Lenovo ThinkShield SE350 System Lockdown¶
Complete procedure for managing Lenovo ThinkEdge SE350 servers with ThinkShield Key Vault Portal, including system registration and lockdown mode deactivation.
Overview¶
The Lenovo ThinkEdge SE350 features System Lockdown Mode - a security feature that ensures the system is only used by its intended recipient. When activated, the server cannot boot until authorized through the ThinkShield Key Vault Portal.
Prerequisites¶
| Item | Details |
|---|---|
| Portal Access | ThinkShield Key Vault Portal account |
| Customer ID | Organization's unique customer ID (in portal URL) |
| Network | Server must have network connectivity for online activation |
| Browser | Access to server's IMM/XCC web interface |
ThinkShield Key Vault Portal¶
Portal URL¶
https://portal.naea1.uds.lenovo.com/<CUSTOMER_ID>
Customer ID
The number at the end of the URL is your organization's Customer ID. This is critical - using the wrong ID will prevent you from managing your devices.
Authorized Users¶
| User | |
|---|---|
| Jeff Brooks | jeff.brooks@hamilton.co.uk |
| Stuart Taylor | stuart.taylor@hamilton.co.uk |
| Jacky Yung | jacky.yung@hamilton.co.uk |
| Gary Farquharson | gary.farquharson@hamilton.co.uk |
Part 1: Registering a New SE350¶
When receiving a new Lenovo SE350, it must be registered to the portal before deployment.
Steps¶
- Log into the ThinkShield Key Vault Portal
- Navigate to Devices or Systems
- Click Add Device or Register New System
- Enter the server's:
- Serial Number
- Machine Type Model (MTM)
- UUID (if required)
- Assign to appropriate device group
- Save registration
Bulk Registration
Multiple devices can be registered via CSV upload if processing a large batch.
Part 2: Checking System Lockdown Status¶
Access via IMM/XCC Web Interface¶
- Connect to the server's management IP address
- Log into the Integrated Management Module (IMM) or XClarity Controller (XCC)
- Navigate to: BMC Configuration → Security → System Lockdown Mode
Lockdown Status Indicators¶
| Status | Meaning |
|---|---|
| Asserted | System is locked - cannot boot OS |
| De-asserted | System is unlocked - normal operation |
| ThinkShield Portal | Activation via portal required |
| XClarity Controller | Can be unlocked locally via XCC |
Part 3: Deactivating System Lockdown Mode¶
Use this procedure when a server shows "System Lockdown Mode: Asserted".
Step 1: Generate Challenge Code¶
- Log into the server's IMM/XCC web interface
- Navigate to: BMC Configuration → Security → System Lockdown Mode
- Move the slider from Asserted to De-asserted
- A popup appears with a Challenge Code
- Copy this code - you'll need it for the portal
Challenge Code Validity
The challenge code is time-sensitive. Complete the activation process promptly.
Step 2: Get Response from Portal¶
- Open the ThinkShield Key Vault Portal in a new browser tab
- Find and click on the correct system (match serial number)
- Click Manually Activate
- Enter the Challenge Code from Step 1
- Click Generate Response
- Copy the Response Code displayed
Step 3: Complete Activation¶
- Return to the IMM/XCC popup (still showing challenge code)
- Enter the Response Code from Step 2
- Click OK
- Click Apply
- System Lockdown Mode is now De-asserted
System Lockdown Mode Options¶
Lockdown Triggers¶
From the IMM/XCC interface, you can configure automatic lockdown triggers:
| Trigger | Description |
|---|---|
| Motion Detection | Locks if server is moved/tilted |
| Chassis Intrusion | Locks if cover is opened |
| Network Disconnect | Locks if management network lost |
| Manual Assertion | Administrator manually locks system |
Control Mode Settings¶
| Mode | Description | Security Level |
|---|---|---|
| ThinkShield Portal | Requires portal activation | Highest |
| XClarity Controller | Can unlock locally via XCC | Medium |
Portal Mode is Permanent
Once System Lockdown Mode Control is set to ThinkShield Portal, it cannot be changed back to XClarity Controller. This is by design for security.
Troubleshooting¶
Challenge Code Verification Failed¶
If the portal cannot verify the challenge code:
- Check the system clock is accurate on both server and your computer
- Request a counter reset from IT administrator
- Generate a new challenge code and try again
Cannot Access IMM/XCC¶
- Verify network connectivity to management port
- Try default credentials if recently reset
- Use the USB/Serial console for recovery
Device Not Found in Portal¶
- Verify you're using the correct Customer ID in the URL
- Check the device was properly registered
- Confirm serial number matches exactly
Lockdown Asserted After Power Loss¶
- This is expected behavior if motion/intrusion triggers are enabled
- Follow the deactivation procedure above
- Consider disabling sensitive triggers if causing frequent lockouts
Quick Reference Commands¶
XCC CLI Commands (if available)¶
# Check lockdown status
show system lockdown
# View security settings
show security
# Display system information
show system
BMC Navigation Path¶
BMC Configuration → Security → System Lockdown Mode
Security Best Practices¶
- Limit Portal Access - Only authorized personnel should have portal credentials
- Use Strong Passwords - Both for portal and IMM/XCC interfaces
- Enable UEFI PAP - Prevents unauthorized XCC reset when in XClarity Controller mode
- Document Registrations - Keep records of all registered devices and their status
- Regular Audits - Periodically review portal for unauthorized devices