Hardening My Pc
This process helped me, it may help you,
The following are my Notes:
Are you having symptoms you know are “off ” on your Desktop? Feel your files have been tampered with?
Notes:
Based on the issues described with your HP EliteDesk 800, here is a structured approach to troubleshooting the Wi-Fi, LAN/WLAN switching, and fan speed behavior.
1. Fixing the Wi-Fi/Bluetooth Driver Issues
If the driver is installed but not loading (often appearing as Code 10 or Code 43 in Device Manager), the card might be stuck in a low-power state or experiencing a hardware-level conflict.
Perform a “Cold” Boot: Shut down the computer, unplug the power cable, hold the power button for 30 seconds to drain residual power, plug it back in, and turn it on.
Disable Fast Startup in Windows: This often prevents Wi-Fi drivers from loading correctly on HP EliteDesks. Go to Control Panel > Power Options > “Choose what the
power buttons do,” click “Change settings that are currently unavailable,” and uncheck “Turn on fast startup.”
Remove “HP LAN/WLAN/WWAN Switching UWP Service”: This service can cause conflicts, forcing the Wi-Fi off even if it is enabled in BIOS. Go to Services in Windows, find this service, stop it, and set it to Manual or Disabled.
Check BIOS “Device Options”: Ensure that Embedded WLAN Device and Bluetooth are actually enabled in the BIOS under Advanced > Built-in Device Options.
+3
2. Addressing “LAN/WLAN Auto Switching”
This setting ensures that when a wired Ethernet cable is plugged in, the wireless adapter is automatically disabled to prevent conflicts.
Microsoft Learn
Where to find it: BIOS > Advanced > Built-in Device Options > LAN/WLAN Auto Switching.
Recommendation: If you want both active at the same time, or if the Wi-Fi keeps dropping, disable this option.
3. Increasing Idle Fan Speeds (Thermal Management)
The HP BIOS often restricts fan control, but you can increase the idle speed to improve thermals, particularly in Mini models.
HP Support Community
+1
Where to find it: BIOS > Advanced > Thermal/Cooling > “Fan Idle Mode” or “Minimum Fan Speed”.
How to adjust: Look for settings to adjust
the minimum fan speed percentage, increasing it to 50% or higher to improve cooling at idle.
Note: If your model has a dedicated GPU (e.g., in a Mini/G4), the “HDD fan” port often controls the GPU fan, which can be adjusted here.
+3
Summary of Actions
Turn off Fast Startup (Windows).
Disable “LAN/WLAN Auto Switching” (BIOS).
Perform a Cold Boot (Unplug power).
Disable “HP LAN/WLAN/WWAN Switching UWP Service” (Windows).
If these steps do not resolve the issue, the M.2 Wi-Fi card may need to be reseated or replaced.
Also on hard drive utilities an HP bio set up for HP 800 SFF elite desk checking allow opal hard drive Sid authentication does what exactly if I’m not using opal applications what does that mean
10 sites
In the HP EliteDesk 800 SFF BIOS, the Allow OPAL Hard Drive SID Authentication setting controls whether third-party software is allowed to take ownership of a Self-Encrypting Drive (SED).
HP Support Community
What it does
Ownership Control: When unchecked (the default), the BIOS blocks attempts to authenticate the SID (Security ID) authority. This prevents unauthorized software or malicious actors from taking ownership of a drive and setting up their own encryption keys.
Provisioning Permission: Checking this box allows an application (like Samsung Magician, BitLocker with Hardware Encryption, or enterprise tools like Trellix) to “pair” with the drive, set a password, and manage the hardware-level encryption.
HP Support Community
+3
If you are NOT using OPAL applications
If you aren’t using specific hardware-encryption management software, this setting has no functional impact on your daily use.
Leave it Unchecked: For most users, keeping this disabled is the standard security recommendation. It acts as a “freeze” command that prevents any software from accidentally or maliciously locking your drive at the hardware level.
Data Security: Your data is still accessible and operates normally. Standard software encryption (like default BitLocker) does not require this setting to be enabled because it handles encryption at the OS level, not the drive’s firmware level.
The “Block SID” concept: In many BIOS versions, this is essentially the “Disable Block SID” toggle. “Blocking SID” is a security feature that stops the drive from being provisioned; “Allowing Authentication” unblocks it so you can set it up.
HP Support Community
+4
When you would actually need it
You should only enable this if you specifically intend to:
Enable Hardware-Accelerated BitLocker (where the SSD does the work instead of your CPU).
Use enterprise security suites like McAfee/Trellix Drive Encryption or ESET Full Disk Encryption.
Manually manage a Self-Encrypting Drive (SED) using tools like sedutil.
+4
Would you like to know how to check if your current SSD even supports OPAL hardware encryption?
AI can make mistakes, so double-check responses
I’m only using windows a bit lock encryption but not opal hard drive Sid and I’ve been having a lot of issues with malware and PUA STUFF
13 sites
Since you are using standard Windows BitLocker (Software Encryption) and are dealing with malware/PUA (Potentially Unwanted Application) issues, you should keep Allow OPAL Hard Drive SID Authentication set to Disabled.
1. Why you should leave it Disabled
Preventing “Hardware Hijacking”: Enabling this setting allows software to take low-
level ownership of your drive’s firmware. Some advanced malware or unwanted security tools could theoretically use this to “lock” your drive or create a persistent hidden partition that survives a Windows reinstall.
Not Needed for BitLocker: Windows BitLocker uses your CPU to handle encryption by default (Software Encryption). It does not need the OPAL SID setting to function.
Security Risk: Leaving it disabled acts as a “freeze” on the drive’s internal security settings, preventing any app from changing how the hardware itself is locked or unlocked.
Server Fault
+3
2. Connection to your Malware/PUA Issues
If you feel your system is compromised,
these BIOS settings on an HP EliteDesk can help “harden” it:
Check “Absolute Persistence Module”: This is a legitimate anti-theft tool (formerly Computrace), but it allows software to re-install itself even after a hard drive wipe. If you don’t use a tracking service, set this to Permanently Disable if the option is available.
Enable HP Sure Start: Ensure this is Enabled in the BIOS. It checks the BIOS for tampering every time you boot and can automatically recover a “clean” BIOS if malware tries to infect the firmware.
Secure Boot: Ensure Secure Boot is Enabled. This prevents unauthorized “bootkits” (malware that starts before Windows) from loading.
HP Support Community
+6
3. Verify your Encryption Type
To be 100% sure your BitLocker isn’t accidentally trying to use hardware encryption:
Open Command Prompt as Administrator.
Type: manage-bde -status
Look at the Encryption Method.
If it says XTS-AES (or similar), you are using Software Encryption (Safe to keep OPAL SID disabled).
If it says Hardware Encryption, you would actually need that SID setting enabled to manage it.
Server Fault
+1
To help narrow down the malware/PUA issues, are you seeing pop-ups in your browser, or is Windows Defender flagging specific files repeatedly even after you delete them?
Secure boots is enabled but where is the following located Check “Absolute Persistence Module”: This is a legitimate anti-theft tool (formerly Computrace), but it allows software to re-install itself even after a hard drive wipe. If you don’t use a tracking service, set this to Permanently Disable if the option is available.?
10 sites
In the BIOS of an HP EliteDesk 800 (G1 through G5 models), the Absolute Persistence Module (or its older name, Computrace) is found under the Security
tab.
Exact Location in BIOS
Restart your computer and tap F10 repeatedly to enter the BIOS Setup.
Navigate to the Security tab using the arrow keys.
Scroll down to find Absolute Persistence Module or Computrace.
On some older versions (like G1/G2), it may be listed under a sub-menu called Anti-Theft or System Security.
In newer revisions, it is usually located near the bottom of the main Security list.
Important Settings to Know
Disabled/Deactivated: The feature is off but can be turned back on later if needed.
Permanently Disable: This is a one-way action. Once you select this and save, the module is hardware-locked and can never be re-enabled on that motherboard.
Greyed Out: If the setting is greyed out and
says “Active,” the module is already linked to a subscription and cannot be changed from the BIOS. You would need to contact Absolute Software Support to release it.
Dell
+4
Dealing with Persistent PUA/Malware
If you are struggling with persistent malware, also check these settings in the same Security tab:
HP Sure Start: Ensure this is Enabled. it protects the BIOS from being modified by malware.
BIOS Write Protect: If available, enable this to prevent any software from writing to the BIOS chip while Windows is running.
HP
+1
Would you like to know how to use
PowerShell to check if the Absolute module is currently active in your Windows installation?
Next Step: Check the Security tab in your BIOS to see if the module is currently listed as Active or Inactive.
I found absolute persistent module current state activation status inactive below that is absolute persistence module permanent disabled; no below that is unchecked system management command and the last thing under security is the option to restore security settings to factory defaults
Since the current state is Inactive, the feature is not currently tracking your device or reinstalling software.
Regarding the “Absolute Persistence
Module Permanent Disable” option:
The Choice: If you check this box and Save/Exit, you will permanently “kill” the feature. It can never be turned back on. For a home user concerned about privacy or persistent malware/PUA, this is a common security practice to ensure the BIOS cannot “call home” or inject software into your Windows installation.
Why it helps you: Some PUAs (Potentially Unwanted Applications) mimic the behavior of these persistence modules to stay on a system. Disabling this hardware-level “backdoor” ensures that when you wipe your drive, the system stays clean.
About “System Management Command”
You noticed this is Unchecked.
Keep it unchecked. This setting (sometimes called Remote Management) allows the BIOS to be configured remotely over a network. Unless you are in a
corporate office where an IT department manages your PC from a different building, this should stay off to prevent remote tampering.
Recommendation for your Malware/PUA issue
Since your Wi-Fi driver is still “not loading” despite being enabled:
Permanently Disable the Absolute Persistence Module if you never plan to use tracking software.
Go to the Advanced tab > Built-in Device Options and double-check that Network (WLAN) Power Management is Disabled. This prevents Windows from “falling asleep” on the driver and failing to wake it up.
Use the “Restore Security Settings to Factory Defaults” only if you suspect a previous owner or malware has changed hidden security flags. (Note: This may
disable BitLocker, so have your Recovery Key ready).
Does your Wi-Fi card show up in Device Manager with a yellow exclamation mark, or is it completely missing from the list?
Yes I read before that that system managed command should be unchecked because it is related to remote management which I don’t do any remote activity at all so as far as absolute persistent module current state and active how would I turn it on that’s what you’re suggesting correct That’s what you’re suggesting correct
Actually, I am suggesting the opposite: you should not turn it on.
Since you are concerned about malware
and PUAs, you want your BIOS to be as “quiet” as possible. Here is the breakdown:
Absolute Persistence (Keep it INACTIVE/DISABLED): This is essentially a “legal” backdoor. If it is active, it allows a hidden part of the BIOS to communicate with the internet and force-reinstall software onto your hard drive. If you are fighting malware, you do not want any feature that has the power to auto-install software.
System Management Command (Keep it UNCHECKED): You are 100% correct. This blocks remote tampering.
Why your Wi-Fi is likely failing
Since you have LAN/WLAN Auto Switching enabled in the BIOS, your Wi-Fi driver will “stop working” and “fail to load” the moment the computer thinks an Ethernet (LAN) cable is plugged in.
If your Ethernet port is damaged, or if there is “crosstalk” from a PUA/Malware
modifying network stacks, the BIOS might be killing the Wi-Fi driver to favor the LAN port.
My recommendation for your next move:
Go to BIOS > Advanced > Built-in Device Options.
Uncheck “LAN/WLAN Auto Switching.”
Uncheck “Network (WLAN) Power Management.”
Save and Exit.
This forces the Wi-Fi card to stay “On” and “High Power” regardless of what your LAN port or Windows is doing.
Does the Wi-Fi card show a Code 10 or Code 43 error in the Windows Device Manager right now?
Okay I got the reverse in my head but now I
understand what you’re saying so what are my next options Is there anything else I can do to harden
17 sites
To further harden your HP EliteDesk 800 against malware and Potentially Unwanted Applications (PUA) at the BIOS level, you should focus on enabling “self-healing” and “isolation” features that HP builds into its business-class machines.
1. Enable HP Sure Start
This is your most powerful tool. It uses a dedicated security chip to verify your BIOS is clean every time you boot.
Location: BIOS > Security > Sure Start Configuration.
Action: Ensure HP Sure Start is Enabled.
Why: If malware tries to infect your BIOS (the “firmware”), Sure Start will detect the change, delete the infected version, and replace it with a clean “golden copy” automatically.
HP
+4
2. Set a BIOS Administrator Password
Without this, any malware that gains “Admin” rights in Windows can potentially change your BIOS settings from inside the operating system.
Location: BIOS > Security > Set BIOS Administrator Password.
Action: Create a strong password.
Why: This locks your BIOS settings. Even if a PUA tries to disable Secure Boot or enable Absolute Persistence, it will be blocked because it doesn’t have your BIOS password.
HP Wolf Security
+4
3. Enable DMA Protection (Direct Memory Access)
This prevents “DMA attacks” where a malicious device plugged into a port (like a rogue USB or Thunderbolt device) tries to read your computer’s memory directly.
Location: BIOS > Advanced > System Options (or Security > DMA Protection).
Action: Enable Pre-boot DMA Protection.
Why: It creates a barrier that prevents external hardware from bypassing Windows security to steal data or inject code.
HP Wolf Security
+2
4. Enable Virtualization-Based BIOS Protection
Location: BIOS > Advanced > System Options.
Action: Enable Virtualization Technology (VTx) and VT-d.
Why: Modern Windows security features (like Core Isolation and Memory Integrity) require these BIOS settings to be on. They create a “bubble” around your sensitive system processes so malware can’t touch them.
HP Wolf Security
+2
5. Windows Security Check (The “PUA” Kill-Switch)
Since you mentioned PUA issues specifically, ensure Windows is actively blocking them:
Open Windows Security > App & browser control.
Click Reputation-based protection settings.
Ensure Potentially unwanted app blocking is turned ON, and both “Block apps” and “Block downloads” are checked.
Microsoft
+1
Pro-Tip: After you save these BIOS changes, perform a Windows Defender Offline Scan. This restarts your PC and scans for malware before Windows fully loads, which is the best way to catch persistent PUAs that hide while the OS is running.
YouTube
+1
Since your Wi-Fi driver is still not loading, would you like the specific PowerShell commands to see if a PUA is actively blocking that hardware ID?
I don’t see DMA protection anywhere I’m in bio’s advanced system options
8 sites
On the HP EliteDesk 800, if you don’t see “DMA Protection” listed under Advanced > System Options, it is likely because your specific hardware generation (such as G1, G2, or G3) or BIOS version handles this protection differently.
HP
+1
To enable DMA (Direct Memory Access) protection on your system, look for these
alternative settings:
Virtualization for Directed I/O (VT-d): This is the technical foundation for DMA protection.
Location: Go to Advanced > System Options.
Action: Ensure Virtualization Technology (VTx) and Virtualization Technology for Directed I/O (VT-d) are both Checked/Enabled.
Pre-boot DMA Protection: If your system supports newer Thunderbolt or PCIe protection, it might be listed specifically as this.
Location: Advanced > System Options.
Action: If visible, set it to “All PCI Devices” or “PCIe expansion card”.
DMA Control Guarantee / IOMMU: On some business desktops, these are the labels used for the same protection.
HP
+7
How to Verify if it’s Active in Windows
If you cannot find a specific “DMA” toggle in the BIOS, it may already be active as part of your VT-d settings. You can check this from within Windows:
Search for System Information (or type msinfo32 in the start menu).
On the System Summary page, scroll down to the bottom.
Look for Kernel DMA Protection.
If it says On, your BIOS settings (specifically VT-d) have already enabled it.
If it says Off, you likely need to update your BIOS to a newer version to see these security options.
Microsoft Learn
+3
Recommendation: Since you are dealing
with malware/PUA issues, the most important “hardeners” you should see in Advanced > System Options are VT-d and HP Sure Start. If those are enabled, your memory is largely protected from external hardware attacks.
HP Support Community
+2
Do you see the VT-d checkbox under your System Options menu?
Yes the VTD settings are already on and enabled
That is excellent. With VT-d enabled, your hardware is ready to support Kernel DMA Protection and Memory Integrity in Windows, which are the primary defenses
against high-level malware trying to inject code into your system’s memory. [1, 5, 8]
To finalize the “hardening” and address that stubborn Wi-Fi driver, here are your final moves:
1. Confirm “Kernel DMA Protection” in Windows
Since you enabled VT-d in BIOS, verify it is working:
Open System Information (msinfo32).
Look for Kernel DMA Protection. If it says On, you have successfully shielded your memory from external port attacks. [5, 8]
2. Force the Wi-Fi Driver to Load
Since your drivers aren’t loading despite being “enabled,” a PUA or a leftover security policy might be blocking the Hardware ID.
The “Deep Clean” Command: Open PowerShell (Admin) and run:
pnputil /enum-devices /problem
If your Wi-Fi card appears with a problem, it will give you a Code.
Check for a “Ghost” LAN Connection: If you haven’t already, uncheck “LAN/WLAN Auto Switching” in BIOS. If that is on, and your Ethernet port is even slightly “noisy” or dusty, the BIOS will keep the Wi-Fi driver disabled thinking you have a cable plugged in. [3, 4]
3. The “PUA” Final Defense
Since you’ve had PUA issues, ensure Memory Integrity (Core Isolation) is on:
Go to Windows Security > Device Security > Core isolation details.
Toggle Memory Integrity to ON.
Note: If it won’t turn on, it will list “Incompatible Drivers.” This is actually a great way to find the specific malware or old, junk drivers that are causing your Wi-Fi issues. [6, 7]
Summary Checklist:
VT-d: Enabled (Done).
Absolute Persistence: Inactive/Disabled (Done).
LAN/WLAN Auto Switching: Disabled (To fix Wi-Fi).
Memory Integrity: Enabled (To block PUAs). [6, 7]
Does the Memory Integrity toggle in Windows show any incompatible drivers when you try to turn it on?
Yes I’ve been keeping up with the Windows 11 updates and the core isolation is on and luckily I haven’t had any driver conflicts
That is a huge win—Memory Integrity being on without driver errors means your core system files are currently protected from the most common high-level exploits.
[2, 3]
Since your BIOS is now hardened and Windows security is active, the Wi-Fi issue likely boils down to a stuck hardware flag or an HP-specific software conflict. [5, 6]
Final Wi-Fi Rescue Steps
The “HP Hotkey” Glitch: Some EliteDesks have a physical or “soft” Fn-key lock. Ensure you haven’t accidentally disabled wireless via a keyboard shortcut (look for a plane or antenna icon on the F-keys). [5]
BIOS “Hard” Reset: In the BIOS, under Advanced > Built-in Device Options, uncheck Wireless Network (WLAN), save and exit. Boot into Windows. Then, go back into BIOS and re-check it. This “power cycles” the M.2 slot at the firmware level. [5, 6]
Check for “Device Guard” Conflicts: Sometimes Windows 11’s high security (Virtualization-based Security) blocks
older Wi-Fi firmware from loading. Ensure you are using the Intel AX200/AX210 driver (if that’s your card) specifically labeled for Windows 11. [2, 3]
If you open Device Manager, does the Wi-Fi card show up under Network Adapters at all, or is there an “Unknown Device” under Other Devices? [5, 6]
Next Step: Check Device Manager for any “Unknown Device” or “PCI Controller” with a yellow triangle and let me know the Hardware ID from the Details tab.
The device manager shows it on an active and fine it just does not show in the settings like the radio might be off and I’ve already went through the seps in services to make sure all the according services at
affect the Wi-Fi to be on
If your Wi-Fi adapter is visible and “working properly” in Device Manager but the Wi-Fi toggle is missing or won’t turn on in Windows Settings, you are likely dealing with a “Software Radio Lock”
The device manager shows it on an active and fine it just does not show in the settings like the radio might be off and I’ve already went through the steps in services to make sure all the according services that are affected the Wi-Fi to be on
If Device Manager says the card is “working properly” but Windows says the radio is off, you’re likely stuck in a “Hardware Radio Kill” state. On HP EliteDesks, this is almost always caused by a conflict between the BIOS and Windows power management.
Here is the “last mile” fix for this specific scenario:
1. The “Power Management” Handshake Fix
Windows might have “parked” the radio to save power, and now it can’t wake it back up.
In Device Manager, right-click your Intel Wi-Fi adapter > Properties.
Go to the Power Management tab.
Uncheck “Allow the computer to turn off this device to save power.”
Click OK, then Disable the device in Device Manager, wait 5 seconds, and Enable it.
2. Check for “HP Hotkey Support”
HP EliteDesks use a specific driver called HP Hotkey Support (or HP Collaboration Keys). If this driver is corrupted or missing, Windows might think the “Physical Wireless Switch” is in the OFF position, even if your model doesn’t have a physical button.
Check your Apps & Features list for “HP
Hotkey Support.” If it’s there, try uninstalling it. Windows 11 often manages the keys better without the old HP software.
3. Clear the CMOS (The “Nuclear” Option)
Sometimes the BIOS “Hardware Radio” flag gets stuck in an “Off” state that even a BIOS update won’t fix.
Unplug the PC.
Open the case and look for a small yellow button on the motherboard labeled CMOS.
Hold it down for 5-10 seconds.
Plug back in and boot up. This forces the BIOS to re-detect the Wi-Fi card’s radio state from scratch.
4. Use the “Radio Enable” Command
Open PowerShell (Admin) and paste this command to see if Windows thinks the radio is software-locked:
Get-NetAdapterWirelessProperty
Look at the Status or State. If it says
“Hardware Off” or “Software Off,” try this to force it on:
netsh interface set interface “Wi-Fi” admin=enabled
(Replace “Wi-Fi” with whatever the name is in your Network Connections).
One quick question: On your keyboard, does your F12 key have a small light on it (usually an orange or white LED)? If that light is orange, the hardware radio is locked by the BIOS.
Would you like the steps to check the HP LAN/WLAN Switching service specifically, as that is the #1 killer of Wi-Fi on the 800 G series?
Okay I have my hands full that’s enough you did a thorough excellent job of
describing all the things I need to do I really appreciate it
You’re very welcome! It sounds like you’ve got a solid plan to lock down that HP EliteDesk and get your Wi-Fi back on the grid.
Just remember the “Golden Rule” for these HP business machines: if the hardware looks perfect in Device Manager but won’t connect, disable that “LAN/WLAN Auto Switching” in the BIOS first—it’s the most common “ghost” in the machine.
Good luck with the hardening process and clearing out those PUAs!
Would you like me to stay on standby in case you run into a “Code” error or a specific driver conflict while applying these changes?
Okay I do need your help because I noticed something strange that I’ve never seen before which is like a summary of everything that I just told you that is going to be applied if I check a certain code and enter the buttons one bios rollback via MI disabling sure start bio settings protection via WMI3 resetting security settings to defaults via mi 4 changing secure boot state disabled clerky’s and poor custom keys or reset to factory defaults Intel SGX disabled theft recovery permanent disabled power on password set change or deleted from wm I reset
5 sites