I’ve recently taken over the administration of a corporate Microsoft 365 tenant and there are a lot of things that I think can be done better. One of the first things I want to start focusing on is getting all company owned devices into Intune and up to a standard level of compliance.
Turns out that can be difficult to achieve. As I move my way through the different challenges with getting an organization full of devices to a good and compliant state, I hope to be able to share many of the fixes I find with you here.
The first compliance setting I’d like to cover here is Secure Boot.
Secure Boot is a UEFI firmware feature: during start-up the firmware checks the digital signature of the boot manager, the Windows boot loader and the boot-time drivers before it runs them. Secure Boot is there to ensure that your Windows computer is not infected with malware that tampers with those critical boot files (a bootkit or rootkit). Secure Boot is a great security feature that should be turned on for all Windows devices.
As a BIOS feature, Secure Boot is kind of a pain to turn on. Are you going to have end-users reboot their own computers, go into their own BIOS, and modify settings? You can’t really set up a remote-control session to adjust BIOS settings, so that doesn’t leave you much in the way of choices to turn Secure Boot on.
Turns out the good folks at Lenovo have a solution for us, PowerShell!
This is a manufacturer-specific solution. It will not turn on Secure Boot on Dell machines. I do have another solution that works for other devices, but it’s not as friendly, so let’s get through this one first.
Based on Lenovo’s documentation, I have written a PowerShell script that will enable Secure Boot on your Lenovo computers. In this blog post I’ll share that script and show you how to set up and deploy it in your Intune environment.
The Script
If you’re not into reading my nonsense and just want the script (don’t worry, I’ve been there), here it is.
<#
.SYNOPSIS
This script enables Secure Boot on Lenovo machines.
.DESCRIPTION
Does not force a reboot by default. Remove the # in front of the Restart-Computer line to enable a forced reboot.
The computer must reboot after this script is run for Secure Boot to be enabled.
.NOTES
1.0 - Initial release
Enable-SecureBootOnLenovo.ps1
v1.0
1/28/2025
By Nathan O'Bryan, MVPr|MCSM
nathan@mcsmlab.com
.LINK
https://www.mcsmlab.com/about
https://github.com/MCSMLab/Enable-SecureBootOnLenovo/blob/main/Enable-SecureBootOnLenovo.ps1
#>
# Read the current SecureBoot value from Lenovo's BIOS WMI interface (root\wmi, Lenovo_BiosSetting).
# CurrentSetting is a "Name,Value" string such as "SecureBoot,Disable".
$Data = Get-WmiObject -Class Lenovo_BiosSetting -Namespace root\wmi | Where-Object {$_.CurrentSetting.split(",",[StringSplitOptions]::RemoveEmptyEntries) -eq "SecureBoot"} | Select-Object CurrentSetting
$Status = $Data.CurrentSetting
If ( $Status -eq "SecureBoot,Disable" ) {
    # Change the setting, then commit it; both take effect only after the next reboot.
    # If a BIOS supervisor password is set, Lenovo's interface expects it appended to the argument string.
    (Get-WmiObject -Class Lenovo_SetBiosSetting -Namespace root\wmi).SetBiosSetting("SecureBoot,Enable")
    (Get-WmiObject -Class Lenovo_SaveBiosSettings -Namespace root\wmi).SaveBiosSettings()
    # Restart-Computer -Force
}
Else { Exit }
I have also published this script to GitHub.
The Deployment
If you’re still with me, I’m going to assume that you’re looking for more than just the script.
First let me answer questions I assume some of you will have…
• This script can be run on non-Lenovo machines, no harm. It doesn’t do anything, but it doesn’t hurt anything either.
• This script can be run on Lenovo machines that already have Secure Boot turned on, it doesn’t do anything.
• After running this script, the computer in question needs to be rebooted for Secure Boot to be turned on. Removing the # on line #28 (the commented-out Restart-Computer line) will force a reboot after the setting is made. Leaving it there will let the machine be naturally rebooted by the user. I’ve tested a few times, and it all works as intended for me, but maybe be a little careful with that.
I set up this script on Intune. Here’s the configuration I used…
The script shows as “failed” in Intune when run against non-Lenovo machines, because the Lenovo WMI classes don’t exist there. I could wrap the calls in a Try/Catch block to prevent that, but I don’t see any harm in letting the script fail on those machines.
It shows as successful when running against Lenovo machines whether it turns Secure Boot on or not. You can also assign this script to a dynamic group that only contains Lenovo machines. With a bit more work, you might even build a dynamic group that only contains Lenovo machines that are non-compliant for Secure Boot.
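As an added example (not the author’s script or Lenovo’s own code), here is a variant of the same Lenovo WMI calls written for the Intune behaviour just described: it exits cleanly on non-Lenovo hardware instead of failing, uses Confirm-SecureBootUEFI to see whether Secure Boot is already active, and checks the return value of each Lenovo call so Intune reports failure only when the firmware actually rejected the change. It assumes no BIOS supervisor password is set; the `LENOVO` manufacturer match and the `;[Optional:...]` suffix handling are assumptions about what the firmware reports.

```powershell
# Added example: guarded Secure Boot enablement for Lenovo devices via Intune.
$manufacturer = (Get-CimInstance -ClassName Win32_ComputerSystem).Manufacturer
if ($manufacturer -notmatch 'LENOVO') {
    Write-Output "Not a Lenovo device ($manufacturer); nothing to do."
    exit 0
}

# OS-side view of Secure Boot. The cmdlet throws on legacy BIOS/CSM systems,
# where Secure Boot cannot be enabled until the machine is converted to UEFI.
try {
    if (Confirm-SecureBootUEFI) {
        Write-Output "Secure Boot is already active."
        exit 0
    }
} catch {
    Write-Output "Not booted in UEFI mode; this script cannot enable Secure Boot."
    exit 1
}

$setting = Get-WmiObject -Namespace root\wmi -Class Lenovo_BiosSetting |
    Where-Object { $_.CurrentSetting -like 'SecureBoot,*' }
if (-not $setting) {
    Write-Output "Firmware does not expose a SecureBoot setting."
    exit 1
}

# Assumption: newer firmware may append ";[Optional:Disable,Enable]" to the value,
# so only the part before the semicolon is compared.
$current = ($setting.CurrentSetting -split ';')[0]
if ($current -eq 'SecureBoot,Enable') {
    Write-Output "Firmware already set to Enable; waiting for a reboot."
    exit 0
}

# Lenovo's interface reports 'Success' in the .return property when the firmware accepts the call.
# With a supervisor password set, the password must be appended to the argument string.
$set = (Get-WmiObject -Namespace root\wmi -Class Lenovo_SetBiosSetting).SetBiosSetting('SecureBoot,Enable')
if ($set.return -ne 'Success') {
    Write-Output "SetBiosSetting failed: $($set.return)"
    exit 1
}
$save = (Get-WmiObject -Namespace root\wmi -Class Lenovo_SaveBiosSettings).SaveBiosSettings()
if ($save.return -ne 'Success') {
    Write-Output "SaveBiosSettings failed: $($save.return)"
    exit 1
}

Write-Output "Secure Boot set to Enable; it takes effect after the next reboot."
exit 0
```

Because the script exits 1 on a rejected change, a device that still shows Secure Boot disabled after a reboot surfaces as a real failure in Intune rather than a silent success.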
Does that cover it? Any questions, let me know below.