Onboarding Devices in ThinkShield Firmware Assurance

About ThinkShield Firmware Assurance

ThinkShield Firmware Assurance (TSFA) detects and remediates firmware tampering and other security issues that could impact the security of your devices before the operating system boots. It consists of the ThinkShield Firmware Assurance agent, which runs as a plug-in of UDC on each monitored device, and a cloud component where data is collected and made available to IT and Org Admins.

Onboarding devices

ThinkShield Firmware Assurance supports an automated process that simplifies the onboarding of devices into your organization. Users can download a .zip file package with the necessary files and apply it to the devices. Lenovo laptops and PCs can be automatically claimed on the ThinkShield Firmware Assurance platform by installing the TSFA provisioning package.

Claiming a Device

Navigate to Onboarding > Instructions and Agents. You can select one of these two methods:

Standard

  1. Select Standard.
  2. Click Start.
  3. Set the configuration of the provisioning package: select the number of devices that will be used and the expiration period of the provisioning package from the corresponding fields.
  4. Click Download. The package is downloaded to your computer. You will receive a confirmation message.
  5. Execute the file on your devices. You have these options:
       1. Automated: Run the udc-setup.exe file, which installs the TSFA agent plugin.
       2. Manual: Run install-udc.bat, a script that enables the Microsoft Configuration Manager (SCCM) tool to install the TSFA agent on a group of devices. Follow the instructions.

The package is contained in an organization-setup.zip file, which includes these three files:
  1. udc_setup_x64.exe (installer for devices with x64 (64-bit) architecture).
  2. udc_setup_arm.exe (installer for devices with ARM architecture).
  3. install-udc.bat (a batch script that automates the installation process, detecting the system architecture and executing the appropriate installer, udc_setup_x64.exe or udc_setup_arm.exe).

After the installation is completed, the devices are claimed to the organization, and you can track them on the portal.

The setup is unique for the organization and should not be shared. 
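
The architecture selection that install-udc.bat is described as performing, written out as an added PowerShell example (not Lenovo's script and not part of the package) that records the SHA-256 hash and Authenticode status of the chosen installer before anything is run. The extraction folder and the expectation that the installers carry a valid signature are assumptions; the script does not launch the installer.

```powershell
# Added example: pick the installer for this machine and inspect it before use.
param(
    # Assumption: folder where organization-setup.zip was extracted.
    [string]$PackageDir = 'C:\Temp\organization-setup'
)

function Get-UdcInstallerName {
    param([string]$Architecture)
    # File names are the ones listed in the package description above.
    switch ($Architecture) {
        'AMD64' { 'udc_setup_x64.exe' }
        'ARM64' { 'udc_setup_arm.exe' }
        default { throw "No installer in the package for architecture '$Architecture'" }
    }
}

# PROCESSOR_ARCHITEW6432 is set when a 32-bit process runs on 64-bit Windows,
# so prefer it over PROCESSOR_ARCHITECTURE to get the native architecture.
$arch = $env:PROCESSOR_ARCHITECTURE
if ($env:PROCESSOR_ARCHITEW6432) { $arch = $env:PROCESSOR_ARCHITEW6432 }

$installer = Join-Path $PackageDir (Get-UdcInstallerName -Architecture $arch)
if (-not (Test-Path -LiteralPath $installer -PathType Leaf)) {
    throw "Installer not found: $installer"
}

$sig    = Get-AuthenticodeSignature -LiteralPath $installer
$hash   = Get-FileHash -LiteralPath $installer -Algorithm SHA256
$signer = $null
if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

# Keep this record with the deployment ticket: the package is unique to the
# organization, so the hash identifies exactly which package was rolled out.
[pscustomobject]@{
    Installer       = $installer
    Architecture    = $arch
    SHA256          = $hash.Hash
    SignatureStatus = $sig.Status
    Signer          = $signer
}

# Assumption: a file that is unsigned or fails validation is a stop condition.
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)'; do not deploy this file."
}
```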


Microsoft Intune

Info
The following requirements must be met to use Intune:
  1. You must be logged into the system as an Org Admin or IT Admin.
  2. IT Admins can use Intune onboarding only if the Microsoft Entra ID directory is connected and configured by the Org Admin.

To start:
  1. Select Microsoft Intune.
  2. Click Start.

Microsoft Entra ID Compliance
If Entra ID is not connected:
  1. Click on Organization Settings > Connectors to connect your Organization to the Entra directory. This will display the Organization Settings page.
  2. Enter the required info from Entra in the text boxes.
  3. Click Save.
The system validates the information and connects to Entra AD.
Notes
If the organization is already linked to Entra, all necessary permissions are pre-granted, the connection is configured, and the Agent is uploaded. In such cases, the system will bypass the initial two steps and directly guide you to the Device Validation window, enabling you to synchronize the devices seamlessly.

Configure Entra ID
Follow the instructions on the screen.
If Entra is not connected, the link will be disabled and you will get this message: "Please connect your Organization to Entra AD and proceed with device onboarding".



Grant Permissions
If certain permissions are not yet granted, they will be displayed followed by a red cross. To grant permissions:
  1. Go to Entra > API permissions.
  2. Click Add Permission.
  3. Click on Microsoft Graph.
  4. Select Delegated Permissions.
  5. Type part of the name on the Select permissions text box.
  6. Check the box of the permission you wish to add.
  7. Click Add Permission. The new permission will be added to the list under API/Permissions Name.
  8. Repeat these steps to add the other permissions.
  9. Click Next.
After adding a permission, UDS synchronizes with Intune. Once the permission is successfully verified, a green check mark will appear next to it under 'Grant permissions,' indicating that the user can proceed.

Download TSFA Agent
  1. Configure the provisioning package settings by selecting the number of devices to be used and setting the expiration period in the respective fields.
  2. Click Download. The package is downloaded to your computer. The extension of the file is INTUNEWIN.
  3. Upload TSFA Agent into Applications.
Device Validation
  1. Open TSFA Agent on your browser.
  2. Paste the URL in the input field below.
  3. Paste the Application ID /URL Validation (the last part of the URL).
  4. Click Confirm.

Device Onboarding List
The right pane displays the list of the Organization’s devices.
  1. To search for a particular device, enter the device name or part of the name in the Search box.
  2. Check the box(es) next to the device(s) to onboard.
  3. Click Onboard.
    Once the device has been properly onboarded and provisioned, its status will transition to Active.

Troubleshooting

One of the most common issues users may encounter is the device remaining in a "Pending" status. To resolve this, you can try the following alternative solutions. If the first solution does not resolve the issue, proceed to the next one:

  1. Check network connectivity: Ensure the device is connected to the network.
  2. Verify license assignment: Confirm that the device has been assigned a valid license.
  3. Check TSFA plugin installation: Verify that the TSFA plugin is installed successfully by checking for the existence of the folder at C:\Program Files\Lenovo\TSFA.
  4. Restart UDC if plugin is missing: If the TSFA plugin is not installed, restart UDC to attempt downloading the plugin package again.
  5. Reinstall UDC if necessary: If the TSFA plugin still fails to install, uninstall UDC and download a new provisioning package from the portal. After that, reinstall UDC.
  6. Confirm BIOS/EC version compatibility: Ensure that the BIOS/EC version is within the supported range.
  7. Analyze plugin logs for further insights: If all the above conditions are met and the device remains in a "Pending" state, review the plugin logs for additional troubleshooting information.
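
The device-side checks from the list above (steps 1, 3 and 6) collected into one read-only triage script, as an added PowerShell example that is not part of the TSFA tooling. The portal host name is a placeholder, and reaching it on TCP 443 is an assumption; the plugin folder path is the one given in step 3.

```powershell
# Added example: read-only triage for a device stuck in "Pending".
param(
    # Assumption: placeholder; replace with the portal host your organization uses.
    [string]$PortalHost = 'portal.example.invalid',
    # Path from step 3 of the troubleshooting list.
    [string]$PluginDir  = 'C:\Program Files\Lenovo\TSFA'
)

function Test-TsfaPluginFolder {
    param([string]$Path)
    # An empty folder is reported separately from a missing one.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return 'Missing' }
    if (-not (Get-ChildItem -LiteralPath $Path -Force | Select-Object -First 1)) { return 'Empty' }
    'Present'
}

$bios = Get-CimInstance -ClassName Win32_BIOS
$net  = Test-NetConnection -ComputerName $PortalHost -Port 443 -WarningAction SilentlyContinue

$report = [pscustomobject]@{
    Device           = $env:COMPUTERNAME
    SerialNumber     = $bios.SerialNumber
    NetworkReachable = $net.TcpTestSucceeded
    PluginFolder     = Test-TsfaPluginFolder -Path $PluginDir
    # Compare these two values with the supported BIOS/EC range (step 6).
    BiosVersion      = $bios.SMBIOSBIOSVersion
    EcVersion        = '{0}.{1}' -f $bios.EmbeddedControllerMajorVersion,
                                    $bios.EmbeddedControllerMinorVersion
}
$report | Format-List

# Map the findings back to the numbered steps so the next action is explicit.
if (-not $report.NetworkReachable) {
    'Next: step 1, restore network connectivity.'
} elseif ($report.PluginFolder -ne 'Present') {
    'Next: step 4, restart UDC; if the folder is still absent, step 5.'
} else {
    'Next: steps 2, 6 and 7: check the license, the BIOS/EC range, then the plugin logs.'
}
```

License assignment (step 2) is checked in the portal, so the script only points to it.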

