System Security

Use this window to control the security features of the system.

NOTE: The help page may include information about features and values that are not supported on your system. Server Administrator displays only the features and values that are supported on your system.

User Privileges

Table 1. User Privileges
Selection: System Security
View: Administrator, Elevated Administrator (Linux only)
Manage: Administrator, Elevated Administrator (Linux only)
NOTE: For more details on user privilege levels, see Privilege Levels In The Server Administrator GUI.
NOTE: Based on available hardware, dependencies may exist between the various attributes for settings. Setting an attribute value may change the state of dependent attributes to non-editable or editable, as the case may be. For example, changing the Password Status setting to Locked does not allow you to configure the System Password.
NOTE: The TPM and TCM options are available based on the processor type of the system.

CPU AES-NI

Indicates the status of the Processor AES-NI feature. AES-NI improves the speed of applications by performing encryption and decryption using the Advanced Encryption Standard Instruction Set.

System Password

The System Password is the password that must be entered to allow the system to boot to an operating system. Changes to the system password take effect immediately. The password is read-only if the password jumper (PWRD_EN) is not installed in the system.

NOTE: Upper case letters are valid on the 13th generation PowerEdge servers and later.

Setup Password

The Setup Password is the password that must be entered to change any BIOS settings. However, the system password can be changed without entering the correct setup password if Password Status is set to Unlocked. Changes to the setup password take effect immediately. The password is read-only if the password jumper (PWRD_EN) is not installed in the system.

NOTE: Upper case letters are valid on the 13th generation PowerEdge servers and later.

Password Status

Unlocked: When the option is set to Unlocked, the System Password can be changed without entering the Setup Password. This allows an administrator to maintain a setup password to protect against unauthorized BIOS Setup changes, while a user can freely change the system password.
Locked: When the option is set to Locked, the Setup Password must be entered to change the System Password. To prevent the system password from being modified without providing the setup password, set this option to Locked and enable the Setup Password.
NOTE: To lock the system password, reboot the system and click Locked under the Password Status attribute.

TPM Information

Displays the type of Trusted Platform Module, if present.

Intel(R) AES-NI

Displays the status of Intel(R) Processor AES-NI feature.

TPM Security

Controls the reporting of the Trusted Platform Module (TPM) in the system.

Off (default): Presence of the TPM is not reported to the operating system.
On with Pre-boot Measurements: BIOS stores TCG compliant measurements to the TPM during POST.
On without Pre-boot Measurements: BIOS bypasses pre-boot measurements.
NOTE: A system or setup password is recommended with this TPM Security setting.

TPM Firmware

Displays the TPM's firmware version.

TPM Hierarchy

Allows enabling, disabling, or clearing the storage and endorsement hierarchies. When the option is set to Enabled, the storage and endorsement hierarchies can be used; when set to Disabled, they cannot be used. When set to Clear, any values held in the storage and endorsement hierarchies are cleared.

TPM Activation

Allows the user to change the operational state of the Trusted Platform Module (TPM). This field is Read-Only when TPM Security is set to Off.

Activate: The TPM is enabled and activated.
Deactivate: The TPM is disabled and deactivated.
No Change: The operational state of the TPM remains unaltered.
NOTE: This feature is not available for 13G Platforms or later.

TPM Status

Displays the status of the TPM.

TPM Clear

CAUTION: Clearing the TPM causes loss of all keys in the TPM. This could affect booting of the operating system.

When set to Yes, all the contents of the TPM are cleared. This field is Read-Only when TPM Security is set to Off.

NOTE: This feature is not available for 13G Platforms or later.

TCM Security

Controls the reporting of the Trusted Cryptography Module (TCM) in the system.

Off (default): Presence of the TCM is not reported to the operating system.
On: Presence of the TCM is reported to the operating system.
NOTE: This feature is not available for 13G Platforms or later.

TCM Activation

Allows the user to change the operational state of the Trusted Cryptography Module (TCM). This field is Read-Only when TCM Security is set to Off.

Activate: The TCM is enabled and activated.
Deactivate: The TCM is disabled and deactivated.
No Change: The operational state of the TCM remains unaltered.
NOTE: This feature is not available for 13G Platforms or later.

TCM Clear

CAUTION: Clearing the TCM causes loss of all keys in the TCM. This could affect booting of the operating system.

When set to Yes, all the contents of the TCM are cleared. This field is Read-Only when TCM Security is set to Off.

NOTE: This feature is not available for 13G Platforms or later.

TPM Command

Allows the user to control the Trusted Platform Module (TPM). This field is Read-Only when TPM Security is set to Off. The action requires an additional reboot before it can take effect.

Activate: The TPM is enabled and activated.
Deactivate: The TPM is disabled and deactivated.
None: No command is sent to the TPM.
Clear: All the contents of the TPM are cleared.
CAUTION: Clearing the TPM causes loss of all keys in the TPM. This could affect booting of the operating system.
NOTE: This feature is not available for 13th Generation Platforms or later.

Intel(R) TXT

Enables or disables Trusted Execution Technology. To enable Intel TXT, Virtualization Technology must be Enabled, TPM Security must be set to On with pre-boot measurements, and TPM Status must be Enabled, Activated. When TPM2 is used, the hash algorithm must be set to SHA256.

Memory Encryption

Enables or disables Intel Total Memory Encryption (TME) and Intel Total Memory Encryption Multi-Tenant (Intel TME-MT).

Multiple Keys: BIOS enables the TME-MT technology.
Single Key: BIOS enables the TME technology.
Disable: BIOS disables both TME and TME-MT technology.

Intel(R) SGX

Enables or disables the Intel Software Guard Extensions (SGX) technology. To enable Intel SGX, the following platform requirements must be met:

  • The CPU must be SGX capable.
  • SGX supports RDIMM memory configurations only.
  • SGX supports ECC DIMMs only.
  • Memory population must be compatible (minimum configuration: x8 identical DIMM1 to DIMM8 per CPU socket; the DIMM number may vary per platform design).
  • SGX supports only the same type of memory configuration across all CPUs.
  • SGX supports only the same interleaving mode across all CPUs.
  • The Memory Settings > Node Interleaving option must be Disabled.
  • The Memory Settings > Memory Operating Mode option must be Optimizer Mode.
  • The System Security > Memory Encryption option must be Enabled if TME Bypass for SGX is not supported.

Off: BIOS disables the SGX technology.
On: BIOS enables the SGX technology.
Software (if available): Allows an application to enable the SGX technology.

AC Power Recovery

Specifies how the system will react after AC power has been restored to the system. It is especially useful when systems are turned off with a power strip.

Last: The system turns on if the system was on when AC was lost. The system remains off if the system was off when AC was lost.
On: The system turns on after AC is restored.
Off: The system stays off after AC is restored.

AC Power Recovery Delay

Specifies how the system will support the staggering of power-up after AC power has been restored to the system.

Immediate: There is no delay for power-up.
Random: The system creates a random delay for power-up.
User Defined: The system delays power-up by the user-defined amount. The supported user-defined power-up delay range is from 60 s to 600 s.

User Defined Delay (60 s to 600 s)

Controls the duration for which the power-on process is delayed after the AC power supply is restored. The value is only effective if AC Power Recovery Delay is set to User Defined. The valid range is 60 s to 600 s.

UEFI Variable Access

Provides varying degrees of protection for UEFI variables.

Standard (default): The UEFI variables are accessible in the operating system as per the UEFI specification.
Controlled: The UEFI variables are protected in the operating system environment, and new UEFI boot entries are forced to the end of the current boot order.

In-Band Manageability Interface

When the option is set to Disabled, this setting hides the Management Engine's (ME) HECI devices and the system's IPMI devices from the operating system. This prevents the operating system from changing the ME power capping settings and blocks access to all in-band management tools. All management must then be performed out-of-band.

NOTE: BIOS update requires HECI devices to be operational, and DUP updates require IPMI interface to be operational. This setting must be set to Enabled to avoid update errors.

Secure Boot

Allows enabling of Secure Boot, where the BIOS authenticates each component that is executed during the boot process using the certificates in the Secure Boot Policy. The following components are validated in the boot process:

  • UEFI drivers that are loaded from PCIe cards
  • UEFI drivers and executables from mass storage devices
  • Operating system boot loaders
NOTE: Secure Boot is not available unless the Boot Mode (in the Boot Settings menu) is set to UEFI.
NOTE: Secure Boot is not available unless the Load Legacy Video Option ROM setting (in the Miscellaneous Settings menu) is Disabled.
NOTE: Create a setup password if you enable Secure Boot.

Secure Boot Mode

Configures how the BIOS uses the Secure Boot Policy Objects (PK, KEK, db, dbx). In Setup Mode and Audit Mode, PK is not present, and the BIOS does not authenticate programmatic updates to the policy objects. In User Mode and Deployed Mode, PK is present, and the BIOS performs signature verification on programmatic attempts to update policy objects. Deployed Mode is the most secure mode. Use Setup, Audit, or User Mode when provisioning the system, and then use Deployed Mode for normal operation. Available mode transitions depend on the current mode and PK presence.

Audit Mode is useful for programmatically determining a working set of policy objects. In Audit Mode, the BIOS performs signature verification on pre-boot images and logs the results in the Image Execution Information Table, but executes the images whether they pass or fail verification. For more information about transitions between the four modes, see the Secure Boot Modes section in the UEFI specification.
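The four modes above are exposed to the operating system as the UEFI variables SetupMode, AuditMode and DeployedMode, so an administrator can verify from the installed OS that a server left provisioning in Deployed Mode. The following check is an added example, not part of Server Administrator or this help page; it assumes the Linux efivarfs layout (a 4-byte attribute word followed by the variable data) and the EFI_GLOBAL_VARIABLE GUID, and the sample payloads are constructed.

```python
import os

# EFI_GLOBAL_VARIABLE GUID; SetupMode, AuditMode and DeployedMode live under it.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"
MODE_VARS = ("SetupMode", "AuditMode", "DeployedMode")

def parse_efivar_bool(raw: bytes) -> int:
    """Return the data byte of a BOOLEAN variable; efivarfs prefixes it with a
    4-byte attribute word that is not part of the value."""
    if len(raw) < 5:
        raise ValueError("efivar payload too short: 4 attribute bytes + 1 data byte expected")
    return raw[4]

def classify_secure_boot_mode(setup_mode: int, audit_mode: int, deployed_mode: int) -> str:
    """Map the three variables to the four modes the UEFI specification defines.
    SetupMode=1: no PK, policy objects writable unsigned (Setup or Audit Mode).
    SetupMode=0: PK present, updates signature-checked (User or Deployed Mode).
    Combinations the specification never produces are flagged, not guessed."""
    if setup_mode == 1 and deployed_mode == 0:
        return "Audit Mode" if audit_mode == 1 else "Setup Mode"
    if setup_mode == 0 and audit_mode == 0:
        return "Deployed Mode" if deployed_mode == 1 else "User Mode"
    return "Inconsistent"

def classify_from_raw(raw: dict) -> str:
    """Classify from raw efivarfs payloads keyed by variable name."""
    return classify_secure_boot_mode(*(parse_efivar_bool(raw[n]) for n in MODE_VARS))

def read_secure_boot_mode(efivars_dir: str = EFIVARS_DIR) -> str:
    """Read the live variables on a Linux host. AuditMode/DeployedMode are absent
    on firmware predating UEFI 2.5 and are then treated as 0."""
    raw = {}
    for name in MODE_VARS:
        path = os.path.join(efivars_dir, f"{name}-{EFI_GLOBAL_VARIABLE}")
        if os.path.exists(path):
            with open(path, "rb") as f:
                raw[name] = f.read()
        else:
            raw[name] = b"\x00\x00\x00\x00\x00"
    return classify_from_raw(raw)

# Constructed sample payloads: attribute word 0x06 (BS|RT), then one data byte.
SAMPLE_DEPLOYED = {"SetupMode": b"\x06\x00\x00\x00\x00",
                   "AuditMode": b"\x06\x00\x00\x00\x00",
                   "DeployedMode": b"\x06\x00\x00\x00\x01"}
```

Call `read_secure_boot_mode()` on the host as root; any result other than "Deployed Mode" on a production server means policy objects may still be updatable without signature verification.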

Secure Boot Policy

Sets the Secure Boot Policy.

Standard: When the option is set to Standard, the BIOS uses the key and certificates from the system manufacturer to authenticate pre-boot images.
Custom: When the option is set to Custom, the BIOS uses the user-customized key and certificates.
NOTE: If Custom mode is selected, the Secure Boot Custom Policy Settings menu is displayed.
NOTE: Changing the default security certificates may cause the system to fail booting from certain boot options.

Authorize Device Firmware

When the option is set to Enabled, this field adds the SHA-256 hash of each third-party device firmware to the Secure Boot Authorized Signature Database. After the hashes are added, the field automatically reverts to Disabled.

NOTE: This field is read-only unless Secure Boot is Enabled and Secure Boot Policy is Custom. This field is available only in secure system management consoles.

BIOS Update Control

Allows or prevents the BIOS update using DOS or UEFI shell based flash utilities. For environments not requiring local BIOS updates, it is recommended to set this field to Disabled.

NOTE: The BIOS updates via Update Package are not affected by this setup option.
Unlocked: Allows all BIOS updates.
Limited: Prevents local BIOS updates from DOS or UEFI shell based flash utilities, or from the Lifecycle Controller User Interface.
NOTE: Limited is recommended for environments that do not require local BIOS updates. These environments include Remote Enablement Update or executing Update Package from operating system.
For more information on the other buttons present in the Server Administrator Action pages, see Server Administrator Window Buttons.