UEFI pre-boot guidelines and Microsoft® Windows® 8 UEFI Secure Boot for HP Business PCs PPS business notebooks, desktop, and workstations - Technical White Paper
Technical white paper | UEFI Secure Boot on HP business notebooks, desktops, and workstations 
10 
To complete the process, you are required to type in a random four-digit verification code that is displayed in the message 
generated by the BIOS. 
Secure Boot Key management for notebooks 
Figure 6. HP Platform Key Management for notebooks. 
Factory-default HP BIOS will have the HP platform key (PK), Microsoft key exchange key (KEK), Microsoft database (db), an 
empty blacklist database (dbx) populated, and the system will be in User Mode. No new PK enrollment is allowed. The HP 
Platform Key is different from the HP firmware-signing key. For the first implementation (starting with 2012), the HP PK is a 
certificate named “
Hewlett-Packard UEFI Secure Boot Platform Key” issued by HP. The BIOS signing key is RAW-CMIT-
BIOS2012. The Microsoft KEK is a certificate named “
Microsoft Corporation KEK CA 2011.” 
The User Mode section will be grayed out. The information will be listed but not changeable. The Clear Secure Boot Keys 
selection will also be grayed out. After the user disables Secure Boot, the Clear Secure Boot Keys option will be available.  
Simply disabling Secure Boot will not change the mode. While still in User Mode, the keys currently enrolled in the system 
are preserved and the remainder of the section is grayed out. The user then has to then select 
Clear Secure Boot Keys. Then 
the BIOS goes to “Setup User Mode” (Figure 7) and the mode section becomes available. 
Now that the system is in Setup Mode, the user can choose HP Factory keys versus Customer Keys. When the user selects 
Customer Keys, there is actually no key in the BIOS database. The user has to use an application in the OS to get the keys 
(PK, KEK, dbx) into the BIOS. 
Note 
If the user tries to import the HP PK again when the selection is the Customer Keys, the BIOS will reject the PK. 
Operating System Boot Mode Change  
A change to the operating system Secure Boot mode is pending. Please enter the pass code displayed below to 
complete the change. If you did not initiate this request, press the ESC key to continue without accepting the pending 
change.  
Operating System Boot Mode Change (021) 
XXXX + ENTER - to complete the change 
ESC – continue without changing 
For more information, please visit: 
www.hp.com/go/techcenter/startup










