
Statement of memory volatility

The purpose of this chapter is to provide general information regarding nonvolatile memory in HP Business computers. This chapter also provides general instructions for restoring nonvolatile memory that can contain personal data after the system has been powered off and the hard drive has been removed.
HP Business computer products that use Intel®-based or AMD®-based system boards contain volatile DDR memory. The amount of nonvolatile memory present in the system depends upon the system configuration. Intel-based and AMD-based system boards contain nonvolatile memory subcomponents as originally shipped from HP, assuming that no subsequent modifications have been made to the system and assuming that no applications, features, or functionality have been added to or installed on the system.
Following system shutdown and removal of all power sources from an HP Business computer system, personal data can remain on volatile system memory (DIMMs) for a finite period of time and will also remain in nonvolatile memory. Use the steps below to remove personal data from the computer, including the nonvolatile memory found in Intel-based and AMD-based system boards.
note:
If your tablet has a keyboard base, connect to the keyboard base before beginning steps in this chapter.
Current BIOS steps
  1. Follow substeps 1 through 12 below to restore the nonvolatile memory that can contain personal data. Restoring or reprogramming nonvolatile memory that does not store personal data is neither necessary nor recommended.
    1. Turn on or restart the computer, and then press esc while the “Press the ESC key for Startup Menu” message is displayed at the bottom of the screen.
      note:
      If the system has a BIOS administrator password, enter the password at the prompt.
    2. Select Main, select Apply Factory Defaults and Exit, and then select Yes to load defaults.
      The computer will reboot.
    3. During the reboot, press esc while the “Press the ESC key for Startup Menu” message is displayed at the bottom of the screen.
      note:
      If the system has a BIOS administrator password, enter the password at the prompt.
    4. Select the Security menu, select Restore Security Settings to Factory Defaults, and then select Yes to restore security level defaults.
      The computer will reboot.
    5. During the reboot, press esc while the “Press the ESC key for Startup Menu” message is displayed at the bottom of the screen.
      note:
      If the system has a BIOS administrator password, enter the password at the prompt.
    6. If an asset or ownership tag is set, select the Security menu and scroll down to the Utilities menu. Select System IDs, and then select Asset Tracking Number. Clear the tag, and then make the selection to return to the prior menu.
    7. If a DriveLock password is set, select the Security menu, and scroll down to Hard Drive Utilities under the Utilities menu. Select Hard Drive Utilities, select DriveLock, then uncheck the checkbox for DriveLock password on restart. Select OK to proceed.
    8. Select the Main menu, and then select Reset BIOS Security to factory default. Click Yes at the warning message.
      The computer will reboot.
    9. During the reboot, press esc while the “Press the ESC key for Startup Menu” message is displayed at the bottom of the screen.
      note:
      If the system has a BIOS administrator password, enter the password at the prompt.
    10. Select the Main menu, select Apply Factory Defaults and Exit, select Yes to save changes and exit, and then select Shutdown.
    11. Reboot the system. If the system has a Trusted Platform Module (TPM) and/or fingerprint reader, one or two prompts will appear—one to clear the TPM and the other to Reset Fingerprint Sensor; press or tap F1 to accept or F2 to reject.
    12. Remove all power and system batteries for at least 24 hours.
  2. Complete one of the following:
    • Remove and retain the storage drive.
    – or –
    • Clear the drive contents by using a third party utility designed to erase data from an SSD.
    – or –
    • Clear the contents of the drive by using the following BIOS Setup Secure Erase command option steps:
    note:
    If you clear data using Secure Erase, it cannot be recovered.
    1. Turn on or restart the computer, and then press esc while the “Press the ESC key for Startup Menu” message is displayed at the bottom of the screen.
    2. Select the Security menu and scroll down to the Utilities menu.
    3. Select Hard Drive Utilities.
    4. Under Utilities, select Secure Erase, select the hard drive storing the data you want to clear, and then follow the on-screen instructions to continue.
    – or –
    • Clear the contents of the drive by using the following Disk Sanitizer command steps:
    note:
    If you clear data using Disk Sanitizer, it cannot be recovered.
    note:
    Disk Sanitizer can take several hours to run. Plug the computer into an AC outlet before starting.
    1. Turn on or restart the computer, and then press esc while the “Press the ESC key for Startup Menu” message is displayed at the bottom of the screen.
    2. Select the Security menu and scroll down to the Utilities menu.
    3. Select Hard Drive Utilities.
    4. Under Utilities, select Disk Sanitizer, select the hard drive storing the data you want to clear, and then follow the on-screen instructions to continue.
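A way to spot-check the result of the drive-clearing options above, as an added example that is not part of HP's procedure: it reads one block from each region of the drive and reports any block that is not a uniform fill. Assumptions: the target is a Linux block device or a disk image, and the erase leaves 0x00 fill; a drive that erases by discarding an encryption key may return other data and needs a different check.

```python
import os
import random
import tempfile

BLOCK = 4096

def find_unerased_blocks(path, samples=1024, fill=b"\x00", seed=None):
    """Return byte offsets of sampled blocks that are not entirely `fill`.

    The target is split into `samples` equal regions and one random block is
    read from each, so the whole address range is covered; the first and last
    blocks (where partition tables live) are always read.
    """
    rng = random.Random(seed)
    expected = fill * BLOCK
    with open(path, "rb") as dev:
        total = dev.seek(0, os.SEEK_END) // BLOCK  # also works on Linux block devices
        if total == 0:
            raise ValueError("target is smaller than one block")
        regions = min(samples, total)
        picks = {0, total - 1}
        for r in range(regions):
            lo, hi = r * total // regions, (r + 1) * total // regions
            picks.add(rng.randrange(lo, hi))
        dirty = []
        for index in sorted(picks):
            dev.seek(index * BLOCK)
            if dev.read(BLOCK) != expected:
                dirty.append(index * BLOCK)
    return dirty

def demo():
    """Constructed 256 KiB image: all zeros, then with leftover bytes in block 10."""
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(b"\x00" * (64 * BLOCK))
    try:
        clean = find_unerased_blocks(img.name, samples=64)
        with open(img.name, "r+b") as f:
            f.seek(10 * BLOCK + 100)
            f.write(b"constructed leftover record")
        residual = find_unerased_blocks(img.name, samples=64)
    finally:
        os.unlink(img.name)
    return clean, residual

if __name__ == "__main__":
    print(demo())
```

When `samples` is at least the number of blocks, every block is read; a smaller value gives a faster statistical check that can miss isolated residue.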

Nonvolatile memory usage

HP Sure Start flash (select models only)
  • Amount (Size): 8 MBytes
  • Does this memory store customer data? No
  • Does this memory retain data when power is removed? Yes
  • What is the purpose of this memory? Provides protected backup of critical System BIOS code, EC firmware, and critical computer configuration data for select platforms that support HP Sure Start. For more information, see Using HP Sure Start (select models only).
  • How is data input into this memory? Data cannot be written to this device via the host processor. The content is managed solely by the HP Sure Start Embedded Controller.
  • How is this memory write-protected? This memory is protected by the HP Sure Start Embedded Controller.

Real Time Clock (RTC) battery backed-up CMOS configuration memory
  • Amount (Size): 256 Bytes
  • Does this memory store customer data? No
  • Does this memory retain data when power is removed? Yes
  • What is the purpose of this memory? Stores system date and time and noncritical data.
  • How is data input into this memory? RTC battery backed-up CMOS is programmed using the Computer Setup (BIOS), or changing the Microsoft® Windows date & time.
  • How is this memory write-protected? This memory is not write-protected.

Controller (NIC) EEPROM
  • Amount (Size): 64 KBytes (not customer accessible)
  • Does this memory store customer data? No
  • Does this memory retain data when power is removed? Yes
  • What is the purpose of this memory? Stores NIC configuration and NIC firmware.
  • How is data input into this memory? NIC EEPROM is programmed using a utility from the NIC vendor that can be run from DOS.
  • How is this memory write-protected? A utility is required to write data to this memory and is available from the NIC vendor. Writing data to this ROM in an inappropriate manner will render the NIC non-functional.

DIMM Serial Presence Detect (SPD) configuration data
  • Amount (Size): 256 Bytes per memory module, 128 Bytes programmable (not customer accessible)
  • Does this memory store customer data? No
  • Does this memory retain data when power is removed? Yes
  • What is the purpose of this memory? Stores memory module information.
  • How is data input into this memory? DIMM SPD is programmed by the memory vendor.
  • How is this memory write-protected? Data cannot be written to this memory when the module is installed in a computer. The specific write-protection method varies by memory vendor.

System BIOS
  • Amount (Size): 9 MBytes
  • Does this memory store customer data? Yes
  • Does this memory retain data when power is removed? Yes
  • What is the purpose of this memory? Stores system BIOS code and computer configuration data.
  • How is data input into this memory? System BIOS code is programmed at the factory. Code is updated when the system BIOS is updated. Configuration data and settings are input using the Computer Setup (BIOS) or a custom utility.
  • How is this memory write-protected? Note: Writing data to this ROM in an inappropriate manner can render the computer non-functional. A utility is required for writing data to this memory and is available on the HP website; go to http://www.hp.com/support. Select Find your product, and then follow the on-screen instructions.

Intel Management Engine Firmware (present only in select Elite or Z models. For more information, go to http://www.hp.com/support. Select Find your product, and then follow the on-screen instructions.)
  • Amount (Size): 1.5 MBytes or 7 MBytes
  • Does this memory store customer data? Yes
  • Does this memory retain data when power is removed? Yes
  • What is the purpose of this memory? Stores Management Engine Code, Settings, Provisioning Data and iAMT third-party data store.
  • How is data input into this memory? Management Engine Code is programmed at the factory. Code is updated via Intel secure firmware update utility. Unique Provisioning Data can be entered at the factory or by an administrator using the Management Engine (MEBx) setup utility. The third party data store contents can be populated by a remote management console or local applications that have been registered by an administrator to have access to the space.
  • How is this memory write-protected? The Intel chipset is configured to enforce hardware protection to block all direct read/write access to this area. An Intel utility is required for updating the firmware. Only firmware updates digitally signed by Intel can be applied using this utility.

Bluetooth flash (select products only)
  • Amount (Size): 2 Mbit
  • Does this memory store customer data? No
  • Does this memory retain data when power is removed? Yes
  • What is the purpose of this memory? Stores Bluetooth configuration and firmware.
  • How is data input into this memory? Bluetooth flash is programmed at the factory. Tools for writing data to this memory are not publicly available but can be obtained from the silicon vendor.
  • How is this memory write-protected? A utility is required for writing data to this memory and is made available through newer versions of the driver whenever the flash requires an upgrade.

802.11 WLAN EEPROM
  • Amount (Size): 4 Kbit to 8 Kbit
  • Does this memory store customer data? No
  • Does this memory retain data when power is removed? Yes
  • What is the purpose of this memory? Stores configuration and calibration data.
  • How is data input into this memory? 802.11 WLAN EEPROM is programmed at the factory. Tools for writing data to this memory are not made public.
  • How is this memory write-protected? A utility is required for writing data to this memory and is typically not made available to the public unless a firmware upgrade is necessary to address a unique issue.

Webcam (select products only)
  • Amount (Size): 64 Kbit
  • Does this memory store customer data? No
  • Does this memory retain data when power is removed? Yes
  • What is the purpose of this memory? Stores webcam configuration and firmware.
  • How is data input into this memory? Webcam memory is programmed using a utility from the device manufacturer that can be run from Windows.
  • How is this memory write-protected? A utility is required for writing data to this memory and is typically not made available to the public unless a firmware upgrade is necessary to address a unique issue.

Fingerprint reader (select products only)
  • Amount (Size): 512 KByte flash
  • Does this memory store customer data? Yes
  • Does this memory retain data when power is removed? Yes
  • What is the purpose of this memory? Stores fingerprint templates.
  • How is data input into this memory? Fingerprint reader memory is programmed by user enrollment in HP ProtectTools Security Manager.
  • How is this memory write-protected? Only a digitally signed application can make the call to write to the flash.

Questions and answers

  1. How can the BIOS settings be restored (returned to factory settings)?
    note:
    Restore defaults does not securely erase any data on your hard drive. See question and answer 6 for steps to securely erase data.
    Restore defaults does not reset the Custom Secure Boot keys. See question and answer 7 for information about resetting the keys.
    1. Turn on or restart the computer, and then press esc while the “Press the ESC key for Startup Menu” message is displayed at the bottom of the screen.
    2. Select Main, and then select Apply Factory Defaults and Exit.
    3. Follow the on-screen instructions.
    4. Select Main, select Save Changes and Exit, and then follow the on-screen instructions.
  2. What is a UEFI BIOS, and how is it different from a legacy BIOS?
    The Unified Extensible Firmware Interface (UEFI) BIOS is an industry-standard software interface between the platform firmware and an operating system (OS). It is a replacement for the older BIOS architecture, but supports much of the legacy BIOS functionality.
    Like the legacy BIOS, the UEFI BIOS provides an interface to display the system information and configuration settings and to change the configuration of your computer before an OS is loaded. BIOS provides a secure run-time environment that supports a Graphical User Interface (GUI). In this environment, you can use either a pointing device (Touchscreen, TouchPad, pointing stick, or USB mouse) or the keyboard to navigate and make menu and configuration selections. The UEFI BIOS also contains basic system diagnostics.
    The UEFI BIOS provides functionality beyond that of the legacy BIOS. In addition, the UEFI BIOS works to initialize the computer’s hardware before loading and executing the OS; the run-time environment allows the loading and execution of software programs from storage devices to provide more functionality, such as advanced hardware diagnostics (with the ability to display more detailed system information) and advanced firmware management and recovery software.
    HP has provided options in Computer Setup (BIOS) to allow you to run in legacy BIOS, if required by the operating system. Examples of this requirement would be if you upgrade or downgrade the OS.
  3. Where does the UEFI BIOS reside?
    The UEFI BIOS resides on a flash memory chip. A utility is required to write to the chip.
  4. What kind of configuration data is stored on the DIMM Serial Presence Detect (SPD) memory module? How would this data be written?
    The DIMM SPD memory contains information about the memory module, such as size, serial number, data width, speed/timing, voltage, and thermal information. This information is written by the module manufacturer and stored on an EEPROM. This EEPROM cannot be written to when the memory module is installed in a computer. Third-party tools do exist that can write to the EEPROM when the memory module is not installed in a computer. Various third-party tools are available to read SPD memory.
  5. What is meant by “Restore the nonvolatile memory found in Intel-based system boards”?
    This message relates to clearing the Real Time Clock (RTC) CMOS memory that contains computer configuration data.
  6. How can the BIOS security be reset to factory defaults and data erased?
    note:
    Resetting will result in the loss of information.
    These steps will not reset Custom Secure Boot Keys. See question and answer 7 for information about resetting the keys.
    1. Turn on or restart the computer, and then press esc while the “Press the ESC key for Startup Menu” message is displayed at the bottom of the screen.
    2. Select Main, and then select Reset Security to Factory Defaults.
    3. Follow the on-screen instructions.
    4. Select Main, select Save Changes and Exit, and then follow the on-screen instructions.
  7. How can the Custom Secure Boot Keys be reset?
    Secure Boot is a feature to ensure that only authenticated code can start on a platform. If you enabled Secure Boot and created Custom Secure Boot Keys, simply disabling Secure Boot will not clear the keys. You must also select to clear the Custom Secure Boot Keys. Use the same Secure Boot access procedure you used to create the Custom Secure Boot Keys, but make the selection to clear or delete all Secure Boot Keys.
    1. Turn on or restart the computer, and then press esc while the “Press the ESC key for Startup Menu” message is displayed at the bottom of the screen.
    2. Select the Security menu, select Secure Boot Configuration, and then follow the on-screen instructions.
    3. At the Secure Boot Configuration window, select Secure Boot, select Clear Secure Boot Keys, and then follow the on-screen instructions to continue.
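Question 7 notes that disabling Secure Boot does not clear custom keys. The following added example (not HP code) reads the UEFI variables through Linux efivarfs to confirm the keys are gone. Assumptions: efivarfs is mounted at /sys/firmware/efi/efivars, a cleared platform reports Setup Mode with empty PK, KEK, db and dbx, and the demo variables are constructed.

```python
import os
import struct
import tempfile

GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"    # EFI_GLOBAL_VARIABLE GUID
IMAGE_DB = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # EFI_IMAGE_SECURITY_DATABASE_GUID
KEY_VARS = {"PK": GLOBAL, "KEK": GLOBAL, "db": IMAGE_DB, "dbx": IMAGE_DB}

def read_var(efivars, name, guid):
    """Payload of an efivarfs variable, or None if the variable is absent."""
    try:
        with open(os.path.join(efivars, f"{name}-{guid}"), "rb") as f:
            return f.read()[4:]  # skip the 4-byte attributes word efivarfs prepends
    except FileNotFoundError:
        return None

def secure_boot_state(efivars="/sys/firmware/efi/efivars"):
    """Collect the SecureBoot/SetupMode flags and the size of each key variable."""
    def flag(name):
        data = read_var(efivars, name, GLOBAL)
        return data[0] if data else None
    sizes = {n: len(read_var(efivars, n, g) or b"") for n, g in KEY_VARS.items()}
    return {"SecureBoot": flag("SecureBoot"), "SetupMode": flag("SetupMode"),
            "key_bytes": sizes}

def remaining_keys(state):
    """Names of key variables that still hold data."""
    return sorted(n for n, size in state["key_bytes"].items() if size)

def keys_cleared(state):
    """Assumption: cleared keys leave the firmware in Setup Mode with no PK/KEK/db/dbx."""
    return state["SetupMode"] == 1 and not remaining_keys(state)

def demo():
    """Constructed efivars directories: Secure Boot disabled but keys kept, then keys cleared."""
    def build(root, variables):
        for (name, guid), (attrs, payload) in variables.items():
            with open(os.path.join(root, f"{name}-{guid}"), "wb") as f:
                f.write(struct.pack("<I", attrs) + payload)
    with tempfile.TemporaryDirectory() as kept, tempfile.TemporaryDirectory() as cleared:
        build(kept, {("SecureBoot", GLOBAL): (0x06, b"\x00"), ("SetupMode", GLOBAL): (0x06, b"\x00"),
                     ("PK", GLOBAL): (0x27, b"constructed-PK"), ("db", IMAGE_DB): (0x27, b"constructed-db")})
        build(cleared, {("SecureBoot", GLOBAL): (0x06, b"\x00"), ("SetupMode", GLOBAL): (0x06, b"\x01")})
        return secure_boot_state(kept), secure_boot_state(cleared)
```

In the first constructed state Secure Boot reads as disabled yet `remaining_keys` still lists PK and db, which is the situation the answer describes.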

Using HP Sure Start (select models only)

Select computer models are configured with HP Sure Start, a technology that continuously monitors your computer's BIOS for attacks or corruption. If the BIOS becomes corrupted or is attacked, HP Sure Start restores the BIOS to its previously safe state, without user intervention. These models ship with HP Sure Start configured and enabled, so most users can use the default configuration. Advanced users can customize the default configuration.
To access the latest documentation on HP Sure Start, go to http://www.hp.com/support. Select Find your product, and then follow the on-screen instructions.