I want to enable Secure Boot, but there is another option under the Secure Boot menu within the UEFI firmware section that I don't know what it means and my question is, should I enable the Expert Key Management options as well when enabling Secure Boot?
That option is if you want to install your own secure boot keys - by default the Microsoft (and probably Dell) keys are already installed. You would need to install your own keys if you are using a non-Microsoft/non-Dell bootloader or UEFI drivers.
I want to keep it as it is if that would be possible and ONLY enable Secure Boot. Would that be fine?
Or, do I need to enable the Expert Key Management option as well?
I don't plan on adding my own keys and I would not even know how to do that.
Another concern when enabling Secure Boot. Sometimes, Windows 10 downloads driver updates for Intel related stuff like network cards and maybe some display drivers as well. Since Intel is not Microsoft or Dell related, would this cause issues with Secure Boot?
Thanks!
Do not enable Expert Key Management it if you don't have your own keys, though I don't think it'll hurt anything if you enable it and don't load any certificates.
3rd party drivers are still signed by Microsoft.
So let me just confirm one last time just to be sure.
Is it fine to leave the Expert Key Management options alone and only enable Secure Boot?
Please confirm.
Yes. Leave it alone.
If you want to install some boot loader that isn't signed by Microsoft (or on their list of approved ones) then you might have to temporarily disable Secure boot until you can install your own key.
If you are just running Windows then forget it.
If you want to install something else that is unsigned then you must disable secure boot first. You can then self sign later if you really want to use secure boot.
There is some more good reading here if you are interested - Secure Boot - ArchWiki
Quote
