Same issue that is posted here: https://h30434.www3.hp.com/t5/Notebook-Operating-System-and-Recovery/Unable-to-switch-to-secure-boot...

 

How to enable "setup mode" / "enrollment mode" for secure boot on an HP laptop?

It is only possible to either enable secure boot with HP Factory default keys or not at all.

I need to load custom keys to enable secure boot with Linux.

My hardware is: HP Pavilion Plus Laptop 14-ew1xxx with BIOS version F.14


Hi @Wmatlost,

Welcome to the HP Support Community.
 

Thank you for posting your query. I will be glad to help you.

On HP consumer laptops, including the Pavilion Plus series, Secure Boot can only be enabled using factory default HP keys. Custom secure keys (PK/KEK/DB/DBX) cannot be imported, and the BIOS does not include a “Setup/Enrollment mode” to allow that functionality.

Why This Restriction Exists

HP’s consumer-focused systems are designed for broad compatibility and security with Windows. That means:

  • You can enable or disable Secure Boot, but only with HP's embedded keys
  • There’s no option to create a custom key store or switch to custom key mode
  • The settings to clear or import keys are hidden or grayed out for consumer SKUs


Supported Devices for Custom Secure Boot

To use Secure Boot with your own keys, you need an HP Business-class laptop (ProBook, EliteBook) or a Workstation, which includes the necessary BIOS options and key management menus.

Your Options on Pavilion Plus

  • You can enable Secure Boot (HP default) or disable it entirely through the BIOS: 
    • Press Esc, then F10 during boot → go to System Configuration → Boot Options → choose Secure Boot Enabled or Disabled.
  • Custom key management is not supported

 

I hope this helps.

 

Take care and have an amazing day!
 

Did we resolve the issue? If yes, please consider marking this post as "Accepted Solution" and click "Yes" to give us a helpful vote - your feedback keeps us going!

 

Regards,

VikramTheGreat
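
For readers who want to check which state their own firmware is in, the following added example (not part of the thread and not HP code) reads the standard UEFI `SecureBoot` and `SetupMode` variables from Linux efivarfs and reports whether the platform is in setup mode or user mode. The byte strings in the comments are constructed samples, and the result labels are this example's own names.

```python
import struct
from pathlib import Path

# EFI_GLOBAL_VARIABLE GUID from the UEFI specification
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")

def parse_efivar(raw: bytes) -> tuple[int, bytes]:
    """Split an efivarfs file into (attributes, data).
    efivarfs prefixes every variable with a 4-byte little-endian attribute word."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its attribute header")
    (attrs,) = struct.unpack_from("<I", raw)
    return attrs, raw[4:]

def flag(raw):
    """Return a one-byte boolean variable as 0/1, or None if it is absent."""
    if raw is None:
        return None
    _, data = parse_efivar(raw)
    if len(data) != 1:
        raise ValueError("expected a single-byte variable")
    return data[0]

def classify(secure_boot_raw, setup_mode_raw) -> str:
    """Map the two variables to a state label (labels are this example's own)."""
    sb, sm = flag(secure_boot_raw), flag(setup_mode_raw)
    if sb is None and sm is None:
        return "unavailable"      # legacy boot, or efivarfs not mounted
    if sm == 1:
        return "setup"            # no PK enrolled; key variables are writable
    if sb == 1:
        return "user-enforcing"   # PK enrolled, signatures are checked
    return "user-disabled"        # PK enrolled, Secure Boot switched off

def read_live(name: str):
    """Read a global variable from the running system, or None if unreadable."""
    try:
        return (EFIVARS / f"{name}-{EFI_GLOBAL_GUID}").read_bytes()
    except OSError:
        return None

if __name__ == "__main__":
    # Constructed sample of an enforcing system: SecureBoot=1, SetupMode=0
    #   SecureBoot -> b"\x06\x00\x00\x00\x01", SetupMode -> b"\x06\x00\x00\x00\x00"
    print(classify(read_live("SecureBoot"), read_live("SetupMode")))
```

On a machine whose firmware offers only factory keys with an on/off switch, as described in the reply above, this reports one of the two user-mode states and never `setup`.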


"On HP consumer laptops, including the Pavilion Plus series, Secure Boot can only be enabled using factory default HP keys. Custom secure keys (PK/KEK/DB/DBX) cannot be imported, and the BIOS does not include a “Setup/Enrollment mode” to allow that functionality."

 

This is in direct violation of Microsoft's Secure Boot certification:
https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/secure-...

All x86-based Certified For Windows PCs must meet several requirements related to Secure Boot:

  • They must have Secure Boot enabled by default.
  • They must trust Microsoft's certificate (and thus any bootloader Microsoft has signed).
  • They must allow the user to configure Secure Boot to trust other bootloaders.
  • They must allow the user to completely disable Secure Boot.

And is probably in violation of one or more antitrust laws as well.

Please provide a BIOS image that has this option unlocked to have proper support for non-Microsoft operating systems and to be in compliance with Microsoft's own Secure Boot certification program.

 


Hi @Wmatlost,

Thank you for taking the time to clearly outline your concern and for referencing Microsoft’s Secure Boot certification documentation. I understand why this is frustrating, especially if you are working with non-Microsoft operating systems or custom bootloaders.

Clarification on Secure Boot implementation

On HP consumer platforms (including Pavilion / Pavilion Plus series), Secure Boot is implemented as an OEM-controlled feature, not a fully user-managed Secure Boot environment.

While Microsoft defines certification requirements, the OEM (HP) is allowed to implement Secure Boot in a way that:

  • Trusts Microsoft’s UEFI CA (required)
  • Allows Secure Boot to be enabled or disabled (supported on HP consumer systems)
  • Uses OEM-managed Secure Boot keys

On these consumer systems:

  • Secure Boot can be enabled or disabled
  • The Platform Key (PK), KEK, DB, and DBX are factory-provisioned
  • Custom key enrollment and Setup/Enrollment mode are intentionally not exposed
  • Importing or replacing Secure Boot keys is not supported

This is by design and aligned with HP’s consumer security model, which prioritizes platform integrity, firmware protection, and reduced risk of firmware-level compromise.

About Microsoft certification

Microsoft’s requirements state that:

  • The system must trust Microsoft-signed bootloaders 
  • Secure Boot must be enabled by default 
  • The user must be able to disable Secure Boot 

However, allowing custom Secure Boot key enrollment is not mandatory on consumer-class devices. That level of control is typically provided on:

  • HP Business PCs (EliteBook, ProBook, ZBook)
  • HP Workstations
  • Certain enterprise-focused platforms

These models support:

  • Secure Boot key management
  • Setup/Enrollment mode
  • Custom PK/KEK/DB installation
  • Advanced Linux and non-Microsoft OS workflows


About providing a modified BIOS

HP is not able to provide:

  • BIOS images with unlocked or altered Secure Boot key management
  • Custom firmware builds
  • BIOS versions that bypass OEM security design

Doing so would:

  • Break firmware integrity guarantees
  • Violate platform security policies
  • Create significant security and support risks
     

Take care and have an amazing day!

Did we resolve the issue? If yes, please consider marking this post as "Accepted Solution" and click "Yes" to give us a helpful vote - your feedback keeps us going!

 

Regards,

VikramTheGreat


The certification clearly states "They must allow the user to configure Secure Boot to trust other bootloaders."

Please explain how the end user is supposed to do that when you can't enroll custom keys?


Hi @Wmatlost,

Thank you for getting back. Please note that support for this is limited, as we cannot make any changes.

To get you the best assistance, we need to take this conversation to a private chat. We're inviting you to a private message to protect your privacy and ensure that any sensitive information remains confidential. 

 

To access your private message, just click the little blue envelope icon on the upper right corner of your HP Community profile, next to your profile name.  

 

We're looking forward to helping you resolve this issue! 

 

Stay tuned, and thanks for your patience! 

 

VikramTheGreat

HP Support

I don't see the point in taking this to a private chat; anyone who has an HP laptop that wants to run Linux would benefit from this being solved publicly.

But based on your responses so far it seems HP is indeed in violation of the secure boot certification Microsoft offers, and HP's certification should be revoked until this is solved.
