Health attestation for Configuration Manager
Applies to: Configuration Manager (current branch)
You can view the status of Windows 10 Device Health Attestation in the Configuration Manager console. Device health attestation lets you make sure that client computers have the following trustworthy BIOS, TPM, and boot software configurations enabled:
Early-launch antimalware (ELAM) protects your computer when it starts up and before third-party drivers initialize. For more information, see theOverview of Early Launch AntiMalware.
Windows BitLocker Drive Encryption encrypts all data stored on the OS and data volumes, including removable disks. For more information, see Plan for BitLocker management.
Secure Boot is a security standard to help make sure that a device boots using only software that's trusted by the PC manufacturer. For more information, see Secure Boot.
Code Integrity improves OS security by validating the integrity of a driver or system file each time it's loaded into memory. For more information, see Enable virtualization-based protection of code integrity.
This functionality is available for on-premises resources managed by Configuration Manager and mobile devices managed with Microsoft Intune. You can specify whether reporting is done via the cloud or on-premises infrastructure. On-premises device health attestation monitoring enables you to monitor client PCs without internet access.
Enable health attestation
Requirements
Client devices running a supported version of Windows 10 or Windows Server 2016 or later, with Device health attestation enabled.
TPM 1.2 or TPM 2 enabled devices.
When using cloud management, communication between the Configuration Manager client agent and the management point with
has.spserv.microsoft.com(port 443) health attestation service. When on-premises, the client needs to communicate with the device health attestation-enabled management point.
How to enable health attestation service communication on Configuration Manager client computers
Use this procedure to enable device health attestation monitoring for devices that connect to the internet.
In the Configuration Manager console, choose Administration > Overview > Client Settings. Select the tab for Computer Agent settings.
In the Default Settings dialog box, select Computer Agent and then scroll down to Enable communication with Health Attestation Service.
Set Enable communication with Health Attestation Service to Yes, and then select OK.
Target the collections of devices that should report device health.
How to enable on-premises health attestation service communication on Configuration Manager client computers
Use this procedure to enable device health attestation monitoring for on-premises devices that don't connect to the internet.
You can configure the on-premises device health attestation service URL on the management point to support client devices without internet access.
In the Configuration Manager console, navigate Administration > Overview > Site Configuration > Sites.
Right-click the primary or secondary site with the management point that support on-premises device health attestation clients, and select Configure site components > Management Point. The Management Point Component Properties page opens.
On the Advanced Options tab, select Add and specify a valid on-premises device health attestation service URL. You can add multiple URLs. If multiple on-premises URLs are specified, clients receive the full set and randomly choose which to use.
In the Configuration Manager console, choose Administration > Overview > Client Settings. Select the tab for Computer Agent settings.
Scroll down to Enable communication with Health Attestation Service, and set to Yes.
Select the Use on-premises Health Attestation Service option, and set to Yes.
Target the collections of devices that should report device health with the client agent settings to enable device health attestation reporting.
You can also Edit or Remove device health attestation service URLs.
Monitor device health attestation
To view the device health attestation status, in the Configuration Manager console go to the Monitoring workspace, expand the Security node, and then select Health Attestation.
Configuration Manager device health attestation displays the following information:
Health Attestation Status - Shows the share of devices in compliant, noncompliant, error, and unknown states
Devices Reporting Health Attestation - Shows the percentage of devices reporting Health Attestation status
Noncompliant Devices by Client Type - Shows share of mobile devices and computers that are noncompliant
Top Missing Health Attestation Settings - Shows the number of devices missing the health attestation setting, listed per setting
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for