Reinventing Endpoint Security through Hardware-Enforced Resiliency and Zero Trust Endpoint Architecture

The digital landscape continues to change, and cybersecurity risks are evolving. In response to these trends, advanced security solutions are engineered directly into HP Business PCs and designed to protect your business. For almost two decades, HP has been committed to advancing hardware-enforced security to provide a deeply resilient and secure Business PC. Such a hardware-enforced approach is something only device manufacturers can accomplish.  

From the moment your PC is switched on, HP Wolf Security for Business⁷ solutions are working to protect against, detect, and recover from malicious cyberattacks. The hardware-enforced security starts below the operating system (OS) with the HP Endpoint Security Controller, a physically isolated and cryptographically protected hardware microcontroller that creates the hardware root of trust. This enables hardware-enforced self-healing, with manageable security solutions providing firmware, application, OS, and physical intrusion resiliency.

Zero Trust is the foundation of the HP Wolf Security for Business⁷ PC architecture, as an extension of the traditional concepts based on segmentation, identity, and access management. These Zero Trust design principles may be found across the entire spectrum of HP Wolf Security solutions on select HP PCs. Let’s examine the hardware-enforced solutions more closely, in the context of a Zero Trust approach.

The latest generation of HP Sure Start¹ builds on a legacy of over seven years of HP firmware resilience, which spans both HP PCs and HP Printers. Firmware runs at the highest level of privilege within a PC, and it is essential to protect this code. Zero Trust is at the heart of HP’s approach to firmware security, in that HP believes the CPU should not execute any line of firmware code until it has been verified for authenticity. Certainly, the PC should not be allowed to boot into the OS until the firmware has been checked and, if corrupted or compromised, corrected.

HP Sure Recover² uses the same hardware-enforced mechanism to restore the corporate image to the storage drive if the PC is unable to boot. Under Zero Trust principles, Sure Recover validates the authenticity of the image, to ensure it has not been tampered with, before the image is deployed to the drive. HP Sure Recover also provides a major resiliency function by speedily restoring the OS after it is corrupted or compromised.

If someone opens the PC’s cover unbeknownst to the owner, they can extract critical data or manipulate the components, and the integrity of the PC should no longer be trusted. HP Tamper Lock⁴ helps protect the device by locking it down after a physical intrusion event.

Protecting BIOS security settings is critical, as these settings protect the security and functioning of a PC. A simple BIOS admin password is no longer a safe method of securing access. HP Sure Admin⁴ uses modern cryptographic keys to securely access the BIOS settings, either locally or remotely.

Users are asked to make security decisions every day.  

  • Do I open this email attachment?
  • Do I click on this link?  

Just one wrong decision risks the entire business. HP Sure Click⁵ solves this by placing the risky activity inside an isolated container. Any malware will be trapped in the isolated container, kept away from the rest of the PC, and destroyed when the application or browser tab is closed.

In light of growing cybersecurity challenges, HP Wolf Security for Business⁶ solutions provide a way for organizations to extend their Zero Trust protection abilities into the endpoint and deliver an advanced level of security and resiliency to their organizations.


  1. HP Sure Start Gen6 is available on select HP PCs.
  2. HP Sure Recover Gen4 requires Windows 10 and an open network connection. You must back up important files, data, photos, videos, etc. before use to avoid loss of data. Network based recovery using Wi-Fi is only available on PCs with Intel Wi-Fi Module.
  3. HP Sure Admin requires Windows 10, HP BIOS, HP Manageability Integration Kit from http://www.hp.com/go/clientmanagement and HP Sure Admin Local Access Authenticator smartphone app from the Android or Apple store.
  4. HP Tamper Lock is an optional feature that must be configured at the factory and requires a supervisor password be established prior to use.
  5. HP Sure Click is available on most HP PCs and supports Microsoft® Internet Explorer, Google Chrome, and Chromium™. Supported attachments include Microsoft Office (Word, Excel, PowerPoint) and PDF files in read only mode, when Microsoft Office or Adobe Acrobat are installed.
  6. HP Wolf Security for Business includes HP Sure Start Gen, HP Sure Click, HP Sure Sense, HP Sure Admin, HP Sure Run, HP Sure Recover. See product data sheet for details.