Intune Device Health Attestation Report

Let’s check the Intune Device Health Attestation Report in the Intune (aka Endpoint Manager) portal. The Device Health Attestation (DHA) service provides information to Intune about the health of the device.

DHA is a reporting service that considers the conditions of the OS boot and uses them to prepare a report. A remote server then attests this report for trust. Based on this, a device management service like Intune can determine whether the device is in a trusted state and can be marked as compliant.

Device Health Attestation (DHA) and Intune integrate to offer a more secure device compliance evaluation, giving you the peace of mind that the devices in your organization are not only compliant with the required security settings but are also running in a trusted device state.

Joy has explained Device Health Attestation (DHA) and its role in Intune device compliance checks. For a clearer understanding of the Device Health Attestation service and its usage with Intune for compliance evaluation, see Device Health Attestation Intune Device Compliance Check.

You can also refer to the Intune Device Encryption Status Report, which can be of use in identifying problems for groups of devices. When you select a device from the Encryption report, Intune displays the Device encryption status.

Intune Device Health Attestation Report

These reports provide timely, targeted data that helps you focus and take action. You can view the Device Health Attestation report using the following steps –

Click on Monitor – Intune Device Health Attestation Report 1

Under Compliance, select Windows health attestation report. The DHA-Service provides the state/status of the following device parameters –

  • Attestation Identity Key (AIK) Present
  • BitLocker Status
  • Boot Debugging Enabled
  • Boot Manager Rev List Version
  • Code Integrity Enabled
  • Code Integrity Rev List Version
  • DEP Policy
  • ELAM Driver Loaded
  • Issued At
  • Kernel Debugging Enabled
  • PCR
  • Reset Count
  • Restart Count
  • Safe Mode Enabled
  • SBCP Hash
  • Secure Boot Enabled
  • Test Signing Enabled
  • VSM Enabled
  • WinPE Enable

Note – This walkthrough assumes you have a compliance policy configured that leverages Device Health Attestation (DHA). If you don’t have any compliance policy set up, you may see the message “no devices were found.”

Select Windows health attestation report

Use the Columns property to add or remove columns from the generated report. Click on Columns, and a flyout displays. Here you can check or uncheck the columns you want to include, then click Apply.

The following columns are available in this report:

  • Device OS
  • BitLocker
  • Code Integrity
  • Early Launch AntiMalware
  • Boot Debugging
  • Attestation Identity Key (AIK)
  • Secure Boot
  • Data Execution Prevention Policy
  • Health Certificate Issued
  • Kernel Debugging
  • PCR Value
  • Reset count
  • Restart count
  • Safe Mode
  • Test Signing
  • Virtual Security Mode (VSM)
  • WinPE environment
  • Boot Manager Version
  • Code Integrity Check Version
Select Columns - Intune Device Health Attestation Report 3

Click on Filter, and a flyout displays. Here you can select the device type and data point status you want to include. Select Apply to update.

  • Select device type: Devices that support health attestation
  • Select data point status:
    • BitLocker not enabled
    • Secure Boot is not enabled
    • Code integrity not enabled
    • The early launch anti-malware driver is not loaded
Filter Windows health attestation report - Intune Device Health Attestation Report 4

Export Intune Device Health Attestation Report

You can quickly export the generated reporting data. Click on Export all. When exporting all devices, a popup message will appear; click Download.

A notification will appear automatically in the top right-hand corner with the message Export is in progress. You can also see the status by selecting the notification icon.

Click on Export all - Export Intune Device Health Attestation Report

This exports the data to a comma-separated values (.csv) file. The report file is added to your download tray and automatically saved to your computer, and the notification message Export completed will appear. Open the downloaded file to view the details.
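
Once exported, the CSV can be triaged offline instead of being read row by row. The script below is an added example, not part of the original article or of Intune: it flags every device whose attested boot state deviates from an expected baseline and treats a missing value as a finding rather than as healthy. The header names (taken from the column list above), the "Device name" column, the "Enabled" / "Not enabled" cell values and the baseline itself are assumptions to adjust to your actual export.

```python
import csv
import io

# Assumptions: header names follow the report columns listed above, plus a
# hypothetical "Device name" column; cells read "Enabled" / "Not enabled".
# Expected healthy state per column (True = must be enabled).
EXPECTED = {
    "BitLocker": True, "Secure Boot": True, "Code Integrity": True,
    "Early Launch AntiMalware": True, "Boot Debugging": False,
    "Kernel Debugging": False, "Test Signing": False,
    "Safe Mode": False, "WinPE environment": False,
}
ON = {"enabled", "true", "yes"}
OFF = {"not enabled", "disabled", "false", "no"}


def state(cell):
    """Map a cell to True/False, or None when missing or unrecognised."""
    value = (cell or "").strip().lower()
    return True if value in ON else False if value in OFF else None


def triage(csv_text):
    """Return {device: [findings]} for devices deviating from EXPECTED."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff"))):
        findings = []
        for col, want in EXPECTED.items():
            got = state(row.get(col))
            if got is None:
                findings.append(f"{col}: no data")  # unknown is not healthy
            elif got != want:
                findings.append(f"{col}: {'enabled' if got else 'not enabled'}")
        if findings:
            name = (row.get("Device name") or "").strip() or "<unnamed>"
            report[name] = findings
    return report


# Constructed sample export (not real tenant data).
SAMPLE = """\
Device name,BitLocker,Secure Boot,Code Integrity,Early Launch AntiMalware,Boot Debugging,Kernel Debugging,Test Signing,Safe Mode,WinPE environment
LAB-01,Enabled,Enabled,Enabled,Enabled,Not enabled,Not enabled,Not enabled,Not enabled,Not enabled
LAB-02,Not enabled,Enabled,Enabled,Enabled,Not enabled,Not enabled,Enabled,Not enabled,Not enabled
LAB-03,Enabled,,Enabled,Enabled,Not enabled,Not enabled,Not enabled,Not enabled,Not enabled
"""

if __name__ == "__main__":
    for device, findings in triage(SAMPLE).items():
        print(device, "->", "; ".join(findings))
```

Devices that report "no data" for a check are worth following up separately, since a device that never produced a health certificate has not been shown to be in a trusted state.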


Author

About Author – Jitesh, Microsoft MVP, has over five years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.
