Windows 11 Moves to Azure Attestation Service for Client Attestation Reporting

Client Attestation Reporting in Windows protect user credentials when using a Remote Desktop connection and/or in Bring Your Own Device (BYOD) scenarios.

Microsoft Azure Attestation Service

has announced that the boot attestation reporting for clients will be transitioned to the Microsoft Azure Attestation (MAA) service for Client Attestation Reporting, starting in mid-August 2023.

The transition to the Azure Attestation service only affects Windows 11 clients. clients will continue to use the existing Windows Device Health Attestation (DHA) service endpoint for device health attestation reporting.

Windows 11 Moves from DHA to MAA

Client Attestation Reporting in Windows, also known as Windows Defender Remote Credential Guard, is a security feature introduced in Windows 10, version 1607. It is designed to protect your credentials when you are using a Remote Desktop connection and/or in Bring Your Own Device (BYOD) scenarios. It operates by redirecting Kerberos requests back to the device that's requesting the connection, providing single sign-on experiences for Remote Desktop sessions. Previously, the Windows Device Health Attestation (DHA) service was responsible for attestation reporting for both Windows 10 and Windows 11 clients.

The DHA's configuration service provider (CSP) would gather auditing data from a Windows device's Trusted Platform Module (TPM), along with boot log information. This data was then used to respond to attestation requests from DHA-enabled mobile device management (MDM) solutions.

With the introduction of Windows 11, an update to the device health attestation feature has been implemented. This update provides deeper insights into Windows boot security, supporting a zero-trust approach to device security. The MAA service simplifies the attestation process by introducing more child nodes to the HealthAttestation node for MDM providers to connect to.

The attestation report generated by the MAA service provides a health assessment of the boot-time properties of the device, ensuring automatic security as soon as the devices power on. The health attestation result can then be used to allow or deny access to networks, apps, or services, depending on the health of the device.

Firewall Policies and IT Professionals

IT professionals are advised to ensure that their firewall policies are compatible with the transition to the Azure Attestation service. Specifically, they should ensure there are no firewall rules blocking outbound HTTPS/443 traffic to the specific endpoints listed in Microsoft's announcement.

In the announcement, Microsoft also provides a list of endpoints based on the Intune tenant's location that IT professionals should ensure are not blocked by firewall rules. The Intune Support Team advises that Windows 11 devices with assigned policies using any of the device health settings will fall out of compliance if they cannot reach the MAA attestation endpoints for their location.