We've managed to get to the bottom of this. I hope this post helps others...
For the Lenovo devices: X1, X270, X280 etc, we had to:
1. Go into the BIOS settings
2. Within the BIOS, choose Secure Boot settings
3. Within the Secure Boot settings, choose "Reset to Setup Mode"
NB: This puts the Platform mode into "Setup Mode" and the Secure Boot Mode into "Custom Mode"
4. At this point deploy the image via iPXE with WinPE boot (this time, no BSOD was experienced).
5. After the OS was deployed, go back to the Secure Boot settings in the BIOS and choose "Restore Factory Keys".
NB: This puts the Platform mode into "User Mode" and the Secure Boot Mode into "Standard Mode".
6. Boot into the OS, open 'System Information' app, and confirm Secure Boot State = On