HP Sure Admin Key Management Services (KMS) depends on a cryptographically secure infrastructure, the Secure Platform Management (SPM), previously released in HP BIOS to support features. HP Sure Admin KMS is a significantly more secure method for communicating with the BIOS than passwords, which can be leaked, stolen, or misused. HP SPM uses public key cryptography where a private key sign a payload and the target system uses the associated public key to verify its legitimacy when downloaded. Enabling KMS requires provisioning of a signed payload, and Secure Platform Management be provisioned in the BIOS.

The KMS tool provides an IT Admin with an environment to manage Keys. The tool is free; KMS Setup – Enhanced Security provides an additional layer of Security with VPN.

Overall steps to send a secure payload to the BIOS (e.g. Feature enablement, BIOS update, BIOS setting change, etc.)

• Payload is developed
• Payload is signed
• Payload is sent to target device
• BIOS checks Payload for validity
• BIOS accepts Payload (or rejects, if not valid)

Please see ‘Plans’ for KMS configuration options.

HP Sure Admin KMS is a feature on many HP Commercial PCs manufactured since 2018 (for several systems a new BIOS release will be required, some arriving by end of 2020).

NOTE: In the BIOS, HP Sure Admin KMS has a setting named ‘Enhanced BIOS Authentication Mode (EBAM) and Enhanced BIOS Authentication Mode Local Access Key1 (LAK). We will use HP Sure Admin KMS and EBAM interchangeably in this guide.

Click here for more information.