hashing algorithm.
    By default, the SHA-256 option is enabled.
    For additional security, Dell Technologies recommends keeping the SHA-256 option enabled.

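The practical effect of the SHA-256 option is the width and strength of the digests the TPM accumulates during measured boot. The simulation below is an added example, not Dell's or any TPM vendor's code; it assumes the option selects which PCR bank (SHA-1 or SHA-256) firmware measures into (the page only says it selects the TPM's hashing algorithm), implements the TPM 2.0 extend rule PCR_new = H(PCR_old || digest) starting from all-zero registers, and uses a constructed boot event log rather than real firmware measurements.

```python
"""Simulate PCR extend in the SHA-1 and SHA-256 banks to show what the
SHA-256 BIOS option changes.

Added example, not Dell's or any TPM vendor's code. Assumptions (labelled):
  - The BIOS SHA-256 option is read as selecting the PCR bank firmware
    measures into; the page itself only says it selects the hash algorithm.
  - Extend follows the TPM 2.0 definition: PCR_new = H(PCR_old || digest),
    with each PCR starting as zero bytes of the bank's digest length.
  - SAMPLE_LOG entries are constructed strings, not real firmware events.
"""
import hashlib

BANKS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}


class PcrBank:
    """One PCR bank: 24 registers, each the width of the bank's hash."""

    def __init__(self, algo: str, count: int = 24):
        if algo not in BANKS:
            raise ValueError(f"unsupported bank {algo}")
        self.algo = algo
        self.size = BANKS[algo]().digest_size
        self.pcrs = [bytes(self.size)] * count

    def extend(self, index: int, measurement: bytes) -> bytes:
        """Extend PCR[index] with the bank-native digest of `measurement`."""
        digest = BANKS[self.algo](measurement).digest()
        self.pcrs[index] = BANKS[self.algo](self.pcrs[index] + digest).digest()
        return self.pcrs[index]

    def reset(self) -> None:
        """State after a TPM reset: every PCR back to all-zero bytes."""
        self.pcrs = [bytes(self.size)] * len(self.pcrs)


def replay(algo: str, log: list) -> dict:
    """Replay an ordered event log (index, data) into a fresh bank and return
    hex PCR values for the indices touched. This is the computation a remote
    verifier repeats from the event log to compare against quoted PCRs."""
    bank = PcrBank(algo)
    for index, event in log:
        bank.extend(index, event)
    return {i: bank.pcrs[i].hex() for i in sorted({i for i, _ in log})}


# Constructed boot event log: (PCR index, measured data).
SAMPLE_LOG = [
    (0, b"constructed: firmware volume"),
    (0, b"constructed: option ROM"),
    (7, b"constructed: Secure Boot policy"),
]

if __name__ == "__main__":
    for algo in BANKS:
        print(algo, replay(algo, SAMPLE_LOG))
```

Two properties matter for a verifier: the same log yields a different, wider value in the SHA-256 bank, and reordering events into the same PCR changes the result, which is why an attestation policy pins the bank as well as the expected PCR values.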
Clear
    When enabled, the Clear option clears the information that is stored in the TPM when you exit the BIOS. The option returns to the disabled state when the computer restarts.
    By default, the Clear option is disabled.
    Dell Technologies recommends enabling the Clear option only when TPM data must be cleared.

PPI Bypass for Clear Commands
    The PPI Bypass for Clear Commands option allows the operating system to manage certain aspects of PTT. When enabled, you are not prompted to confirm changes to the PTT configuration.
    By default, the PPI Bypass for Clear Commands option is disabled.
    For additional security, Dell Technologies recommends keeping the PPI Bypass for Clear Commands option disabled.

Intel Total Memory Encryption

Multi-Key Total Memory Encryption (Up to 16 keys)
    Total Memory Encryption is used to protect memory from physical attacks, including freeze spray, probing the DDR bus to read memory cycles, and others.
    Default: OFF

Chassis Intrusion
    Controls the chassis intrusion feature.
    Default: Disabled

SMM Security Mitigation

SMM Security Mitigation
    Enables or disables additional UEFI SMM Security Mitigation protections.
    Default: ON
    NOTE: This feature may cause compatibility issues or loss of functionality with some legacy tools and applications.

Data Wipe on Next Boot

Start Data Wipe
    Data Wipe is a secure wipe operation that deletes information from a storage device.
    CAUTION: The secure Data Wipe operation deletes information in a way that it cannot be reconstructed.
    Commands such as delete and format in the operating system may remove files from the file system listing. However, the files can be reconstructed through forensic means because the data is still present on the physical media. Data Wipe prevents this reconstruction; wiped data is not recoverable.
    When enabled, the Data Wipe option prompts to wipe any storage devices that are connected to the computer on the next boot.
    By default, the Start Data Wipe option is disabled.

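The difference the Data Wipe entry draws between an operating-system delete or format and a secure wipe comes down to whether the bytes on the media are overwritten. The toy disk image below is an added example, not Dell's Data Wipe implementation or a real file system: it assumes a constructed directory (name to offset and length) over a bytearray "media", where delete and format drop directory entries only and wipe overwrites every byte, and a carving scan that ignores the directory stands in for forensic recovery.

```python
"""Toy disk image showing why delete/format leave data recoverable on the
media while an overwrite does not.

Added example, not Dell's Data Wipe code or a real file system. Assumptions
(labelled): the "file system" is a constructed directory dict over a bytearray
image; delete and format remove directory entries only; wipe overwrites bytes.
"""


class ToyDisk:
    def __init__(self, size: int = 4096):
        self.image = bytearray(size)  # the "physical media"
        self.directory = {}  # name -> (offset, length); the "file system"
        self.next_free = 0

    def write_file(self, name: str, data: bytes) -> None:
        if self.next_free + len(data) > len(self.image):
            raise OSError("disk full")
        off = self.next_free
        self.image[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        self.next_free += len(data)

    def delete(self, name: str) -> None:
        """Like an OS delete: forget the entry, leave the bytes in place."""
        del self.directory[name]

    def format(self) -> None:
        """Like a quick format: empty the directory, keep the media content."""
        self.directory.clear()
        self.next_free = 0

    def wipe(self, passes: int = 1) -> None:
        """Like a secure wipe: overwrite every byte, then empty the directory."""
        for _ in range(passes):
            self.image[:] = bytes(len(self.image))
        self.directory.clear()
        self.next_free = 0


def carve(disk: ToyDisk, marker: bytes) -> list:
    """Forensic-style carving: scan the raw media for a marker, ignoring the
    directory entirely. Returns the offsets at which the marker was found."""
    hits, start = [], 0
    while (i := disk.image.find(marker, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


# Constructed sensitive content; the marker a carving tool would look for.
SECRET = b"constructed: BEGIN PRIVATE KEY"


def recoverable_after(action: str) -> bool:
    """Write a file, apply `action` (delete, format or wipe), and report
    whether the secret can still be carved from the media."""
    disk = ToyDisk()
    disk.write_file("key.pem", SECRET + b"\n...")
    actions = {
        "delete": lambda: disk.delete("key.pem"),
        "format": disk.format,
        "wipe": disk.wipe,
    }
    actions[action]()
    assert "key.pem" not in disk.directory  # all three remove the name
    return bool(carve(disk, SECRET))


if __name__ == "__main__":
    for action in ("delete", "format", "wipe"):
        print(f"{action}: secret recoverable = {recoverable_after(action)}")
```

One caveat the toy model cannot show: on flash media the controller remaps physical blocks, so an overwrite issued from software may not reach every copy of the data, which is why firmware-level wipe operations talk to the drive's own sanitize or secure-erase mechanism rather than writing zeros through the file system.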
Absolute

Absolute
    Absolute Software provides various cyber security solutions, some of which require software preloaded on Dell computers and integrated into the BIOS. To use these features, you must enable the Absolute BIOS setting and contact Absolute for configuration and activation.
    By default, the Absolute option is enabled.
    For additional security, Dell Technologies recommends keeping the Absolute option enabled.
    NOTE: When the Absolute features are activated, the Absolute integration cannot be disabled from the BIOS setup screen.

UEFI Boot Path Security

UEFI Boot Path Security
    Controls whether the computer prompts the user to enter the Administrator password (if set) when booting to a UEFI boot path device from the F12 boot menu.
    By default, the Always Except Internal HDD option is enabled.

Firmware Device Tamper Detection

Firmware Device Tamper Detection
    Allows you to control the firmware device tamper detection feature. This feature notifies the user when the firmware device has been tampered with. When enabled, a warning message is displayed on the screen and a tamper detection event is logged in the BIOS Events log. The computer does not boot until the event is cleared.
    By default, the Firmware Device Tamper Detection option is enabled.
    For additional security, Dell Technologies recommends keeping the Firmware Device Tamper Detection option enabled.

Clear Firmware Device Tamper Detection
    Clears the tamper detection event and enables booting.
    Default: OFF