Security Parameters

The following parameters are checked for compliance by the Health Attestation Service.

| Parameter | Description | Compliant Status |
|---|---|---|
| Early launch anti-malware | Protects computers in your network when they start up and before third-party drivers initialize. | Enabled |
| Attestation Identity Key (AIK) | Indicates that the device has an endorsement key certificate. | Present on device |
| Boot Manager Version | Indicates the version of the Boot Manager and facilitates tracking of the security of the boot sequence and environment. | Running latest version |
| Code Integrity | Restricts code execution to integrity verified code. | Enabled |
| Code Integrity Version | Helps in ensuring latest code is used for performing integrity checks during the boot sequence. | Running latest version |
| Data Execution Prevention (DEP) | DEP policy defines a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. | Enabled |
| Boot debug is disabled | Indicates a device used for development and testing, which is typically less secure. | Disabled |
| BitLocker Status | Protects data on the device drive from unauthorized access. | Enabled |
| OS Kernel Debugging | Indicates a device used for development and testing, which is typically less secure. | Disabled |
| Platform Configuration Register[0] | Represents a consistent view of the Host Platform between boot cycles. | Is not present on the device (default policy is in place), or is present on device and is using a whitelisted value |
| Safe Mode | Starts your computer in a limited state. | Disabled |
| Secure Boot | Forces system to boot to a factory trusted state. | Enabled |
| Test Signing | Does not enforce signature validation during boot and allows unsigned drivers to load. | Disabled |
| Virtual Secure Mode | A container that protects high value assets from a compromised kernel. | Enabled |
| Windows Pre-Installation Environment | Minimal operating system with limited services that is used to prepare a computer for Windows installation, to copy disk images from a network file server, and to initiate Windows Setup. | Disabled |
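
The following added example (not code from the Health Attestation Service or from this product) evaluates a device's reported values against the compliant statuses listed above. It treats unreported values as non-compliant, except for PCR[0], whose absence is compliant. The report keys, version numbers and PCR[0] values are hypothetical and constructed for illustration.

```python
# Hypothetical report keys: the page names the parameters, not a wire format.
MUST_BE_ON = ["elam_loaded", "aik_present", "code_integrity", "dep",
              "bitlocker", "secure_boot", "virtual_secure_mode"]
MUST_BE_OFF = ["boot_debug", "kernel_debug", "safe_mode", "test_signing",
               "winpe"]
VERSIONED = ["boot_manager_version", "code_integrity_version"]


def evaluate(report, latest_versions, pcr0_allowlist):
    """Return a sorted list of non-compliant parameters (empty = compliant)."""
    failures = []
    # A missing or non-boolean value fails closed: absence of evidence
    # is never treated as compliance.
    for key in MUST_BE_ON:
        if report.get(key) is not True:
            failures.append(key)
    for key in MUST_BE_OFF:
        if report.get(key) is not False:
            failures.append(key)
    # "Running latest version": anything older than expected is non-compliant.
    for key in VERSIONED:
        have = report.get(key)
        if not isinstance(have, int) or have < latest_versions[key]:
            failures.append(key)
    # PCR[0] is the one parameter where absence is compliant (default policy);
    # when present, it must match an allowlisted value.
    pcr0 = report.get("pcr0")
    if pcr0 is not None and pcr0.lower() not in pcr0_allowlist:
        failures.append("pcr0")
    return sorted(failures)


# Constructed sample data, not taken from a real device.
LATEST = {"boot_manager_version": 4, "code_integrity_version": 7}
ALLOWED_PCR0 = {"aa" * 32}
HEALTHY = {**dict.fromkeys(MUST_BE_ON, True),
           **dict.fromkeys(MUST_BE_OFF, False),
           "boot_manager_version": 4, "code_integrity_version": 7}
DEV_BOX = {**HEALTHY, "test_signing": True, "boot_manager_version": 3,
           "pcr0": "BB" * 32}
UNREPORTED = {k: v for k, v in HEALTHY.items() if k != "bitlocker"}

if __name__ == "__main__":
    for name, rep in [("healthy", HEALTHY), ("dev box", DEV_BOX),
                      ("unreported", UNREPORTED)]:
        print(name, "->", evaluate(rep, LATEST, ALLOWED_PCR0) or "compliant")
```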