/build/static/layout/Breadcrumb_cap_w.png

Issue with Lenovo ThinkPads and Secure Boot

Hello guys,

we've been deploying Windows 10 with KACE SDA for quite a while, lately we started to use secure boot. Everything worked fine for workstations (ASUS Mainboard). But we figured out, that we got some problems with deploying to Lenovo ThinkPads. 

Without secure boot everything is working as intended, but we would like to use it. If we start the PXE-Boot it immediatly disconnects and returns to the bootmenu. 

Do you guys know a proper way to troubleshoot this or is there a known issue with the secure boot keys?

Our DHCP is configured as followed:

Option 67 - ipxe.efi

Option 66 - the ip of the SDA


0 Comments   [ + ] Show comments

Answers (2)

Posted by: ChorreraTownTech 2 years ago
Yellow Belt
0

Hi, You can try with this article:
https://support.quest.com/kace-systems-deployment-appliance/kb/4268644/how-to-troubleshoot-pxe-boot-by-using-the-ipxe_debug-efi-binay

The idea is getting more info of the DHCP/PXE boot process to see if the client is receiving the proper information.

The fact that, without secure boot it works fine, makes me think that there is something missing in the BIOS, maybe a combination of options are needed, so I would check with the vendor (lenovo) to see what they think. See this:
https://forums.lenovo.com/t5/ThinkPad-T400-T500-and-newer-T-series-Laptops/Lenovo-T14-Gen-1-PXE-boot-UEFI-Security-boot-failed/m-p/5046869

hope this helps

Posted by: Techman D 5 months ago
Senior Yellow Belt
0

Hello @Nico-123,

I am currently testing Lenovo ThinkPads. Make sure the "Allow Microsoft 3rd Party UEFI CA” option is enabled in the Secure Boot section of the BIOS. It appears that, by default, it is disabled. The cert KACE uses is part of the 3rd party CA list.

This solved the issue with PXE boot problems for me and I can now get to the boot manager screen. BUT... one oddity I'm experiencing is input is dead. You cannot use the keyboard to select the KBE from the boot manager screen when Secure Boot is enabled. Disable Secure Boot and then it works.

I already tried @ChorreraTownTech's idea to use the debug EFI. This works fine with Secure Boot enabled. I can type and use arrow keys. Switch it back to the primary ipxe.efi and keyboard is dead again. Hopefully tech support will have answer to this one.

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

Share

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ