Keep your devices secure by using the Windows Health Attestation Service for compromised device detection. This service lets AirWatch verify the integrity of a device's boot process, as measured by the TPM at startup, and take corrective action when the device does not meet your definition of a healthy device.

For more information, see the Microsoft TechNet article on Health Attestation.

Note:

The compromised-status compliance policy applies to Windows 10 Mobile devices with a Trusted Platform Module (TPM) 1.2 or later.

To use compromised device detection:

  1. Navigate to Groups & Settings > All Settings > Devices & Users > Windows > Windows Phone > Windows Health Attestation .
  2. (Optional) Select Use Custom Server if you are using a custom on-premises server running Health Attestation, then enter the Server URL.
  3. Configure the Health Attestation settings:

    Setting and Description

    Compromised Status Definition

    Use Custom Server
      Select to configure a custom server for Health Attestation. This option requires a server running Windows Server 2016 or newer. Enabling this option displays the Server URL field.

    Server URL
      Enter the URL for your custom Health Attestation server.

    Secure Boot Disabled
      Enable to flag compromised device status when Secure Boot is disabled on the device.
      Secure Boot forces the system to boot into a factory-trusted state. When Secure Boot is enabled, the core components used to boot the machine must carry cryptographic signatures that the OEM trusts. The UEFI firmware verifies those signatures before it allows the machine to start, and Secure Boot halts startup if it detects any tampered boot files.

    Attestation Identity Key (AIK) Not Present
      Enable to flag compromised device status when the AIK is not present on the device.
      When an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate. Such a device can be trusted more than a device that does not have an EK certificate.

    Data Execution Prevention (DEP) Policy Disabled
      Enable to flag compromised device status when DEP is disabled on the device.
      The Data Execution Prevention (DEP) policy is a memory protection feature built into the system level of the OS. The policy prevents code from running out of data pages such as the default heap, stacks, and memory pools. DEP is enforced by both hardware and software.

    BitLocker Disabled
      Enable to flag compromised device status when BitLocker encryption is disabled on the device.

    Code Integrity Check Disabled
      Enable to flag compromised device status when the code integrity check is disabled on the device.
      Code integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity checks for unsigned drivers or system files before they load into the kernel. The check also detects system files that have been modified by malicious software run by a user with administrative privileges.

    Early Launch Anti-Malware Disabled
      Enable to flag compromised device status when early launch anti-malware is disabled on the device.
      Early launch anti-malware (ELAM) protects the computers in your network when they start up, before third-party drivers initialize.

    Code Integrity Version Check
      Enable to flag compromised device status when the code integrity version check fails.

    Boot Manager Version Check
      Enable to flag compromised device status when the boot manager version check fails.

    Boot App Security Version Number
      Enable to flag compromised device status when the boot app security version number does not meet the entered number.

    Boot Manager Security Version Number Check
      Enable to flag compromised device status when the boot manager security version number does not meet the entered number.

    Advanced Settings
      Enable to configure advanced settings, including the software version identifiers below.

    Software Version Identifiers

    Code Integrity Policy Hash Check
      Enable to define a whitelist of known, valid hash values for the code integrity policy. If the reported hash is not a whitelisted value, health attestation compliance fails.

    Secure Boot Config Policy Hash Check
      Enable to define a whitelist of known, valid hash values for the Secure Boot configuration policy. If the reported hash is not a whitelisted value, health attestation compliance fails.

    PCR0 Check
      Enable to define a whitelist of known, valid PCR0 measurements. PCR0 holds the TPM measurement of the firmware (BIOS/UEFI) trusted code, so this check verifies that the firmware has not been tampered with. If the reported measurement is not a whitelisted value, health attestation compliance fails.
  4. Select Save.
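The settings above amount to a policy: each toggle names a value from the device's health attestation report and a condition under which the device is flagged as compromised. The following Python example, added here for illustration and not part of AirWatch or the Windows Health Attestation Service, evaluates a report against such a policy. The report keys are modelled on the Windows HealthAttestation CSP node names (SecureBootEnabled, AIKPresent, DEPPolicy, BitLockerStatus, CodeIntegrityEnabled, ELAMDriverLoaded, CodeIntegrityRevListVersion, BootManagerRevListVersion, BootAppSVN, BootManagerSVN, CIPolicy, SBCPHash, PCR0), but the sample values, the integer encodings assumed for DEPPolicy and BitLockerStatus, and the AttestationPolicy field names are constructed for this example. It also shows the one behaviour the console text leaves implicit: a value missing from the report fails any enabled check that depends on it, so a device cannot pass by omitting data.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample report. Keys mirror the HealthAttestation CSP node names;
# the values are made up, and the integer encodings of DEPPolicy and
# BitLockerStatus (0 = off) are assumptions for this example.
SAMPLE_REPORT = {
    "SecureBootEnabled": True,
    "AIKPresent": True,
    "DEPPolicy": 3,              # assumed: 0 = DEP off, non-zero = DEP active
    "BitLockerStatus": 0,        # assumed: 0 = OS volume not encrypted
    "CodeIntegrityEnabled": True,
    "ELAMDriverLoaded": True,
    "CodeIntegrityRevListVersion": 12,
    "BootManagerRevListVersion": 5,
    "BootAppSVN": 2,
    "BootManagerSVN": 3,
    "CIPolicy": "5b8c0c7e" * 8,  # placeholder hex, not a real policy hash
    "SBCPHash": "a1b2c3d4" * 8,  # placeholder hex
    "PCR0": "0f1e2d3c" * 8,      # placeholder hex
}


@dataclass
class AttestationPolicy:
    """One field per console setting (names are this example's, not the UI's).
    Bool fields mirror the 'Enable to flag' toggles; None on a version or hash
    field means that check is not enabled."""
    secure_boot_disabled: bool = False
    aik_not_present: bool = False
    dep_policy_disabled: bool = False
    bitlocker_disabled: bool = False
    code_integrity_check_disabled: bool = False
    elam_disabled: bool = False
    min_code_integrity_rev_list_version: Optional[int] = None
    min_boot_manager_rev_list_version: Optional[int] = None
    min_boot_app_svn: Optional[int] = None
    min_boot_manager_svn: Optional[int] = None
    ci_policy_hashes: Optional[Set[str]] = None
    sbcp_hashes: Optional[Set[str]] = None
    pcr0_measurements: Optional[Set[str]] = None


def _hex(value: str) -> str:
    """Normalise a hex digest so whitelist comparison ignores case and spacing."""
    return value.strip().lower()


def evaluate(report: dict, policy: AttestationPolicy) -> List[str]:
    """Return the enabled checks that fail; empty means not flagged.
    A key missing from the report fails any enabled check (fail closed)."""
    findings: List[str] = []

    def check(enabled: bool, key: str, ok, finding: str) -> None:
        if enabled and (key not in report or not ok(report[key])):
            findings.append(finding)

    # "Disabled" / "not present" toggles
    check(policy.secure_boot_disabled, "SecureBootEnabled", lambda v: v is True, "Secure Boot disabled")
    check(policy.aik_not_present, "AIKPresent", lambda v: v is True, "AIK not present")
    check(policy.dep_policy_disabled, "DEPPolicy", lambda v: v != 0, "DEP policy disabled")
    check(policy.bitlocker_disabled, "BitLockerStatus", lambda v: v != 0, "BitLocker disabled")
    check(policy.code_integrity_check_disabled, "CodeIntegrityEnabled", lambda v: v is True, "Code integrity check disabled")
    check(policy.elam_disabled, "ELAMDriverLoaded", lambda v: v is True, "Early launch anti-malware disabled")

    # Version and security version number checks: reported value must meet the entered number
    for minimum, key, finding in (
        (policy.min_code_integrity_rev_list_version, "CodeIntegrityRevListVersion", "Code integrity version check failed"),
        (policy.min_boot_manager_rev_list_version, "BootManagerRevListVersion", "Boot manager version check failed"),
        (policy.min_boot_app_svn, "BootAppSVN", "Boot app security version number below required value"),
        (policy.min_boot_manager_svn, "BootManagerSVN", "Boot manager security version number below required value"),
    ):
        check(minimum is not None, key, lambda v, m=minimum: v >= m, finding)

    # Software version identifiers: reported hash or measurement must be whitelisted
    for allowed, key, finding in (
        (policy.ci_policy_hashes, "CIPolicy", "Code integrity policy hash not whitelisted"),
        (policy.sbcp_hashes, "SBCPHash", "Secure Boot config policy hash not whitelisted"),
        (policy.pcr0_measurements, "PCR0", "PCR0 measurement not whitelisted"),
    ):
        check(allowed is not None, key, lambda v, a=allowed: _hex(v) in {_hex(x) for x in a}, finding)

    return findings


def is_compromised(report: dict, policy: AttestationPolicy) -> bool:
    return bool(evaluate(report, policy))


if __name__ == "__main__":
    policy = AttestationPolicy(
        secure_boot_disabled=True,
        bitlocker_disabled=True,
        min_boot_app_svn=2,
        pcr0_measurements={"0F1E2D3C" * 8},  # whitelist entry, case differs from the report
    )
    for finding in evaluate(SAMPLE_REPORT, policy):
        print("FLAG:", finding)
```

With the policy in the usage block, the constructed report is flagged only for BitLocker: Secure Boot is on, the boot app SVN meets the minimum, and the PCR0 measurement matches the whitelist once case is normalised. Tightening the minimum boot manager SVN or whitelisting a different PCR0 value adds the corresponding findings, which is the effect of enabling those settings in the console.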