Health Attestation
The Health Attestation settings configure and evaluate the health of a Windows device.
| Policy setting | Description | Supported devices |
|---|---|---|
| Enforce device health attestation | If this setting is enabled, device health is evaluated. Devices are monitored regularly against the criteria configured in the basic and advanced health state definitions. The device health attestation state is published in the Device view. You can also use compliance rules to enforce device health. | |
| **Device health state definition - basic** | | |
| Secure boot enabled | If this setting is enabled, Secure Boot is evaluated: whether the device is loading factory-trusted code and whether the boot loader has been tampered with. | |
| Early launch anti-malware driver loaded | If this setting is enabled, evaluates whether the Windows Defender early launch anti-malware (ELAM) driver is loaded during the initial boot. ELAM provides protection during device startup. Disable this setting if you are using third-party antivirus software. | |
| Data execution prevention policy enabled | If this setting is enabled, evaluates whether the data execution prevention (DEP) policy is enabled on the device. DEP uses a set of technologies that perform extra checks on memory to prevent malicious code from running on a system. | |
| BitLocker encryption enabled | If this setting is enabled, BitLocker encryption is evaluated on the device. Disable this setting if you are using third-party software for encryption. | |
| Attestation identity key present | If this setting is enabled, evaluates whether a valid endorsement key certificate is present on the device. | |
| Code integrity version | Specify the current code integrity version. Leave the field blank to ignore the code integrity version check. | |
| Code integrity enabled | If this setting is enabled, evaluates whether code integrity is enabled. Code integrity validates the integrity of drivers and system files each time they are loaded into operating system kernel memory. | |
| Boot manager version | Specify the boot manager version. Leave the field blank to ignore the boot manager version check. | |
| **Device health state definition - advanced** | | |
| Boot debug not enabled | If this setting is enabled, evaluates that boot debugging is not enabled on the device. | |
| Secure boot configuration policy hash | Specify the hash of a custom secure boot configuration policy (SBCP) that is loaded during the boot of a Windows phone. | |
| Windows pre-installation environment not enabled | If this setting is enabled, evaluates that the device is not running in the Windows Preinstallation Environment. The preinstallation environment is used to prepare a device during Windows installation, copy disk images, and initiate Windows Setup. | |
| Safe mode not enabled | If this setting is enabled, evaluates that the device has not been started in safe mode. | |
| Platform configuration register [0] | Specify the expected value of platform configuration register 0 (PCR[0]), a storage register that holds a measurement of the components provided by the host platform manufacturer, so that the host platform can be compared between boot cycles. | |
| Virtual secure mode enabled | If this setting is enabled, evaluates whether virtual secure mode (VSM) is enabled. | |
| Test signing not enabled | If this setting is enabled, evaluates that test signing is not enabled. Keeping test signing disabled enforces signature validation on drivers during boot and prevents unsigned drivers from being loaded on the device. | |
| OS kernel debugging not enabled | If this setting is enabled, evaluates that the operating system kernel is not running in debug mode. | |
| Code integrity policy hash | Specify the hash of the code integrity policy that controls the security of the boot environment. | |
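The following is an added example, not the product's own code, showing how the basic and advanced definitions above combine into one health verdict: on/off settings are required claims, a setting can be switched off (as the table advises for the ELAM and BitLocker checks when third-party software is used), and a blank version or hash field means that check is ignored rather than required to be empty. The report claim names (SecureBootEnabled, ELAMDriverLoaded, and so on) are modelled on the Windows Device Health Attestation validation report but are treated here as assumptions, and the sample report is constructed.

```python
"""Added example (not the product's own code): evaluate a constructed device
health attestation report against a policy built from the basic and advanced
health state definitions. Claim names are assumptions modelled on the Windows
DHA validation report; all claims are plain booleans or strings."""
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Check:
    setting: str    # policy setting name as it appears in the table
    claim: str      # key looked up in the attestation report
    expected: Any   # bool for on/off settings, string for version/hash settings
    tier: str       # "basic" or "advanced"


# On/off settings: the claim must equal the listed value for the device to be
# healthy, so every "not enabled" setting expects False.
BOOL_CHECKS = [
    ("Secure boot enabled", "SecureBootEnabled", True, "basic"),
    ("Early launch anti-malware driver loaded", "ELAMDriverLoaded", True, "basic"),
    ("Data execution prevention policy enabled", "DEPPolicy", True, "basic"),
    ("BitLocker encryption enabled", "BitLockerStatus", True, "basic"),
    ("Attestation identity key present", "AIKPresent", True, "basic"),
    ("Code integrity enabled", "CodeIntegrityEnabled", True, "basic"),
    ("Boot debug not enabled", "BootDebuggingEnabled", False, "advanced"),
    ("Windows pre-installation environment not enabled", "WinPE", False, "advanced"),
    ("Safe mode not enabled", "SafeMode", False, "advanced"),
    ("Virtual secure mode enabled", "VSMEnabled", True, "advanced"),
    ("Test signing not enabled", "TestSigningEnabled", False, "advanced"),
    ("OS kernel debugging not enabled", "OSKernelDebuggingEnabled", False, "advanced"),
]

# Version/hash settings: compared against an administrator-supplied string;
# a blank field means the check is ignored, as the table says.
VALUE_CHECKS = {
    "Code integrity version": ("CodeIntegrityRevListVersion", "basic"),
    "Boot manager version": ("BootManagerRevListVersion", "basic"),
    "Secure boot configuration policy hash": ("SBCPHash", "advanced"),
    "Platform configuration register [0]": ("PCR0", "advanced"),
    "Code integrity policy hash": ("CIPolicy", "advanced"),
}


def build_policy(disabled_settings=(), expected_values=None):
    """Return the active checks. disabled_settings: on/off settings switched
    off in the console (e.g. ELAM with third-party AV). expected_values:
    {setting name: version or hash}; missing or blank entries are ignored."""
    disabled = set(disabled_settings)
    expected_values = expected_values or {}
    checks = [Check(s, c, v, t) for s, c, v, t in BOOL_CHECKS if s not in disabled]
    for setting, (claim, tier) in VALUE_CHECKS.items():
        wanted = (expected_values.get(setting) or "").strip()
        if wanted:  # blank field: version/hash check ignored
            checks.append(Check(setting, claim, wanted, tier))
    return checks


def evaluate(report, checks):
    """Return (healthy, failures). A claim that is missing or of the wrong
    type fails closed, so an incomplete report never reads as healthy."""
    failures = []
    for check in checks:
        actual = report.get(check.claim)
        if isinstance(check.expected, bool):
            ok = isinstance(actual, bool) and actual == check.expected
        else:  # hashes and versions: case-insensitive exact match
            ok = isinstance(actual, str) and actual.lower() == check.expected.lower()
        if not ok:
            failures.append(f"[{check.tier}] {check.setting}: "
                            f"expected {check.expected!r}, got {actual!r}")
    return not failures, failures


# Constructed report: a workstation running third-party antivirus (Defender
# ELAM driver not loaded) with test signing left on by a developer.
SAMPLE_REPORT = {
    "SecureBootEnabled": True, "ELAMDriverLoaded": False, "DEPPolicy": True,
    "BitLockerStatus": True, "AIKPresent": True, "CodeIntegrityEnabled": True,
    "CodeIntegrityRevListVersion": "10.0.19041.1",
    "BootManagerRevListVersion": "10.0.19041.1",
    "BootDebuggingEnabled": False, "WinPE": False, "SafeMode": False,
    "VSMEnabled": True, "TestSigningEnabled": True,
    "OSKernelDebuggingEnabled": False, "PCR0": "constructed-pcr0-measurement",
}


def demo():
    """Default policy flags ELAM and test signing; the tuned policy disables
    the ELAM check for third-party AV and pins the code integrity version."""
    default_result = evaluate(SAMPLE_REPORT, build_policy())
    tuned = build_policy(
        disabled_settings={"Early launch anti-malware driver loaded"},
        expected_values={"Code integrity version": "10.0.19041.1",
                         "Boot manager version": ""},  # blank: ignored
    )
    return default_result, evaluate(SAMPLE_REPORT, tuned)


if __name__ == "__main__":
    for label, (healthy, failures) in zip(("default", "tuned"), demo()):
        print(f"{label}: {'healthy' if healthy else 'unhealthy'}")
        for line in failures:
            print("  " + line)
```

With the default policy the constructed report fails on two advanced/basic items (ELAM not loaded, test signing enabled); switching the ELAM check off for the third-party antivirus case leaves only the test signing failure, and the blank boot manager version field adds no check at all. Failing closed on missing or non-boolean claims is deliberate: a device that omits a claim should not pass as healthy by accident.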