Using Microsoft Health Attestation Reports

The Health Attestation feature provides administrators with an overview of the security health of their Windows Modern devices. This is achieved by capturing a number of security measurements during boot time and protecting the reported data in the Trusted Platform Module (TPM) of the device. The boot measurements are then forwarded to the Health Attestation Service (HAS), hosted by Microsoft, to attest to the authenticity and integrity of the reported measurements. If a device report fails to meet the enterprise security compliance criteria, administrators can then take preventative actions, such as unenrolling the device or removing VPN configurations.

A health status report is requested each time a Windows Modern device checks in to SOTI MobiControl. Every report prepared by a device is sent to the HAS and SOTI MobiControl pulls each report down from HAS and checks to make sure all devices are compliant according to the report.

Health attestation is supported on Windows Modern devices running Windows 10 or later.

You can view the details of a device's compliance in its Device Information panel. Health Attestation compliance information resides in the Health Attestation Details section of the Device Details tab. Historical data on compliance is also stored in the database for future reporting.

The Device Health Attestation report requires that devices have internet access to the HAS hosted by Microsoft. Devices must also support Trusted Platform Module (TPM) 1.2 or 2.0. Incompatible devices are reported and because support for TPM on the device can potentially be upgraded in the future, the incompatibility warnings are not suppressed.

You can create a specialized Health Policy that you customize to prioritize parameters based on their importance for your organization. For example, if it is not relevant to your organization's security that the Test Signing parameter is non-compliant, you can disable it in your Health Policy, so that your devices report compliance based only on relevant parameters.

You can also create an alert rule to trigger a notification whenever a security parameter fails or registers a warning.