Secure Boot mode has two options: Standard and Custom.

• Standard mode uses factory default Secure Boot keys and policies. It is simpler and more restrictive, automatically validating boot components against pre-installed keys to prevent unauthorized or malicious software from loading at boot.
• Custom mode allows for user configuration of Secure Boot keys and policies. This is useful if you need to add or remove specific keys, such as when using unsigned or out-of-box drivers, or with operating systems like some Linux distributions. Custom mode requires physical presence to authorize changes and is more flexible for advanced users but requires careful management of keys.

In summary, use Standard mode for typical users who want secure default protection. Choose Custom mode if you need to manage keys manually for specialized software/hardware scenarios or non-standard OS setups.