Health Attestation

The Health Attestation settings configure how the health of a Windows device is evaluated and which checks a device must pass.

Table 1. Health attestation settings

| Policy setting | Description | Supported devices |
|---|---|---|
| Enforce device health attestation | If this setting is enabled, the device health is evaluated. Devices are regularly monitored against the criteria configured in the basic and advanced health state definitions. The device health attestation state is published in the Device view. You can also use compliance rules to enforce device health. | Windows Phone 10+; Windows 10+ Professional, Education, Enterprise; Windows Team |

Device health state definition - basic

| Policy setting | Description | Supported devices |
|---|---|---|
| Secure boot enabled | If this setting is enabled, evaluates whether secure boot is on, that is, whether the device loads only factory-trusted code and the boot loader has not been tampered with. | Windows Phone 10+; Windows 10+ Professional, Education, Enterprise; Windows Team |
| Early launch anti-malware driver loaded | If this setting is enabled, evaluates whether the Windows Defender early launch anti-malware (ELAM) driver is loaded during the initial boot. ELAM provides protection during device startup. Disable this setting if you are using third-party antivirus software. | Windows Phone 10+; Windows 10+ Professional, Education, Enterprise; Windows Team |
| Data execution prevention policy enabled | If this setting is enabled, evaluates whether the data execution prevention (DEP) policy is enabled on the device. DEP uses a set of technologies that perform extra checks on memory to prevent malicious code from running on the system. | Windows Phone 10+; Windows 10+ Professional, Education, Enterprise; Windows Team |
| BitLocker encryption enabled | If this setting is enabled, BitLocker encryption is evaluated on the device. Disable this setting if you are using third-party software for encryption. | Windows Phone 10+; Windows 10+ Professional, Education, Enterprise; Windows Team |
| Attestation identity key present | If this setting is enabled, evaluates whether a valid endorsement key certificate is present on the device. | Windows Phone 10+; Windows 10+ Professional, Education, Enterprise; Windows Team |
| Code integrity version | Specify the current code integrity version. Leave the field blank to skip the code integrity version check. | Windows Phone 10+; Windows 10+ Professional, Education, Enterprise; Windows Team |
| Code integrity enabled | If this setting is enabled, evaluates whether code integrity is enabled. Code integrity validates the integrity of drivers and system files each time they are loaded into operating system kernel memory. | Windows Phone 10+; Windows 10+ Professional, Education, Enterprise; Windows Team |
| Boot manager version | Specify the boot manager version. Leave the field blank to skip the boot manager version check. | Windows Phone 10+; Windows 10+ Professional, Education, Enterprise; Windows Team |

Device health state definition - advanced

| Policy setting | Description | Supported devices |
|---|---|---|
| Boot debug not enabled | If this setting is enabled, evaluates whether boot debugging is not enabled on the device. | Windows Phone 10+; Windows 10+ Professional, Education, Enterprise; Windows Team |
| Secure boot configuration policy hash | Specify the hash of a custom secure boot configuration policy (SBCP) that is loaded during the boot of a Windows phone. | Windows Phone 10+; Windows 10+ Professional, Education, Enterprise; Windows Team |
| Windows pre-installation environment not enabled | If this setting is enabled, evaluates whether the device is not running the Windows Preinstallation Environment. The preinstallation environment is used to prepare a device during Windows installation, copy disk images, and start Windows Setup. | Windows Phone 10+; Windows 10+ Professional, Education, Enterprise; Windows Team |
| Safe mode not enabled | If this setting is enabled, evaluates whether the device has not been started in safe mode. | Windows Phone 10+; Windows 10+ Professional, Education, Enterprise; Windows Team |
| Platform configuration register [0] | Specify the expected value of platform configuration register (PCR) 0. A PCR is a storage register that holds a measurement of the components provided by the host platform manufacturer, so the host platform can be compared between boot cycles. | Windows Phone 10+; Windows 10+ Professional, Education, Enterprise; Windows Team |
| Virtual secure mode enabled | If this setting is enabled, evaluates whether virtual secure mode (VSM) is enabled. | Windows Phone 10+; Windows 10+ Professional, Education, Enterprise; Windows Team |
| Test signing not enabled | If this setting is enabled, evaluates whether test signing is not enabled. With test signing off, driver signatures are validated during boot and unsigned drivers are prevented from loading on the device. | Windows Phone 10+; Windows 10+ Professional, Education, Enterprise; Windows Team |
| OS kernel debugging not enabled | If this setting is enabled, evaluates whether the operating system kernel is not running in debug mode. | Windows Phone 10+; Windows 10+ Professional, Education, Enterprise; Windows Team |
| Code integrity policy hash | Specify the hash of the code integrity policy that controls the security of the boot environment. | Windows Phone 10+; Windows 10+ Professional, Education, Enterprise; Windows Team |
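When a device fails attestation, it helps to see which of the basic and advanced checks above it would fail. The following PowerShell script is an added example, not part of this product or of Windows Device Health Attestation; it approximates each check with local queries and assumes an elevated PowerShell session on a Windows 10+ desktop (English-locale bcdedit output). The real attestation result is derived from TPM-signed boot measurements, so a locally produced PASS is only as trustworthy as the running OS and is a troubleshooting aid, not a substitute for the attested state.

```powershell
# Added example: mirrors the basic and advanced health state definitions with local queries.
# Requires an elevated session; Confirm-SecureBootUEFI, Get-BitLockerVolume and bcdedit need admin.
function Get-LocalHealthState {
    $bcd = bcdedit /enum '{current}' 2>$null                 # boot settings of the running OS entry
    $dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem

    [ordered]@{
        # ---- basic definition ----
        # Confirm-SecureBootUEFI throws on legacy BIOS firmware; treat that as not enabled.
        SecureBootEnabled     = try { [bool](Confirm-SecureBootUEFI) } catch { $false }
        # ELAM drivers unload after boot, so check that Defender's WdBoot is registered boot-start
        # rather than whether it is currently running.
        ElamDriverRegistered  = [bool](Get-CimInstance Win32_SystemDriver -Filter "Name='WdBoot'" |
                                  Where-Object StartMode -eq 'Boot')
        # DataExecutionPrevention_SupportPolicy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut
        DepPolicyEnabled      = $os.DataExecutionPrevention_SupportPolicy -ne 0
        BitLockerEnabled      = (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus -eq 'On'
        # Approximation of the report's code-integrity flag: HVCI running (service id 2)
        # or a code integrity policy enforced (status 2).
        CodeIntegrityEnforced = ($dg.SecurityServicesRunning -contains 2) -or
                                ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2)
        # ---- advanced definition ----
        BootDebugNotEnabled   = -not ($bcd -match '^bootdebug\s+Yes')
        # The MiniNT control key exists only inside Windows PE.
        NotWindowsPE          = -not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\MiniNT')
        SafeModeNotEnabled    = $cs.BootupState -eq 'Normal boot'
        # VirtualizationBasedSecurityStatus: 0 not enabled, 1 enabled but not running, 2 running
        VsmEnabled            = $dg.VirtualizationBasedSecurityStatus -eq 2
        TestSigningNotEnabled = -not ($bcd -match '^testsigning\s+Yes')
        KernelDebugNotEnabled = -not ($bcd -match '^debug\s+Yes')
    }
}

$state = Get-LocalHealthState
$state.GetEnumerator() | ForEach-Object {
    '{0,-24} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
```

The version and hash checks (code integrity version, boot manager version, SBCP hash, PCR[0], code integrity policy hash) are deliberately omitted, since their expected values are specific to your fleet and must be taken from a known-good device rather than guessed.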