TSFA Device and Security Posture Status
Status
The Status refers to the platform state of a device and indicates its onboarding stage. Devices can have one of three statuses:
- Active: The device is fully onboarded, provisioned, and actively reporting data.
- Pending: This status may occur for one of three reasons:
  - The UEFI/BIOS on the device requires an update. Please update the UEFI/BIOS to ensure that ThinkShield Firmware Assurance can retrieve the BIOS logs. You can find your device's BIOS version at https://support.lenovo.com/. Enter your device model or machine type to download the appropriate version.
  - A license needs to be assigned to the device.
  - An issue occurred during onboarding or provisioning. In this case, you must onboard the device again.
- Unsupported: The device is not on the list of supported models. Please ensure that only supported devices are onboarded. If an unsupported device is added to the platform, it will not report any data.
- Eligible: The device does not have a TSFA license but qualifies for one.
Security Posture Status
The Security Posture Status represents the security health of a device. The possible statuses are:
- Healthy: No issues have been detected recently.
- Unhealthy: Firmware elements are corrupt.
- Suspect: A potential issue has been identified. Check the event log.
- Uninitiated: No security-related events have been reported yet.
Security Posture Status Calculation
The system calculates the Security Posture Status using the Subcomponent Code Measurement as a baseline, evaluating the most recent events reported by the EC (Embedded Controller).
Status Definitions and Calculation Criteria
1. Display Healthy status if:
- The latest Subcomponent Code Measurement reported a Pass for every subcomponent, AND
- No Subcomponent Self-Healing Events have been detected since the last measurement.
2. Display Unhealthy status if:
- One or more subcomponents returned Fail in the latest Subcomponent Code Measurement.
- A Device Firmware Failure Event reported a Firmware Corruption Detected status.
- A runtime intrusion into SPI Flash was detected (Enhanced EC with SAF).
3. Display Suspect status if:
- Any of the following events have been detected in the past 7 days with any status:
  - BIOS Password Change Event
  - System Preboot Authentication Event
  - BIOS Setup Configuration Change Event
  - Device Change Event
  - Log Cleared Event
  - Flash Update Event
  - POST Error Event
  - Set On-Premise Event
  - Capsule Update Event
  - TPM PCR Change
  - BIOS Mode Change
  - BIOS Version Change
  - Secure Boot Status Change
  - Drive Encryption Status Change
  - Disk Drive Firmware Version Change
- A System Tamper Event with Event Type: Open was detected.
- A System Preboot Authentication Event with Fail status occurred.
- A Device Firmware Failure Event reported Hardware Not Found or Hardware Response Timeout statuses.
- One or more successful Subcomponent Self-Healing Events occurred, AND the latest Subcomponent Code Measurement reported a Pass for all subcomponents.
4. Display Uninitialized status if:
- No logs contributing to this status exist.
- No event logs are present yet.
Excluded Events
The following events do not contribute to the Security Posture Status:
- Shutdown/Reboot Event
- System Boot Event
- Power On Event
Reporting Schedule
The system reports the Security Posture Status on a regular schedule:
- At boot
- Every hour at random intervals
Handling Multiple Entries
If two or more entries of the same event type exist in the database, the system uses the latest event for the calculation.
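The criteria above can be read as a small decision procedure. The following is an added example, not Lenovo's implementation: the event dictionary fields (`type`, `time`, `status`, `results`, `event_type`), the `Success` and `Info` status strings, and the order in which the statuses are checked (Unhealthy, then Suspect, then Healthy) are assumptions. The SPI Flash runtime intrusion condition is left out because this page does not name the event that carries it.

```python
from datetime import datetime, timedelta

EXCLUDED = {"Shutdown/Reboot Event", "System Boot Event", "Power On Event"}
WATCHED_7_DAYS = {  # any status within 7 days => Suspect
    "BIOS Password Change Event", "System Preboot Authentication Event",
    "BIOS Setup Configuration Change Event", "Device Change Event",
    "Log Cleared Event", "Flash Update Event", "POST Error Event",
    "Set On-Premise Event", "Capsule Update Event", "TPM PCR Change",
    "BIOS Mode Change", "BIOS Version Change", "Secure Boot Status Change",
    "Drive Encryption Status Change", "Disk Drive Firmware Version Change"}
MEASURE, HEAL = "Subcomponent Code Measurement", "Subcomponent Self-Healing Event"
FW_FAIL, TAMPER = "Device Firmware Failure Event", "System Tamper Event"

def posture(events, now):
    """events: dicts with 'type', 'time', 'status' (constructed schema, not TSFA's)."""
    latest = {}
    for e in events:  # excluded types are ignored; latest entry per type wins
        cur = latest.get(e["type"])
        if e["type"] not in EXCLUDED and (cur is None or e["time"] > cur["time"]):
            latest[e["type"]] = e
    m, heal, fw = latest.get(MEASURE), latest.get(HEAL), latest.get(FW_FAIL)
    fw_status = fw["status"] if fw else None
    healed_since = bool(m and heal and heal["time"] > m["time"])
    # Assumed precedence: Unhealthy, then Suspect, then Healthy.
    if (m and "Fail" in m["results"].values()) or fw_status == "Firmware Corruption Detected":
        return "Unhealthy"
    week_ago = now - timedelta(days=7)
    tamper = latest.get(TAMPER)
    auth = latest.get("System Preboot Authentication Event")
    if (any(t in WATCHED_7_DAYS and e["time"] >= week_ago for t, e in latest.items())
            or (tamper and tamper.get("event_type") == "Open")
            or (auth and auth["status"] == "Fail")
            or fw_status in ("Hardware Not Found", "Hardware Response Timeout")
            or (healed_since and heal["status"] == "Success")):
        return "Suspect"
    if m and not healed_since:
        return "Healthy"
    return "Uninitialized"  # nothing that contributes to the status

# Constructed sample log for one device.
NOW = datetime(2025, 1, 20, 12, 0)
SAMPLE = [
    {"type": "Power On Event", "time": NOW - timedelta(hours=2), "status": "Info"},
    {"type": MEASURE, "time": NOW - timedelta(hours=1), "status": "Pass",
     "results": {"BIOS": "Pass", "EC": "Pass"}},
    {"type": "BIOS Version Change", "time": NOW - timedelta(days=10), "status": "Info"},
]
if __name__ == "__main__":
    print(posture(SAMPLE, NOW))
```

The sample evaluates to Healthy because the only watched event is older than 7 days; a second BIOS Version Change inside the window would replace it as the latest entry of its type and move the device to Suspect.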