As a Workspace ONE UEM admin, you can configure the compromised status definitions for Windows Desktop devices.

What can you do with the Windows Desktop Windows Health Attestation page?

The path to the settings page in the Workspace ONE UEM console is Groups & Settings > All Settings > Devices & Users > Windows > Windows Desktop > Windows Health Attestation.

With the Windows Health Attestation page, you can:
  • Configure a custom server for your Device Health Attestation service.
  • Select the compromised status definitions that, when present, trigger a compromised status on your Windows devices.

Determine your Organization Group hierarchy

Before you review and modify the settings, understand the two inheritance and override options for the organization group hierarchy, which appear at the top and bottom of the settings page, and decide which to use.
  • Current Setting – Select whether to Inherit or Override the displayed settings. Inherit means use the settings of the current organization group's parent OG, while Override enables the settings for editing so you can modify the current OG's settings directly.
  • Child Permission – Select the available behavior of child organization groups that exist below the currently selected organization group. Inherit only means child OGs are only allowed to inherit these settings. Override only means they override the settings, and Inherit or Override means you can choose to inherit or override settings in child OGs that exist below the currently selected OG.

Health Attestation Server Configuration

  • Use Custom Server - Select to configure a custom server for Health Attestation. This option requires a server running Windows Server 2016 or later. Enabling this option displays the Server URL field.
  • Server URL - Enter the URL for your custom Health Attestation server.

Compromised Status Definition

  • Secure Boot Disabled - Enable to flag compromised device status when Secure Boot is deactivated on the device.

    Secure Boot forces the system to boot to a factory trusted state. When Secure Boot is enabled, the core components used to boot the machine must have the correct cryptographic signatures that the OEM trusts. The UEFI firmware verifies the trust before it allows the machine to start. Secure Boot prevents start-up if it detects any tampered files.

  • Attestation Identity Key (AIK) Not Present - Enable to flag compromised device status when the AIK is not present on the device.

    When an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate. Such a device can be trusted more than a device that does not have an EK certificate.

  • Data Execution Prevention (DEP) Policy Disabled - Enable to flag compromised device status when DEP is deactivated on the device.

    The Data Execution Prevention (DEP) Policy is a memory protection feature built into the system level of the OS. The policy prevents running code from data pages such as the default heap, stacks, and memory pools. DEP is enforced by both hardware and software.

  • BitLocker Disabled - Enable to flag compromised device status when BitLocker encryption is deactivated on the device.
  • Code Integrity Check Disabled - Enable to flag compromised device status when the code integrity check is deactivated on the device.

    Code integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity checks for unsigned drivers or system files before they load into the kernel. The check also scans for users with administrative privileges running system files modified by malicious software.

  • Early Launch Anti-Malware Disabled - Enable to flag compromised device status when the early launch anti-malware is deactivated on the device.

    Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.

  • Code Integrity Version Check - Enable to flag compromised device status when the code integrity version check fails.
  • Boot Manager Version Check - Enable to flag compromised device status when the boot manager version check fails.
  • Boot App Security Version Number Check - Enable to flag compromised device status when the boot app security version number does not meet the entered number.
  • BIOS Verification - Enable to flag compromised device status when the BIOS verification check fails on select Dell Windows devices.

    This option requires the BIOS Verification Utility from Dell. This setting only works for select Dell devices.

  • Advanced Settings - Enable to configure advanced settings in the Software Version Identifiers section.
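The following PowerShell script is an added example, not code from Workspace ONE UEM or its documentation. It reproduces, locally on a Windows 10/11 device, the conditions behind the first six compromised status definitions above (Secure Boot, AIK, DEP, BitLocker, code integrity, ELAM), so an admin troubleshooting a flagged device can see which condition would trip the setting. The Device Health Attestation service itself derives these from the TPM-measured boot log, so these runtime checks are an approximation for troubleshooting, not the attestation result. The cmdlets used are standard Windows modules (SecureBoot, BitLocker, TrustedPlatformModule, CimCmdlets) plus bcdedit; the `$findings` layout, the DEP policy value mapping and the use of the `WdBoot` service as the ELAM indicator are assumptions made for this example.

```powershell
# Added example (not Workspace ONE UEM code): check locally for the conditions
# that the Windows Health Attestation compromised status definitions flag.
# Run in an elevated PowerShell session on the device being examined.

$findings = [ordered]@{}

# Secure Boot Disabled: Confirm-SecureBootUEFI returns $false when Secure Boot is
# off and throws on machines without UEFI, which DHA also treats as not secure.
try {
    $findings['SecureBootDisabled'] = -not (Confirm-SecureBootUEFI)
} catch {
    $findings['SecureBootDisabled'] = $true
}

# AIK Not Present: an AIK certificate requires a ready TPM with an endorsement
# key; without the EK the device cannot obtain an AIK from the attestation service.
$tpm = Get-Tpm
$ek  = if ($tpm.TpmPresent) { Get-TpmEndorsementKeyInfo } else { $null }
$findings['AikNotPresent'] = -not ($tpm.TpmPresent -and $tpm.TpmReady -and $ek.IsPresent)

# DEP Policy Disabled: SupportPolicy 0 = AlwaysOff, 1 = AlwaysOn,
# 2 = OptIn (default), 3 = OptOut. Only AlwaysOff counts as disabled here (assumption).
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$findings['DepPolicyDisabled'] = ($os.DataExecutionPrevention_SupportPolicy -eq 0)

# BitLocker Disabled: only the OS volume is checked, matching what DHA reports.
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$findings['BitLockerDisabled'] = ($osVol.ProtectionStatus -ne 'On')

# Code Integrity Check Disabled: kernel-mode code integrity is switched off when the
# boot entry has testsigning or nointegritychecks enabled, which allows unsigned drivers.
$bcd = (bcdedit /enum '{current}' 2>$null) -join "`n"
$findings['CodeIntegrityDisabled'] = ($bcd -match 'nointegritychecks\s+Yes') -or
                                     ($bcd -match 'testsigning\s+Yes')

# ELAM Disabled: approximated by the Microsoft Defender ELAM boot driver (WdBoot)
# being absent or not set to start at boot. Third-party AV ships its own ELAM
# driver, so adjust the service name for such devices (assumption).
$elam = Get-Service -Name WdBoot -ErrorAction SilentlyContinue
$findings['ElamDisabled'] = ($null -eq $elam) -or ($elam.StartType -ne 'Boot')

# Report: any $true value is a condition the corresponding UEM setting would flag.
$findings.GetEnumerator() | ForEach-Object {
    '{0,-24} {1}' -f $_.Key, $(if ($_.Value) { 'WOULD FLAG' } else { 'ok' })
}
```

When a device shows as compromised in the console, comparing this local report with the enabled definitions on the settings page narrows the cause quickly: a device with Secure Boot disabled will also typically lack a usable AIK, because the attestation service does not issue one for an untrusted boot chain, so enabling the AIK definition alone can flag devices whose real problem is firmware configuration.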