Using Microsoft Health Attestation Reports

The Health Attestation feature gives administrators an overview of the security health of their Windows Modern devices. It captures several security measurements at boot time and protects the reported data in the device's Trusted Platform Module (TPM). The boot measurements are then forwarded to the Health Attestation Service (HAS), which confirms the authenticity and integrity of the reported measurements. If a device report fails to meet the enterprise security compliance criteria, administrators can take preventative actions such as unenrolling the device or removing its Virtual Private Network (VPN) configurations.

Restriction: Only Windows Modern devices running Windows 10 or later support Health Attestation. Devices need internet access to the Health Attestation Service (HAS) hosted by Microsoft for the Device Health Attestation report. These devices must support Trusted Platform Module (TPM) 1.2 or 2.0. The report lists incompatible devices, and since users can upgrade the TPM support in the future, incompatibility warnings are not suppressed.


Process Flow

SOTI MobiControl requests a health status report each time a Windows Modern device checks in. Devices send their reports to the HAS, after which SOTI MobiControl pulls the reports from the HAS and checks them for compliance.

Viewing and Configuring a Health Attestation Policy

You can view the details of a device's compliance in its Device Information panel. Health Attestation compliance information resides in the Health Attestation Details section of the Device Details tab. The database stores historical data on compliance for future reporting. Additionally, you can design a tailored Health Attestation policy to choose available parameters according to their significance for your organization. For example, if the Test Signing parameter’s compliance status is not crucial for your organization’s security, you can disable it in your Health Policy. This way, your devices report compliance based solely on the parameters that matter to you. See Using Health Policies and Security Parameters for more details.
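
The following added example is a simplified model of how a tailored policy scopes the compliance verdict. It is not SOTI MobiControl code. The parameter names follow Microsoft's Device Health Attestation report fields, while the `evaluate` function, the policy sets and the report values are assumptions constructed for illustration.

```python
# Added illustration: a simplified model of policy-scoped compliance,
# not SOTI MobiControl code. All report values below are constructed.

# Value each parameter should have on a healthy device
# (names as in Microsoft's Device Health Attestation report).
HEALTHY = {
    "SecureBootEnabled": True,
    "CodeIntegrityEnabled": True,
    "BootDebuggingEnabled": False,
    "OSKernelDebuggingEnabled": False,
    "TestSigningEnabled": False,
}


def evaluate(report, enabled_parameters):
    """Return (compliant, findings), judging only parameters enabled in the policy."""
    findings = {}
    for name in sorted(enabled_parameters):
        if name not in HEALTHY:
            raise ValueError(f"unknown policy parameter: {name}")
        if name not in report:
            # A value the device never reported cannot be assumed healthy.
            findings[name] = "missing"
        elif report[name] != HEALTHY[name]:
            findings[name] = f"expected {HEALTHY[name]}, got {report[name]}"
    return (not findings, findings)


# Constructed report: test signing is on, everything else is healthy.
SAMPLE_REPORT = {
    "SecureBootEnabled": True,
    "CodeIntegrityEnabled": True,
    "BootDebuggingEnabled": False,
    "OSKernelDebuggingEnabled": False,
    "TestSigningEnabled": True,
}

STRICT_POLICY = set(HEALTHY)                              # every parameter counts
RELAXED_POLICY = STRICT_POLICY - {"TestSigningEnabled"}   # Test Signing disabled

if __name__ == "__main__":
    for label, policy in (("strict", STRICT_POLICY), ("relaxed", RELAXED_POLICY)):
        compliant, findings = evaluate(SAMPLE_REPORT, policy)
        print(f"{label}: compliant={compliant} findings={findings}")
```

A disabled parameter drops out of the verdict entirely, so the relaxed policy reports this device as compliant even though test signing is on.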

Tip: Search for devices with specific Health Attestation properties to triage them as required. See Searchable Health Attestation Properties.