Bonus Round: Enabling Secure Boot on Lenovo Hardware

New Devices Without Secure Boot?

I noticed several of the Lenovo devices in my fleet didn’t have Secure Boot enabled. How did this happen?! These are new devices right from the factory! No time to investigate; let’s get patching!

I read the Lenovo white papers so you don’t have to. Lenovo states that you can make BIOS changes via PowerShell with a Get-WMIObject (gwmi) command; however, buried in their docs it states “Some security-related settings cannot be disabled by WMI”, and I found that Secure Boot is one of them. [1] Luckily, they provide their own utility. It’s written in Visual Basic (gross! AND deprecated.), but it’s all we have to work with at the moment.

You’ll need to download the script package from Lenovo’s website. Unzip it and it comes with several .VBS files. You can play around with ListAll.vbs to see what settings you have in BIOS and what the parameters are to change those settings. Or you can just skip to the next section where I’ll tell you what to do.

Get Crackin’!

For out-of-production testing you can launch a simple command line as admin, change directory (cd) to where you’ve extracted the contents of “script” and run the following:

cscript.exe ListAll.vbs – to list all of your settings

Or for changing the Secure Boot setting just run this:

cscript.exe SetConfig.vbs SecureBoot Enable <password>,<encoding>,<keyboard-layout>

Note that the password, encoding and keyboard layout are passed as ONE comma-separated argument (the script splits it itself), not as separate space-separated arguments. So, for example (and example purposes only):

cscript.exe SetConfig.vbs SecureBoot Enable bios123,ascii,us

I would never disclose my BIOS password online!

You’ll get confirmation on the console that the change was successful (the script reports its result as text output, so read the output rather than relying on the exit code). The new value is saved to the firmware settings but only takes effect on the next boot, so Windows will keep reporting Secure Boot as off until you restart. And don’t worry: if Secure Boot is already enabled and you run this command, it won’t hurt or break anything.
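The same procedure wrapped in a PowerShell function, as an added example for this post (it is not Lenovo’s code and not part of the original article). It reads the current BIOS value through the Lenovo_BiosSetting WMI class (the class ListAll.vbs prints from), runs SetConfig.vbs with the password block in the single-argument form the script expects, checks the script’s text output for success, and reports whether a reboot is pending. It assumes Lenovo’s script package is extracted to -ScriptDir and that the caller supplies the supervisor password; “bios123” in the usage line is a placeholder only.

```powershell
# Added example (not Lenovo's script and not from the original post).
# Assumptions: Lenovo's .vbs package is extracted to -ScriptDir; the supervisor
# password comes from the caller; run elevated on a Lenovo UEFI machine.

function Get-LenovoBiosSetting {
    param([Parameter(Mandatory)][string]$Name)
    # Lenovo exposes every BIOS item as "Name,Value" in CurrentSetting; newer
    # firmware appends ";[Optional:...]" with the allowed values, so strip that.
    $item = Get-CimInstance -Namespace 'root\wmi' -ClassName 'Lenovo_BiosSetting' -ErrorAction Stop |
        Where-Object { $_.CurrentSetting -like "$Name,*" } |
        Select-Object -First 1
    if (-not $item) { return $null }
    return ((($item.CurrentSetting -split ';')[0]) -split ',', 2)[1]
}

function Set-LenovoSecureBoot {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ScriptDir,
        [Parameter(Mandatory)][string]$SupervisorPassword,
        [string]$Encoding       = 'ascii',
        [string]$KeyboardLayout = 'us'
    )

    # Confirm-SecureBootUEFI throws on legacy-BIOS firmware (nothing to enable)
    # and when not elevated; surface that instead of running the VBS blindly.
    try { $active = Confirm-SecureBootUEFI }
    catch { throw "Cannot query Secure Boot (legacy BIOS or not elevated): $_" }

    if ($active) {
        Write-Verbose 'Secure Boot is already active; nothing to do.'
        return [pscustomobject]@{ Changed = $false; RebootRequired = $false }
    }

    $before = Get-LenovoBiosSetting -Name 'SecureBoot'
    Write-Verbose "BIOS currently reports SecureBoot=$before"

    # SetConfig.vbs reads ONE trailing argument and splits it itself:
    # password,encoding,kbdlang (no spaces, so no quoting problems for cscript).
    $credBlock = '{0},{1},{2}' -f $SupervisorPassword, $Encoding, $KeyboardLayout
    $script    = Join-Path $ScriptDir 'SetConfig.vbs'
    if (-not (Test-Path $script)) { throw "SetConfig.vbs not found in $ScriptDir" }

    $output = & cscript.exe //NoLogo $script 'SecureBoot' 'Enable' $credBlock 2>&1
    # The script prints its result ("... Success" or an error text) rather than
    # setting an exit code; a non-zero $LASTEXITCODE only means cscript itself failed.
    if ($LASTEXITCODE -ne 0 -or -not ($output -match 'Success')) {
        throw "SetConfig.vbs did not report success: $($output -join ' | ')"
    }

    # Re-read the BIOS item. The WMI value should now show the saved setting, while
    # Confirm-SecureBootUEFI keeps returning $false until the next boot because it
    # reports on the firmware session Windows booted from.
    $after = Get-LenovoBiosSetting -Name 'SecureBoot'
    if ($after -ne 'Enable') {
        Write-Warning "BIOS reports SecureBoot=$after after SetConfig.vbs; verify after reboot"
    }
    return [pscustomobject]@{ Changed = $true; RebootRequired = $true }
}

# Usage (placeholder password, example directory):
# Set-LenovoSecureBoot -ScriptDir 'C:\Temp\script' -SupervisorPassword 'bios123' -Verbose
```

One caveat worth keeping in mind: the supervisor password travels on the cscript command line, so it is visible to anyone who can list processes while the script runs, and any tool that logs argument lists will capture it. Keep the password out of the script file itself and out of verbose logging.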

PMPC Please Hire Me (PowerShell AppDeployToolkit)

Ignore the title. That’s just me desperately begging for an interview at my favorite (and the best) SaaS company, which owns the PSADT now.

From the previous section we’ve got the one-liner cscript.exe SetConfig.vbs SecureBoot Enable <password>,<encoding>,<keyboard-layout>; now let’s package it and spice things up.

Even though rerunning this script where Secure Boot is already enabled won’t hurt anything, we’re PowerShell gurus, so let’s add some logic.

I’ll keep this short and sweet, we’ll simply check for whether or not Secure Boot is already enabled, apply the setting if it is disabled, and ask to reboot the PC. This can be performed via a combination of PSADT native commands, a simple PowerShell built-in cmdlet, and our one-liner from above. We’ll put this chunk of code in the “Installation tasks” section of our PSADT template.

    # Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and throws on legacy BIOS,
    # where Secure Boot does not exist; letting that error surface fails the install loudly.
    $Status = Confirm-SecureBootUEFI
    If ($Status -eq $false) {
        Show-ADTInstallationProgress -StatusMessage "SecureBoot is off! Continuing with Installation"
        # SetConfig.vbs expects the password block as ONE argument: password,encoding,keyboard layout
        $Output = cscript.exe //NoLogo "$($adtSession.DirFiles)\SetConfig.vbs" SecureBoot Enable "<password>,<encoding>,<keyboard-layout>" 2>&1
        # The Lenovo script reports its result as text, not via its exit code, so check the output
        If ($LASTEXITCODE -ne 0 -or -not ($Output -match 'Success')) {
            Throw "SetConfig.vbs did not report success: $($Output -join ' ')"
        }
        # The new firmware value only takes effect on the next boot
        Show-ADTInstallationRestartPrompt -CountdownSeconds 600 -WindowLocation Center
    }
    Else {
        Show-ADTInstallationProgress -StatusMessage "SecureBoot is on. No further action needed"
        Close-ADTSession -ExitCode 69999
    }

If you’re not familiar with PSADT, what are you doing? Leverage this amazing tool to efficiently package applications and scripts. https://psappdeploytoolkit.com/docs/4.1.x/reference

Test this off production a few times and tweak it how you’d like. When you’re ready, run your PSADT folder through the “Microsoft-Win32-Content-Prep-Tool-master” utility to produce the .intunewin package, and build your app deployment in Intune. It’s THAT easy.
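A Win32 app in Intune also needs a detection rule, and a custom detection script is the natural fit here. The following is an added example for this post (not part of the original article or of PSADT): Intune treats the app as installed when the script exits 0 and writes something to STDOUT, and as not installed otherwise, which is what triggers the PSADT package. Non-Lenovo and legacy-BIOS machines are deliberately reported as “installed” so Intune does not keep re-pushing a package whose VBS cannot act on that hardware. It assumes the fleet’s Lenovo devices report “LENOVO” as the Win32_ComputerSystem manufacturer string.

```powershell
# Added example (not from the original post): Intune Win32 app detection script.
# Exit 0 + output on STDOUT = "installed"; anything else = "not installed",
# which makes Intune run the PSADT package that enables Secure Boot.
# Assumption: Lenovo hardware identifies itself as "LENOVO" in Win32_ComputerSystem.

function Test-SecureBootState {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Out of scope: the Lenovo VBS cannot manage other vendors' firmware, so do
    # not report these as needing the package.
    if ($cs.Manufacturer -notmatch 'LENOVO') {
        return [pscustomobject]@{ Compliant = $true; Reason = "Out of scope: manufacturer '$($cs.Manufacturer)'" }
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS firmware; Secure Boot cannot be
    # enabled there by a script, so report it as out of scope (and track it elsewhere).
    try { $active = Confirm-SecureBootUEFI }
    catch {
        return [pscustomobject]@{ Compliant = $true; Reason = "Out of scope: $($_.Exception.Message)" }
    }

    if ($active) {
        return [pscustomobject]@{ Compliant = $true; Reason = 'Secure Boot active' }
    }
    return [pscustomobject]@{ Compliant = $false; Reason = 'Secure Boot off on Lenovo UEFI device' }
}

$state = Test-SecureBootState
if ($state.Compliant) {
    Write-Output "Detected: $($state.Reason)"   # STDOUT + exit 0 = installed
    exit 0
}
exit 1   # not installed: Intune runs the PSADT package
```

Because the detection script runs again after the install, a device that applied the setting but has not yet rebooted will still detect as “not installed” (Confirm-SecureBootUEFI reports on the firmware session Windows booted from), so expect the app to show as pending until the restart prompt is honoured. Legacy-BIOS devices are hidden from this rule on purpose; report them through a separate compliance query rather than treating the “Out of scope” result as a clean bill of health.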

Ending Thoughts

No witty banter this time. I’ve gotta’ get back to tackling my own Secure Boot strategy. If you need further explanation or assistance with tackling this task, feel free to reach out to me! Happy to help as always!

Obligatory Disclosure:

This project is provided “as is” without any warranty of any kind, express or implied. Use it at your own risk. The authors and contributors are not responsible for any damage, data loss, or other issues that may arise from using this software. You are solely responsible for any actions taken based on this code.