What is the difference between Provision Factory Default Keys and Enroll all Factory Default Keys in UEFI?

What is the difference between Provision Factory Default Keys and Enroll all Factory Default Keys in UEFI when enabling secure boot? Almost all motherboard manuals state that:

  1. Provision Factory Default Keys - Install factory default Secure Boot keys when the system is in Setup Mode (disabled/enabled)
  2. Enroll all Factory Default Keys - Install all factory default keys. Changes take effect after reboot.

So when you choose option 1 and switch it from disabled to enabled, the factory keys get installed without a reboot. But if you press option 2 instead, the keys get installed without a reboot anyway. It looks like option 1 just forces option 2 for you. What's the difference?


I understand it like this:

  1. Enroll all Factory Default Keys - simply inserts (enrolls) all default keys and certificates into the storage.

  2. Provision Factory Default Keys - is different: this option automatically provisions keys into the storage when the system is in Setup Mode. So, e.g., when you clear the TPM or delete all keys from the storage, the default platform keys will be provisioned automatically, and because of this you can guarantee Secure Boot every time, because you will never have an empty key store (on MS Windows platforms, of course). This option comes into play during the process that might be referred to as taking ownership of Secure Boot.
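As an added example (not part of the answer above), a small POSIX shell check that reads the SetupMode, SecureBoot and PK variables through Linux efivarfs and reports whether the key store is empty (Setup Mode, the state in which provisioning kicks in) or already provisioned and enforcing. The directory parameter and the fake variable files used for offline testing are assumptions of this example; the GUID is the UEFI global-variable GUID under which these variables are stored.

```shell
#!/bin/sh
# Added example, not from the question or answer above: classify the Secure Boot
# key-store state as the firmware sees it, via the Linux efivarfs view.
# Each file under /sys/firmware/efi/efivars/ is named <Name>-<VendorGUID> and
# holds a 4-byte attribute header followed by the variable data. The directory
# is a parameter so that a constructed fake tree can be checked without root.

# EFI_GLOBAL_VARIABLE GUID: SetupMode, SecureBoot and PK live under it.
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# Print the first data byte of a one-byte variable in decimal, or "absent".
efivar_byte() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -f "$f" ] || { echo absent; return 0; }
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
}

# "present" when PK exists with a non-empty payload (longer than the header).
pk_state() {
    f="$1/PK-$EFI_GLOBAL_GUID"
    if [ -f "$f" ] && [ "$(wc -c < "$f")" -gt 4 ]; then echo present; else echo absent; fi
}

# Map the variables onto the states discussed above:
#   setup_mode          : no PK; firmware accepts key enrollment, and this is
#                         where "Provision Factory Default Keys" repopulates the store
#   user_mode_enforcing : PK enrolled and Secure Boot enforced
#   user_mode_disabled  : PK enrolled but enforcement switched off
#   no_uefi             : variables not exposed (legacy boot or efivarfs unmounted)
secure_boot_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    setup=$(efivar_byte "$dir" SetupMode)
    sb=$(efivar_byte "$dir" SecureBoot)
    pk=$(pk_state "$dir")
    if [ "$setup" = absent ]; then echo no_uefi
    elif [ "$setup" = 1 ] || [ "$pk" = absent ]; then echo setup_mode
    elif [ "$sb" = 1 ]; then echo user_mode_enforcing
    else echo user_mode_disabled
    fi
}

# Run directly to report the live machine (efivarfs is world-readable here).
echo "secure boot state: $(secure_boot_state "$@")"
```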