Health attestation for System Center Configuration Manager


Administrators can view the status of Windows 10 Device Health Attestation in the Configuration Manager console. This functionality is available for PCs and on-premises resources managed by Configuration Manager and mobile devices managed with Microsoft Intune. Administrators can specify whether reporting is done via the cloud or on-premises infrastructure. The on-premises option lets administrators enable and monitor health attestation for client PCs that have no internet access. Device health attestation lets the administrator ensure that client computers have the following trustworthy BIOS, TPM, and boot software configurations enabled:

  • Early-launch antimalware - Early launch anti-malware (ELAM) protects your computer when it starts up and before third-party drivers initialize. How to turn on ELAM

  • BitLocker - Windows BitLocker Drive Encryption is software that lets you encrypt all data stored on the Windows operating system volume. How to turn on BitLocker

  • Secure Boot - Secure Boot is a security standard developed by members of the PC industry to help make sure that your PC boots using only software that is trusted by the PC manufacturer. Learn more about Secure Boot

  • Code Integrity - Code Integrity is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Learn about Code Integrity

This article contains information about new functionality introduced in version 1602 of System Center Configuration Manager (current branch). To use the new functionality, you must install update 1602. If you have not updated to the latest version of Configuration Manager, you can download the documentation for the version you use from the TechNet Gallery.

Configuration Manager Device Health Attestation displays the following:

  • Health Attestation Status - Shows the share of devices in compliant, noncompliant, error, and unknown states

  • Devices Reporting Health Attestation - Shows the percentage of devices reporting Health Attestation status

  • Noncompliant Devices by Client Type - Shows the share of mobile devices and computers that are noncompliant

  • Top Missing Health Attestation Settings - Shows the number of devices missing the health attestation setting, listed per setting


  • Client devices running Windows 10

  • TPM 2 enabled

  • The Configuration Manager client agent must be enabled to communicate with the Health Attestation service
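
A local pre-check of the client-side items listed above, as an added example that is not part of the original documentation. It reads the local state of Windows, the TPM, Secure Boot and BitLocker only; it is not the attested result that the Health Attestation service reports, and it does not check ELAM or Code Integrity. The function name `Test-HealthAttestationReadiness` is hypothetical, and the session is assumed to be elevated.

```powershell
# Added example (not Microsoft's code): local view of the requirements and of
# two of the settings that Device Health Attestation reports on.
# Assumption: run from an elevated PowerShell session on the client.
function Test-HealthAttestationReadiness {
    [CmdletBinding()]
    param()

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.16"; the first field is the
    # TPM specification version. No instance means no usable TPM was found.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }
    $tpmEnabled = [bool]($tpm -and $tpm.IsEnabled_InitialValue)

    # Confirm-SecureBootUEFI throws on legacy BIOS firmware; report that as $false.
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = $false }

    # BitLocker protection state of the operating system volume.
    $blv = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $bitLockerOn = [bool]($blv -and ($blv.ProtectionStatus -eq 'On'))

    $isWin10 = $os.Caption -match 'Windows 10'
    $tpm20   = $tpmEnabled -and ($tpmSpec -like '2.*')

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OperatingSystem   = $os.Caption
        IsWindows10       = $isWin10
        TpmSpecVersion    = $tpmSpec
        Tpm2Enabled       = $tpm20
        SecureBootEnabled = $secureBoot
        BitLockerOsVolume = $bitLockerOn
        # Only the two hardware/OS requirements from the list above gate this flag.
        MeetsRequirements = $isWin10 -and $tpm20
    }
}

Test-HealthAttestationReadiness | Format-List
```

A client where `MeetsRequirements` is false will not be able to report health attestation status, regardless of the client setting.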

How to enable Health Attestation service communication on Configuration Manager client computers

  1. In the Configuration Manager console, choose Administration > Overview > Client Settings. Select the tab for Computer Agent settings.

  2. In the Default Settings dialog box, select Computer Agent and then scroll down to Enable communication with Health Attestation Service.

  3. Set Enable communication with Health Attestation Service to Yes, and then click OK.

How to enable on-premises Health Attestation service communication on Configuration Manager client computers

  1. In the Configuration Manager console, navigate to Administration > Overview > Client Settings, and then set Use on-premises Health Attestation Service to Yes.

  2. Specify the On-premise Health Attestation Service URL, and then click OK.

  1. To view the Device Health Attestation view, in the Configuration Manager console go to the Monitoring workspace, click the Security node, and then click Health Attestation.

  2. Device Health Attestation is displayed.

Client device Health Attestation status can be used to define rules for conditional access in compliance policies for devices managed by Configuration Manager with Microsoft Intune. For details, see Manage device compliance policies in System Center Configuration Manager.

Monitor and maintain System Center Configuration Manager