Here again your favorite Random Dude,
I am creating this post because I mentioned this here , but I think there are no other articles about it (may be wrong :) ). So as you all know KACE/Quest is struggling to get their certificate for PXE Secure Boot due to some bureaucracy from Microsoft (source), but we all know how frustrating it is to keep going to the BIOS to disable and then enable secure boot so encryption can actually work.
Well after testing and talking with some other friends from the industry we confirmed that if you create a USB KBE (follow this guide) machines will boot with Secure Boot On, just fine. Now you don't need to keep going to the Bios, you only need keep some USB sticks around. The good thing is that as soon as you get to the KBE menu you can disconnect the stick and go to the next machine, or just after you start the deployment.
Sorry for the super short post but I just wanted to keep it separated from the other one about Bitlocker being enabled on its own.
I hope this helps someone. If you have any questions or comments put them down there.