Using Microsoft Health Attestation Reports
The Health Attestation feature gives administrators an overview of the security health of their Windows Modern devices. This involves capturing several security measurements at boot time and protecting the reported data in the device's Trusted Platform Module (TPM). The boot measurements are then forwarded to the Health Attestation Service (HAS), which confirms the authenticity and integrity of the reported measurements. If a device report fails to meet the enterprise security compliance criteria, administrators can take preventative actions, such as unenrolling the device or removing its Virtual Private Network (VPN) configurations.
This section includes the following topics:
Process Flow
SOTI MobiControl requests a health status report each time a Windows Modern device checks in. Devices send their reports to the HAS, after which SOTI MobiControl pulls the reports from the HAS and checks them for compliance.
Viewing and Configuring a Health Attestation Policy
You can view the details of a device's compliance in its Device Information panel. Health Attestation compliance information resides in the Health Attestation Details section of the Device Details tab. The database stores historical data on compliance for future reporting. Additionally, you can design a tailored Health Attestation policy to choose available parameters according to their significance for your organization. For example, if the Test Signing parameter’s compliance status is not crucial for your organization’s security, you can disable it in your Health Policy. This way, your devices report compliance based solely on the parameters that matter to you. See Using Health Policies and Security Parameters for more details.
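The effect of disabling a parameter in a Health Policy can be seen in the following added sketch, which is not SOTI MobiControl code. The parameter names follow the Windows HealthAttestation CSP report; the expected values, the `evaluate` function and the sample report are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Expected "healthy" value per parameter (assumed values, for illustration).
HEALTHY = {
    "SecureBootEnabled": True,
    "BitLockerStatus": True,
    "CodeIntegrityEnabled": True,
    "TestSigningEnabled": False,
    "BootDebuggingEnabled": False,
    "OSKernelDebuggingEnabled": False,
}

@dataclass
class Verdict:
    compliant: bool
    failures: dict  # enforced parameter -> reason it failed
    ignored: list   # reported parameters the policy does not enforce

def evaluate(report: dict, enforced: set) -> Verdict:
    """Check a health report against the parameters a policy enforces."""
    unknown = enforced - HEALTHY.keys()
    if unknown:
        raise ValueError(f"policy enforces unknown parameters: {sorted(unknown)}")
    failures = {}
    for name in sorted(enforced):
        if name not in report:
            # Fail closed: an enforced measurement that is absent is a failure.
            failures[name] = "missing from report"
        elif report[name] is not HEALTHY[name]:
            # Identity check, so 1 or "true" does not pass as True.
            failures[name] = f"reported {report[name]!r}, expected {HEALTHY[name]!r}"
    ignored = sorted(k for k in report if k not in enforced)
    return Verdict(not failures, failures, ignored)

# Constructed sample: a device that booted with test signing turned on.
SAMPLE_REPORT = {
    "SecureBootEnabled": True,
    "BitLockerStatus": True,
    "CodeIntegrityEnabled": True,
    "TestSigningEnabled": True,
    "BootDebuggingEnabled": False,
    "OSKernelDebuggingEnabled": False,
}

if __name__ == "__main__":
    strict = set(HEALTHY)
    relaxed = strict - {"TestSigningEnabled"}  # Test Signing disabled in policy
    print(evaluate(SAMPLE_REPORT, strict))
    print(evaluate(SAMPLE_REPORT, relaxed))
```

Under the relaxed policy the same device is reported as compliant, so a disabled parameter should be one whose state the organization has deliberately decided not to act on.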