Secure Boot and BIOS Setup "Load Defaults"
The BIOS Setup program has a button "Load Defaults". This button loads the default values for all BIOS Setup options, with one exception: Secure Boot. This is to prevent a user from clicking "Load Defaults" and then no longer being able to boot his UEFI/Secure Boot-supported OS.
If Secure Boot is disabled, clicking "Load Defaults" exhibits no special behavior - the user is asked for confirmation and then all BIOS Setup default values are loaded.
If Secure Boot is enabled, a second confirmation box is presented to the user notifying him that Secure Boot will be disabled. If the user selects "yes", all BIOS Setup default values are loaded, including Secure Boot; that is, Secure Boot is disabled. If the user selects "no", Secure Boot is left enabled and all other Setup options are reset to their default values.
There are two BIOS Setup options tightly coupled with Secure Boot: "Enable Legacy Option ROMs" and the Boot Sequence page's "UEFI" boot paths setting. In order to support Secure Boot, "Enable Legacy Option ROMs" must be disabled and the Boot Sequence page must default to a "UEFI" boot path. Therefore, to prevent a configuration in which Secure Boot is enabled while "Enable Legacy Option ROMs" is also enabled or the Boot Sequence does not default to "UEFI", the Secure Boot SMM driver automatically disables "Enable Legacy Option ROMs" and sets the Boot Sequence to "UEFI" whenever it detects that Secure Boot is enabled. This mitigates the case where the user clicks "Load Defaults", which enables "Enable Legacy Option ROMs", while Secure Boot remains enabled.
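An OS-side check for the outcomes described above, as an added example that is not part of the original page or of any vendor tool: it reads the standard UEFI SecureBoot and SetupMode variables to tell whether Secure Boot is still enforced after "Load Defaults", or whether the machine came up through a legacy boot path. It assumes a Linux system with efivarfs mounted under /sys/firmware/efi/efivars; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

# EFI global-variable GUID from the UEFI specification; efivarfs names files <Name>-<GUID>.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
ATTRS = b"\x06\x00\x00\x00"  # BOOTSERVICE_ACCESS | RUNTIME_ACCESS attribute word


def read_efi_byte(sysfs_root, name):
    """Return a one-byte global EFI variable, or None if missing or malformed."""
    path = os.path.join(sysfs_root, "firmware", "efi", "efivars", f"{name}-{EFI_GLOBAL}")
    try:
        with open(path, "rb") as f:
            raw = f.read()
    except OSError:
        return None
    # efivarfs prepends a 4-byte attribute word, so a 1-byte variable is 5 bytes.
    return raw[4] if len(raw) == 5 else None


def secure_boot_state(sysfs_root="/sys"):
    """Classify the running system as legacy, enabled, setup-mode, disabled or unknown."""
    if not os.path.isdir(os.path.join(sysfs_root, "firmware", "efi")):
        return "legacy"  # no EFI runtime services: the OS was started via a legacy path
    secure_boot = read_efi_byte(sysfs_root, "SecureBoot")
    if secure_boot is None:
        return "unknown"
    if secure_boot == 1:
        return "enabled"
    # SetupMode == 1 means no Platform Key is enrolled, so nothing is enforced.
    return "setup-mode" if read_efi_byte(sysfs_root, "SetupMode") == 1 else "disabled"


def make_fake_sysfs(variables, efi=True):
    """Build a constructed sysfs tree in a temp dir (sample input, not real firmware data)."""
    root = tempfile.mkdtemp()
    if efi:
        var_dir = os.path.join(root, "firmware", "efi", "efivars")
        os.makedirs(var_dir)
        for name, value in variables.items():
            with open(os.path.join(var_dir, f"{name}-{EFI_GLOBAL}"), "wb") as f:
                f.write(ATTRS + bytes([value]))
    return root


if __name__ == "__main__":
    print("this machine:", secure_boot_state())
    after_yes = make_fake_sysfs({"SecureBoot": 0, "SetupMode": 0})
    print("constructed, after answering yes:", secure_boot_state(after_yes))
```

Running it before and after a "Load Defaults" makes an unintended change from "enabled" to "disabled" or "legacy" visible in fleet inventory or a login-time check.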