Microsoft Switching Windows 11 to the Azure Attestation Service This Month
Microsoft gave public notice this week that boot attestation reporting for Windows 11 clients is getting switched to the Microsoft Azure Attestation service, "starting in mid-August 2023."
IT pros will need to check that their firewall polices will permit the changeover to the Azure Attestation service. The mid-August deadline seemed a bit acute. Possibly, Microsoft gave advance notice to IT pros via its nonpublic Message Center notification service.
Currently, Windows 10 and Windows 11 client attestation reporting happens via the Windows Device Health Attestation (DHA) service, via its "configuration service provider" (CSP). The DHA's CSP collects auditing information from a Windows device's Trusted Platform Module (TPM), along with boot log information. It can then respond to attestation requests from "DHA-enabled MDM" (mobile device management solutions), Microsoft explained, in this document on health attestation CSP.
Microsoft defines a Windows device's TPM (typically thought of as a chip in a computer) as "specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption, and signing." The idea is to attest that no rootkit or bootkit malware was launched before the Windows boot-up process.
Azure Attestation's MDM Benefits
The Windows DHA service and the Azure Attestation service are both used to report on client boot processes, which hopefully happen in a "trusted" and "compliant" manner. The switching of Windows 11 over to the Azure Attestation service wasn't explained too much in the announcement. However, the Azure Attestation service was described as offering improvements for MDM providers, per the health attestation CSP document:
Windows 11 introduces more child nodes to the HealthAttestation node for the MDM providers to connect to the Microsoft Azure Attestation service, which provides a simplified approach to attestation.
Microsoft also considers Windows 11 to have capabilities that "update the device health attestation feature," enabling "deeper insights to Windows boot security."
No Change for Windows 10
Microsoft just plans to switch Windows 11 client management over to the Azure Attestation service, starting mid-month. There's no change regarding Windows 10 clients, which will "continue to use the existing DHA endpoint -- 'has.spserv.microsoft.com' for device health attestation reporting," the announcement indicated.
Microsoft will automatically make this change, starting mid-month, for Windows 11 clients. However, the announcement cautioned IT pros "to ensure there are no firewall policies preventing access to the new Intune MAA attestation providers for Windows 11." Specifically, IT pros should "ensure there are no firewall rules blocking outbound HTTPS/443 traffic" to the specific endpoints listed in Microsoft's announcement.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.