Secure Boot Customization

Under most circumstances, it is not necessary to change Secure Boot Customization from its default setting. The most common case where a change might be necessary is when the OS is Linux and drivers that are not part of the distribution are being installed. Such a driver is sometimes called an out-of-box driver, as opposed to the in-the-box drivers that are part of standard Linux distributions. In these cases, it may be necessary to customize the secure boot policy.

To set the Secure Boot Customization in the System Setup Utility, do the following:
  1. Start the System Setup Utility. See Get started.

  2. On the Security menu, select Secure Boot > Secure Boot > Secure Boot Customization. Ensure that Secure Boot Customization is set to Custom or Standard.

To add or delete Secure Boot Keys for Secure Boot, do the following:
  1. Start the System Setup Utility. See Get started.

  2. On the Security menu, select Secure Boot > Secure Boot > Secure Boot Customization. Ensure that Secure Boot Customization is set to Custom.

  3. If you are using an “out-of-box driver”, you will likely need to add your own keys to the Secure Boot database using the Custom secure boot policy. The keys that are usually required include the Platform Key (PK), the Key Exchange Key (KEK), the Authorized Signature Database (DB) and the Forbidden Signature Database (DBX). These keys are used by the UEFI firmware to validate the components of the system being loaded during the boot process.

  4. Delete Unnecessary Secure Boot Keys.

    When the secure boot policy is set to Custom, you can delete secure boot keys that are stored in the database if you do not require the existing key. You can also reset all keys back to the factory defaults if required.
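
After adding or deleting keys, the contents of the key databases can be audited from a running Linux system. The following is an added example, not code from the vendor documentation: it parses the UEFI EFI_SIGNATURE_LIST format in which PK, KEK, DB and DBX are stored. It assumes the variables are read through efivarfs; the sample data, owner GUID and helper names are constructed for illustration.

```python
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
SIG_TYPES = {
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "x509",
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "sha256",
}
HDR = 28  # SignatureType (16) + ListSize, HeaderSize, SignatureSize (4 each)


def parse_esl(data):
    """Parse concatenated EFI_SIGNATURE_LISTs into (type, owner, payload) tuples."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < HDR:
            raise ValueError("truncated signature list header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])  # EFI GUIDs are mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        body = list_size - HDR - hdr_size
        if body < 0 or off + list_size > len(data) or sig_size <= 16 or body % sig_size:
            raise ValueError("inconsistent signature list sizes")
        for p in range(off + HDR + hdr_size, off + list_size, sig_size):
            owner = uuid.UUID(bytes_le=data[p:p + 16])
            entries.append((SIG_TYPES.get(sig_type, str(sig_type)), owner,
                            data[p + 16:p + sig_size]))
        off += list_size
    return entries


def read_efivar(path):
    """Read a variable from efivarfs, dropping the 4-byte attribute prefix."""
    with open(path, "rb") as f:
        return f.read()[4:]


def build_esl(sig_type, owner, items):
    """Build one signature list (used only to construct the sample below)."""
    sig_size = 16 + len(items[0])
    return (sig_type.bytes_le + struct.pack("<III", HDR + sig_size * len(items), 0, sig_size)
            + b"".join(owner.bytes_le + item for item in items))


# Constructed sample: two SHA-256 entries and one placeholder "certificate".
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
X509, SHA256 = list(SIG_TYPES)
SAMPLE = (build_esl(SHA256, OWNER, [b"\x11" * 32, b"\x22" * 32])
          + build_esl(X509, OWNER, [b"constructed-der-bytes"]))

if __name__ == "__main__":
    # On a live system, for example:
    # read_efivar("/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f")
    for kind, owner, payload in parse_esl(SAMPLE):
        print(kind, owner, len(payload), "bytes")
```

Comparing the parsed entries before and after a change in the System Setup Utility shows exactly which keys were added or removed.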