Hmm that’s very surprising. Secure boot setup mode is entirely just to enable or disable enrollment of keys, so being able to enroll keys with setup mode off and the bios locked is bizarre. I can say that my dell (xps 9560) does not behave that way - I have to enter bios and explicitly enable setup mode to enroll keys, and setup mode automatically switches back off once you enroll.
If you restore the BIOS to the default settings using the button on the left-most side in the BIOS, and then setup an Administrator password in the Security tab, you’d be able to verify yourself by using a Ventoy flash drive if you want.
Also I feel is important to mention that your BIOS password for that one model of XPS you have can be reset by generating a master key, so I really recommend turning on an option that I cannot remember the name of from the tip of my tongue, but it disables the “master password”, with the disadvantage that if you forget your BIOS password you’d have to replace the motherboard. If I find the name I’ll link it right here.
Edit1:
The option is called Master Password Lockout.
Edit2:
Is worth noting also that resetting the BIOS to default settings and erasing your secure boot keys might render your system unbootable if you use Windows BitLocker.
Hmm that’s very surprising. Secure boot setup mode is entirely just to enable or disable enrollment of keys, so being able to enroll keys with setup mode off and the bios locked is bizarre. I can say that my dell (xps 9560) does not behave that way - I have to enter bios and explicitly enable setup mode to enroll keys, and setup mode automatically switches back off once you enroll.
If you restore the BIOS to the default settings using the button on the left-most side in the BIOS, and then setup an Administrator password in the Security tab, you’d be able to verify yourself by using a Ventoy flash drive if you want.
Also I feel is important to mention that your BIOS password for that one model of XPS you have can be reset by generating a master key, so I really recommend turning on an option that I cannot remember the name of from the tip of my tongue, but it disables the “master password”, with the disadvantage that if you forget your BIOS password you’d have to replace the motherboard. If I find the name I’ll link it right here.
Edit1: The option is called Master Password Lockout.
Edit2: Is worth noting also that resetting the BIOS to default settings and erasing your secure boot keys might render your system unbootable if you use Windows BitLocker.