I recently onboarded a couple of Lenovo machines where Secure Boot was disabled in BIOS. This would mark the device as non-compliant because of our compliance policies.
The following script helped remediate the situation.
Please note, the machine will need a reboot for the change to take effect.
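# Read the current SecureBoot entry; Lenovo reports each setting as "Name,Value"
$Data = Get-WmiObject -Class Lenovo_BiosSetting -Namespace root\wmi | Where-Object { $_.CurrentSetting.Split(",", [StringSplitOptions]::RemoveEmptyEntries) -eq "SecureBoot" } | Select-Object CurrentSetting
If ( $Data.CurrentSetting -eq "SecureBoot,Disable" ) {
    # Stage the new value, then commit it to the BIOS
    (Get-WmiObject -Class Lenovo_SetBiosSetting -Namespace root\wmi).SetBiosSetting("SecureBoot,Enable")
    (Get-WmiObject -Class Lenovo_SaveBiosSettings -Namespace root\wmi).SaveBiosSettings()
} Else {
    # Already enabled (or setting not present): nothing to do
    Exit
}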
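
A read-only companion check, added here as an example and not part of the original script: it compares the firmware setting with what Windows reports after boot, which shows whether the required reboot is still pending. The helper name Get-SecureBootStatus, the property names and the exit-code convention are assumptions; Confirm-SecureBootUEFI needs an elevated session.

```powershell
# Added example: read-only, makes no firmware changes.
# Get-SecureBootStatus is a hypothetical helper name.
function Get-SecureBootStatus {
    # Firmware side: same Lenovo_BiosSetting class the remediation script reads.
    $setting = Get-CimInstance -Namespace root\wmi -ClassName Lenovo_BiosSetting -ErrorAction SilentlyContinue |
        Where-Object { $_.CurrentSetting -like 'SecureBoot,*' } |
        Select-Object -First 1

    # CurrentSetting is "Name,Value"; splitting on ';' as well is a defensive
    # assumption in case extra text follows the value.
    $firmwareValue = if ($setting) {
        ($setting.CurrentSetting -split '[,;]')[1]
    } else {
        'NotFound'
    }

    # OS side: $true/$false on UEFI systems; the cmdlet throws on legacy BIOS
    # or when the session is not elevated, reported here as $null.
    $osState = try { [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { $null }

    [pscustomobject]@{
        FirmwareSetting = $firmwareValue
        ActiveInOS      = $osState
        # Setting saved as Enable, but the running OS still booted without it.
        RebootPending   = ($firmwareValue -eq 'Enable' -and $osState -eq $false)
    }
}

$status = Get-SecureBootStatus
$status | Format-List

# Exit codes are an assumption: 0 = Secure Boot active, 1 = remediation or reboot needed.
if ($status.ActiveInOS) { exit 0 } else { exit 1 }
```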