HP Sure Start

Protect against any unauthorized changes to the BIOS
or critical firmware

  • A self-healing BIOS that now protects critical firmware that antivirus solutions can't protect.

    HP Sure Start automatically detects malware attacks, notifies the user, securely logs the event for IT and restores the most recent good version of the BIOS or firmware.

  • Unique Firmware Protection

    • Protection both before firmware is executed and at runtime
    • Protects CODE and DATA
    • Intel Manageability Engine firmware / AMD Secure Processor / CPU microcode
    • Cryptographically protected storage of settings and secrets
    • Dedicated/isolated policy and recovery firmware storage
    • Active even when PC is off
    • Closed and Open Chassis Direct Memory Access attack protection

Feature Availability

Included in select EliteBook, ZBook PCs


HP Sure Start is enabled by default for all applicable platforms shipped from the HP factory. There is no need to enable or otherwise “deploy” the feature. If your device ships with HP Sure Start, you are protected from the very first time you start it.

HP Sure Start is hardware enforced and exists in the BIOS. Reimaging a machine does not delete it or disable its monitoring and self-healing protection of your BIOS and critical firmware. Certain OS-dependent features of HP Sure Start (such as remote runtime monitoring or in-OS notifications in Windows® Event Viewer) can be changed or disabled depending on the OS used.

HP Sure Start protects against any unauthorized changes to the BIOS & critical firmware code or BIOS settings, both for the boot time code and the runtime code. These capabilities protect you from a variety of different attacks, including new firmware attacks that may surface in the future.

A DMA attack is one where an attacker uses peripheral hardware to bypass all existing OS memory access controls to read or write the OS main memory directly. Systems with HP Sure Start use virtualization hardware to block malicious DMA.

HP uses unique technology, backed by the HP Endpoint Security Controller, to isolate the HP Sure Start clean copy of the BIOS & critical firmware from the copy of the BIOS & critical firmware that are in use by the machine. It is hardware protected and inaccessible to hackers.

Compare Products
Select Store
HP employees: Report website issues