<#
Script to check the status of Secure Boot on Lenovo (2017+) devices, by querying WMI.
Script will check for "SecureBoot" and "Secure Boot" variations.
Script will then check that the current value is "Enable" or "Enabled" (case-insensitive), as some models report Enable and others Enabled.
Can be used as the detection script of a Remediation within Intune.
James Vincent
July 2026
#>
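# Setting names to match. The option is looked up under both spellings,
# "SecureBoot" and "Secure Boot".
$settingPrefixes = @(
    "SecureBoot",
    "Secure Boot"
)

# Query the Lenovo BIOS WMI class and derive $setting / $currentValue for the
# compliance check that follows. Every failure path ends in "NonCompliant" with
# exit code 1, so a device that cannot be evaluated is never reported as
# compliant (fail closed).
# NOTE(review): this reads the BIOS option as reported by the Lenovo WMI
# provider, not the Secure Boot state the OS actually booted with. If the
# effective state matters, Confirm-SecureBootUEFI can serve as a cross-check.
try {
    # -ErrorAction Stop makes a failed query (for example the class or namespace
    # not being present) a terminating error, so the catch block prints the real
    # cause instead of the generic "not found" message.
    $currentSettings = @(
        Get-WmiObject -Class Lenovo_BiosSetting -Namespace root\wmi -ErrorAction Stop |
            Where-Object {
                # Entries without a CurrentSetting value cannot match; skip them
                # rather than calling .Split() on $null.
                if (-not $_.CurrentSetting) { return $false }
                $prefix = $_.CurrentSetting.Split(',')[0].Trim()
                $settingPrefixes -contains $prefix
            } |
            Select-Object -ExpandProperty CurrentSetting
    )

    if ($currentSettings.Count -eq 0) {
        throw "Defined BIOS setting not found"
    }

    # Whole string: e.g., "SecureBoot,Enabled" or "Secure Boot,Enable".
    # Only the first matching entry is evaluated; this is made explicit here
    # instead of relying on -split flattening an array of matches.
    $BIOSSetting = $currentSettings[0]

    # Trim the string first, then split on the FIRST comma only.
    $parts = $BIOSSetting.Trim() -split ',', 2
    if ($parts.Count -lt 2) {
        # A bare setting name with no ",value" part cannot be judged.
        throw "BIOS setting '$BIOSSetting' has no value"
    }

    # Setting name and its current value, with anything after a semicolon
    # stripped from the value.
    $setting = $parts[0].Trim()
    $currentValue = ($parts[1] -split ';')[0].Trim()
}
catch {
    Write-Host $_
    Write-Host "NonCompliant"
    exit 1
}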
# Final verdict: only the exact values "Enable" or "Enabled" (compared
# case-insensitively) count as compliant. Anything else, including an empty or
# unset $currentValue, is reported as NonCompliant with exit code 1.
$acceptedValues = @("Enable", "Enabled")
$isEnabled = $acceptedValues -icontains $currentValue

if (-not $isEnabled) {
    Write-Host "NonCompliant"
    exit 1
}

Write-Host "Compliant"
exit 0