This isn't going to be just Lenovo. Microsoft requires that the certificate in question is not part of the Secure Boot database for any device meeting/utilising the "Device Guard" functionality.
And as others have said, as long as you can enroll your own keys this isn't really a bad thing. It improves security by default for the default OS shipped with the device. You have to go away from the defaults to use Linux anyways, so one more toggle isn't going to kill anyone.
And as others have said, as long as you can enroll your own keys this isn't really a bad thing. It improves security by default for the default OS shipped with the device. You have to go away from the defaults to use Linux anyways, so one more toggle isn't going to kill anyone.