Use this section to explain why machines might look like they are "stuck" or waiting in Phase 1.
When managing updates across our school network, the operating system moves through three distinct phases. The script tracks this path dynamically:
Phase 0: Dormant / Unstarted
The security patches are downloaded to the computer's hard drive, but they are completely asleep. The machine is unpatched and vulnerable.
Phase 1: Staged / Handshake In Progress (The "Hibernation" State)
The script has successfully run once. The new Windows UEFI CA 2023 certificate has been written to the firmware's Secure Boot database in the motherboard's NVRAM, but the updated Windows boot manager has not been swapped in yet; the current boot files sit in a dormant, hibernation-like state, waiting for one final system sweep to switch over safely.
Phase 2: Fully Restructured (Success)
The final system sweep is complete. The old, vulnerable Windows boot manager files have been permanently deleted, the new ones are active, and the machine is 100% compliant. No further action is required.
Create a new section on your site for this. You can use Google Sites' "Collapsible Group" feature for each item below to keep the page clean and scannable.
Target State: UEFI (Modern Mode)
Failure State: Legacy / BIOS (Obsolete Mode)
Operator Action Required: If a machine flags as Legacy, it is running a 20-year-old protocol that cannot accept modern security keys. You must back up the user's data, enter the BIOS to disable CSM/Legacy mode, wipe the drive to convert the partition style to GPT, and reinstall Windows.
Target State: ENABLED / ACTIVE
Failure State: DISABLED / INACTIVE
Operator Action Required: Secure Boot is turned off in the hardware layer. Reboot the computer, press the manufacturer's setup key (F10 for school HP hardware, F2/Del for others), navigate to the Security tab, and switch Secure Boot to Enabled.
Target State: Installed
Failure State: Missing
Operator Action Required: The motherboard's Secure Boot database is missing the updated Microsoft Windows UEFI CA 2023 certificate. If NVRAM space is clear, run the Staging Script to execute the automated key injection.
Target State: Phase 2 (Fully Restructured)
Warning State: Phase 1 (Staged / Handshake In Progress)
Failure State: Phase 0 (Unstarted / Dormant)
Operator Action Required: If Phase 0, execute the primary deployment script. If Phase 1, simply re-run the script one final time to force the final bootloader swap task and prompt the final reboot.
Target State: Good Space Clear
Failure State: NVRAM Choked / Storage Full
Operator Action Required: STOP IMMEDIATELY. The physical storage chip on the motherboard is full of old crash logs or duplicate data. Trying to force a key injection on a choked chip can cause the system to freeze or crash entirely. Manually flash the computer's BIOS to the newest vendor version to run an automatic chip clean-up.
Target State: No GPO Restrictions Found
Failure State: GPO Restriction Active / Registry Locked
Operator Action Required: An Active Directory Group Policy is locking out registry modifications. Move the target computer asset into an exempt testing Organizational Unit (OU) in your directory manager, then run gpupdate /force in an elevated command prompt.
Target State: Off / Suspended (Safe to Flash)
Warning State: ON / ACTIVE (Lockout Risk!)
Operator Action Required: The script automatically handles this by pausing encryption for 2 reboots. However, if running manually on standalone or personal student devices, always ensure the user has verified access to their 48-digit recovery key before modifying motherboard firmware.
Target State: Active / Healthy (Ver: 2.0)
Failure State: Missing / Disabled / Ver: 1.2
Operator Action Required: Verify the Trusted Platform Module (TPM) device is enabled in the physical BIOS settings. If the motherboard is locked at an obsolete 1.2 standard, it will fail modern Windows enterprise compliance metrics.
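The following is an added, read-only health check that reports the Target/Failure states listed above and the Phase 0/1/2 position described at the top of the page. It is example code written for this page; it is not the site's deployment or Staging Script and it injects nothing. It assumes Windows 10/11, an elevated PowerShell session, that drive letter Z: is free for briefly mounting the EFI System Partition, and that the three phases mean what this page says (Phase 1 = CA 2023 present in the firmware db but the old boot manager still on the ESP; Phase 2 = boot manager on the ESP already signed under the new CA). There is no cmdlet that measures free NVRAM space, so for the "NVRAM choked" item the script instead surfaces the firmware's most recent Secure Boot servicing events for the operator to read.

```powershell
#Requires -RunAsAdministrator
# Added, read-only health check for the states described on this page. It is not the
# site's deployment / Staging Script: it changes nothing except briefly mounting the
# EFI System Partition on an unused drive letter. Assumptions: Windows 10/11, elevated
# PowerShell, drive letter Z: is free, and Phase 0/1/2 mean what this page says.

function Get-FirmwareMode {
    # Windows sets $env:firmware_type to 'UEFI' or 'Legacy'.
    [pscustomobject]@{ Check = 'Boot mode'; Value = $env:firmware_type; Ok = ($env:firmware_type -eq 'UEFI') }
}

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on Legacy/BIOS machines, so an error counts as "off".
    try { $on = [bool](Confirm-SecureBootUEFI) } catch { $on = $false }
    [pscustomobject]@{ Check = 'Secure Boot'; Value = $(if ($on) { 'ENABLED' } else { 'DISABLED' }); Ok = $on }
}

function Test-Ca2023InDb {
    # The db variable lists the certificates the firmware trusts to sign boot code.
    # Microsoft's documented check for KB5025885 is a string search for the CA name in it.
    try {
        $bytes = (Get-SecureBootUEFI -Name db -ErrorAction Stop).Bytes
        return ([System.Text.Encoding]::ASCII.GetString($bytes) -cmatch 'Windows UEFI CA 2023')
    } catch { return $false }
}

function Get-BootManagerIssuer {
    # Mount the ESP on Z: (assumption: unused), read the Authenticode issuer of bootmgfw.efi,
    # then unmount. A boot manager swapped in by the update is issued by Windows UEFI CA 2023.
    $letter = 'Z:'
    mountvol $letter /S | Out-Null
    try {
        $sig = Get-AuthenticodeSignature -FilePath "$letter\EFI\Microsoft\Boot\bootmgfw.efi"
        return [string]$sig.SignerCertificate.Issuer
    } catch { return '' } finally { mountvol $letter /D | Out-Null }
}

function Test-SecureBootKeyWritable {
    # Restricted key permissions (for example pushed by a GPO) surface as access denied when
    # the SecureBoot key is opened for write, even from an elevated shell.
    try {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SYSTEM\CurrentControlSet\Control\SecureBoot', $true)
        if ($null -eq $key) { return $false }
        $key.Close(); return $true
    } catch { return $false }
}

function Get-BitLockerState {
    # ProtectionStatus 'On' means a firmware change could trigger a recovery-key prompt.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $status = if ($vol) { [string]$vol.ProtectionStatus } else { 'NotEncrypted' }
    [pscustomobject]@{ Check = 'BitLocker'; Value = $status; Ok = ($status -ne 'On') }
}

function Get-TpmState {
    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM spec level.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return [pscustomobject]@{ Check = 'TPM'; Value = 'Missing'; Ok = $false } }
    $ver = ($tpm.SpecVersion -split ',')[0].Trim()
    [pscustomobject]@{ Check = 'TPM'; Value = "Ver $ver (enabled: $($tpm.IsEnabled_InitialValue))"; Ok = ($tpm.IsEnabled_InitialValue -and $ver -eq '2.0') }
}

function Get-SecureBootServicingEvents {
    # Secure Boot servicing results, including firmware-side variable write failures, are
    # logged to the System log by the Microsoft-Windows-TPM-WMI provider; show the latest few.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI' } -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Invoke-SecureBootHealthCheck {
    $caInDb  = Test-Ca2023InDb
    $newBoot = (Get-BootManagerIssuer) -match 'Windows UEFI CA 2023'
    # Phase 0: CA missing from db. Phase 1: CA present, old boot manager still on the ESP.
    # Phase 2: CA present and the ESP boot manager is signed under the new CA.
    $phase = if ($caInDb -and $newBoot) { 2 } elseif ($caInDb) { 1 } else { 0 }
    $writable = Test-SecureBootKeyWritable
    @(
        Get-FirmwareMode
        Get-SecureBootState
        [pscustomobject]@{ Check = 'CA 2023 in db'; Value = $(if ($caInDb) { 'Installed' } else { 'Missing' }); Ok = $caInDb }
        [pscustomobject]@{ Check = 'Deployment phase'; Value = "Phase $phase"; Ok = ($phase -eq 2) }
        [pscustomobject]@{ Check = 'SecureBoot reg key'; Value = $(if ($writable) { 'Writable' } else { 'Locked' }); Ok = $writable }
        Get-BitLockerState
        Get-TpmState
    ) | Format-Table -AutoSize
    Get-SecureBootServicingEvents | Format-List
}

Invoke-SecureBootHealthCheck
```

Run it from an elevated PowerShell window before and after the Staging Script: a machine that reports "CA 2023 in db: Installed" together with "Phase 1" is the "stuck in hibernation" case from the top of the page and only needs the final re-run and reboot, whereas "BitLocker: On" or "SecureBoot reg key: Locked" should be cleared first per the operator actions above.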
Add this to the bottom of your Google Site page as a "Resources" or "Links" section so other technicians or administrators can verify the data.
Microsoft Servicing Blueprint & Phase Guidelines (KB5025885)
Review the official step-by-step rollout timelines, registry configuration keys, and exact behavior patterns of the Secure Boot revocations associated with CVE-2023-24932.
Microsoft Windows Post-Enforcement Secure Boot Recovery Guide
Official confirmation and step-by-step documentation detailing how to manually recover unbootable devices if they miss the automated deployment window and hit the hard enforcement deadline.
https://learn.microsoft.com/en-us/windows/deployment/support/secure-boot-recovery-guide
HP Enterprise & Business PC Motherboard Configuration Index
Official guide on managing HP UEFI architectures, deploying BIOS updates via corporate packages, and handling motherboard NVRAM allocations safely.
https://support.hp.com/us-en/document/ish_4123913-3971208-16
Microsoft Learn: OEM Secure Boot Key and Database Specifications
Deep-dive hardware engineering documentation detailing how digital signature databases (db), Key Exchange Keys (KEK), and firmware architectures guard the pre-boot infrastructure.
https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot