Fix a Device’s Security Health
While most security is applied to your device automatically, a handful of computer settings must be turned on for those protections to function. These features are nearly always turned on by default, but if they aren’t found to be enabled, you may be temporarily disallowed access to your Microsoft resources until they are re-enabled. If you were referred to this document from the Check Device Health article, follow the three steps below to check the status of each and regain access to your resources!
This guide will accomplish the following:
- Check and Enable TPM
- Check and Enable Secure Boot
- Check and Enable Virtualization
Procedure Scope: Users
Required Group Membership: N/A
Checking TPM on a Windows Device
- Using Windows Search, we will want to look for the Windows Security utility.
- Once the utility is opened, you will see the Home section; from here we will want to locate and select the Device Security tab. From this section, we will want to select the Security Processor Details hyperlink under the Security Processor header.
- Within the Security Processor page, we will want to verify that the Status is set to Ready. A state other than Ready could be an indicator that the TPM chip is locked, or that the TPM chip does not meet the hardware requirements specified by the operating system (Windows 10 requires TPM 1.2 or higher, Windows 11 requires TPM 2.0), which would require additional troubleshooting. If the TPM is set to a Ready state but the Security Processor section is indicating an error, it will be necessary to enable TPM within the BIOS of your respective machine. Reference the table below to find the BIOS settings that enable this functionality.
Enabling TPM on a Windows Device
| Common Manufacturer BIOS TPM Settings Location | | |
|---|---|---|
| Latitude, OptiPlex, Precision, Vostro, some XPSs | F2 | Security --> TPM 2.0 Security --> TPM On --> Apply Changes --> Exit, Save Changes or F10 to save and exit. Security --> TPM State --> Apply Changes --> Exit, Save Changes or F10 to save and exit. |
| Alienware | F2 | Security --> Firmware TPM --> Enabled --> Exit, Save Changes or F10 to save and exit. |
| Inspiron | F2 | Security --> Intel Platform Trusted Technology --> On --> Firmware TPM --> Enabled, then press enter key --> Apply Changes --> F10, select yes to save and exit followed by enter key. |
| HP | | |
| | F2, F10, Esc, or Del | Security --> TPM Device Status or Trusted Computing. |
| | Volume-up button and - button, then press and release power button. | Security --> Trusted Platform Module (TPM) --> Enable TPM --> Exit, Save Changes. |
| ThinkPad | F1 | Security --> Security Chip --> Enabled --> Security Chip Type --> TPM 2.0 --> F10 --> Exit, Save Changes. |
| IdeaPad | F2 | Security --> Security Chip --> Enabled --> Security Chip Type --> TPM 2.0 --> F10 --> Exit, Save Changes. |
| Desktops & All-in-Ones | F1 | Security --> Security Chip --> Enabled --> Security Chip Type --> TPM 2.0 --> F10 --> Exit, Save Changes. |
If you can’t find your brand in the list above, try a quick browser search using the keyword “how do you enable TPM on a [insert device manufacturer or device]”.
| Alternative method of entering the BIOS/UEFI settings on a Windows machine | | |
|---|---|---|
| Windows 10 or 11 | System --> Windows Update --> Recovery --> Advanced Startup --> Restart Now --> Troubleshoot --> Advanced options --> UEFI Firmware Settings --> Restart | Alternative to access BIOS/UEFI settings. |
Checking Secure Boot on a Windows Device
- Using Windows Search, we will want to look for the Windows Security utility.
- Once the utility is opened, you will see the Home section; from here we will want to locate and select the Device Security tab. From this section, we will want to locate the Secure Boot header, which will provide information on whether the setting is On or Off. If it is set to Off, it will be necessary to enable Secure Boot within the BIOS of your respective machine. Reference the table below to find the BIOS settings that enable this functionality.
Enabling Secure Boot on a Windows Device
| Common Manufacturer BIOS Secure Boot Settings Location | | |
|---|---|---|
| OptiPlex, Precision, Wyse, some XPSs | F2 | Boot Configuration --> Secure Boot --> Enabled --> Deployed Mode --> Exit, Save Changes. |
| Alienware, Inspiron, and Vostro | F2 | Boot Configuration --> Secure Boot Enable --> Check box --> Apply --> Exit, Save Changes. |
| | F2, F10, Esc, or Del | Security --> Secure Boot Configuration --> Secure Boot --> Check Box --> Main --> Save Changes and Exit --> Yes --> PIN --> Enter |
| | Volume-up button and - button, then press and release power button. | Security --> Secure Boot --> Change Configuration --> Enabled with Microsoft Only Key Configuration --> Exit, Save Changes. |
| Lenovo | | |
| ThinkPad | F1 | Security --> Secure Boot --> On --> F10 --> Exit, Save Changes |
| IdeaPad | F2 | Security --> Secure Boot --> On --> F10 --> Exit, Save Changes |
| Desktops & All-in-Ones | F1 | Security --> Secure Boot --> On --> F10 --> Exit, Save Changes |
If you can’t find your brand in the list above, try a quick browser search using the keyword “how do you enable Secure Boot on a [insert device manufacturer or device]”.
| Alternative method of entering the BIOS/UEFI settings on a Windows machine | | |
|---|---|---|
| Windows 10 or 11 | System --> Windows Update --> Recovery --> Advanced Startup --> Restart Now --> Troubleshoot --> Advanced options --> UEFI Firmware Settings --> Restart | Alternative to access BIOS/UEFI settings. |
Checking Memory Integrity on a Windows Device
- Using Windows Search, we will want to look for the Windows Security utility.
- Once the utility is opened, you will see the Home section; from here we will want to locate and select the Device Security tab. From this section, we will want to select the Core Isolation Details hyperlink under the Core Isolation header.
- Within the Core Isolation page, we will want to verify that the Memory Integrity setting is set to On. If it is set to Off, it will be necessary to enable Virtualization within the BIOS of your respective machine. Reference the table below to find the BIOS settings that enable this functionality.
Enabling Virtualization on a Windows Device
| Common Manufacturer BIOS Virtualization Settings Location | | |
|---|---|---|
| | F2 | Advanced --> Virtualization --> Enabled --> Virtualization for Direct-IO (or VT-d) --> Enabled --> Exit, Save Changes. |
| | F2 | Virtualization Support --> Virtualization --> Enabled --> Virtualization for Direct-IO (or VT-d) --> Enabled --> Exit, Save Changes. |
| HP | | |
| | F10 | Configuration --> Virtualization Technology --> Enabled --> F10, Save and Exit |
| | F10 | Advanced --> System Options --> Virtualization Technology (VTx) --> Check Box --> F10, Save and Exit |
| | F10 | Security --> System Security --> Virtualization Technology (VTx) --> Enabled --> F10, Save and Exit |
| Lenovo | | |
| | F1 | Security --> Intel(R) Virtualization Technology + Intel(R) VT-d Feature --> On --> F10 --> Exit, Save Changes |
| | F1 | Configuration --> AMD V(TM) Technology --> Enabled --> F10 --> Exit, Save Changes |
| | F1 | Advanced --> Intel(R) Virtualization Technology --> Enabled --> F10 --> Exit, Save Changes |
If you can’t find your brand in the list above, try a quick browser search using the keyword “how do you enable Virtualization on a [insert device manufacturer or device]”.
| Alternative method of entering the BIOS/UEFI settings on a Windows machine | | |
|---|---|---|
| Windows 10 or 11 | System --> Windows Update --> Recovery --> Advanced Startup --> Restart Now --> Troubleshoot --> Advanced options --> UEFI Firmware Settings --> Restart | Alternative to access BIOS/UEFI settings. |
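The three Windows Security checks above (TPM, Secure Boot, Memory Integrity) can also be read from an elevated PowerShell prompt, which is useful for confirming that a BIOS change took effect. This is an added example, not part of the original guide; the function name Get-DeviceSecurityHealth is hypothetical, and treating TpmReady as the equivalent of the Status: Ready shown in Windows Security is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example: Get-DeviceSecurityHealth is a hypothetical helper name.

function Get-DeviceSecurityHealth {
    # --- TPM: presence, readiness and spec version (1.2 vs 2.0) ---
    $tpm = Get-Tpm
    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM version.
    $tpmVersion = $null
    if ($tpmWmi) { $tpmVersion = ($tpmWmi.SpecVersion -split ',')[0].Trim() }

    # --- Secure Boot: the cmdlet errors on legacy BIOS (non-UEFI) firmware ---
    try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $secureBoot = "Unavailable: $($_.Exception.Message)" }

    # --- Virtualization: enabled in firmware, or a hypervisor is already running ---
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $virtualization = [bool]($cpu.VirtualizationFirmwareEnabled -or $cs.HypervisorPresent)

    # --- Memory Integrity (HVCI): value 2 in SecurityServicesRunning ---
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $memoryIntegrity = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))

    [pscustomobject]@{
        TpmPresent            = $tpm.TpmPresent
        TpmReady              = $tpm.TpmReady      # assumed to match "Status: Ready"
        TpmSpecVersion        = $tpmVersion        # Windows 11 requires 2.0
        SecureBoot            = $secureBoot        # True = On, False = Off
        VirtualizationEnabled = $virtualization
        MemoryIntegrityOn     = $memoryIntegrity
    }
}

Get-DeviceSecurityHealth | Format-List
```

Any value that comes back False, or a TpmSpecVersion below the requirement for your Windows version, points to the matching BIOS table above.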
Need Assistance?
Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.