What’s new Explore More info
User Guide

UEFI BIOS

UEFI BIOS is the first program that the computer runs. When the computer turns on, UEFI BIOS performs a self test to make sure that various devices in the computer are functioning.

Enter the UEFI BIOS menu

Restart the computer. When the logo screen is displayed, press F1 to enter the UEFI BIOS menu.

Navigate in the UEFI BIOS interface

You can navigate in the UEFI BIOS interface by pressing the following keys:

  • F1: General Help
  • F9: Setup Defaults
  • F10: Save and Exit
  • F5 / F6: Change boot priority order
  • ↑↓ or PgUp / PgDn: Select / Scroll page
  • ← →: Move keyboard focus
  • Esc: Back / Close dialog
  • Enter: Select / Open submenu

Set the system date and time

  1. Restart the computer. When the logo screen is displayed, press F1.
  2. Select Date/Time and set the system date and time as desired.
  3. Press F10 to save changes and exit.

Change the startup sequence

  1. Restart the computer. When the logo screen is displayed, press F1.
  2. Select Startup ➙ Boot. Then, press Enter. The default device order list is displayed.
    Note: No bootable device is displayed if the computer cannot start from any devices or the operating system cannot be found.
  3. Set the startup sequence as desired.
  4. Press F10 to save the changes and exit.

To change the startup sequence temporarily:

  1. Restart the computer. When the logo screen is displayed, press F12.
  2. Select the device that you want the computer to start from and press Enter.

UEFI BIOS passwords

You can set passwords in UEFI (Unified Extensible Firmware Interface) BIOS (Basic Input/Output System) to strengthen the security of your computer.

Password types

You can set a power-on password, supervisor password, system management password, or NVMe password in UEFI BIOS to prevent unauthorized access to your computer. However, you are not prompted to enter any UEFI BIOS password when your computer resumes from sleep mode.

Power-on password

If you set a power-on password, a window is displayed on the screen when you turn on the computer. Enter the correct password to use the computer.

Supervisor password

The supervisor password protects the system information stored in UEFI BIOS. When entering the UEFI BIOS menu, enter the correct supervisor password in the window prompted. You also can press Enter to skip the password prompt. However, you cannot change most of the system configuration options in UEFI BIOS.

If you have set both the supervisor password and power-on password, you can use the supervisor password to access your computer when you turn it on. The supervisor password overrides the power-on password.

System management password

The system management password can also protect the system information stored in UEFI BIOS like a supervisor password, but it has lower authority by default. The system management password can be set through the UEFI BIOS menu or through Windows Management Instrumentation (WMI) with the Lenovo client-management interface.

You can enable the system management password to have the same authority as the supervisor password to control security-related features. To customize the authority of the system management password through the UEFI BIOS menu:

  1. Restart the computer. When the logo screen is displayed, press F1 to enter the UEFI BIOS menu.
  2. Select Security ➙ Password ➙ System Management Password Access Control.
  3. Follow the on-screen instructions.

If you have set both the supervisor password and the system management password, the supervisor password overrides the system management password. If you have set both the system management password and the power-on password, the system management password overrides the power-on password.

NVMe passwords

The NVMe password prevents unauthorized access to the data on the storage drive. When an NVMe password is set, you are prompted to type a correct password each time you try to access the storage drive.

  • Single Password
    When a Single NVMe password is set, the user must enter the user NVMe password to access files and applications on the storage drive.
  • Dual Password (User + Admin)
    The admin NVMe password is set and used by a system administrator. It enables the administrator to access any storage drive in a system or any computer connected in the same network. The administrator can also assign a user NVMe password for each computer in the network. The user of the computer can change the user NVMe password as desired, but only the administrator can remove the user NVMe password.

When prompted to enter an NVMe password, press F1 to switch between the admin NVMe password and user NVMe password.

Notes: The NVMe password is not available in the following situations:

  • A Trusted Computing Group (TCG) Opal-compliant storage drive and a TCG Opal management software program are installed in the computer, and the TCG Opal management software program is activated.
  • An eDrive storage drive is installed in the computer preinstalled with the Windows operating system.

Set, change, and remove a password

Before you start, print these instructions.

  1. Restart the computer. When the logo screen is displayed, press F1 to enter the UEFI BIOS menu.
  2. Select Security ➙ Password by using the arrow keys.
  3. Select the password type. Then, follow the on-screen instructions to set, change, or remove a password.

You should record all your passwords and store them in a safe place. If you forget any of your passwords, any potential repair actions required are not covered under warranty.

What to do if you forget your power-on password

If you forget your power-on password, do the following to remove the power-on password:

  • If you have set a supervisor password and remember it:
    1. Restart the computer. When the logo screen is displayed, immediately press F1.
    2. Type the supervisor password to enter the UEFI BIOS menu.
    3. Select Security ➙ Password ➙ Power-On Password by using the arrow keys.
    4. Type the current supervisor password in the Enter Current Password field. Then, leave the Enter New Password field blank, and press Enter twice.
    5. In the Changes have been saved window, press Enter.
    6. Press F10 to save changes and exit the UEFI BIOS menu.
  • If you have not set a supervisor password, contact a Lenovo authorized service provider to have the power-on password removed.

What to do if you forget your NVMe password

If you forget your NVMe password (Single password) or both user and admin NVMe passwords (Dual password), Lenovo cannot reset your passwords or recover data from the storage drive. You can contact a Lenovo authorized service provider to have the storage drive replaced. A fee will be charged for parts and service. If the storage drive is a CRU (Customer Replaceable Unit), you can also contact Lenovo to purchase a new storage drive to replace the old one by yourself. To check whether the storage drive is a CRU and the relevant replacement procedure, see “CRU replacement”.

What to do if you forget your supervisor password

If you forget your supervisor password, there is no service procedure to remove the password. You have to contact a Lenovo authorized service provider to have the system board replaced. A fee will be charged for parts and service.

What to do if you forget your system management password

If you forget your system management password, do the following to remove the system management password:

  • If you have set a supervisor password and remember it:
    1. Restart the computer. When the logo screen is displayed, immediately press F1.
    2. Type the supervisor password to enter the UEFI BIOS menu.
    3. Select Security ➙ Password ➙ System Management Password by using the arrow keys.
    4. Type the current supervisor password in the Enter Current Password field. Then, leave the Enter New Password field blank, and press Enter twice.
    5. In the Changes have been saved window, press Enter.
    6. Press F10 to save changes and exit the UEFI BIOS menu.
  • If you have not set a supervisor password, contact a Lenovo authorized service provider to have the system management password removed.

Associate your fingerprints with passwords (for selected models)

Do the following to associate your fingerprints with the power-on password and NVMe password:

  1. Turn off and then turn on the computer.
  2. When prompted, scan your finger on the fingerprint reader.
  3. Enter your power-on password, NVMe password, or both as required. The association is established.

When you start the computer again, you can use your fingerprints to log in to the computer without entering your Windows password, power-on password, or NVMe password. To change settings, press F1 to enter the UEFI BIOS menu, and then select Security ➙ Fingerprint.

Attention: If you always use your fingerprint to log in to the computer, you might forget your passwords. Write down your passwords, and keep them in a safe place.

BIOS features

View UEFI BIOS Event log

  1. Restart the computer. When the logo screen is displayed, press F1.
  2. Select Main ➙ BIOS Event log. Then, press Enter. The BIOS Event log interface is displayed.
  3. Navigate the interface by pressing the following keys, and then see details by selecting each item.
    • ↑↓: Move keyboard focus
    • PgUp / PgDn: Scroll page
    • Enter: Select
    • F3: Exit

The following BIOS Event logs might be listed on your screen depending on the UEFI BIOS activities. Each log consists of date, time, and a description of the event.

  • Power On event: this log shows Power On Self Test (POST) routine has started with power-on process. It includes power on reason, boot mode and shutdown reason.
  • Subcomponent Code Measurement event: this log shows subcomponent code measurement has worked. It includes validation result of each component.
  • System Preboot Authentication event: this log shows what credential was provided to gain preboot authentication. It includes installed password, password type, input device and authentication result.
  • BIOS Password Change event: this log shows changes of the UEFI BIOS passwords. It includes password type, event type and result.
  • Subcomponent Self-healing event: this log shows information about the subcomponent where the recovery event occurred. It includes event cause, recovered firmware version and result.
  • BIOS Setup Configuration Change event: this log shows changes of UEFI BIOS Setup configuration. It includes item name and value.
  • Device Change event: this log shows changes of devices. It includes event cause and event type.
  • System Boot event: this log shows which boot device was utilized to boot the system. It includes boot option, description and file path list.
  • System Tamper event: this log shows occurrence of system tamper events. It includes event cause and event type.
  • POST Error event: this log shows occurrence of errors during POST routine. It includes the error code.
  • Flash Update event: this log shows occurrence of flash update. It includes event cause, updated firmware version and result.
  • Set On-Premise event: this logs shows changes of on-premise boot setting. It includes on-premise setting value and change method.
  • Capsule Update event: this log shows occurrence of UEFI capsule firmware update. It includes event cause, updated firmware version and result.
  • Log Cleared event: this log shows clearing BIOS event log has executed. It includes event cause and result.
  • Shutdown / Reboot event: this log shows UEFI BIOS is successfully shut down or the system is rebooted. It includes event cause and event type.

Switch the security chip

Your computer may come with 2 types of security chips (Discrete TPM 2.0 and Pluton TPM 2.0). The Pluton TPM 2.0 security chip is only applicable on Windows 11. Before you switch to other operating systems, you should also switch security chip from Pluton TPM 2.0 to Discrete TPM 2.0.

Note: when you switch the security chip, the content in the security chip will be cleared, such as BitLocker encryption key.

  1. If you are using the Windows BitLocker® Drive Encryption feature, ensure that you have disabled the feature.
  2. Select the security chip for your purpose.
    1. Restart the computer. When the logo screen is displayed, press F1 to enter the UEFI BIOS menu.
    2. Select Security ➙ Security Chip and press Enter. The Security Chip submenu opens.
    3. Select security chip from the menu. Ensure that the security chip for Discrete TPM 2.0 is set to Active.
    4. Press F10 to save the settings and exit.

Reset system to factory default

This feature allows you to initialize the UEFI BIOS to the factory default state, including all UEFI BIOS settings and internal data. It helps you wipe user data in case that you want to dispose of or reuse your computer.

Note: If you permanently disable Intel AMT control and Absolute Persistence(R) Module in UEFI BIOS, you can not reset even if you reset the system to factory default.

How to reset system to factory default

  1. Restart the computer. When the logo screen is displayed, press F1 to enter the UEFI BIOS menu.
  2. Select Security ➙ Reset System to Factory Defaults and press Enter.
  3. A series of warning windows might pop up. Your might be required to do the following before resetting the system to factory default.
    • Deactivate the Absolute Persistence Module.
    • Remove the NVMe password if your have set one.
  4. For computer model with RAID settings, a window pops up to remind you of data damage.
  5. If you select Yes, a window pops up to confirm your current operation.
  6. If you select Yes, a windows pops up. Enter your supervisor password, system management password or power-on password.
  7. Then, your computer will restart immediately. It take several minutes to complete the initialization.

Note: This initialization process may require the screen to be blank. This is normal and you should not interrupt the process.

Recover the UEFI BIOS

If the UEFI BIOS is corrupted or maliciously attacked, it can self-recover and restore your computer from the last uncorrupted and secure backup. This function protects your computer data.

During the UEFI BIOS self-recovery, the screen might be blank. You can check the progress based on blinking modes of the LED indicators on Esc, F1, and F4. For details, refer to the following table.

Note: Do not press the power button to interrupt the progress. Wait a few minutes until the logo screen is displayed.

Blinking modes Self-recovery progress
LED indicator on Esc blinks 0% to 32%
LED indicators on Esc and F1 blink simultaneously 33% to 65%
LED indicators on Esc, F1 and F4 blink simultaneously 66% to 100%

Update UEFI BIOS

When you install a new program, device driver, or hardware component, you might need to update UEFI BIOS.

Download and install the latest UEFI BIOS update package by one of the following methods:

  • Open the Vantage app to check the available update packages. If the latest UEFI BIOS update package is available, follow the on-screen instructions to download and install the package.
  • Go to https://pcsupport.lenovo.com and select the entry for your computer. Then, follow the on-screen instructions to download and install the latest UEFI BIOS update package.

To know more about UEFI BIOS, visit Knowledge Base of your computer at https://pcsupport.lenovo.com.

FIDO (Fast ID) Online authentication

Your computer support FIDO (Fast ID) Online authentication which works as an alternative of password-based authentication to help you achieve passwordless authentication. This new BIOS feature only works when power-on password is set in UEFI BIOS and FIDO2 USB device is registered in ThinkShield™ Passwordless Power-On Device Manager. With this feature, you can input power-on password or use the registered USB FIDO2 device to power on your computer.

Register your FIDO2 USB device in ThinkShield™ Passwordless Power-On Device Manager

  1. Turn on the computer.
  2. Press F12 during power on process.
  3. If you set a power-on password, a window pops up on the screen when you turn on the computer. Enter the correct password to use the computer.
  4. Select App Menu ➙ ThinkShield Passwordless Power-On Device Manager and press Enter.
  5. Insert FIDO2 device to register the FIDO2 device by following steps:
    • Select the available FIDO2 device that you want to register in the Discovered Devices area.
    • The first window pops up to confirm the device your selected. Click Yes.
    • If you set a power-on password, a window pops up. Enter the correct password.
    • The User operation request window pops up. You are required to press a button on the connected FIDO2 device, and then follow the on-screen instruction to close the window.
    • Press ESC to exit and restart your computer.

Notes:

  • If you want to unregister your devices, click available FIDO2 device that you want to unregister in My Device area and enter the correct power-on password for verification.
  • If you use more than one FIDO2 devices with common identifier for registration, only one device could be available.

Log in to the System with Passwordless Power-On Authentication

  1. Restart the computer.
  2. ThinkShield Passwordless Power-On Authentication window appears.
  3. Insert your registered FIDO2 device for detection.
  4. Then follow the on-screen instruction to press the button on your FIDO2 device for verification.
  5. After your device is verified, the power-on process continues.

Note: You should insert the FIDO2 device or enter power-on password within 60 seconds. Otherwise, your computer will shut down automatically.

Install a Windows operating system and drivers

This section provides instructions on installing a Windows operating system and device drivers.

Install a Windows operating system

Microsoft constantly makes updates to the Windows operating system. Before installing a particular Windows version, check the compatibility list for the Windows version. For details, go to Lenovo windows support.

Attention:

  • It is recommended that you update your operating system through official channels. Any unofficial update might cause security risks.
  • The process of installing a new operating system deletes all the data on your internal storage drive, including the data stored in a hidden folder.
  1. If you are using the Windows BitLocker® Drive Encryption feature and your computer has a Trusted Platform Module, ensure that you have disabled the feature.
  2. Ensure that the security chip is set to Active.
    1. Restart the computer. When the logo screen is displayed, press F1 to enter the UEFI BIOS menu.
    2. Select Security ➙ Security Chip and press Enter. The Security Chip submenu opens.
    3. Ensure that the security chip for TPM 2.0 is set to Active.
    4. Press F10 to save the settings and exit.
  3. Connect the drive that contains the operating system installation program to the computer.
  4. Restart the computer. When the logo screen is displayed, press F1 to enter the UEFI BIOS menu.
  5. Select Startup ➙ Boot to display the Boot Priority Order submenu.
  6. Select the drive that contains the operating system installation program, for example, USB HDD. Then, press Esc.
    Attention: After you change the startup sequence, ensure that you select the correct device during a copy, a save, or a format operation. If you select the wrong device, the data on that device might be erased or overwritten.
  7. Select Restart and ensure that OS Optimized Defaults is enabled. Then, press F10 to save the settings and exit.
  8. Follow the on-screen instructions to install the device drivers and necessary programs.
  9. After installing the device drivers, apply Windows Update to get the latest updates, for example the security patches.

Install device drivers

You should download the latest driver for a component when you notice poor performance from that component or when you added a component. This action might eliminate the driver as the potential cause of a problem. Download and install the latest driver by one of the following methods:

  • Open the Vantage app to check the available update packages. Select the update packages you want, and then follow the on-screen instructions to download and install the packages.
  • Go to https://pcsupport.lenovo.com and select the entry for your computer. Then, follow the on-screen instructions to download and install necessary drivers and software.