EFI Preboot Guidelines and Windows 8 UEFI Secure Boot for HP Business Notebooks and Desktops PPS Business Notebook and Desktop Technical white paper
Operating System Boot Mode Change 
A change to the operating system Secure Boot mode is pending. Please enter the pass code displayed below to 
complete the change. If you did not initiate this request, press the ESC key to continue without accepting the 
pending change.  
Operating System Boot Mode Change (021) 
XXXX + ENTER - to complete the change 
ESC – continue without changing 
For more information, please visit: www.hp.com/go/techcenter/startup 
For Win7 desktops and earlier, the F10 settings combination of Legacy Support “Enabled”, Secure Boot “Disabled”, and Fast Boot “Disabled” results in CSM support. This is the desktop equivalent of the notebook “Legacy” setting (there is an actual “Legacy Support” setting in the desktop BIOS).
For Win8 desktops with Secure Boot, the F10 settings combination of Legacy Support “Disabled”, Secure Boot “Enabled”, and Fast Boot “Enabled” results in no CSM support. This is the desktop equivalent of the notebook “UEFI Native”, but there is no explicit “UEFI Native” setting in the desktop BIOS.
For Win8 desktops without Secure Boot, the F10 settings combination of Legacy Support “Enabled”, Secure Boot 
“Disabled”, and Fast Boot “Disabled” results in having both EFI and CSM support. The cost of having the CSM support is 
not having Secure Boot. This is the desktop equivalent of the notebook “UEFI Hybrid”, but there is no explicit “UEFI 
Hybrid” setting in the desktop BIOS.  
NOTE: On all HP business platforms, factory settings disable Legacy Support on Secure Boot settings by default. If you 
try to enable Legacy Support with Secure Boot “enabled”, the BIOS will generate a warning. 
After a complete BIOS re-flash the default configuration is as follows: 
  Secure Boot = Disabled 
  Boot Mode = Legacy (Other modes will be set by Preinstall at the factory according to the OS to be preinstalled.)  
The Preinstall should set the Secure Boot/Boot Mode policy to “Enable” and “Legacy,” and to “Disable” for Win8 64/32.  
Table 2: Policy settings and OS supported

| Boot Mode \ Secure Boot | Disable | Enable |
|---|---|---|
| Legacy | Legacy OS: XP, Vista, Windows 7, Linux | Invalid |
| UEFI Hybrid | Legacy OS: XP, Vista, Windows 7, Linux | Invalid |
| UEFI Native | Linux, Win8 with Native UEFI but no Secure Boot | Win8 |

If the OS and the BIOS policies have a mismatch, the system may fail to boot.  
NOTE: Secure Boot “Enabled” with “UEFI Hybrid” (notebooks only) or “Legacy” selected is an INVALID state. The BIOS 
will ignore this change if it is requested. 
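
The following is an added example, not HP code: it checks constructed inventory records against Table 2 and the invalid-state note, and resolves the desktop F10 combinations described earlier to their notebook-equivalent boot mode. The record field names (`host`, `boot_mode`, `secure_boot`, `f10`, `win8_platform`, `os`) and the function names are assumptions made for illustration.

```python
LEGACY_OSES = {"XP", "Vista", "Windows 7", "Linux"}
# Table 2 as printed: (boot mode, Secure Boot enabled) -> supported OSes; None = invalid.
TABLE2 = {
    ("Legacy", False): LEGACY_OSES, ("Legacy", True): None,
    ("UEFI Hybrid", False): LEGACY_OSES, ("UEFI Hybrid", True): None,
    ("UEFI Native", False): {"Linux", "Win8"}, ("UEFI Native", True): {"Win8"},
}

def desktop_boot_mode(legacy_support, secure_boot, fast_boot, win8_platform):
    """Map desktop F10 settings to the notebook-equivalent mode (None if not described)."""
    combo = (legacy_support, secure_boot, fast_boot)
    if combo == (False, True, True) and win8_platform:
        return "UEFI Native"
    if combo == (True, False, False):  # same settings, meaning depends on platform
        return "UEFI Hybrid" if win8_platform else "Legacy"
    return None

def audit(boot_mode, secure_boot, os_name):
    """Return a list of findings for one machine; an empty list means consistent."""
    if (boot_mode, secure_boot) not in TABLE2:
        return ["unknown boot mode"]
    supported = TABLE2[(boot_mode, secure_boot)]
    if supported is None:
        return ["invalid: Secure Boot enabled with " + boot_mode]
    if os_name not in supported:
        return ["mismatch: %s may fail to boot in %s" % (os_name, boot_mode)]
    if os_name == "Win8" and not secure_boot:
        return ["note: Win8 running without Secure Boot"]
    return []

# Constructed inventory records; field names are assumptions, not an HP export format.
FLEET = [
    {"host": "nb-01", "boot_mode": "UEFI Native", "secure_boot": True, "os": "Win8"},
    {"host": "nb-02", "boot_mode": "UEFI Hybrid", "secure_boot": True, "os": "Windows 7"},
    {"host": "nb-03", "boot_mode": "UEFI Native", "secure_boot": True, "os": "Windows 7"},
    {"host": "dt-04", "f10": (True, False, False), "win8_platform": True, "os": "Windows 7"},
]

def audit_fleet(fleet):
    report = {}
    for rec in fleet:
        if "f10" in rec:  # desktop record: (Legacy Support, Secure Boot, Fast Boot)
            mode, sb = desktop_boot_mode(*rec["f10"], rec["win8_platform"]), rec["f10"][1]
        else:
            mode, sb = rec["boot_mode"], rec["secure_boot"]
        report[rec["host"]] = audit(mode, sb, rec["os"])
    return report

if __name__ == "__main__":
    print(audit_fleet(FLEET))
```
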
The user can enable or disable Secure Boot in BIOS Setup (F10), or the setting can be changed remotely using the WMI interface, which uses WMI scripts, or by using HP’s BIOSConfig utility.
When a Secure Boot “Disable” command is sent from WMI to the BIOS, the Secure Boot status does not change immediately. At the next reboot, physical presence must be checked to prevent malicious software attacks.
To complete the process, the customer or technician is required to type in a random four-digit verification code that is displayed in the message generated by the BIOS.










