[KB8389] Enable 3rd party certificates in Secure Boot for ESET Endpoint Encryption and ESET Full Disk Encryption

Issue

Solution

Affected models

By default, Secure Boot is set to load only Microsoft bootloader files. Update the UEFI BIOS settings to allow third-party configuration, which includes the ESET Endpoint Encryption and ESET Full Disk Encryption files.

Microsoft Surface
  1. Open the UEFI Security page.

  2. Click Change configuration.

    Figure 1-1
  3. Select Microsoft & 3rd-party CA and click OK.

    Figure 1-2
Lenovo
Lenovo versions

The steps below apply to the following versions of Lenovo:

  • E14
  • L14
  • T14
  • P15 generation 3 models
  • P16/P16s
Some P15 and P16 models may not include the option outlined below.
  1. Open ThinkPad Secure Boot Configuration.

  2. Click Security. Click the toggle next to Allow Microsoft 3rd Party UEFI CA.

    Figure 2-1
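
To confirm from Windows that the change on either a Surface or a Lenovo machine took effect, the Secure Boot allowed-signature database (db) can be inspected for Microsoft's third-party UEFI CA. The script below is an added example, not ESET's or the hardware vendor's tooling; it assumes an elevated PowerShell session and that the firmware reflects the setting in the db variable, and the function name Test-ThirdPartyUefiCa is hypothetical.

```powershell
# Added example (not from the original article). Run elevated on the target machine.
# Assumption: the firmware setting adds or removes the third-party CA in the "db" variable.

# Common names of Microsoft's third-party UEFI CA certificates (2011 and its 2023 successor).
$ThirdPartyCaNames = @(
    'Microsoft Corporation UEFI CA 2011',
    'Microsoft UEFI CA 2023'
)

function Test-ThirdPartyUefiCa {
    # Confirm-SecureBootUEFI returns $true/$false and throws on non-UEFI systems.
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = $false }

    $found = @()
    try {
        # db holds raw EFI signature lists; certificate subject names are
        # embedded as readable strings, so a text search is sufficient here.
        $db    = Get-SecureBootUEFI -Name db -ErrorAction Stop
        $text  = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
        $found = @($ThirdPartyCaNames | Where-Object { $text.Contains($_) })
    }
    catch {
        Write-Warning "Could not read the Secure Boot db variable: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        SecureBootEnabled   = $secureBoot
        ThirdPartyCaTrusted = ($found.Count -gt 0)
        MatchingCertificates = $found -join '; '
    }
}

$result = Test-ThirdPartyUefiCa
$result | Format-List

if ($result.SecureBootEnabled -and -not $result.ThirdPartyCaTrusted) {
    Write-Warning 'Secure Boot is on but no Microsoft third-party UEFI CA was found in db.'
}
```

If the warning appears after the setting was changed, recheck the firmware option before starting encryption.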

Boot loading loop

Users with Secured Core enabled may experience a boot loading loop. Disable Secured Core to boot the machine normally. 
 
Affected versions:
  • Microsoft Surface Laptop 5 Firmware version 9.101.143 and later
  • Microsoft Surface Pro 9 Firmware version 12.200.143.0 and later