Fix Device Health

Fix a Device’s Security Health

While most security features are applied to your device automatically, there are a few foundational settings and services that must remain active for those protections to function correctly. These settings are typically enabled by default, but if they're found to be disabled—or if key system signals haven’t been recently updated—you may be temporarily denied access to your Microsoft resources until they are re-enabled to maintain a secure environment.

If you landed on this page from the Check Device Health article, follow the steps below to verify and restore your device’s compliance!

This guide will accomplish the following:

  • Local Device Sync
  • Check and Enable TPM
  • Check and Enable Secure Boot
  • Check and Enable Virtualization
  • Update Security Intelligence
  • Install Windows Updates

Procedure Scope: Users

Required Group Membership: N/A

Note:
When attempting to restore Device Compliance, please make sure that you are completing these actions on a dedicated network, meaning that you are not attempting to restore these settings while connected to a Personal Hot Spot or a Guest Wi-Fi Network.

These actions need a stable line of communication with Intune Servers to properly reflect the setting uplift, and volatile network connections have been identified as a point of failure when attempting to sync device setting changes with Intune Servers.

Local Device Sync on a Windows Device

  1. Using Windows Search, we will want to look for the Settings utility.
  2. Once the utility is opened you will see the Home section. We will want to locate and select the Accounts tab, then select the Access work or school button under the Accounts header.
  3. Within the Access work or school section, we will want to select the dropdown located at the end of Connected by [Your Company Email Address]. From the expanded list, we will want to select the Info button next to the Managed by [Your Organization's Microsoft Tenant] header.
  4. Within the Managed by [Your Organization's Microsoft Tenant] section, we will want to locate the Device Sync Status header. Under this subsection, select the Sync action to perform a local device sync, which forces this machine to check in with Intune servers and verify that all device security components are being properly deployed.
  5. A local sync ensures your device's compliance status is accurately reported to Intune Services. If your device hasn't checked in recently, its last known posture may be out of date, even if you've already fixed the underlying issue. This typically arises for users who have been on an extended vacation, so their machine has not reported in to Intune Services for an extended period.
  6. Note: If you attempt to execute a local device Sync and receive an error stating that the "sync couldn't be initiated", this is an indicator that your device record within Intune has become corrupt, and a device reimage will need to be conducted to reconnect your machine to Microsoft Services.

Checking TPM on a Windows Device

  1. Using Windows Search, we will want to look for the Windows Security utility.
  2. Once the utility is opened you will see the Home section. We will want to locate and select the Device Security tab, then select the Security Processor Details hyperlink under the Security Processor header.
  3. Within the Security Processor page, we will want to verify that the Status is set to Ready. If it shows a state other than Ready, this could indicate that the TPM chip is locked, or that the TPM chip does not meet the hardware requirements specified by the operating system (Windows 10 requires TPM 1.2 or higher; Windows 11 requires TPM 2.0), which would require additional troubleshooting. If the TPM is in a Ready state but the Security Processor section is indicating an error, it will be necessary to enable the TPM within the BIOS of your machine; reference the table below to find the BIOS settings that enable this functionality.

Enabling TPM on a Windows Device

Common Manufacturer BIOS TPM Settings Location

Manufacturer | Models | Key to enter BIOS | Setting location
Dell | Latitude, OptiPlex, Precision, Vostro, some XPSs | F2 | Security > TPM 2.0 Security > TPM On > Apply Changes > Exit, Save Changes (or F10 to save and exit); or Security > TPM State > Apply Changes > Exit, Save Changes (or F10 to save and exit)
Dell | Alienware | F2 | Security > Firmware TPM > Enabled > Exit, Save Changes (or F10 to save and exit)
Dell | Inspiron | F2 | Security > Intel Platform Trusted Technology > On > Firmware TPM > Enabled, then press Enter > Apply Changes > F10, select Yes to save and exit, then press Enter
HP | (see note) | F2, F10, Esc, or Del | Security > TPM Device Status or Trusted Computing
Microsoft Surface | | Hold the volume-up button, then press and release the power button | Security > Trusted Platform Module (TPM) > Enable TPM > Exit, Save Changes
Lenovo | ThinkPad | F1 | Security > Security Chip > Enabled > Security Chip Type > TPM 2.0 > F10 > Exit, Save Changes
Lenovo | IdeaPad | F2 | Security > Security Chip > Enabled > Security Chip Type > TPM 2.0 > F10 > Exit, Save Changes
Lenovo | Desktops & All-in-Ones | F1 | Security > Security Chip > Enabled > Security Chip Type > TPM 2.0 > F10 > Exit, Save Changes

HP note: the HP support community has a plethora of articles sectioned off by computer model, so it can be useful to run a web browser search for enabling TPM on [HP model you have]. If none of the listed keys work, the exact key depends on your computer model, so watch for on-screen instructions during startup.

If you can't find your brand in the table above, a quick browser search for "how do you enable TPM on a [insert device manufacturer or device]" will help you locate the manufacturer's instructions.

Alternative method of entering the BIOS/UEFI settings on a Windows machine (Windows 10 or 11): System > Windows Update > Recovery > Advanced Startup > Restart Now > Troubleshoot > Advanced options > UEFI Firmware Settings > Restart

Checking Secure Boot on a Windows Device

  1. Using Windows Search, we will want to look for the Windows Security utility.
  2. Once the utility is opened you will see the Home section. We will want to locate and select the Device Security tab, then locate the Secure Boot header, which shows whether the setting is On or Off. If it is set to Off, it will be necessary to enable Secure Boot within the BIOS of your machine; reference the table below to find the BIOS settings that enable this functionality.

Enabling Secure Boot on a Windows Device

Common Manufacturer BIOS Secure Boot Settings Location

Manufacturer | Models | Key to enter BIOS | Setting location
Dell | OptiPlex, Precision, Wyse, some XPSs | F2 | Boot Configuration > Secure Boot > Enabled > Deployed Mode > Exit, Save Changes
Dell | Alienware, Inspiron, and Vostro | F2 | Boot Configuration > Secure Boot Enable > Check box > Apply > Exit, Save Changes
HP | (see note) | F2, F10, Esc, or Del | Security > Secure Boot Configuration > Secure Boot > Check Box > Main > Save Changes and Exit > Yes > PIN > Enter
Microsoft Surface | | Hold the volume-up button, then press and release the power button | Security > Secure Boot > Change Configuration > Enabled with Microsoft Only Key Configuration > Exit, Save Changes
Lenovo | ThinkPad | F1 | Security > Secure Boot > On > F10 > Exit, Save Changes
Lenovo | IdeaPad | F2 | Security > Secure Boot > On > F10 > Exit, Save Changes
Lenovo | Desktops & All-in-Ones | F1 | Security > Secure Boot > On > F10 > Exit, Save Changes

HP note: if none of the listed keys work, the exact key depends on your computer model, so watch for on-screen instructions during startup.

If you can't find your brand in the table above, a quick browser search for "how do you enable Secure Boot on a [insert device manufacturer or device]" will help you locate the manufacturer's instructions.

Alternative method of entering the BIOS/UEFI settings on a Windows machine (Windows 10 or 11): System > Windows Update > Recovery > Advanced Startup > Restart Now > Troubleshoot > Advanced options > UEFI Firmware Settings > Restart

Checking Memory Integrity on a Windows Device

  1. Using Windows Search, we will want to look for the Windows Security utility.
  2. Once the utility is opened you will see the Home section. We will want to locate and select the Device Security tab, then select the Core Isolation Details hyperlink under the Core Isolation header.
  3. Within the Core Isolation page, we will want to verify that the Memory Integrity setting is set to On. If it is set to Off, it will be necessary to enable Virtualization within the BIOS of your machine; reference the table below to find the BIOS settings that enable this functionality.

Enabling Virtualization on a Windows Device

Common Manufacturer BIOS Virtualization Settings Location

The menu layout differs between models from the same manufacturer; use whichever of the listed paths your BIOS shows.

Manufacturer | Key to enter BIOS | Setting location
Dell | F2 | Advanced > Virtualization > Enabled > Virtualization for Direct-IO (or VT-d) > Enabled > Exit, Save Changes
Dell | F2 | Virtualization Support > Virtualization > Enabled > Virtualization for Direct-IO (or VT-d) > Enabled > Exit, Save Changes
HP | F10 | Configuration > Virtualization Technology > Enabled > F10, Save and Exit
HP | F10 | Advanced > System Options > Virtualization Technology (VTx) > Check Box > F10, Save and Exit
HP | F10 | Security > System Security > Virtualization Technology (VTx) > Enabled > F10, Save and Exit
Lenovo | F1 | Security > Intel(R) Virtualization Technology + Intel(R) VT-d Feature > On > F10 > Exit, Save Changes
Lenovo | F1 | Configuration > AMD V(TM) Technology > Enabled > F10 > Exit, Save Changes
Lenovo | F1 | Advanced > Intel(R) Virtualization Technology > Enabled > F10 > Exit, Save Changes

If you can't find your brand in the table above, a quick browser search for "how do you enable Virtualization on a [insert device manufacturer or device]" will help you locate the manufacturer's instructions.

Alternative method of entering the BIOS/UEFI settings on a Windows machine (Windows 10 or 11): System > Windows Update > Recovery > Advanced Startup > Restart Now > Troubleshoot > Advanced options > UEFI Firmware Settings > Restart

Update Security Intelligence on a Windows Device

  1. Using Windows Search, we will want to look for the Windows Security utility.
  2. Once the utility is opened you will see the Home section. We will want to locate and select the Virus & threat protection tab, then select the Protection updates hyperlink under the Virus & threat protection updates header.
  3. Within the Protection updates page, we will want to verify that the Last update date is within the last 7 days. If the date is older than that, it will be necessary to initiate a manual update so this record is properly reflected and synced with Intune. Select the Check for updates action to initiate this local antivirus signature update.

Install Windows Updates on a Windows Device

  1. Using Windows Search, we will want to look for the Settings utility.
  2. Once the utility is opened you will see the Home section. We will want to locate and select the Windows Update tab, then select the Check for updates button under the Windows Update header. We enforce a 7-day deferral period for Windows Updates before they auto-install, but some components of a Windows Update connect directly to security controls in areas such as the BIOS or Windows Defender, and without those uplifts some machines can report in as not compliant. Manually initiating a Windows Update check counteracts this misreporting by installing and updating the missing components.
  3. Some components will not appear within the Windows Update section because they are manufacturer-specific updates. To install these components, we will want to locate and select the Advanced options button.
  4. Within the Advanced options section, we will want to select the Optional updates button. This section houses manufacturer-specific updates that can be tied to components required for device compliance.
  5. If any Optional updates are listed, it may be necessary to install them to restore feature or driver updates that are directly tied to security components that must be present and up to date to maintain device compliance.
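As an added example that is not part of the original article, the following PowerShell script gathers in one pass the same signals the check steps above inspect by hand: TPM status and version, Secure Boot state, Memory Integrity, Defender signature age, and the most recent installed update. It assumes an elevated PowerShell session on Windows 10 or 11 and uses this guide's 7-day threshold for signature age; it only reads state and changes nothing on the device.

```powershell
# Added example: read-only device health check (assumes elevated PowerShell on Windows 10/11).
$results = [ordered]@{}

# TPM: Get-Tpm reports presence and readiness; the Ready state is what the guide expects.
try {
    $tpm = Get-Tpm -ErrorAction Stop
    $results['TPM Present'] = $tpm.TpmPresent
    $results['TPM Ready']   = $tpm.TpmReady
} catch {
    $results['TPM Ready'] = "Error: $($_.Exception.Message)"
}

# TPM spec version from WMI (starts with "2.0" on TPM 2.0 parts, as Windows 11 requires).
$tpmWmi = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$results['TPM SpecVersion'] = if ($tpmWmi) { $tpmWmi.SpecVersion } else { 'Unavailable' }

# Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS systems, so treat that as "not supported".
try {
    $results['Secure Boot On'] = Confirm-SecureBootUEFI -ErrorAction Stop
} catch {
    $results['Secure Boot On'] = 'Not supported / legacy BIOS'
}

# Memory Integrity (HVCI): SecurityServicesRunning contains 2 when HVCI is running.
# A missing hypervisor is the usual sign that virtualization is disabled in the BIOS.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$results['Memory Integrity Running'] = ($dg.SecurityServicesRunning -contains 2)
$results['Hypervisor Present']       = (Get-CimInstance -ClassName Win32_ComputerSystem).HypervisorPresent

# Defender signatures: the guide asks for an update within the last 7 days.
$mp = Get-MpComputerStatus
$results['AV Signature Last Updated']  = $mp.AntivirusSignatureLastUpdated
$results['AV Signature Older Than 7d'] = ($mp.AntivirusSignatureAge -gt 7)

# Most recent installed update, as a rough Windows Update freshness signal.
$lastFix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
$results['Last Hotfix Installed'] = if ($lastFix) { "$($lastFix.HotFixID) on $($lastFix.InstalledOn)" } else { 'None found' }

[pscustomobject]$results | Format-List
```

Any line that shows Ready/True/False in the wrong direction, or a signature older than 7 days, points you at the matching section of this guide to fix before running the local device sync again.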

Need Assistance?

Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.