List systems with secure boot enabled or disabled
I would like to find a list of systems with secure boot enabled or disabled. Can this be done with smart labels? How?
Answers (1)
This task is in theory really easy but complicated due to the limitations of the platform.
If you want a list, you should use a report. But yes, you can also get a smart label with that so you can link special tasks etc to these systems.
You can do it differently, but I like it "wizardable".
I assume that you know how to create Custom Inventory Rules (CIR) and smart labels / reports over the wizard.
1. You create Custom Inventory Rules
2. You use the results in Smart Labels or Reports
There are two different boot functions, UEFI and Legacy (the "old" BIOS).
With Legacy no Secure Boot is possible, so it is not implemented to check this in one command.
1. First we get the info whether we have UEFI or Legacy. This step is optional, but if you find legacy systems you may want to change this anyway.
Systems with UEFI boot will populate this:
ShellCommandTextReturn(cmd /c bcdedit | findstr winload.efi)
Systems with Legacy will populate this:
ShellCommandTextReturn(cmd /c bcdedit | findstr winload.exe)
So if you only need one of the two, use only that one, or simply use
ShellCommandTextReturn(cmd /c bcdedit | findstr winload)
and determine in a Smart Label what you need.
Now we will ask for the Secure Boot:
ShellCommandTextReturn(cmd /q /c powershell Confirm-SecureBootUEFI)
The issue is, as mentioned before, it only works on UEFI platforms.
So you will get an error message like "Cmdlet not supported on this platform: 0xc0000002" on legacy systems and TRUE or FALSE on UEFI platforms.
2. With this info you can go to the report or smart label wizard and create the labels/reports as you need. Since you created the CIR before you can choose them from the Wizard.
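The two checks from the answer above can be combined into one script that returns a single value per machine, with the legacy-platform error handled instead of surfacing as raw text. This is an added example, not part of the original answer or of the product; the function name and the output labels are hypothetical, and it assumes the script runs elevated.

```powershell
# Added example: Get-SecureBootLabel and its output labels are hypothetical names.
function Get-SecureBootLabel {
    # Firmware mode from the boot loader name, the same test as the findstr rules above.
    $bcd = (& bcdedit.exe 2>&1 | Out-String)
    if     ($bcd -match 'winload\.efi') { $firmware = 'UEFI' }
    elseif ($bcd -match 'winload\.exe') { $firmware = 'Legacy' }
    else                                { $firmware = 'Unknown' }  # e.g. bcdedit could not read the store

    try {
        # Returns $true or $false when the platform supports Secure Boot.
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { $secureBoot = 'On' }
        else                                          { $secureBoot = 'Off' }
    }
    catch [System.PlatformNotSupportedException] {
        # Legacy BIOS, or UEFI firmware without Secure Boot support:
        # "Cmdlet not supported on this platform".
        $secureBoot = 'NotSupported'
    }
    catch [System.UnauthorizedAccessException] {
        # The cmdlet needs an elevated session to read the firmware variable.
        $secureBoot = 'NeedsElevation'
    }
    catch {
        # Anything else is reported as an error rather than guessed at.
        $secureBoot = 'Error'
    }

    # One line of output that a label or report filter can match on.
    "Firmware=$firmware;SecureBoot=$secureBoot"
}

Get-SecureBootLabel
```

A filter can then match on `SecureBoot=Off` to find UEFI systems with Secure Boot disabled, and on `Firmware=Legacy` to find systems that cannot enable it at all.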