Windows 10 version 1703 also known as the Creators Update is now out of support. For those using 1709 known as the Fall Creators edition it will be supported until April 2019.
While 1809 has been a problem for many, 1803 was not problematic in our shop. Microsoft has fixed some of the issues with 1809 and they are now slowly trickling it out with careful consideration of the user’s settings.
We are more mainstream and install the updates as they are released. Our Lenovo T500 was bricked but we have experience fixing machines. The Lenovo machines have an UltraBay and they can have a second hard disk installed which is faster for decrypting disks. More recently USB 3.0 cables are lower cost and our Lenovo X230 can now decrypt disks with acceptable speed.
Lenovo have TPM chips on our T and X series machines so they are secure from theft etc. The BIOS passwords are vulnerable but erasing them does not help with bitlocker disk encryption.
So far Bitlocker has not been a problem with our X230 which we use to test insider builds on the fast ring, The X230 has a 480GB SSD so it has lots of room for multiple redundant backups of windows.old folders. Disk cleanup is not able to remove the .old folders so to clean up a SSD requires a backup and reformat.
Lenovo users should set a supervisor password so that malware cannot attack the UEFI. This will allow secure boot to reach the security layer safely. This will block rootkits. RAM has a small table (SPD) with the timings and this bus also has other devices that could potentially be insecure.
Windows 10 has been hardened significantly against malware. Older machines can benefit but more recent machines are at best advantage with secure boot.
Lenovo does not like tutorials on security which is stupid in the extreme. To reset the BIOS needs the keyboard removed so a USB keyboard is needed. This is due to the keyboard being awkwardly placed to reach the BIOS chip. With a small screwdriver you can short out the pins and force an error as the machine boots and eventually the BIOS will reset. This allows the machine to be refurbished but the disk is secure so unauthorized data is accessed, the disk can be wiped with a fresh install of Windows.
Lenovo would rather sell a new motherboard which is very hard to install and very expensive. Here are Hardcore Games we would rather fix the offending hardware.
More than once we had to reset a machine after it was bricked by problems. Removal of the TPM device is very difficult and requires a specialized tools. The TPM with the BIOS, ACPI and other factors make it very difficult to attempt to break into the TPM.