Deployment Guide

System BIOS
55 Setting up BIOS on 15th Generation (15G) Dell EMC PowerEdge Servers | 508
UEFI drivers and executables from mass storage devices
Operating System boot loaders
Note: Secure Boot is not available unless the Boot Mode (in the Boot Settings menu) is UEFI.
Note: Secure Boot is not available unless the “Load Legacy Video Option ROM” setting (in the Miscellaneous Settings menu) is disabled.
Note: A Setup password is recommended to be enabled for Secure Boot.
Secure Boot Policy
Standard
Custom
When Secure Boot Policy is Standard, the BIOS uses the system manufacturer’s key and certificates to authenticate pre-boot images. When Secure Boot Policy is Custom, the BIOS uses the user-customized key and certificates.
Note: If Custom mode is selected, the Secure Boot Custom Policy Settings menu is displayed.
Note: Changing the default security certificates may cause the system to fail booting from certain boot options.
Secure Boot Mode
User mode
Deploy Mode
Configures how the BIOS uses the Secure Boot Policy Objects (PK, KEK, db, and dbx). In Setup Mode and Audit Mode, PK is not present, and BIOS does not authenticate programmatic updates to the policy objects. In User Mode and Deployed Mode, PK is present, and BIOS performs signature verification on programmatic attempts to update policy objects.
Deployed Mode is the most secure mode. Use Setup, Audit, or User Mode when provisioning the system, then use Deployed Mode for normal operation.
Available mode transitions depend on the current mode and PK presence. For more information about transitions between the four modes, see Figure 77 in the UEFI 2.6 specification.
In Audit Mode, the BIOS performs signature verification on pre-boot images and logs results in the Image Execution Information Table but executes the images whether they pass or fail verification. Audit Mode is useful for programmatically determining a working set of policy objects.
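Added example (not part of the Dell guide): a Python check that reports which of the four Secure Boot modes a Linux host is in by reading the SetupMode, AuditMode and DeployedMode variables defined by the UEFI specification, and cross-checks the result against PK presence as described above. The efivarfs path and the helper names are assumptions, and the sample variable files used by demo() are constructed.

```python
import os
import tempfile

EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI_GLOBAL_VARIABLE GUID
EFIVARS = "/sys/firmware/efi/efivars"                # assumed Linux efivarfs mount

def read_flag(root, name):
    """Return a one-byte UEFI variable as an int, or None if it is absent."""
    try:
        with open(os.path.join(root, f"{name}-{EFI_GLOBAL}"), "rb") as f:
            raw = f.read()
    except OSError:
        return None
    # efivarfs prefixes the variable data with a 4-byte attributes field.
    return raw[4] if len(raw) > 4 else None

def secure_boot_mode(root=EFIVARS):
    """Classify the Secure Boot Mode and check it against PK presence."""
    setup = read_flag(root, "SetupMode")
    if setup is None:
        return {"mode": "Unknown", "pk_present": None, "consistent": False}
    if setup == 1:   # PK not enrolled: Setup Mode or Audit Mode
        mode = "Audit Mode" if read_flag(root, "AuditMode") == 1 else "Setup Mode"
    else:            # PK enrolled: User Mode or Deployed Mode
        mode = "Deployed Mode" if read_flag(root, "DeployedMode") == 1 else "User Mode"
    pk = os.path.join(root, f"PK-{EFI_GLOBAL}")
    pk_present = os.path.isfile(pk) and os.path.getsize(pk) > 4
    return {"mode": mode, "pk_present": pk_present,
            "consistent": pk_present == (setup == 0)}

def write_sample(root, flags, pk=False):
    """Write constructed efivarfs-style files (attributes + data) for the demo."""
    for name, value in flags.items():
        with open(os.path.join(root, f"{name}-{EFI_GLOBAL}"), "wb") as f:
            f.write(b"\x06\x00\x00\x00" + bytes([value]))
    if pk:  # placeholder bytes, not a real signature list
        with open(os.path.join(root, f"PK-{EFI_GLOBAL}"), "wb") as f:
            f.write(b"\x27\x00\x00\x00" + b"constructed-PK")

def demo():
    """Classify four constructed variable sets, one per mode."""
    cases = [({"SetupMode": 1, "AuditMode": 0, "DeployedMode": 0}, False),
             ({"SetupMode": 1, "AuditMode": 1, "DeployedMode": 0}, False),
             ({"SetupMode": 0, "AuditMode": 0, "DeployedMode": 0}, True),
             ({"SetupMode": 0, "AuditMode": 0, "DeployedMode": 1}, True)]
    out = []
    for flags, pk in cases:
        with tempfile.TemporaryDirectory() as d:
            write_sample(d, flags, pk)
            out.append(secure_boot_mode(d)["mode"])
    return out

if __name__ == "__main__":
    print(secure_boot_mode())
```

A host meant to be in normal operation should report Deployed Mode with consistent set to True; any other result on a production server is worth investigating in BIOS setup.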
Authorize Device Firmware
Enabled
Disabled
When set to Enabled, this field adds the SHA-256 hash of each third-party device firmware to the Secure Boot Authorized Signature Database. After