EnforceSecureboot=false or SecureBoot=Disabled does not work.

[jclab-joseph]

EnforceSecureboot=false does not work.

When EnforceSecureboot=false, Boot to PBA does not work.
Also, Boot to PBA does not work when Secure Boot is Disabled in the BIOS settings.

• (BIOS) Secure Boot = Enabled & (AMT) EnforceSecureboot = false → Not working (changeBootOrder ReturnValue = 2)
• (BIOS) Secure Boot = Disabled & (AMT) EnforceSecureboot = false → Not working (changeBootOrder ReturnValue = 2)
• (BIOS) Secure Boot = Enabled & (AMT) EnforceSecureboot = true → Working
• (BIOS) Secure Boot = Disabled & (AMT) EnforceSecureboot = true → Not working (All commands succeed, but it boots into Windows instead of OemPba)

PC Information

• AMT : 16.1.30
• Chipset: Q670
• CPU: i5-14500

CIM Classes:

AMT_BootCapabilities

Item #0: 
    AMTSecureBootControl = true
    BIOSPause = false
    BIOSReflash = true
    BIOSSecureBoot = true
    BIOSSetup = true
    ConfigurationDataReset = true
    ElementName = Intel® AMT: Boot Capabilities
    ForceCDorDVDBoot = true
    ForceDiagnosticBoot = false
    ForceHardDriveBoot = true
    ForceHardDriveSafeModeBoot = false
    ForcePXEBoot = true
    ForceUEFIHTTPSBoot = true
    ForceUEFIPBABoot = true
    ForceWinREBoot = true
    ForcedProgressEvents = true
    IDER = true
    InstanceID = Intel® AMT:BootCapabilities 0
    KeyboardLock = true
    PlatformErase = 100728901
    PowerButtonLock = false
    ResetButtonLock = false
    SOL = true
    SecureErase = true
    SleepButtonLock = false
    UEFIWiFiCoExistenceAndProfileShare = true
    UserPasswordBypass = true
    VerbosityQuiet = false
    VerbosityScreenBlank = false
    VerbosityVerbose = false

AMT_BootSettingData

Item #0: 
    BIOSLastStatus = 
        Item #0: 0
        Item #1: 0
    BIOSPause = false
    BIOSSetup = false
    BootMediaIndex = 0
    BootguardStatus = 119
    ConfigurationDataReset = false
    ElementName = Intel® AMT Boot Configuration Settings
    EnforceSecureBoot = true
    FirmwareVerbosity = 0
    ForcedProgressEvents = false
    IDERBootDevice = 0
    InstanceID = Intel® AMT:BootSettingData 0
    LockKeyboard = false
    LockPowerButton = false
    LockResetButton = false
    LockSleepButton = false
    OptionsCleared = true
    OwningEntity = Intel® AMT
    PlatformErase = false
    RPEEnabled = true
    RSEPassword = 
    ReflashBIOS = false
    SecureBootControlEnabled = true
    SecureErase = false
    UEFIHTTPSBootEnabled = true
    UEFILocalPBABootEnabled = true
    UefiBootNumberOfParams = 0
    UseIDER = false
    UseSOL = false
    UseSafeMode = false
    UserPasswordBypass = false
    WinREBootEnabled = true

CIM_BootConfigSetting

Item #0: 
    ElementName = Intel® AMT: Boot Configuration
    InstanceID = Intel® AMT: Boot Configuration 0

CIM_BootService

Item #0: 
    CreationClassName = CIM_BootService
    ElementName = Intel® AMT Boot Service
    EnabledState = 32769
    Name = Intel® AMT Boot Service
    OperationalStatus = 0
    RequestedState = 32769
    SystemCreationClassName = CIM_ComputerSystem
    SystemName = Intel® AMT

CIM_BootSettingData

Item #0: 
    BIOSLastStatus = 
        Item #0: 0
        Item #1: 0
    BIOSPause = false
    BIOSSetup = false
    BootMediaIndex = 0
    BootguardStatus = 119
    ConfigurationDataReset = false
    ElementName = Intel® AMT Boot Configuration Settings
    EnforceSecureBoot = true
    FirmwareVerbosity = 0
    ForcedProgressEvents = false
    IDERBootDevice = 0
    InstanceID = Intel® AMT:BootSettingData 0
    LockKeyboard = false
    LockPowerButton = false
    LockResetButton = false
    LockSleepButton = false
    OptionsCleared = true
    OwningEntity = Intel® AMT
    PlatformErase = false
    RPEEnabled = true
    RSEPassword = 
    ReflashBIOS = false
    SecureBootControlEnabled = true
    SecureErase = false
    UEFIHTTPSBootEnabled = true
    UEFILocalPBABootEnabled = true
    UefiBootNumberOfParams = 0
    UseIDER = false
    UseSOL = false
    UseSafeMode = false
    UserPasswordBypass = false
    WinREBootEnabled = true

CIM_BootSourceSetting

Item #0: 
    BIOSBootString = 
    BootString = 
    ElementName = Intel® AMT: Boot Source
    FailThroughSupported = 2
    InstanceID = Intel® AMT: Force Hard-drive Boot
    StructuredBootString = CIM:Hard-Disk:1
Item #1: 
    BIOSBootString = 
    BootString = 
    ElementName = Intel® AMT: Boot Source
    FailThroughSupported = 2
    InstanceID = Intel® AMT: Force PXE Boot
    StructuredBootString = CIM:Network:1
Item #2: 
    BIOSBootString = 
    BootString = 
    ElementName = Intel® AMT: Boot Source
    FailThroughSupported = 2
    InstanceID = Intel® AMT: Force CD/DVD Boot
    StructuredBootString = CIM:CD/DVD:1
Item #3: 
    BIOSBootString = 
    BootString = 
    ElementName = Intel® AMT: Boot Source
    FailThroughSupported = 2
    InstanceID = Intel® AMT: Force OCR UEFI HTTPS Boot
    StructuredBootString = Intel®AMT:OCR-UEFI-Boot-Option-HTTPS:1
Item #4: 
    BIOSBootString = OEM PBA
    BootString = \OemPba.efi
    ElementName = Intel® AMT: Boot Source
    FailThroughSupported = 2
    InstanceID = Intel® AMT: Force OCR UEFI Boot Option 1
    StructuredBootString = Intel®AMT:OCR-UEFI-Boot-Option:1
Item #5: 
    BIOSBootString = One Click RecoveryWinRe
    BootString = PciRoot(0x0)/Pci(0x1D,0x0)/Pci(0x0,0x0)/NVMe(0x1,F5-A1-A2-75-68-B7-26-00)/HD(1,GPT,EC97FEB8-BBF0-4B01-BB1A-15EC9959BA6F,0x800,0x100000)/\EFI\Microsoft\Boot\bootmgfw.efi
    ElementName = Intel® AMT: Boot Source
    FailThroughSupported = 2
    InstanceID = Intel® AMT: Force OCR UEFI Boot Option 2
    StructuredBootString = Intel®AMT:OCR-UEFI-Boot-Option:2

[jclab-joseph]

On the NUC13Pro:

• (BIOS) Secure Boot = Enabled & (AMT) EnforceSecureboot = false → Not working (changeBootOrder success)
• (BIOS) Secure Boot = Disabled & (AMT) EnforceSecureboot = false → Not working (changeBootOrder success)
• (BIOS) Secure Boot = Enabled & (AMT) EnforceSecureboot = true → Working

HTTPS download packets occur but reboot occurs shortly.