How to boot Securaze Work on Lenovo Secured-core PC

Lenovo Secured-core PC's need a BIOS setting to boot Securaze Work. Here’s how to do it.

Secure Boot is supported by many Linux distributions and is an important security
feature for ensuring that your boot loader and kernel have not been tampered with.

Linux distributions use a Microsoft signed ‘shim’ executable that is then able to verify
the subsequent boot stages - that have been signed with the distribution key. The
Microsoft signed shim is signed using the “Microsoft 3rd Party UEFI Certificate”, and
this certificate is stored in the BIOS database.

Starting in 2022 for Secured-core PCs it is a Microsoft requirement for the 3rd Party
Certificate to be disabled by default. This means that for any of these Lenovo
platforms shipped with Windows preinstalled an extra step is needed to allow Linux to boot with secure boot enabled.

To enable secure boot to work with Linux we need to enable the “Allow Microsoft 3rd
Party UEFI CA” option in the BIOS setup. Use the following steps:


  1. Boot into the BIOS setup menu.
    Reboot your PC and when the “To interrupt normal startup, press Enter”
    message is displayed press the F1 key

  2. In the BIOS menu select the “Security” option and the “Secure Boot” sub-menu.
    Toggle the “Allow Microsoft 3rd party UEFI CA” to be “On” as shown below.

  3. Press F10 to save and reboot