Affects version: Drive Eraser - 7.8.1 SB (and newer)
Fix version: Preinstall - 3.0


Some devices may fail to boot Blancco Drive Eraser if the "Allow Microsoft 3rd Party UEFI CA" or "Enable MS UEFI CA Key" BIOS/UEFI option is disabled under the Secure Boot settings.

The setting is named differently by each vendor but is normally located under Security, in the Secure Boot settings section. Refer to the screenshots below to identify the setting for different vendors:



This issue affects most of the latest generation devices. Some examples are listed below:

  • Lenovo X1 Yoga
  • ThinkPad T14 Gen 3
  • HP ProBook 650 G8
  • Latitude 5540
  • Latitude 7310


If the Microsoft 3rd party UEFI CA is not allowed, it is not possible to authenticate the Drive Eraser ISO, which causes the boot to fail.

This is due to a Microsoft requirement which instructs vendors to disable 3rd party certificates by default on newer devices. 

Lenovo offers an official statement for this behavior.


Starting from Blancco Preinstall 3.0, it is possible to disable Secure Boot automatically on selected Lenovo Secured-core devices before booting to Blancco Drive Eraser. The following requirements need to be met in order to use this feature:

  • An existing supervisor password needs to be set on the device and passed to Blancco Preinstall.
  • This feature is supported on all Lenovo ThinkPad models from 2020 or newer. Select models released before 2020 may support the feature but this cannot be guaranteed.

Alternatively, you can resolve this issue from the device UEFI settings by either fully disabling Secure Boot manually or allowing the Microsoft 3rd party UEFI CA.
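
To check whether a device currently trusts the Microsoft 3rd party UEFI CA, the contents of the Secure Boot `db` variable can be inspected. The following is an added example, not Blancco code: it parses the UEFI `EFI_SIGNATURE_LIST` format and looks for the CA's common name in each X.509 entry. It assumes the firmware reflects the BIOS/UEFI option by adding or removing the certificate from `db`; the common names, helper names and sample blobs are constructed for illustration.

```python
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI specification.
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Common names of Microsoft's third-party UEFI CAs (assumption: not listed on the page).
THIRD_PARTY_CNS = (b"Microsoft Corporation UEFI CA 2011", b"Microsoft UEFI CA 2023")


def iter_x509(db: bytes):
    """Yield the raw bytes of every X.509 entry in an array of EFI_SIGNATURE_LISTs."""
    off = 0
    while off + 28 <= len(db):
        sig_type = uuid.UUID(bytes_le=db[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", db, off + 16)
        if list_size < 28 or sig_size < 16 or off + list_size > len(db):
            raise ValueError(f"malformed signature list at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            if sig_type == EFI_CERT_X509:
                yield db[pos + 16:pos + sig_size]  # skip the SignatureOwner GUID
            pos += sig_size
        off = end


def third_party_ca_trusted(db: bytes) -> bool:
    """Heuristic: True if any X.509 entry in db carries a third-party CA common name."""
    return any(cn in cert for cert in iter_x509(db) for cn in THIRD_PARTY_CNS)


def make_list(sig_type: uuid.UUID, payload: bytes) -> bytes:
    """Build one single-entry signature list (helper for the constructed samples)."""
    sig = uuid.UUID(int=0).bytes_le + payload
    return sig_type.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig)) + sig


# Constructed sample data: placeholder bytes, not real certificates.
DB_DEFAULT = make_list(EFI_CERT_X509, b"...CN=Microsoft Windows Production PCA 2011...")
DB_ALLOWED = DB_DEFAULT + make_list(EFI_CERT_X509, b"...CN=Microsoft Corporation UEFI CA 2011...")

if __name__ == "__main__":
    print("default db trusts 3rd party CA:", third_party_ca_trusted(DB_DEFAULT))
    print("allowed db trusts 3rd party CA:", third_party_ca_trusted(DB_ALLOWED))
```

On a Linux system booted in UEFI mode, the real variable can be read from `/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f`; skip the first 4 bytes (the variable attributes) before passing the rest to `third_party_ca_trusted`.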