Transcript for:
Understanding BIOS Configuration and Security

When you start your computer, the BIOS loads, and if you'd like to gain access to the BIOS configuration, then you'll have to press the key associated with the BIOS setup during that startup process. Often this is the Delete key or one of the function keys, but occasionally it's a combination of keys that get you access to the BIOS configuration.

If you're in Windows and using some virtualization software like Hyper-V, you can gain access to the BIOS using Hyper-V instead of changing the BIOS of your actual computer. You can do the same thing with VMware's Workstation Player in Windows. But if you're using VirtualBox, there's no access to the BIOS in that virtualization software, so you may have to look around for some other options. For example, online you might want to search for "UEFI BIOS simulator," and you'll find a number of options out there for offline BIOS simulation.

One problem you might run into if you're running Windows 8, Windows 10, or Windows 11 is when you start your computer, there's no option to press a key to start the BIOS. Instead, Windows simply starts immediately. That's because in these versions of Windows there's a feature called Fast Startup that's turned on by default, and when you power down your system, you're actually putting your system into a hibernated state where Windows is not completely shut down. So when you start your system up, it's not starting from the beginning of a boot process. Instead, it's simply waking up from where it left off.

There are a number of different ways to bypass this Fast Startup process. One is that you could hold down the Shift key when clicking Restart in the Windows desktop, or you can enable and disable this capability from Settings, Update and Security, Recovery, Advanced startup, and then Restart now. There's also a system configuration setting for restarting your system, and you'll find that under msconfig. But if you don't have access to the desktop, or you're not able to use any of these other options, you can simply interrupt the normal boot process three times. After that third interruption, Windows realizes that you would really like to start this system from the very beginning. It disables the Fast Startup process and allows you access to the normal boot process.

It's very possible to make changes to your BIOS that could cause your system to have boot failures or not start at all. That's why it's very important, before you make any changes to the BIOS, that you have a backup of all of those BIOS settings. Some BIOS implementations allow you to download a copy of the configuration, but you can also make notes of what you're changing so you know exactly what to change it back to if there's any problems. And of course, you probably have your phone with you, so you can always take a picture of the screen to make sure you know what the settings are.

There are a lot of settings inside of the BIOS, and it's very easy to make a change that could cause the system to have a problem. So you want to be sure, if you're making any modifications to the BIOS, that you know exactly what those changes will do. And if you end up making a change and there's a problem, you've got a backup and you have pictures of what it was originally, so you can always go back to your BIOS configuration, change the configuration back to the original settings, and restart your system.

When we power on our system, the BIOS is in control and has a lot of different configuration settings that determine what the BIOS should do next. Inside of the BIOS there are some settings that can disable some of the hardware of your computer. So if you'd like to prevent your operating system from having access to any of your system's hardware, you can disable that hardware in the BIOS and it will be invisible to the operating system.

You can also configure where the BIOS should go to boot your system. You can tell the BIOS to look for a bootable USB drive; if it doesn't find a bootable USB drive, then go to the SSD; if the SSD is not available, then try booting from the hard drive. You can determine which boot devices are available to your system and in which order these boot devices should be checked.

Here are some of these boot options from a Lenovo UEFI BIOS. This is the Startup option, and you can see there is an option for a primary boot sequence, and it will be used when the system is powered up normally. If we click on the primary boot sequence, it brings us to a number of options, and you can see exactly which order the storage drives use. It starts with the SATA 2 drive, it then moves to the M.2 drive, and then the SATA 1 drive. There are other options in here as well, such as the network, USB, CD-ROM, and others. You can enable or disable any of these boot-up options or modify the order in which they're used.

I mentioned earlier that you can use this BIOS configuration to enable or disable certain hardware that's on your system. A good example of this is the configuration you have for USB connections. This can be especially important in environments that are highly secure, because the USB drive allows you to connect external storage drives, flash drives, and other storage devices, so that if somebody wanted to take that data out of your facility, they could do it very easily from that USB interface. Imagine having top secret information that is stored in very large databases and being able to transfer all of that information in a matter of seconds and simply walk out the door.

That USB interface could also be a way for someone to gain access to your systems. In 2008, the United States Department of Defense had to disable all of the USB interfaces on their systems and disallow the use of any type of flash media. That's because someone connected a USB drive that was infected with the SillyFDC worm, and they plugged it in to their Department of Defense computer. From there, the worm was able to gain access and move between systems that were within the Department of Defense network. This resulted in a ban of USB-connected storage devices, and the IT team had to disable all of the USB interfaces on the Department of Defense computers.

To disable these USB interfaces in the BIOS, you would find the Devices section of your BIOS, and in this BIOS you can disable USB access completely, or you can modify exactly which USB interface you would like to enable or disable.

Our computing systems create a lot of heat, and there's usually fans inside of our computers that help keep everything cool. You can usually control what those fans are doing through a number of different BIOS configurations. There may be many fans inside of your system. You might have a fan dedicated for cooling the CPU and other fans that help cool everything else in the chassis. Many motherboards have an integrated fan controller that's able to look at the temperature inside of your system and either increase or decrease how much airflow may be going through your computer. So as you use your system more, this fan controller can help compensate by pulling more cool air through your computer.

To be able to use this controller, you need to connect directly to the fan connections on the motherboard. Those are usually well marked, and you can plug directly in with your existing fans. In the BIOS you may have an option for configuring this particular setting. In this Lenovo, it's under the Power option, under Intelligent Cooling, and you can decide whether you would like better performance or whether you would like to have a quieter system and have the best experience.

We spend a lot of time managing malware and making sure that we have anti-virus software running in our operating system, but we also have to think about protecting the BIOS before your system boots, to make sure that it does not become corrupted with any type of malware. One way that we can monitor for this is through Secure Boot. This is part of the UEFI specification, so every system running a UEFI BIOS has the ability to run Secure Boot. This uses digital signatures to be able to verify that the boot process it's going through has not been modified by a third party. This can keep malware from making any changes to your system, and if changes are identified, it can stop the boot process and limit the scope of that malware. This is supported with most operating systems, so if you're running Windows or Linux or other operating systems, there's probably an option there to use that operating system with Secure Boot.

To be able to use Secure Boot, your operating system has to have a digital signature associated with it that is checked during the startup process. This means that the public key for the manufacturer of that operating system already has to be available in the BIOS itself. The BIOS also has fail-safes built in to prevent anyone from making changes to this important information. Secure Boot verifies the digital signature associated with the bootloader with the public key that's already embedded within the BIOS, and if that verifies, the system has not been modified and it can continue with the boot process.

If you're using an operating system that doesn't support Secure Boot, then you may need to modify that in the BIOS itself. You can see in this Lenovo BIOS there is a Secure Boot option under the Security tab, and you have the ability to enable or disable Secure Boot.

Your BIOS can also limit who might be able to start your computer and who might be able to make changes to the BIOS. If you add a user password to your BIOS, then the system will not start unless you provide the correct password to be able to gain access to the system. This would prevent any unauthorized users from starting your operating system. You can also set a supervisor password in your BIOS that will restrict anyone from changing any of the BIOS settings. This would be especially important if you were disabling certain types of hardware or requiring additional passwords during the startup process. You want to be sure that no one else can modify those changes, so you might set a supervisor password to gain access to the BIOS config.

This password is built into the BIOS. It's not part of your operating system, so if you forget any of these passwords, you'll need to reset the BIOS to regain access to your system. This password information is stored in your BIOS configuration along with all of your other configuration settings, and this is usually on a flash memory that is on the motherboard itself. You may see some legacy references to this as the CMOS of your system, or the complementary metal oxide semiconductor, and indeed that was a type of memory that we used to use that was associated with your BIOS. But these days, all of your BIOS configurations are stored in flash memory that's connected to the motherboard.

Because it's in flash memory, but you're not able to access the system through that flash memory, you have to completely delete your configuration or reset the BIOS config. This is commonly done with a jumper. You would short two pins on the motherboard, power up your system, and that would clear any of those configuration settings in your BIOS.

Let's see how we might do this on a motherboard. This is an ASUS motherboard, and if we look down at the bottom of the motherboard, we have the BIOS and we have a jumper that's labeled CLRTC. This stands for clear real-time clock. Here are two pins on the motherboard. You can see they're not touching each other, so currently those two pins are not jumpered or not shorted. We would use a jumper to be able to push down onto those pins, and that would then connect the two pins together. Here's a better picture showing the connection between those two pins. We would push that jumper onto the two pins so that we've created a short between both of those pins. We would power on our system, and that would reset the BIOS configuration.

You may also notice on your motherboard that there is a battery on the motherboard. This is one of these flat batteries. This one's labeled CR2032. It's a three-volt lithium ion battery. On most modern motherboards, this battery is simply there to maintain the date and time configuration when your system is not connected to a power source. If the battery goes bad, you'll notice that the date and time on your system will reset back to the original settings when you start your computer. On older systems that did not save the BIOS configuration into flash memory, you could reset the BIOS by removing and then reinserting this battery onto the motherboard. These days, this is only keeping the date and time, and removing and reinserting the battery will not have any change to your BIOS configuration. Here's a view of the battery on the motherboard. It's very easy to find, and it's very simple to replace if the battery happens to become discharged.

Your motherboard might also support additional hardware in the form of a Trusted Platform Module, or a TPM. This TPM is designed to provide cryptographic functions. This is especially important if you're using full disk encryption on your system, because you'll need a cryptographic key to be able to decrypt all of the data stored on that storage device. You can see that this TPM does have a processor on it that's used for cryptographic functions, so if you need to create cryptographic keys or perform other cryptographic functions, it's commonly done through the TPM that's on your motherboard. This also has persistent memory on it, so that certain keys can be burned into the TPM and never be changed as long as they're connected to your computer. This allows us to verify keys that might be on our system already, or we can use this to be able to digitally sign data and send it to a third party and verify that that information originated on that TPM.

You might think that you'd be able to hack into the TPM and gain access to this data, but this is a secure environment, and it's already designed to prevent attacks such as a brute force from gaining access to that data. And back in the BIOS configuration, you can make changes to the TPM configuration. For example, you can enable or disable all of the TPM features that are running on your motherboard.

In many organizations, you may find there are many cryptographic keys that need to be managed. To be able to provide this management, you might want to use a hardware security module, or an HSM. This is very often a stand-alone device or purpose-built appliance that's able to provide this cryptographic function. This HSM could also be an adapter card that you install into a server that provides this HSM functionality. This HSM might be used as a key backup for all of the servers you might have in your environment. All of those keys are stored securely on this HSM, and no one has direct access to those keys. You might also find lightweight HSMs that are in the form of a smart card or a USB drive. Those are commonly used to store personal keys that you would be able to take with you.

And another nice feature of an HSM, especially one that is a purpose-built appliance, is the ability to have cryptographic accelerators built into the hardware of this system. This means that you could offload some of the cryptographic functions used by your servers onto the HSM, which would increase the overall throughput of your applications.