@vf4wg5fr1, Welcome to the HP Support Community!  

Thanks for reaching out about your query regarding Enabling Secure Boot Enrolment Mode! 

We're thrilled to have the opportunity to assist you and provide a solution.  

To enable Secure Boot Enrolment mode on your HP Pavilion Aero Laptop 13-bg0000, follow these steps:

Access BIOS Setup:

• Turn on or restart your laptop and press the Esc key repeatedly to access the Startup Menu.
• Press F10 to enter BIOS Setup.

Navigate to Secure Boot Configuration:

• In the BIOS Setup utility, use the arrow keys to navigate to the Security tab.
• Scroll down and select Secure Boot Configuration.

Enable Secure Boot:

• If Secure Boot is currently disabled, set Secure Boot to Enabled.

Enable MS UEFI CA key:

• Sometimes, enabling Secure Boot requires configuring the UEFI keys.
• Navigate to Security tab again and ensure Enable MS UEFI CA key is selected.

Switch to Enrolment Mode:

• Locate the option for Secure Boot Mode and set it to Custom.
• Next, navigate to Key Management, select Enrolment Mode, and follow the on-screen instructions.

Save Changes:

• Press F10 to save changes and exit.
• Confirm by selecting Yes when prompted to save configuration changes.  

Hope this helps! 

Take care, and have an amazing day!  

Did we resolve the issue? If yes, Please consider marking this post as "Accepted Solution" and click "Yes" to give us a helpful vote - your feedback keeps us going!  

Regards, 

Thank you for your reply ZOEY7886
The Security tab does not contain Secure Boot options. However, the Boot Options tab does.
I can enable secure boot after I load HP Factory Default Keys.
After enabling secure boot and loading the default keys - I see no option for key management or enabling enrolment mode.
Here is a screenshot:

missing secure boot enrol option

@vf4wg5fr1, Thanks for the screenshot! Based on what you’ve shared and the image of the BIOS, here’s a breakdown of what’s happening and what you can try:

Observations from your BIOS:

Secure Boot is Enabled, and you've successfully loaded the HP Factory Default Keys.

There’s no visible “Custom” mode or “Key Management” option in your current BIOS screen.

You are on the "Boot Options" tab, where Secure Boot settings are present — not under a "Security" tab (as often found on other HP models).

Why you’re not seeing Enrolment Mode / Key Management:

Many HP BIOS versions hide advanced Secure Boot settings (like Key Management or Custom Mode) unless:

Secure Boot is disabled first, and

The BIOS is in Advanced or Custom mode, which may not be shown by default.

Try These Steps:

1. Disable Secure Boot First:

In the Boot Options, set Secure Boot to Disabled.

Save and exit the BIOS (F10).

2. Re-enter BIOS and Check for "Secure Boot Mode" Setting:

Reboot and enter BIOS again (Esc > F10).

See if a new option appears — something like:

Secure Boot Mode: [Standard] / [Custom]

If available, set it to Custom.

3. Load HP Factory Default Keys Again (if prompted):

After setting Secure Boot to Custom, you might need to reload the default keys or enter Key Management.

4. Look for Key Management / Enrolment Mode:

Under Boot Options or sometimes under Security tab (depending on BIOS version), see if you now have access to:

Key Management

Enroll All Factory Default Keys

Install Default Keys

or similar

5. Re-enable Secure Boot:

Once the keys are managed or enrolled, go ahead and enable Secure Boot again.

Did we resolve the issue? If yes, Please consider marking this post as "Accepted Solution" and click "Yes" to give us a helpful vote - your feedback keeps us going!  

Regards,

Thanks Zoey,
The security tab never changes regardless of whether secure boot is enabled or not. The security tab only has TPM settings.
I tried enabled secure boot, disabling secure boot, clearing keys, reloading keys - but I am never given an option to enrol keys. I should be able to clear keys and enable secure boot to activate enrol mode - but when the keys are cleared I can't activate secure boot nor is there an option to enrol keys.

If I boot the OS with the keys cleared and secure boot disabled it confirms secure boot enrolment is not active.
Maybe there is a way to enable advanced settings in the bios?

@vf4wg5fr1, thanks again for the detailed follow-up — really appreciate your patience!

You're absolutely right to expect “Enroll Keys” to appear after clearing keys and setting Secure Boot to Custom, but on certain HP consumer laptops like your Pavilion Aero, advanced BIOS settings — including full key management — are intentionally hidden and unfortunately can’t be unlocked manually (there’s no Advanced BIOS toggle available).

Here’s what you can try instead:

Reset BIOS to Defaults: Sometimes, a clean reset helps expose missing Secure Boot modes.

In BIOS, press F9 to load Setup Defaults → then try again.

Update BIOS Firmware: If you haven’t already, check HP Support Assistant or HP Drivers page for the latest BIOS. An update might unlock or fix Secure Boot behavior.

Use HP Factory Keys Only: Since custom enrolment isn’t supported, stick with "Load HP Factory Default Keys" under Secure Boot and keep Secure Boot Enabled for best compatibility.

I know it’s not ideal, especially if you're trying something like dual-booting or Linux verification — but HP locks down advanced UEFI key management on most consumer models for security and simplicity.

Did we resolve the issue? If yes, Please consider marking this post as "Accepted Solution" and click "Yes" to give us a helpful vote - your feedback keeps us going!  

Regards,

Hey Zoey7886,

I tried resetting the bios and security tab to default settings but that had no effect.

I also tried holding F9 during boot and then F10 to enter bios and reset the defaults again.

I'm concerned I am unable to replace the keys. You said "consumer laptops like your Pavilion Aero, advanced BIOS settings — including full key management — are intentionally hidden and unfortunately can’t be unlocked manually (there’s no Advanced BIOS toggle available)." Is this documented anywhere? Microsoft has details regarding secure boot and their certification requirements. It states:

All x86-based Certified For Windows PCs must meet several requirements related to Secure Boot:

• They must allow the user to configure Secure Boot to trust other bootloaders.

So if HP is intentionally hiding key enrolment from users and this feature can't be unlocked manually, HP is violating the Microsoft Windows 11 certification requirements.

@vf4wg5fr1, Welcome to the HP Support Community! 

We're here to help you tackle that Enabling Secure Boot Enrolment Mode! Don't worry, we've got your back! 

To get you the best assistance, we need to take this conversation to a private chat. We're inviting you to a private message to protect your privacy and ensure that any sensitive information remains confidential. 

To access your private message, just click the little blue envelope icon on the upper right corner of your HP Community profile, next to your profile name.  

We're looking forward to helping you resolve this issue! 

Stay tuned, and thanks for your patience! 

Regards,