About Device Statuses

About Device Statuses

Status

The Status refers to the platform state of a device and indicates its onboarding stage. Devices can have one of three statuses:
  1. Active: The device is fully onboarded, provisioned, and actively reporting data.
  2. Pending: The device is either unlicensed or has not reported its provisioning status. This status may occur due to one of two reasons: 

    1. A license needs to be assigned to the device.
    2. An issue occurred during onboarding or provisioning. In this case, the user must onboard the device again.
  1. Unsupported: The enhanced embedded controller is not detected. This means the device lacks the hardware capability to report data for ThinkShield Firmware Assurance. Consequently, the device will never report security data.

Security Posture Status

The Security Posture Status represents the security health of a device. The possible statuses are:
  1. Healthy: No issues have been detected recently.
  2. Unhealthy: Firmware elements are corrupt.
  3. Suspect: A potential issue has been identified. Check the event log.
  4. Uninitiated: No security-related events have been reported yet.


Security Posture Status Calculation

The system calculates the Security Posture Status using the Subcomponent Code Measurement as a baseline, evaluating the most recent events reported by the EC (Embedded Controller).

Status Definitions and Calculation Criteria

1. Display Healthy status if:
  1. The latest Subcomponent Code Measurement reported a Pass for every subcomponent,
    AND
  2. No Subcomponent Self-Healing Events have been detected since the last measurement.
2. Display Unhealthy status if:
  1. One or more subcomponents returned Fail in the latest Subcomponent Code Measurement.
  2. A Device Firmware Failure Event reported a Firmware Corruption Detected status.
  3. A runtime intrusion into SPI Flash was detected (Enhanced EC with SAF).
3. Display Suspect status if:
  1. Any of the following events have been detected in the past 7 days with any status:
    1. BIOS Password Change Event
    2. System Preboot Authentication Event
    3. BIOS Setup Configuration Change Event
    4. Device Change Event
    5. Log Cleared Event
    6. Flash Update Event
    7. POST Error Event
    8. Set On-Premise Event
    9. Capsule Update Event
    10. TPM PCR Change
    11. BIOS Mode Change
    12. BIOS Version Change
    13. Secure Boot Status Change
    14. Drive Encryption Status Change
    15. Disk Drive Firmware Version Change
  2. A System Tamper Event with Event Type: Open was detected.
  3. A System Preboot Authentication Event with Fail status occurred.
  4. A Device Firmware Failure Event reported Hardware Not Found or Hardware Response Timeout statuses.
  5. One or more successful Subcomponent Self-healing Events occurred,
    AND
  6. The latest Subcomponent Code Measurement reported a Pass for all subcomponents.
4. Display Uninitialized status if:
  1. No logs contributing to this status exist.
  2. No event logs are present yet.
Excluded Events
The following events do not contribute to the Security Posture Status:
  1. Shutdown/Reboot Event
  2. System Boot Event
  3. Power On Event
Reporting Schedule
The system reports the Security Posture Status on a regular schedule:
  1. At boot
  2. Every hour at random intervals
Handling Multiple Entries
If two or more entries of the same event type exist in the database, the system uses the latest event for the calculation.


    • Related Articles

    • Managing Devices within TSFA

      To access devices within your organization's portal, navigate to Devices Manager > Devices. Device Table The Device Table provides regular information pertaining to each device, such as Device Name and Type, Serial Number, License, etc. It also ...

    • Using Device Lookup

      The Device Lookup page serves as a comprehensive information source, consolidating all data related to an individual device within the TSFA system. Designed to provide detailed insights, it facilitates the management and troubleshooting of devices. ...

    • Using the Dashboard

      The Dashboard displays data from the entire fleet of devices through various graphs, bar charts, and visual elements, helping users quickly grasp trends and key metrics. As the landing page, it is the first interface users see when accessing the ...

    • Onboarding Devices in ThinkShield Firmware Assurance

      About ThinkShield Firmware Assurance ThinkShield Firmware Assurance (TSFA) detects and remediates firmware tampering and other security issues that could impact the security of your devices before the operating system boots. The ThinkShield Firmware ...

    • Running On-demand Measurements

      This feature introduces the ability to perform on-demand measurements on the device, run the measurement (verify firmware integrity) of each component, and display the latest logs on the Cloud UI. It also enables a two-step attestation of ...