Monday, April 4, 2016

Health attestation in ConfigMgr Current Branch (1602)

Within ConfigMgr Current Branch (1602) a new feature called Health Attestation is available. It can be found in 'Client Settings > Enable communication with Health Attestation Service = Yes' and in 'Monitoring > Security > Health Attestation'.

Health Attestation lets the administrator ensure that client computers have the following trustworthy BIOS, TPM, and boot software configurations enabled:

- Early-launch antimalware (ELAM) - protects your computer when it starts up and before third-party drivers initialize.
- BitLocker - software that lets you encrypt all data stored on the Windows operating system volume.
- Secure Boot - a security standard developed by members of the PC industry to help make sure that your PC boots using only software that is trusted by the PC manufacturer.
- Code Integrity - a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory.

Very nice to see there's a new dashboard too, which shows the following information:

- Health Attestation Status - share of devices in compliant, noncompliant, error, and unknown states
- Devices Reporting Health Attestation - percentage of devices reporting Health Attestation status
- Noncompliant Devices by Client Type - share of mobile devices and computers that are noncompliant
- Top Missing Health Attestation Settings - number of devices missing the health attestation setting, listed per setting

Unfortunately the functionality is not working yet. Hope it will be available in a later release. Very nice to see new functionality every few months! Microsoft is doing a good job here :-)

Update 5-4: After some time waiting there is something visible now. A mobile device is added, which misses BitLocker and Early-launch antimalware. Not as much as expected.. Hope to see more soon!

1 comment:

  1. Hello Henk!

    Do you have experience in configuration of Device Health Attestation Services with an on-premises Windows Server 2016?
    I've installed and configured the DHA Service Role on Windows Server 2016. After that I've added the Service URL into the Client Settings Policy. But I can't see any information in the Configuration Manager Console - Dashboard...

    Thanks for your reply.
    Best Regards