BIOS to UEFI SecureBoot on Lenovo Desktops Gotcha!

I have been working with several IT departments to get our BIOS to UEFI solution qualified on as many OEM hardware models as possible, but unfortunately we have hit a snag that will affect Lenovo customers who need to move from BIOS to UEFI with SecureBoot using automated tools.

Lenovo does have a WMI API for programmatically making changes to the BIOS from within Windows (either the full OS or WinPE). That’s great! Unfortunately there are two areas where their implementation is lacking compared to Dell or HP:

  1. On Lenovo Laptops, we can change from BIOS to UEFI with SecureBoot, but they don’t offer the ability to move from BIOS to UEFI without SecureBoot. Why would we want to do that? We would if we were installing Windows 7 in UEFI mode, in anticipation of upgrading to Windows 10 with SecureBoot in the future.
  2. On Lenovo Desktops, the opposite problem: we can change from BIOS to UEFI without SecureBoot, but we can’t change from BIOS to UEFI with SecureBoot. And this is a problem.

I did contact Lenovo directly, and their official response is that they are aware of the issue, but the lack of API access for enabling or disabling SecureBoot on desktop models is “by design”. Lenovo is only half right: disabling Secure Boot must always require physical presence, as the UEFI spec clearly documents:

http://www.uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf

DISABLING SECURE BOOT

[…]

Users may disable Secure Boot entirely, using a system setup screen enabled at boot time. Each manufacturer has its own interface for this option. In all cases, end user must be physically present to establish proof of possession (POP) associated with the changes.

However, enabling Secure Boot has no such requirement (that I can find), and Dell, HP, and Lenovo ThinkPad devices do support enabling SecureBoot programmatically.

I have tried to explain this point to Lenovo, but without success. This sucks for customers that need to use tools to make changes at scale. Manually enabling SecureBoot can be a labor intensive process.
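As an added example (not code from the post or from Lenovo), here is a PowerShell check an automation job can run first to learn whether a given Lenovo machine exposes the SecureBoot setting through the WMI interface at all, so a deployment task can flag machines that will need a hands-on visit instead of failing silently. The Lenovo_BiosSetting, Lenovo_SetBiosSetting and Lenovo_SaveBiosSettings classes in root\wmi are Lenovo's documented ones; the setting name "SecureBoot" (the ThinkPad name) and the use of Win32_ComputerSystemProduct.Version for the model are assumptions.

```powershell
# Added example: inventory Lenovo firmware settings via WMI and report whether
# SecureBoot can be enabled programmatically on this model before trying.
# Assumed: setting name "SecureBoot" (ThinkPad naming; desktops may not expose it).

function Get-LenovoBiosSetting {
    # Each instance carries CurrentSetting = "Name,Value" (some firmware appends ";[Optional:...]")
    Get-CimInstance -Namespace root\wmi -ClassName Lenovo_BiosSetting -ErrorAction Stop |
        Where-Object { $_.CurrentSetting } |
        ForEach-Object {
            $name, $value = $_.CurrentSetting -split ',', 2
            [pscustomobject]@{ Name = $name.Trim(); Value = (($value -split ';')[0]).Trim() }
        }
}

function Test-SecureBootAutomatable {
    param([string]$SettingName = 'SecureBoot')   # assumed setting name
    $sb = Get-LenovoBiosSetting | Where-Object Name -eq $SettingName
    [pscustomobject]@{
        Model            = (Get-CimInstance Win32_ComputerSystemProduct).Version  # assumed model field
        SettingExposed   = [bool]$sb
        CurrentValue     = $(if ($sb) { $sb.Value } else { $null })
        # What the running OS sees; Confirm-SecureBootUEFI throws when booted in legacy BIOS mode
        OsSeesSecureBoot = $(try { Confirm-SecureBootUEFI } catch { $false })
    }
}

function Enable-LenovoSecureBoot {
    param([string]$SettingName = 'SecureBoot')
    $report = Test-SecureBootAutomatable -SettingName $SettingName
    if (-not $report.SettingExposed) {
        # This is the desktop case from the post: no WMI path, physical presence required
        Write-Warning "$($report.Model): '$SettingName' is not exposed via WMI; enable it in firmware setup."
        return $report
    }
    $set  = Get-CimInstance -Namespace root\wmi -ClassName Lenovo_SetBiosSetting
    $save = Get-CimInstance -Namespace root\wmi -ClassName Lenovo_SaveBiosSettings
    # If a supervisor password is set, Lenovo expects it appended: "SecureBoot,Enable,<pw>,ascii,us"
    $r1 = Invoke-CimMethod -InputObject $set  -MethodName SetBiosSetting  -Arguments @{ parameter = "$SettingName,Enable" }
    $r2 = Invoke-CimMethod -InputObject $save -MethodName SaveBiosSettings -Arguments @{ parameter = '' }
    # Both methods return a status string ("Success", "Not Supported", ...) rather than throwing
    [pscustomobject]@{ Model = $report.Model; Set = $r1.return; Save = $r2.return }
}

Test-SecureBootAutomatable | Format-List
```

Run it elevated from the full OS or WinPE; a machine that reports SettingExposed = False is one that will need the manual, physically-present change described above.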

Recommendation:

Therefore, I unfortunately have to make the following recommendation:

Guidance: Enterprise customers should avoid Lenovo Desktops if they are still using Windows 7 and have plans to upgrade to Windows 10 with SecureBoot in the near future. Lenovo does not have any enterprise management tools to support this.

-Keith
