Hi Lieben, please review your script: your BIOS password management is legacy (pre 2020 Lenovo models). You need to invoke the new method WmiOpcodeInterface

I modified yours like this (added also “Allow3rdPartyUEFICA” which must require a supervisor password):

#set to $true if your implementation of bitlocker requires suspend before enabling secureboot to avoid bugging users with locked machines until they unlock. This is normally not needed! (Tested on multiple Lenovo devices)
$suspendBitlocker = $true

$setBios = (gwmi –class Lenovo_SetBiosSetting –namespace root\wmi)
$WmiOpcodeInterface= (gwmi –class Lenovo_WmiOpcodeInterface –namespace root\wmi)
$commitBios = (gwmi –class Lenovo_SaveBiosSettings –namespace root\wmi)

if(!$biosPasswords){
    Write-Host “Enabling secureboot without bios password”
    try{
        $setBios.SetBiosSetting(“SecureBoot,Enable”)
        $setBios.SetBiosSetting(“Allow3rdPartyUEFICA,Enable”)
        $commitBios.SaveBiosSettings()
    }catch{
        Write-Error $_ –ErrorAction Continue
        Exit 1
    }
}else{
    $passwordWorked = $false
    if($biosPasswords.Count -gt 2){
        Write-Host “WARNING: Using 3 or more passwords could lock you out of the bios, use at your own risk!”
    }
    foreach($biosPassword in $biosPasswords){
        try{
            Write-Host “Enabling secureboot using bios password”
            $setBios.SetBiosSetting(“SecureBoot,Disable”)
            $setBios.SetBiosSetting(“Allow3rdPartyUEFICA,Enable”)
            $WmiOpcodeInterface.WmiOpcodeInterface(“WmiOpcodePasswordAdmin:$biosPasswords;”)
            $commitBios.SaveBiosSettings()
            $passwordWorked = $true
            break
        }catch{
            Write-Host “Bios password <redacted> did not work, trying next password $($_.Exception.Message)“
        }  
    }
    if($passwordWorked -eq $false){
        Write-Error “None of the configured bios passwords worked, aborting” –ErrorAction Continue
        Exit 1
    }
}

Write-Host “Secureboot enabled”