No key is kept in the bios. What you are thinking is the checksum that the UEFI uses to verify that OS is valid (MS wisdom to make an attempt to not allow Linux on PC's. & Laptops).
The machines can be ordered with the SSD's already installed, no OS if you are using a MS Volume license. You basically connect all of the machines up to a Lab LAN and go through the process of loading them up with the company Master copy of the OS with all updates on it and other software that is used during the course of users performing their duties.
You're confusing two different things and getting them both wrong.
First, the thing you refer to that you think tries to prevent Linux is called SecureBoot. And Linux systems are perfectly capable of using it, in fact most of the major versions have SecureBoot support, and there is package to add it to those that don't.
Second, Yes, OS Keys can be embedded in the firmware, in something called a SLIC or Software Licensing Description Table. Most OEM computers come with the keys embedded this way.