Sometimes someone forgets to enable SecureBoot, boo!

For Lenovo devices built after 2018, this can be remediated using PowerShell without any dependencies whatsoever.

So here’s a simple remediation solution using Intune that reads the SecureBoot status from the Lenovo_BiosSetting WMI class and then uses the Lenovo_SetBiosSetting and Lenovo_SaveBiosSettings WMI classes to enable SecureBoot as needed.

Source code:

https://github.com/jflieben/assortedFunctionsV2/tree/main/LenovoSecurebootRemediation

Example: