Comment: Preinstall 3.0 update - Resolution chapter rephrased completely and removed reference to correct settings from the above table due to confusion.
Created date:
Updated date:
Affects version: Drive Eraser - 7.8.1 SB (and newer); Preinstall - 3.0
Fix version: N/A

Problem

Some devices may fail to boot Blancco Drive Eraser if the "Allow Microsoft 3rd Party UEFI CA" option is not enabled in the Secure Boot settings, or if the "Enable MS UEFI CA Key" BIOS/UEFI option is disabled under the "Secure Boot Key Management" settings in Secure Boot Configuration.

The setting is named differently by each vendor but is normally located under Security, specifically in the Secure Boot settings section. The setting names for different vendors are:

  • Lenovo - Allow Microsoft 3rd Party UEFI CA
  • HP - Enable MS UEFI CA key
  • Dell - Enable Microsoft UEFI CA

This issue affects most of the latest generation devices. The devices listed below are known to be affected by this issue:

Make      Model
Lenovo    X1 Yoga
Lenovo    ThinkPad T14 Gen 3
HP        ProBook 650 G8
Dell      Latitude 5540
Dell      Latitude 7310

Cause

If the Microsoft 3rd party UEFI CA is not allowed, it is not possible to authenticate the Drive Eraser ISO, which causes the boot to fail.

This is due to a Microsoft requirement which instructs vendors to disable 3rd party certificates by default on newer devices. 

Lenovo offers an official statement for this behavior.

Resolution

Starting from Blancco Preinstall 3.0, it is possible to automatically disable Secure Boot on selected Lenovo Secured-core devices before booting to Blancco Drive Eraser. The following requirements need to be met in order to use this feature:

  • An existing supervisor password needs to be set on the device and passed to Blancco Preinstall.
  • This feature is supported on all Lenovo ThinkPad models from 2020 or newer. Select models released before 2020 may support the feature but this cannot be guaranteed.

Alternatively, you can opt to fully disable Secure Boot manually or allow the Microsoft 3rd party UEFI CA from the device UEFI settings to resolve this issue.

If Secure Boot cannot be fully disabled, make sure that the "Enable MS UEFI CA Key" option is enabled as well to allow Drive Eraser to boot successfully.
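One way to check from a Linux environment whether the firmware currently trusts the Microsoft 3rd party UEFI CA, as an added example that is not Blancco's code. It assumes the vendor setting controls whether the CA certificate appears in the Secure Boot db variable, and it matches certificates by subject name in the raw bytes; the sample databases and the owner GUID are constructed.

```python
import struct
import uuid

# EFI_CERT_X509_GUID (UEFI specification): entry data is a DER X.509 certificate.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Subject names of Microsoft's third-party UEFI CA certificates.
THIRD_PARTY_CA_NAMES = (b"Microsoft Corporation UEFI CA 2011", b"Microsoft UEFI CA 2023")
# efivarfs path of the Secure Boot "db" variable on Linux.
DB_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

def read_db(path=DB_PATH):
    """Return the db payload; efivarfs prefixes 4 bytes of variable attributes."""
    with open(path, "rb") as f:
        return f.read()[4:]

def iter_signatures(db):
    """Yield (type_guid, owner_guid, data) for every entry in the EFI_SIGNATURE_LIST chain."""
    offset = 0
    while offset + 28 <= len(db):
        type_guid = uuid.UUID(bytes_le=db[offset:offset + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", db, offset + 16)
        end = offset + list_size
        if list_size < 28 or sig_size < 16 or end > len(db):
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {offset}")
        pos = offset + 28 + header_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=db[pos:pos + 16])
            yield type_guid, owner, db[pos + 16:pos + sig_size]
            pos += sig_size
        offset = end

def third_party_ca_allowed(db):
    """True if an X.509 entry in db carries one of the third-party CA subject names."""
    return any(t == EFI_CERT_X509_GUID and any(n in data for n in THIRD_PARTY_CA_NAMES)
               for t, _, data in iter_signatures(db))

def build_list(owner, data):
    """Build a one-entry X.509 EFI_SIGNATURE_LIST (only for the constructed samples)."""
    sig = owner.bytes_le + data
    return EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig)) + sig

# Constructed samples: placeholder bytes stand in for real DER certificates.
OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")  # constructed owner GUID
WINDOWS_CA = build_list(OWNER, b"\x30\x82..CN=Microsoft Windows Production PCA 2011..")
UEFI_CA = build_list(OWNER, b"\x30\x82..CN=Microsoft Corporation UEFI CA 2011..")
SAMPLE_BLOCKED = WINDOWS_CA            # third-party CA absent from db
SAMPLE_ALLOWED = WINDOWS_CA + UEFI_CA  # third-party CA present in db

if __name__ == "__main__":
    print("constructed, allowed:", third_party_ca_allowed(SAMPLE_ALLOWED))
    print("constructed, blocked:", third_party_ca_allowed(SAMPLE_BLOCKED))
```

On a Linux system booted in UEFI mode, `third_party_ca_allowed(read_db())` runs the same check against the live db variable.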