Sometimes someone forgets to enable SecureBoot, boo!
For Lenovo devices built after 2018, this can be remediated using PowerShell without any dependencies whatsoever.
So here’s a simple remediation solution using Intune that reads the SecureBoot status from the Lenovo_BiosSetting WMI class and then uses the Lenovo_SetBiosSetting and Lenovo_SaveBiosSettings WMI classes to enable SecureBoot as needed.
Source code:
https://github.com/jflieben/assortedFunctionsV2/tree/main/LenovoSecurebootRemediation
Example:

Warning:
Tested only on ThinkPads (multiple models between 2018 and 2025)
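The detect-and-remediate flow described above, as an added example written for this post (it is not the script in the linked repository). It assumes the ThinkPad BIOS exposes the setting under the name `SecureBoot` with the values `Enable`/`Disable`, and that an optional supervisor password is passed with the legacy `password,ascii,us` suffix (the form the comment below says newer models no longer accept); the function names are my own. The BIOS change only takes effect after a reboot, so the detection side also checks what the firmware currently reports via `Confirm-SecureBootUEFI`.

```powershell
# Added example, not the linked repository's script. Assumes Lenovo's root\wmi
# BIOS classes and the ThinkPad setting name "SecureBoot" (assumption).
$SupervisorPassword = ''   # leave empty when no supervisor password is set

function Get-LenovoBiosSetting {
    param([Parameter(Mandatory)][string]$Name)
    # Lenovo_BiosSetting lists every item as "Name,Value" in CurrentSetting
    $item = Get-WmiObject -Namespace root\wmi -Class Lenovo_BiosSetting |
        Where-Object { $_.CurrentSetting -like "$Name,*" } |
        Select-Object -First 1
    if (-not $item) { return $null }
    return ($item.CurrentSetting -split ',')[1]
}

function Test-SecureBootEnabled {
    # Firmware state as seen by Windows (throws on legacy-BIOS machines)
    $uefiState = $null
    try { $uefiState = Confirm-SecureBootUEFI } catch { $uefiState = $false }
    # BIOS setting state (takes effect only after the next reboot)
    $biosState = (Get-LenovoBiosSetting -Name 'SecureBoot') -eq 'Enable'
    return [pscustomobject]@{ Firmware = $uefiState; BiosSetting = $biosState }
}

function Set-LenovoBiosSetting {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$Value,
          [string]$Password = '')
    # Legacy password syntax: "Name,Value,password,ascii,us" (assumption)
    $suffix = if ($Password) { ",$Password,ascii,us" } else { '' }
    $set  = Get-WmiObject -Namespace root\wmi -Class Lenovo_SetBiosSetting
    $save = Get-WmiObject -Namespace root\wmi -Class Lenovo_SaveBiosSettings
    $r1 = $set.SetBiosSetting("$Name,$Value$suffix").return
    if ($r1 -ne 'Success') { throw "SetBiosSetting failed: $r1" }
    # SaveBiosSettings takes the password portion alone (empty string if none)
    $r2 = $save.SaveBiosSettings($suffix.TrimStart(',')).return
    if ($r2 -ne 'Success') { throw "SaveBiosSettings failed: $r2" }
}

# --- Intune detection: exit 1 when non-compliant so remediation runs ---
$state = Test-SecureBootEnabled
if ($state.Firmware -and $state.BiosSetting) {
    Write-Output 'SecureBoot enabled'
    exit 0
}

# --- Intune remediation (placed in the remediation script in practice) ---
if (-not $state.BiosSetting) {
    Set-LenovoBiosSetting -Name 'SecureBoot' -Value 'Enable' -Password $SupervisorPassword
    Write-Output 'SecureBoot set to Enable in BIOS; reboot required'
} else {
    Write-Output 'BIOS setting already Enable; waiting for reboot to apply'
}
exit 1
```

The split between `Firmware` and `BiosSetting` is what keeps the Intune view honest: right after remediation the BIOS setting reads `Enable` while `Confirm-SecureBootUEFI` still reports the old state, so the device stays non-compliant until it actually reboots with Secure Boot on.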
I tried this but it is not working. All my laptops are configured with a BIOS password. Will that be a problem?
Hi Lieben, please review your script: your BIOS password management is legacy (pre 2020 Lenovo models). You need to invoke the new method WmiOpcodeInterface. I modified yours like this (added also "Allow3rdPartyUEFICA", which must require a supervisor password):

```powershell
# set to $true if your implementation of bitlocker requires suspend before enabling secureboot
# to avoid bugging users with locked machines until they unlock. This is normally not needed!
# (Tested on multiple Lenovo devices)
$suspendBitlocker = $true
$setBios = (gwmi -class Lenovo_SetBiosSetting -namespace root\wmi)
$WmiOpcodeInterface = (gwmi -class Lenovo_WmiOpcodeInterface -namespace root\wmi)
$commitBios = (gwmi -class Lenovo_SaveBiosSettings -namespace root\wmi)
if(!$biosPasswords){
    Write-Host "Enabling secureboot…
```