@Chester-Gillon
Last active January 25, 2025 22:41
HP Z6 G4 BIOS settings

0. Introduction

Some notes about BIOS settings for a HP Z6 G4.

Came with Windows 11 Pro for Workstations 24H2 installed. Updated to Version 24H2 (OS Build 26100.2894).

Windows Control Panel -> System and Security -> BitLocker Drive Encryption reports for the Operating system drive C: BitLocker off. There are currently no other drives fitted. The reason for checking whether BitLocker was enabled was that, when checking for a BIOS update from within the BIOS, there was a warning that BitLocker should be disabled prior to updating the BIOS. The warning exists because a BitLocker key sealed to the TPM is bound to the firmware measurements (PCRs), which change when the BIOS is updated; an encrypted volume that has not been suspended or decrypted first would prompt for its recovery key on the next boot.

The Windows System Information reports BIOS Version/Date HP P60 v02.94, 17/05/2024

Downloaded sp143621.exe (the HP BIOS Configuration Utility, BCU) and installed it.

1. Save initial BIOS settings

From an Administrator Command Prompt saved the BIOS settings as delivered:

C:\SWSetup\SP143621>BiosConfigUtility64.exe /get:01_settings_as_delivered.txt
<BIOSCONFIG Version="" Computername="DESKTOP-BVUMP11" Date="2025/01/25" Time="19:18:03" UTC="0">
        <SUCCESS msg="No errors occurred" />
        <Information msg="BCU return value" real="0" translated="0" />
</BIOSCONFIG>

2. Update BIOS to 02.95

In the BIOS checked for updates, and updated to BIOS Version/Date HP P60 v02.95, 21/11/2024

Saved the settings after the update:

C:\SWSetup\SP143621>BiosConfigUtility64.exe /get:02_update_to_bios_v02.95.txt
<BIOSCONFIG Version="" Computername="DESKTOP-BVUMP11" Date="2025/01/25" Time="20:03:19" UTC="0">
        <SUCCESS msg="No errors occurred" />
        <Information msg="BCU return value" real="0" translated="0" />
</BIOSCONFIG>

Excluding version information, the only change to the settings is that DNS Addresses is now 192.168.0.1, whereas previously it was blank. That is the IP address of the DNS server used on the network, and presumably it was set as part of updating the BIOS from inside the BIOS.
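The comparison above, and the /setvalue: commands used in sections 3 and 4, can be made mechanical. The following is an added Python example, not code from this gist or from HP. It assumes the BCU text layout described in its docstring (unindented setting names, tab-indented values with the active one marked by a leading `*`, `;` metadata lines) and uses two constructed sample exports in place of 01_settings_as_delivered.txt and 02_update_to_bios_v02.95.txt:

```python
"""Compare two HP BCU exports and generate the /setvalue: commands for a target state.

Added example, not code from the gist or from HP. Assumed BCU export layout:
  - the 'BIOSConfig 1.0' header and lines starting with ';' (version, date) are metadata
  - a setting name is an unindented line
  - its selectable values follow, indented by a tab, the active one prefixed with '*'
  - a free-text setting (e.g. DNS Addresses) has one unstarred indented line as its value
"""

from typing import Dict, List, Optional, Tuple

Settings = Dict[str, Tuple[str, Tuple[str, ...]]]  # name -> (active value, listed values)

# Constructed samples standing in for the two real exports; only a few settings are shown.
AS_DELIVERED = """BIOSConfig 1.0
;
;     Originally created by BIOS Configuration Utility
;     Version: 4.0.36.1
;     Date="2025/01/25" Time="19:18:03" UTC="0"
;
Virtualization Technology (VTx)
\t*Disable
\tEnable
Virtualization Technology for Directed I/O (VTd)
\t*Disable
\tEnable
Trusted Execution Technology (TXT)
\t*Disable
\tEnable
DNS Addresses
\t
"""

# Same machine after the in-BIOS update: DNS Addresses has been filled in.
AFTER_UPDATE = AS_DELIVERED.replace('Time="19:18:03"', 'Time="20:03:19"').replace(
    "DNS Addresses\n\t\n", "DNS Addresses\n\t192.168.0.1\n")

# Target state from sections 3 and 4 of the notes, in the order they were applied.
DESIRED = {
    "Virtualization Technology for Directed I/O (VTd)": "Enable",
    "Virtualization Technology (VTx)": "Enable",
    "Trusted Execution Technology (TXT)": "Enable",
}


def parse_bcu(text: str) -> Settings:
    """Parse a BCU /get: export into {setting: (active value, all listed values)}."""
    listed: Dict[str, List[str]] = {}
    active: Dict[str, str] = {}
    name = None
    for raw in text.splitlines():
        if raw.startswith(";") or raw.startswith("BIOSConfig"):
            continue                                  # metadata, not a setting
        if raw[:1] not in ("\t", " "):                # unindented line: a setting name
            if raw.strip():
                name = raw.strip()
                listed[name] = []
            continue
        if name is None:
            raise ValueError(f"value line before any setting name: {raw!r}")
        value = raw.strip()
        if value.startswith("*"):                     # '*' marks the value in effect
            value = value[1:]
            active[name] = value
        listed[name].append(value)
    result: Settings = {}
    for name, values in listed.items():
        # A free-text setting has a single unstarred line; that line is its value.
        current = active.get(name, values[0] if len(values) == 1 else "")
        result[name] = (current, tuple(values))
    return result


def diff_settings(before: Settings, after: Settings) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Return (setting, old, new) for every setting whose active value differs.

    A setting present in only one export is reported with None on the missing side,
    which is how a firmware update that adds or removes options shows up.
    """
    changes = []
    for name in sorted(set(before) | set(after)):
        old = before[name][0] if name in before else None
        new = after[name][0] if name in after else None
        if old != new:
            changes.append((name, old, new))
    return changes


def setvalue_commands(current: Settings, desired: Dict[str, str],
                      exe: str = "BiosConfigUtility64.exe") -> List[str]:
    """Emit the BCU /setvalue: commands needed to move `current` to `desired`.

    Settings already at the wanted value are skipped, and a value the export does not
    list for an enumerated setting is rejected before anything is sent to the BIOS.
    """
    commands = []
    for name, wanted in desired.items():
        if name not in current:
            raise KeyError(f"setting not present in this BIOS: {name}")
        active, values = current[name]
        if len(values) > 1 and wanted not in values:
            raise ValueError(f"{name}: {wanted!r} is not one of {list(values)}")
        if active != wanted:
            commands.append(f'{exe} /setvalue:"{name}","{wanted}"')
    return commands


if __name__ == "__main__":
    before, after = parse_bcu(AS_DELIVERED), parse_bcu(AFTER_UPDATE)
    for name, old, new in diff_settings(before, after):
        print(f"{name}: {old!r} -> {new!r}")
    print("\n".join(setvalue_commands(after, DESIRED)))
```

Run against the real exports by reading the two files instead of the constructed strings; the generated commands match the form used in sections 3 and 4, and the value check stops a typo such as "On" from being sent to the firmware.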

3. Enable VTd

VTd was disabled by default. Enabled with:

C:\SWSetup\SP143621>BiosConfigUtility64.exe /setvalue:"Virtualization Technology for Directed I/O (VTd)","Enable"
<BIOSCONFIG Version="" Computername="DESKTOP-BVUMP11" Date="2025/01/25" Time="20:15:01" UTC="0">
        <SETTING changeStatus="pass" name="Virtualization Technology for Directed I/O (VTd)" returnCode="0">
                <OLDVALUE><![CDATA[Disable]]></OLDVALUE>
                <VALUE><![CDATA[Enable]]></VALUE>
        </SETTING>
        <SUCCESS msg="No errors occurred" />
        <Information msg="BCU return value" real="0" translated="0" />
</BIOSCONFIG>

Because of the issue with Windows 11 not booting after the update to 24H2 on a HP Z4 G4, on the 1st reboot after enabling VTd checked that the Windows 11 24H2 install media could boot, since that had also failed on the HP Z4 G4 when VTd was enabled.

On the HP Z6 G4 with VTd enabled:

  • The Windows 11 24H2 install media could boot.
  • The Windows 11 24H2 on the NVMe could still boot.
  • Booting AlmaLinux 9 from a live image and adding intel_iommu=on to the command line showed the IOMMU was enabled.

4. Enable other security / virtualisation options

Before enabling these options, System Information reported the following (Kernel DMA Protection was Off, but that line was omitted when copying the output):

  • App Control for Business policy Enforced
  • App Control for Business user mode policy Off
  • Automatic Device Encryption Support Elevation Required to View
  • Hyper-V - VM Monitor Mode Extensions Yes
  • Hyper-V - Second Level Address Translation Extensions Yes
  • Hyper-V - Virtualisation Enabled in Firmware No
  • Hyper-V - Data Execution Protection Yes

And in this state the option to install the Windows Sandbox feature is grayed out, with a tooltip:

Windows Sandbox cannot be installed: Virtualisation support is disabled in the firmware.

Enable VTx and TXT:

C:\SWSetup\SP143621>BiosConfigUtility64.exe /setvalue:"Virtualization Technology (VTx)","Enable"
<BIOSCONFIG Version="" Computername="DESKTOP-BVUMP11" Date="2025/01/25" Time="20:44:27" UTC="0">
        <SETTING changeStatus="pass" name="Virtualization Technology (VTx)" returnCode="0">
                <OLDVALUE><![CDATA[Disable]]></OLDVALUE>
                <VALUE><![CDATA[Enable]]></VALUE>
        </SETTING>
        <SUCCESS msg="No errors occurred" />
        <Information msg="BCU return value" real="0" translated="0" />
</BIOSCONFIG>
C:\SWSetup\SP143621>BiosConfigUtility64.exe /setvalue:"Trusted Execution Technology (TXT)","Enable"
<BIOSCONFIG Version="" Computername="DESKTOP-BVUMP11" Date="2025/01/25" Time="20:45:03" UTC="0">
        <SETTING changeStatus="pass" name="Trusted Execution Technology (TXT)" returnCode="0">
                <OLDVALUE><![CDATA[Disable]]></OLDVALUE>
                <VALUE><![CDATA[Enable]]></VALUE>
        </SETTING>
        <SUCCESS msg="No errors occurred" />
        <Information msg="BCU return value" real="0" translated="0" />
</BIOSCONFIG>

After a reboot System Information reported:

  • Kernel DMA Protection Off
  • Virtualisation-based security Not enabled
  • App Control for Business policy Enforced
  • App Control for Business user mode policy Off
  • Automatic Device Encryption Support Elevation Required to View
  • Hyper-V - VM Monitor Mode Extensions Yes
  • Hyper-V - Second Level Address Translation Extensions Yes
  • Hyper-V - Virtualisation Enabled in Firmware Yes
  • Hyper-V - Data Execution Protection Yes

I.e. Virtualisation is now Enabled in Firmware, but Kernel DMA Protection is still Off.

Was able to install Windows Sandbox, and after installing it System Information reported the following, showing a hypervisor is running:

  • Kernel DMA Protection Off
  • Virtualisation-based security Running
  • Virtualisation-based security required security properties
  • Virtualisation-based security available security properties Base Virtualisation Support, Secure Boot, DMA Protection, UEFI Code Readonly, SMM Security Mitigations 1.0, Mode Based Execution Control, APIC Virtualisation
  • Virtualisation-based security services configured
  • Virtualisation-based security services running
  • App Control for Business policy Enforced
  • App Control for Business user mode policy Off
  • Automatic Device Encryption Support Elevation Required to View
  • A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Device Security in the Windows Security app offers Core Isolation. Enabled Memory Integrity, which was the only disabled option; Kernel DMA Protection Off was still reported after a reboot.

The Microsoft Kernel DMA Protection documentation:

  1. Shows a Memory Access Protection section on the Core Isolation settings. However, there is no Memory Access Protection section shown on this PC.
  2. Says that, after enabling VTx and VTd:

    If the state of Kernel DMA Protection remains Off, then the system doesn't support Kernel DMA Protection.

Not sure if Memory Access Protection is only relevant for Thunderbolt and USB4.

The same documentation lists a firmware requirement beyond a working IOMMU: the platform must set the DMA_CTRL_PLATFORM_OPT_IN_FLAG in the ACPI DMAR table, so VT-d being enabled (as confirmed above from AlmaLinux) does not by itself make Windows report Kernel DMA Protection as On.
