Jackie Ramsey July 6, 2026 0

A device can look healthy in Intune and still leave you short on audit evidence. I see that gap often with Intune Secure Boot and TPM evidence, because admins trust a live dashboard when they need a dated record.

For CMMC Level 2, I don’t treat Secure Boot and TPM as a box-checking exercise. I treat them as proof that endpoint protections are real, enforced, and retained long enough to stand up in review.

Key Takeaways

  • Secure Boot and TPM are not named CMMC Level 2 controls, yet they support core NIST SP 800-171 requirements tied to cryptographic protection, malware defense, and system integrity.
  • I never rely on one Intune screen alone; I keep policy screenshots, device-level proof, report exports, and retention records together.
  • Intune shows device compliance visibility, but I still validate endpoint security posture and keep separate audit-ready evidence retention.
  • Feature names and report locations can shift in the Intune admin center, so I date every capture and note the path I used.
  • A stronger evidence packet usually combines Intune, BitLocker policy proof, and a small set of local device artifacts for sample endpoints.

Why Secure Boot and TPM matter for CMMC Level 2

Secure Boot and TPM do not appear as stand-alone CMMC Level 2 practices. Still, I treat them as core evidence because they support the security outcome behind several NIST SP 800-171 controls. In plain terms, they help prove that a device starts in a trusted state, protects encryption keys, and resists tampering before Windows fully loads.

That matters most for control areas tied to cryptographic protections, malicious code protection, and flaw remediation. The current CMMC Level 2 model still maps to 110 controls across 14 families from NIST SP 800-171 Rev. 2. Because of that, a TPM 2.0-backed BitLocker deployment and enabled UEFI Secure Boot are practical signals that my endpoint baseline is not loose or ad hoc.

Microsoft’s own material helps frame that baseline. I cross-check the settings available in Windows compliance settings in Intune, and I use Microsoft’s CMMC Level 2 technical reference guide as background when I explain how Microsoft tools support evidence collection.

I also separate three ideas that people often mix together. Device compliance visibility is what Intune marks as compliant or noncompliant. Endpoint security posture is the underlying state of BitLocker, Secure Boot, TPM, antivirus, and patching. Audit-ready evidence retention is the dated proof I can hand over later, even if the live portal has changed since capture day.

A compliant badge is useful, but it is not the same as preserved evidence from the assessment period.

How I collect Intune evidence that stands up

My collection process starts with policy proof, not device proof. First, I open the Intune admin center and capture the Windows compliance policy that applies to the in-scope device group. Depending on the current UI, I may find these settings under Devices, Compliance policies, or another nearby blade. Microsoft moves labels and report locations often enough that I record the date and exact navigation path in my evidence notes.

Next, I capture the setting values that matter. For Windows, that usually includes Secure Boot requirements, BitLocker-related compliance checks, and any health or system security settings tied to device integrity. After that, I capture the group assignment screen, because an unassigned policy is dead weight in an audit packet.

Then I move to device results. I export a report that shows device compliance status for the scoped Windows fleet. I want device name, primary user if relevant, OS version, last check-in, and policy result. If I have a Dell Latitude 7440, HP EliteBook 840 G10, Lenovo ThinkPad X1 Carbon Gen 11, or Surface device in scope, I pull a few representative samples from those families.

A sleek laptop sits on a polished mahogany desk displaying security dashboard analytics. Beside the computer, a mobile phone confirms identity authentication, symbolizing a secure professional environment managed through updated digital policies.

For each sample device, I gather evidence in this order:

  1. I capture the device overview in Intune, including device name, serial number, ownership, and last check-in.
  2. I capture the device compliance state and the policy that evaluated it.
  3. I capture the Endpoint security disk encryption policy that applies to the device, if I manage BitLocker there.
  4. I export or screenshot BitLocker recovery key presence when policy requires escrow.
  5. I add a local corroboration artifact, such as msinfo32 showing “BIOS Mode: UEFI” and “Secure Boot State: On”, plus tpm.msc or Get-Tpm output for TPM status.

That last step matters because Intune can summarize status while hiding the reason behind it. When I need stronger Intune Secure Boot TPM evidence, I want both management-plane proof and endpoint-plane proof.

The evidence packet I keep for audit review

I don’t hand auditors a pile of random screenshots. I keep a small, consistent packet for every collection date, and I store it where retention is controlled. For many teams, that means a Microsoft 365 document library with versioning and restricted access. If your environment already went through an Office 365 Migration, this is a smart place to reuse governance you already trust.

This is the artifact set I keep most often:

ArtifactWhat I captureWhy it matters
Compliance policy screenshotSecure Boot and related Windows settingsProves the requirement existed
Policy assignment screenshotIncluded groups and scopeProves the policy targeted in-scope devices
Compliance exportCSV or report snapshot with status and last check-inShows fleet-wide visibility on a date
Device detail screenshotsDevice identity, OS, compliance resultTies report data to real endpoints
BitLocker policy proofEndpoint security disk encryption settingsConnects TPM-backed encryption to policy
Local validation artifactsmsinfo32, tpm.msc, Get-BitLockerVolumeCorroborates Intune with endpoint facts

The table is the backbone, not the full story. I also save a short evidence memo that explains what each artifact shows, when I collected it, and which systems were in scope. That saves time later when names change in Intune or when staff turnover hits the team.

I watch naming closely for one more reason. Community threads such as secure configuration baselines that passed CMMC L2 show how often teams struggle to explain what their baseline actually was at a point in time. I avoid that problem by naming policies with version numbers and effective dates.

Validation and troubleshooting before the assessment

Before I present anything, I test the evidence against common failure points. Secure Boot may show trouble because the device still runs Legacy BIOS instead of UEFI. TPM evidence can break because the chip is disabled in firmware, not owned, or not exposed correctly after a motherboard replacement. In other cases, the problem is simpler: the device has not checked in, so Intune is showing stale data.

Co-managed devices need extra care. If Configuration Manager, Intune, Defender, and BIOS tooling all touch the same endpoint, I verify who owns the setting and where the latest truth lives. Otherwise, I can end up with a green status in one place and contradictory detail in another.

I also keep the business context in view. In my work with Small Business IT teams, this evidence discipline connects directly to Cloud Infrastructure, Cloud Management, and Secure Cloud Architecture because those endpoints reach CUI in Microsoft 365 and other services. The same habits support Office 365 Migration, Data Center Technology refreshes, and broader Digital Transformation work. They also fit real-world operations that need Restaurant POS Support and Kitchen Technology Solutions, where fixed terminals still need Endpoint Security and Device Hardening. A strong Business Technology Partner can tie that work into Cybersecurity Services, Technology Consulting, Infrastructure Optimization, Tailored Technology Services, and Innovative IT Solutions. For leaders building an IT Strategy for SMBs, that is how Managed IT for Small Business turns into stronger Business Continuity & Security.

Most importantly, I never present a single dashboard screenshot as final proof. I validate report dates, sample device states, and policy scope together. That layered packet is easier to defend, and it is much easier to maintain over time.

Conclusion

When I prepare for CMMC Level 2, I treat Secure Boot and TPM evidence as a chain, not a screenshot. Intune gives me the management view, but evidence retention is what makes that view useful later.

The strongest packet combines policy proof, assignment proof, compliance exports, and sample device validation. If I can show all four cleanly, I walk into the conversation with facts instead of hope.


Discover more from Guide to Technology

Subscribe to get the latest posts sent to your email.

Category: 

Leave a Reply