diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 7e05d3b90b..b6e69dd50e 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -14,7 +14,7 @@ ms.date: # Device HealthAttestation CSP -The Device HealthAttestation configuration service provider (DHA-CSP) enables enterprise IT adminstrators to assess if a device is booted to a trusted and compliant state, and to take enterprise policy actions. +The Device HealthAttestation configuration service provider (DHA-CSP) enables enterprise IT administrators to assess if a device is booted to a trusted and compliant state, and to take enterprise policy actions. The following is a list of functions performed by the Device HealthAttestation CSP: @@ -36,11 +36,11 @@ The attestation report provides a health assessment of the boot-time properties **DHA (Device HealthAttestation) feature**
The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.
-**MAA-Session (Microsoft Azure Attestaiton service based device HealthAttestation session)** -The Microsoft Azure Attestaiton service based device HealthAttestation session (MAA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.
+**MAA-Session (Microsoft Azure Attestation service based device HealthAttestation session)** +The Microsoft Azure Attestation service-based device HealthAttestation session (MAA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.
-**MAA-CSP Nodes (Microsoft Azure Attestaiton based Configuration Service Provider)** -The Configuration Service Provider nodes added to Windhows 11 to integrate with Microsoft Azure Attestation Service.
+**MAA-CSP Nodes (Microsoft Azure Attestation based Configuration Service Provider)** +The Configuration Service Provider nodes added to Windows 11 to integrate with Microsoft Azure Attestation Service.
The following list of operations is performed by MAA-CSP:
Attestation flow can be broadly in three main steps:
Node type: GET -This node will retrieve the service generated correlation IDs for the given MDM provider. If there are more than one correlation id, they are separated by “;” in the string. +This node will retrieve the service-generated correlation IDs for the given MDM provider. If there are more than one correlation IDs, they are separated by “;” in the string.
Templated SyncML Call:
@@ -251,9 +251,9 @@ This node will retrieve the service generated correlation IDs for the given MDM > **_Note:_** MAA CSP nodes are available on arm64 but is not currently supported. -### MAA CSP Intergation Steps +### MAA CSP Integration StepsInstructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.
@@ -665,7 +665,7 @@ HealthAttestation **Certificate** (Required)Instructs the DHA-CSP to forward DHA-Data to the MDM server.
-Value type is b64.The supported operation is Get.
+Value type is b64. The supported operation is Get.
**Nonce** (Required)Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server.
@@ -916,7 +916,7 @@ After the MDM server receives the verified data, the information can be used to - Allow the device to access the resources, but flag the device for further investigation. - Prevent a device from accessing resources. -The following list of data points are verified by the DHA-Service in DHA-Report version 3: +The following list of data points is verified by the DHA-Service in DHA-Report version 3: - [Issued](#issued ) - [AIKPresent](#aikpresent) @@ -964,7 +964,7 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI assets -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history. +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **ResetCount** (Reported only for devices that support TPM 2.0) @@ -989,7 +989,7 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI assets -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history. +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BitLockerStatus** (at boot time) 
@@ -1005,7 +1005,7 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI assets -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history. +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BootManagerRevListVersion** @@ -1018,7 +1018,7 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI and MBI assets - Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue. +- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **CodeIntegrityRevListVersion**This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it is exposed to security risks (revoked) and enforce an appropriate policy action.
@@ -1030,7 +1030,7 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI and MBI assets - Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue. +- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **SecureBootEnabled**When Secure Boot is enabled the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot.
@@ -1041,11 +1041,11 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI assets -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history. +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BootDebuggingEnabled** -Boot debug enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development.
+Boot debug-enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development.
Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script:
@@ -1071,7 +1071,7 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI assets - Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue. +- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **CodeIntegrityEnabled**When code integrity is enabled, code execution is restricted to integrity verified code.
@@ -1086,7 +1086,7 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI assets -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history. +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **TestSigningEnabled** @@ -1221,7 +1221,7 @@ Each of these are described in further detail in the following sections, along wIf SBCPHash is not present, or is an accepted allow-listed value, then allow access. -
If SBCPHash is present in DHA-Report, and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:
+If SBCPHash is present in DHA-Report, and is not an allow-listed value, then take one of the following actions that align with your enterprise policies:
- Disallow all access - Place the device in a watch list to monitor the device more closely for potential risks. @@ -1407,7 +1407,7 @@ Each of these are described in further detail in the following sections, along w
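Review bot: The MAA-Session hunk (at -36) leaves the heading and the body line inconsistent: the bold heading keeps "Microsoft Azure Attestation service based device HealthAttestation session" while the sentence below it is changed to "service-based". Pick one form for both lines (the hyphenated compound modifier "service-based" reads better before a noun), and apply the same choice to the "Microsoft Azure Attestation based Configuration Service Provider" heading in the following hunk, which would become "Attestation-based".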
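Review bot: The correlation-ID hunk (at -251) is still ungrammatical after the change: "more than one" takes a singular noun, so "If there are more than one correlation IDs" should read "If there is more than one correlation ID, they are separated by ";" in the string." The unchanged note in the same hunk, "MAA CSP nodes are available on arm64 but is not currently supported", also has a subject-verb agreement problem ("but are not currently supported") that is worth fixing while this paragraph is being touched.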
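Review bot: The three "Trigger a corrective action" lines (hunks at -1018, -1030 and -1071) remove the duplicated "such as" but leave "contact the owner investigate the issue" without a conjunction between the two verbs; suggest "informing the technical support team to contact the owner and investigate the issue." in all three places so the list items stay identical.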
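Review bot: In the BootDebuggingEnabled hunk (at -1041), hyphenating to "Boot debug-enabled points to a device" turns the subject into a dangling adjective and reads worse than the original; a clearer opening would be "Boot debugging being enabled indicates a device that is used in development and testing." The end of the same sentence, "fewer security restrictions that is required for testing and development", is also still ungrammatical and should read "fewer security restrictions than are required for testing and development."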