For the average consumer machine, users can get the most out of it without ever having to contemplate these advanced setup procedures. A ThinkPad, however, requires the user to at least take a peek at them, because the default settings certainly do not fit all usage scenarios. From hardware settings, performance and power setup, to security, OS installation and enterprise deployment, almost everything is configurable. Having your ThinkPad wrongly configured in the BIOS can slow down OS booting, disabled features you need will not show up in the OS, and enabled features you don't need will produce unwanted activity, battery drain, etc.
For every ThinkPad I've ever bought, sold or maintained through the years, the BIOS setup is the first thing I perform. This is particularly vital today, even before loading up any OS on it, because machines ship with either a legacy-mode pre-installed Windows 7 or a UEFI-mode pre-installed Windows 8/8.1. In the former case, upgrading your Windows 7 pre-installation to Windows 8 instead of clean installing will give you a legacy-installed Windows 8, which fails to take advantage of some of the UEFI features that are built into the OS. I'll get into some of the differences between Legacy and UEFI installations in Part 3, as well as dual booting from the main hard drive only and with a secondary hard drive.
NB. Although this setup is for the W540/T540p, most of the options are identical to those on other ThinkPad models and serve the same function. Being a fully loaded W540, it has several options that other models don't have, which makes it a perfect machine to demonstrate this on.
To enter the ThinkPad UEFI BIOS there are several methods you can use.
Press F1 on the Lenovo screen to bring up the BIOS setup instantly. (Only possible during restart or when started up again from a full shutdown, which you can have your machine enter if you hold down Shift while clicking Shutdown in Windows 8/8.1).
Press Enter on the Lenovo screen, again, only possible using the same restart methods as above, to bring up the Startup Interrupt Menu, and then select F1 for the BIOS setup.
From within Windows 8/8.1:
Open the Charm Bar by pressing Win+C key combination.
Click on Settings
Click on Change PC Settings
Click on General (Win 8) or Update and Recovery (Win 8.1)
Scroll to the bottom and click on Advanced Startup -> Restart Now (Win 8), or select Recovery -> Advanced Startup -> Restart Now (Win 8.1)
Click on Troubleshoot
Click on Advanced Options
Click on UEFI Firmware Settings
Click on Restart
NB. By default, a Windows 8/8.1 shutdown is not a real shutdown. Instead, it is a hybrid shutdown where the contents of memory are saved to disk. This allows for a faster startup. However, turning on the PC after a hybrid shutdown does not allow for pressing F1 or F12 during startup. To disable this behaviour and for further information on booting Windows 8/8.1 pre-installed machines, head over to this page: Windows 8/8.1 boot instructions - Lenovo.
If you have a ThinkPad with a Legacy BIOS, just press F1 on the ThinkPad screen.
On the main screen you can see various important information about your ThinkPad, such as the serial and MTM numbers, information on your installed CPU and RAM, OS Licence and Secure Boot status. In the image above, I've annotated where you can find the various categories of settings for your machine.
My W540 is set up as a non-enterprise, standalone workstation, so the first thing I do is turn off AMT (Intel Active Management Technology) and all Wake/Boot from LAN settings, as my machine will be neither booted from LAN nor managed remotely.
To turn these settings off, open up your Config screen and select Network and toggle your preferred settings between Enabled / Disabled. I disable all options. The Intel AMT settings are also found on the Config screen, which I set to disabled. NB, do not select Permanently Disabled if you plan on reselling your machine later on, as permanently disabled means just that.
There are a couple of other features that I disable in the Config section. One is Intel Smart Connect Technology, which powers on your machine at regular intervals to check for mail and social media updates. The other is Power – Intel Rapid Start Technology, which I don't need on my W-series machines, but which I do keep enabled on my ThinkPad travelmates, such as the T440s.
Walking through the other settings I change on the Config screen, on USB I have everything set to Enabled and USB 3.0 set to Auto. I am particularly fond of the USB always on and Charge in battery mode, as my ThinkPads that have large 9 cell batteries have managed to save my phone from running out of power on countless occasions. Finally, I set my display options for standalone operation, but if you have your machine docked and connected to one or more external monitors, you need to set these accordingly.
On to the Security screen, where many mission critical options reside. Many of these options should not be played with, as setting them wrongly can have serious consequences. Particular care should be taken when setting one or more Passwords for access control, as there is no fallback or fix that can reset a forgotten password.
Leaving the Security settings at their default is fine in most usage scenarios, but some features are disabled by default, like Virtualization, and need to be enabled for them to work. The Security Chip is initially set to Inactive, which means it is visible in your OS, but inactive. I set mine to Active, as it is required by the Security Reporting Options, which I monitor in case something comes up. I also have the Intel Trusted Execution Technology (TXT) options set to Enabled.
The UEFI BIOS Update Option is self-explanatory, and in addition you can prevent flashing of an older BIOS by setting Secure Rollback Prevention to Enabled. Memory Protection and I/O Port Access are all enabled by default, and no restrictions or access controls on your hardware are set. The Internal Device Access option is for the Bottom Cover Tamper Protection, which works in conjunction with the Supervisor Password, so if no Supervisor Password is set, the Tamper Protection won't take effect even if set to Enabled. The Anti-Theft module is active by default, and thus you'll get popups in your Windows OS regarding enrollment. If you do not wish to see those or you won't be using the feature, just set the AT Module to Disabled. As with the Intel AMT Control, the AT Module can be permanently disabled as well.
Lastly, the Secure Boot option is always enabled by default on all machines that come with a Windows 8/8.1 sticker from the manufacturer. Secure boot defines how platform firmware manages security certificates, validation of firmware, and a definition of the interface (protocol) between firmware and the operating system. Secure boot prevents “unauthorized” operating systems and software from loading during the startup process.
Quick summary of the Secure Boot feature:
UEFI allows firmware to implement a security policy.
Secure boot is a UEFI protocol, not a Windows 8 feature.
UEFI secure boot is part of Windows 8 secured boot architecture.
Windows 8 utilizes secure boot to ensure that the pre-OS environment is secure.
Secure boot doesn’t “lock out” operating system loaders, but is a policy that allows firmware to validate authenticity of components.
OEMs have the ability to customize their firmware to meet the needs of their customers by customizing the level of certificate and policy management on their platform.
Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows.
I will go deeper into the Secure Boot settings and functionality in Part 3, where the OS installation will be the topic, but unless you're clean installing a new OS or upgrading from Windows 7 to Windows 8, these settings as well as the OS Optimized Default setting on the Restart screen can be left at their defaults.
The Startup section is one that I always clean up, leaving only the boot devices I regularly use active in the Boot Priority Order. Don't use it? Lose it. This spares your machine from going through all possible boot options on cold boot / restart, and a temporary boot device can always be selected through the F12 Boot Menu if you need to boot your machine from a device you don't regularly use.
I use my machine as UEFI OS only, as setting it up as dual-booted Windows / Linux in UEFI mode has become much simpler and more effective in the last couple of years. However, dual booting a UEFI and a legacy OS, or legacy only, is also an option, and will be further discussed in my next instalment.
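The choices made on the Config and Security screens can be checked from the running OS, because Lenovo firmware reports each setting as a `Name,Value` string through its WMI BIOS interface (the Lenovo_BiosSetting class). The script below is an added example, not part of the original article: it audits such an export against the baseline described above and flags the cases where a setting reads enabled but has no effect. The setting names (which vary by model), the `supervisor_password_set` parameter and the sample export are assumptions and constructed data.

```python
# Added example, not from the original article. Setting names and values follow
# Lenovo's "Name,Value" WMI convention but are assumptions: they vary by model.
BASELINE = {  # the standalone-workstation choices described in the article
    "WakeOnLAN": "Disable",
    "AMTControl": "Disable",
    "SecurityChip": "Active",
    "TXTFeature": "Enable",
    "SecureRollBackPrevention": "Enable",
    "SecureBoot": "Enable",
}
# Constructed sample export, one setting per line.
SAMPLE_EXPORT = """\
WakeOnLAN,ACOnly
AMTControl,Disable
SecurityChip,Inactive
TXTFeature,Enable
SecureRollBackPrevention,Enable
SecureBoot,Enable
BottomCoverTamperDetected,Enable
"""

def parse_export(text):
    """Turn 'Name,Value' lines into a dict, skipping blank or malformed lines."""
    settings = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition(",")
        if sep and name.strip():
            settings[name.strip()] = value.strip()
    return settings

def audit(settings, supervisor_password_set):
    """Return sorted findings; an empty list means the baseline holds."""
    findings = []
    for name, want in BASELINE.items():
        have = settings.get(name)
        if have is None:
            findings.append(f"{name}: not reported by this firmware")
        elif have != want:
            findings.append(f"{name}: is {have}, baseline is {want}")
    # A setting can read Enable and still do nothing: tamper protection needs a
    # Supervisor Password (per the article) and Intel TXT needs an active TPM.
    if settings.get("BottomCoverTamperDetected") == "Enable" and not supervisor_password_set:
        findings.append("BottomCoverTamperDetected: no effect without a Supervisor Password")
    if settings.get("TXTFeature") == "Enable" and settings.get("SecurityChip") != "Active":
        findings.append("TXTFeature: enabled while the Security Chip is not Active")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(parse_export(SAMPLE_EXPORT), supervisor_password_set=False):
        print(finding)
```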
For detailed information on the W540 System Setup, refer to the User Guide available here: