HP BIOSphere Whitepaper

Transcription

HP BIOSPHERE
AN ECOSYSTEM OF PROTECTIONS TO DEFEND YOUR PC
TECHNICAL WHITEPAPER

ATTACKS ON THE BIOS CAN BE DIFFICULT TO DETECT

Fortunately, the HP BIOSphere[1] ecosystem automates the protection of the BIOS and enables robust PC manageability.

TABLE OF CONTENTS

WHY IS BIOS IMPORTANT? ... 2
HP BIOSPHERE HELPS DEFEND YOUR PC ... 2
AUTOMATED PROTECTION ... 2
CUSTOMIZABLE SAFEGUARDS AGAINST PHYSICAL ATTACKS ... 3
FLEXIBLE AND CUSTOMIZABLE MANAGEMENT ... 3
BIOSPHERE GEN6 FEATURES ... 4
HP BIOSPHERE GENERATIONS ... 6
SETUP INFORMATION ... 6

HP BIOSPHERE WHITEPAPER 1

WHY IS BIOS IMPORTANT?

An unsecured BIOS can offer a dangerous amount of access to a hacker, and cyber-attacks targeting the BIOS are on the rise. Hackers often gain access to the BIOS via phishing attacks. Physically present attackers can quickly disassemble the system and establish a direct connection to the non-volatile storage device on the circuit board to inject malware. Malware can also be introduced via unsecured ports.

BIOS-level attacks are very difficult to detect because they control the device below the operating system and cannot be removed or modified by anti-virus software. Malware targeting the BIOS can continually supply data and reinstate itself after network defenses deploy. A compromised BIOS can remain hidden, disable other security measures on the PC, and even survive a disk wipe and operating system reinstallation.

HP BIOSPHERE HELPS DEFEND YOUR PC

Building on over a decade of BIOS security leadership, HP BIOSphere offers an ecosystem of protections to help defend the PC, including automated protections, customizable safeguards, and easy manageability to guard against attacks without interrupting employee productivity.[1]

HP BIOSphere can help protect against a variety of attacks or corruption, including attacks that target the Master Boot Record (MBR) and GUID Partition Table (GPT); attacks that attempt to enter through unauthorized wireless bridging; and more, including new types of malware that may be created to target the BIOS in the future.
It can also help protect against physical attacks on the device, with features like BIOS passwords, port controls, and HP Secure Erase.[4]

AUTOMATED PROTECTION

HP BIOSphere Gen6 provides enhanced firmware protection automatically from the moment the PC is first booted up, guarding against malicious attacks and accidental errors that can compromise the BIOS.

HARDWARE ROOT OF TRUST
At every boot, HP Pro and Elite PCs ensure that an authentic BIOS is present before the CPU starts executing code.[1] (In PCs that also include HP Sure Start[2], corrupted BIOS can self-heal automatically.)

SECURE BOOT
When HP business PCs are manufactured, the Unified Extensible Firmware Interface (UEFI) creates a list of keys that identify trusted hardware, firmware, and operating system loader code. It also creates a list of keys to identify known malware. Secure Boot uses these keys to define and block potential threats before they can attack or infect the PC. For example, Secure Boot can prevent PCs from starting from illegally copied CDs or DVDs that could harm the computer. Secure Boot does not lock out valid recovery discs or Windows discs.

CRITICAL FIRMWARE PROTECTION
HP BIOSphere Gen6 implements NIST 800-147 and ISO/IEC 19678:2015, to make sure the BIOS only gets authentic updates from HP. Other key security standards it implements include draft NIST 800-155, UEFI Secure Boot, and Trusted Computing Group.

MEETS SECURITY STANDARDS
Elements such as the MBR or GPT are protected against corruption or deletion that could render the PC unable to boot.

SIMPLE BIOS UPDATES
HP BIOSphere Gen6 can receive BIOS and Intel ME updates deployed via Windows Update, making it as easy as a standard driver update.[3] Automatic updates can even be scheduled via the network, with customizable dates and times.
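The allow-list/forbidden-list logic that Secure Boot applies to boot loader code, as an added simulation that is not HP's or any UEFI firmware's code: db holds the trusted loaders, dbx holds the known-bad ones, and a dbx match denies the image even when db also lists it. Real firmware also verifies Authenticode signatures against certificates in db; here the constructed byte strings stand in for loader images and only hashes are compared.

```python
import hashlib
from typing import Iterable, Optional, Set, Tuple

def image_hash(image: bytes) -> str:
    """Stand-in for the digest firmware takes over a boot loader (PE) image."""
    return hashlib.sha256(image).hexdigest()

# Constructed byte strings standing in for boot loader binaries.
WINDOWS_LOADER = b"constructed: signed Windows boot manager"
RECOVERY_LOADER = b"constructed: vendor recovery disc loader"
REVOKED_LOADER = b"constructed: loader once trusted, later found exploitable"
COPIED_DISC_LOADER = b"constructed: unsigned loader from an illegally copied disc"

# db: allow-list written at manufacture; dbx: forbidden list of known-bad code.
# A revoked loader stays in db (it was legitimately signed) but is added to dbx.
DB: Set[str] = {image_hash(WINDOWS_LOADER), image_hash(RECOVERY_LOADER),
                image_hash(REVOKED_LOADER)}
DBX: Set[str] = {image_hash(REVOKED_LOADER)}

def check_image(image: bytes, db: Set[str] = DB, dbx: Set[str] = DBX) -> Tuple[bool, str]:
    """Secure Boot ordering: dbx is consulted first and wins outright; then the image
    must be positively present in db; anything else is denied by default."""
    digest = image_hash(image)
    if digest in dbx:
        return False, "forbidden by dbx"
    if digest in db:
        return True, "trusted by db"
    return False, "not in db"

def first_bootable(boot_order: Iterable[bytes]) -> Optional[bytes]:
    """Walk the boot order the way firmware does, skipping every image that fails."""
    for image in boot_order:
        allowed, _reason = check_image(image)
        if allowed:
            return image
    return None
```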

CUSTOMIZABLE SAFEGUARDS AGAINST PHYSICAL ATTACKS

Modern workstyles increasingly take PCs out of the office and into cafes, airports, and shared spaces where physical attacks become a greater risk. HP BIOSphere includes powerful protections against physical attacks that are simple to set up and customize, helping businesses of all sizes safeguard their PCs and protect sensitive information.

PRE-BOOT SECURITY
Prevent unauthorized users from accessing devices with features like Power-on Authentication and HP DriveLock.

PORT CONTROLS
Protect ports against malicious USB drives or attempts to steal data. HP BIOSphere Gen6 allows users to enable/disable individual ports and block the ability to boot from USB. (Many devices now use USB-C to charge user devices; if disabled, USB-C will still charge and can be used to power the PC. Available on select HP PCs.)

SECURE ERASE
Permanently erase data from hard disk drives or solid state drives (SSD) to prevent data theft after disposing of or repurposing old devices.[4]

FLEXIBLE AND CUSTOMIZABLE MANAGEMENT

HP BIOSphere Gen6 includes protections that are enabled by default, as well as capabilities like Power-On Authentication and port controls that can easily be set up on each PC by pressing F10 on start-up to enter the BIOS.

REPLICATED SETUP
For small businesses, Replicated Setup enables users to easily save BIOS settings to a file—such as a USB key—and use them to clone configurations to other machines.

REMOTE BIOS MANAGEMENT
Companies with managed IT can centrally configure and update BIOS settings across a PC fleet in just minutes, using the HP BIOS Configuration Utility.[5] This script-driven tool provides admins the ability to remotely manage BIOS settings on PCs.
- Read available BIOS settings and their values from a supported desktop, workstation, or notebook computer
- Set or reset Setup Password on a supported desktop, workstation, or notebook computer
- Replicate BIOS settings across multiple client computers

HP BIOSphere settings and passwords can also be managed remotely using the HP Manageability Integration Kit[7] (MIK) for Microsoft System Center Configuration Manager (SCCM). The MIK's BIOS Configuration interface allows the IT administrator to define and deploy BIOS settings policies to client computers.
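A baseline-drift check over exported BIOS settings, as an added example that is not part of HP's tooling: it assumes a BCU-style export in which each setting name sits at column 0, its candidate values are indented beneath it with the active one prefixed by '*', free-form settings carry one unmarked value line, and ';' starts a comment. Both exports are constructed inline; the golden file plays the role of the replicated configuration and the captured file a machine read back from the fleet.

```python
from typing import Dict, List, Tuple

# Constructed exports in the assumed BCU /GetConfig style described above.
GOLDEN_CONFIG = """BIOSConfig 1.0
; constructed baseline captured from a reference machine
Secure Boot
\tDisable
\t*Enable
USB Storage Boot
\t*Disable
\tEnable
Asset Tracking Number
\tCONSTRUCTED-0001
"""
CAPTURED_CONFIG = """BIOSConfig 1.0
Secure Boot
\t*Disable
\tEnable
USB Storage Boot
\tDisable
\t*Enable
"""

def parse_bcu(text: str) -> Dict[str, str]:
    """Return each setting's active value from a BCU-style export."""
    options: Dict[str, List[str]] = {}
    setting = None
    for line in text.splitlines():
        if not line.strip() or line[0] == ";" or line.startswith("BIOSConfig"):
            continue
        if line[0] in " \t":
            if setting is not None:
                options[setting].append(line.strip())
        else:
            setting = line.strip()
            options[setting] = []
    active: Dict[str, str] = {}
    for setting, values in options.items():
        starred = [v[1:].strip() for v in values if v.startswith("*")]
        # choice settings mark the active value with '*'; a free-form setting has one line
        active[setting] = starred[0] if starred else (values[0] if len(values) == 1 else "")
    return active

def drift(golden: Dict[str, str], captured: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Settings whose active value departs from the baseline: (setting, expected, actual)."""
    return [(name, want, captured.get(name, "<missing>"))
            for name, want in golden.items() if captured.get(name, "<missing>") != want]
```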

BIOSPHERE GEN6 FEATURES

STANDARDS AND PROTECTIONS

Master Boot Record (MBR) / GUID Partition Table (GPT) Protection & Recovery
Enables protection of the Master Boot Record (MBR) and GUID Partition Table (GPT) against corruption or deletion that could render the PC unable to boot. HP BIOSphere can also back up and restore your MBR or GPT should it become corrupted or deleted. Users can also lock the Master Boot Record to prevent it from being altered. These features can be enabled in the BIOS settings.

Hardware-based Root of Trust
Hardware-enforced assurance that an authentic BIOS is present before the CPU starts executing code to boot.

CONFIGURABLE PROTECTIONS

Power-On Authentication[6]
Ensures that only authorized users can start up the PC or access the BIOS by requiring user authentication prior to system startup. Power-On Authentication supports passwords or fingerprint identification.[6]

HP DriveLock & HP Automatic DriveLock
Prevents SATA hard disk drives, solid state drives (SSD) and NVME drives from running without authorization by requiring the BIOS to authenticate the user before the drive is unlocked. For convenience, if the user is already using Power-On Authentication, HP Automatic DriveLock can ensure fast, secure access without entering additional passwords if supported by the drive.

HP One Step Logon
Simplifies your log-in process with Power-On Authentication using your Windows Credentials. Single Sign On gives you the protection of Power-On Authentication without making you re-enter your credentials at the Windows login screen. Must be enabled using HP Client Security Manager Gen5 or later.

Port Controls
Protects against unwanted access with the ability to enable or disable individual USB ports and devices.
Many devices now use USB-C to charge: if disabled, USB-C will still charge user devices and can be used to power the PC (available on select HP PCs).

Device Control
Allows administrators the option to individually disable integrated devices such as cameras, microphones, or Bluetooth as needed in their environment.

HP Secure Erase (NEW for Gen6)
Permanently erases data on hard disk drives, to prepare a system for disposal or redeployment if supported by the drive. HP BIOSphere Gen5: permanently erases data on SATA hard disk drives and solid state drives (SSD). New for BIOSphere Gen6: HP BIOSphere Gen6 adds support for NVME drives.

Integrated Camera Control (NEW for Gen6)
F10 Hotkey support for managing camera privacy (toggle on/off).

OTHER

BIOS Updates via Windows Update
Updates the BIOS and Intel ME through Windows Update or Device Manager, as easy as a standard driver update.

Automatic BIOS Updates via Network
Allows you to schedule automatic BIOS updates via the network. Dates and times are customizable in the F10 setup menu.

HP LAN-WLAN Protection
Protects enterprise LAN from unauthorized wireless bridging access by turning off wireless LAN on LAN insertion.

Power Management Control
Allows for customization of power management and charging behavior.

Peak Shift
Reduces power consumption by auto-switching the system to battery power during preset peak hours of the day. Must be enabled via HP Power Manager or remotely via the HP Manageability Integration Kit.
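The integrity check that makes GPT corruption detectable and recoverable, as an added example that is not HP's firmware code: it packs a 92-byte GPT header in the UEFI layout, verifies the header CRC32 before trusting it, and falls back to the backup header at the end of the disk when the primary copy fails. The disk geometry and disk GUID are constructed values.

```python
import struct
import uuid
import zlib
from typing import Optional

GPT_HEADER_FMT = "<8sIIIIQQQQ16sQIII"   # 92-byte GPT header, little-endian, no padding
GPT_SIGNATURE = b"EFI PART"
HEADER_SIZE = struct.calcsize(GPT_HEADER_FMT)

def build_gpt_header(current_lba: int, backup_lba: int, first_usable: int,
                     last_usable: int, disk_guid: uuid.UUID, entries_lba: int,
                     entries_crc: int = 0) -> bytes:
    """Pack a GPT header and fill in its CRC32 (computed with the CRC field zeroed)."""
    fields = [GPT_SIGNATURE, 0x00010000, HEADER_SIZE, 0, 0,
              current_lba, backup_lba, first_usable, last_usable,
              disk_guid.bytes_le, entries_lba, 128, 128, entries_crc]
    fields[3] = zlib.crc32(struct.pack(GPT_HEADER_FMT, *fields))
    return struct.pack(GPT_HEADER_FMT, *fields)

def header_is_valid(raw: bytes) -> bool:
    """Signature and CRC32 check, the test run before a GPT header is trusted."""
    if len(raw) < HEADER_SIZE or raw[:8] != GPT_SIGNATURE:
        return False
    stored_crc = struct.unpack_from("<I", raw, 16)[0]
    zeroed = raw[:16] + b"\x00" * 4 + raw[20:HEADER_SIZE]
    return zlib.crc32(zeroed) == stored_crc

def pick_usable_header(primary: bytes, backup: bytes) -> Optional[str]:
    """Prefer the primary header, fall back to the backup copy at the last LBA;
    None means neither copy is intact and the disk would not boot without a restore."""
    if header_is_valid(primary):
        return "primary"
    if header_is_valid(backup):
        return "backup"
    return None

# Constructed 2048-sector disk: primary header at LBA 1, backup header at LBA 2047.
DISK_GUID = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")
PRIMARY = build_gpt_header(1, 2047, 34, 2014, DISK_GUID, 2)
BACKUP = build_gpt_header(2047, 1, 34, 2014, DISK_GUID, 2015)
# Simulated corruption: the first-usable-LBA field (offset 40) has been overwritten.
CORRUPTED = PRIMARY[:40] + b"\xff" * 8 + PRIMARY[48:]
```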

ENTERPRISE AND MANAGEABILITY FEATURES

Replicated Setup
Enables you to easily save BIOS settings to a file—such as a USB key—and use them to clone configurations to other machines. Replicated setup with BCU will work with Windows and Linux (if HP Sure Admin[8] is disabled).

Device Guard Enablement (for Windows Enterprise users only)
Enhances system security by supporting the latest anti-malware protection features of Windows 10, including Device Guard. Device Guard requires BIOS Admin Password, Virtualization, and Secure Boot to be enabled. Removable and network devices and the Microsoft UEFI CA key will be disabled. The Device Guard BIOS setting simplifies managing these other BIOS settings. Device Guard is optimized for easy deployment locally or remotely via the MIK plugin.

HP MAC Address Manager
Allows the unique network controller address associated with the platform itself to be used for cabled docks & network adapters, regardless of the power state of the platform, which is critically important to many existing IT image deployment and remote management workflows.

HP Wireless Wakeup
Includes host-based MAC address over USB-C. Works regardless of what power state the notebook is in when the dock is attached. Use the system's MAC address when docked, rather than the dock's address—helps administrators to identify systems, regardless of where they are docked. Dock must support host-based MAC address.

Remote Diagnostics
Allows magic packet configuration to wake up the system from sleep standby through WLAN adaptors.

UEFI Wi-Fi (NEW for Gen6)
UEFI WiFi enables HP select notebook platforms to use WPA2 Personal & select WPA2-Enterprise protocols (EAP-TLS, EAP-TTLS, and EAP-PEAP) to perform secure preboot wireless network connectivity for BIOS update/configuration and OS update/recovery operations.
Examples of enabled UEFI WiFi use cases are: preboot network join/authentication, BitLocker Unlock, PXE Boot, OS Recovery, HP Sure Recover[10], Remote HP PC Hardware Diagnostics, System BIOS Updates, etc. UEFI WiFi has been added to select platforms which are configured with the current generation of Intel CPUs and Intel Wireless LAN Modules. For more details on enabling and configuring UEFI WiFi support please see the whitepaper, and for remote management support also see MIK.

UEFI Secure Boot (NEW for Gen6)

HP BIOSPHERE GENERATIONS

HP BIOSphere (2015)
- Boot block recovery if corrupted or compromised (Sure Start)
- Run time monitoring of BIOS code stored in public flash (Sure Start)

HP BIOSphere Gen2 (2016)
- Lock BIOS to disallow BIOS update
- Network configuration settings for BIOS update
- Intel Trusted Execution Technology (TXT) support
- Intel Software Guard Extensions (SGX) support
- Power Management control
- Boot from Thunderbolt interface
- Thunderbolt disable/enable control and configuring security level
- Internal speaker, internal microphone, and headphone output enable/disable control
- Configure Option ROM Launch Policy

HP BIOSphere Gen3 (2017)
- Windows 10 Device Guard enablement
- GUID Partition Table (GPT) protection and recovery
- HP LAN/WLAN protection (preventing unauthorized bridging)
- HP MAC Address Manager
- HP Wireless Wakeup from sleep through WLAN adapter

HP BIOSphere Gen4 (2018)
- Individual USB/SATA port control (enable / disable)
- Remote Diagnostics
- Combined Intel Management Engine and HP BIOS update
- BIOS update via Windows Update
- Host-based MAC address over USB-C

HP BIOSphere Gen5 (2019)
- HP Secure Platform Management (SPM). Options for managing HP Sure Run[9] and HP Sure Recover[10] on applicable platforms.
- Enhanced BIOS Authentication Mode (aka HP Sure Admin)

HP BIOSphere Gen6 (2020)
- HP Secure Erase support for NVME drives
- HP Privacy Camera[11] – F10 hotkey support for managing camera privacy (on/off)
- UEFI WiFi support on HP notebook platforms
- UEFI Secure Boot increased to UEFI class 3

SETUP INFORMATION

HP BIOSphere can help safeguard your PC while saving IT valuable management time. This industry-leading firmware is exclusively available on select HP business PCs.[1]

For additional information on the HP Commercial BIOS Setup, please visit our Setup Guide. For additional information on HP features that leverage HP BIOS capabilities, refer to the HP Security Site.

[1] HP BIOSphere Gen6 features may vary depending on the platform and configuration.
[2] HP Sure Start Gen6 is available on select HP PCs.
[3] BIOS updates via Windows Update are available on all HP Elite and HP Pro PCs with Intel or AMD 6th generation or higher processors. Intel ME updates via Windows Update are available on HP Elite and HP Pro PCs with Intel 11th generation processors.
[4] For the methods outlined in the National Institute of Standards and Technology Special Publication 800-88 “Clear” sanitation method. HP Secure Erase does not support platforms with Intel Optane.
[5] The HP BIOS Configuration Utility can be downloaded here.
[6] Desktop PCs only support password authentication.
[7] HP Manageability Integration Kit can be downloaded from here.
[8] HP Sure Admin is available on select HP PCs and requires HP Manageability Integration Kit from http://www.hp.com/go/clientmanagement and HP Sure Admin Local Access Authenticator smartphone app from the Android or Apple store.
[9] HP Sure Run Gen4 is available on select HP PCs and requires Windows 10.
[10] HP Sure Recover Gen4 is available on select HP PCs and requires Windows 10 and an open network connection. You must back up important files, data, photos, videos, etc. before using HP Sure Recover to avoid loss of data. Network based recovery using Wi-Fi is only available on PCs with Intel Wi-Fi Module.
[11] HP Privacy Camera only available on PCs equipped with HD or IR camera and must be installed at the factory.

Learn more at: hp.com/wolfsecurityforbusiness
Sign up for updates: hp.com/go/getupdated

Copyright 2021 HP Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. AMD and Cezanne are trademarks of Advanced Micro Devices, Inc. USB Type-C and USB-C are registered trademarks of USB Implementers Forum. Intel and Thunderbolt are trademarks of Intel Corporation or its subsidiaries in the U.S. and/or other countries.

4AA7-2634ENW, June 2021
