Secure Boot Settings#
General#
- Secure Boot
-
Whether to prevent unauthorized operating systems from running at boot time.
Set to On if
OS Optimized Defaults
has value On.Possible options:
- On
- Off – Default
WMI Setting name Values Locked by SVP AMD/Intel SecureBoot Disable, Enable Yes* Both - On systems produced after 2020, Secure Boot setting can only be set to Disable using WMI when an SVP is passed.
- Secure Boot can always be set to Enable without a password.
- Secure Boot Mode
-
Possible modes:
- Setup mode
- User mode - default.
- Secure Boot Key State
-
Possible modes:
- Custom mode
- Standard mode - default.
- Reset to Setup Mode
-
This option is used to clear the current Platform Key and put the system into setup mode.
- You can install your own Platform Key and customize the Secure Boot signature databases in setup mode.
- Secure Boot Mode will be set to Custom Mode.
- Requires additional confirmation.
- Restore Factory Keys
-
Restore all keys and certificates in Secure Boot databases to factory defaults.
- Any customized Secure Boot settings will be erased.
- The default Platform key will be re-established along with the original signature databases including certificate for Microsoft (R) Windows 10 (R).
- Requires additional confirmation.
- Clear All Secure Boot Keys
-
Clear all keys and certificates in Secure Boot databases.
- You can install your own keys and certificates after selecting this option.
- Requires additional confirmation.
- Allow Microsoft 3rd Party UEFI CA
-
Whether to allow installation of Microsoft 3rd Party UEFI CA in Secure Boot DB, and trust it in Secure Boot.
If add-on cards are supported, Microsoft 3rd Party UEFI CA will not be removed until load boot loader.
Options:
- Off - Default.
- On.
WMI Setting name Values SVP or SMP Req'd AMD/Intel Allow3rdPartyUEFICA Disable, Enable yes both
Key Management#
- Platform Key (PK)
-
The platform key establishes a trust relationship between the platform owner and the platform firmware.
The platform owner enrolls the public half of the key into the platform firmware.
The platform owner can later use the private half of the key to change platform ownership or to enroll a Key Exchange Key.
Standard Windows commands are supported:
- Key Exchange Key (KEK)
-
Key exchange keys establish a trust relationship between the operating system and the platform firmware.
Each operating system (and potentially, each 3rd party application that needs to communicate with platform firmware) enrolls a public key into the platform firmware.
Standard Windows commands are supported:
- Authorized Signature Database (DB)
-
Database keys shows the list of allowed certificates.
System will check digital signatures of bootloaders using public keys in the DB.
Only software or firmware which has a bootloader signed with a corresponding private key will be allowed to run.
Standard Windows commands are supported:
- Forbidden Signature Database (DBX)
-
Forbidden Signature Database shows not allowed certificates.
System will block any software or firmware signed with a corresponding private key.
Standard Windows commands are supported: