XenMobile

Configuring an on-premises Device Health Attestation server

Contributed by Sanket Mishra

You can enable Device Health Attestation (DHA) for Windows 10 and Windows 11 mobile devices through an on-premises Windows server. To enable DHA on-premises, you first configure a DHA server.

After you configure the DHA server, you create a XenMobile Server policy to enable the on-premises DHA service. For information on creating this policy, see Device Health Attestation device policy.

Prerequisites for a DHA server

  • A server running Windows Server Technical Preview 5 or later, installed using the Desktop Experience installation option.
  • One or more Windows 10 and Windows 11 client devices. These devices must have TPM 1.2 or 2.0 and run the latest version of Windows.
  • These certificates:
    • DHA SSL certificate. An x.509 SSL certificate that chains to an enterprise trusted root with an exportable private key. This certificate protects DHA data communications in transit, including server to server (DHA service and MDM server) and server to client (DHA service and a Windows 10 or Windows 11 device) communications.
    • DHA signing certificate. An x.509 certificate that chains to an enterprise trusted root with an exportable private key. The DHA service uses this certificate for digital signing.
    • DHA encryption certificate. An x.509 certificate that chains to an enterprise trusted root with an exportable private key. The DHA service also uses this certificate for encryption.
  • Choose one of these certificate validation modes:
    • EKCert. EKCert validation mode is optimized for devices in organizations that are not connected to the Internet. Devices connecting to a DHA service running in EKCert validation mode do not have direct access to the Internet.
    • AIKCert. AIKCert validation mode is optimized for operational environments that do have access to the Internet. Devices connecting to a DHA service running in AIKCert validation mode must have direct access to the Internet and are able to get an AIK certificate from Microsoft.

Add the DHA server role to the Windows server

  1. On the Windows server, if the Server Manager is not already open, click Start and then click Server Manager.
  2. Click Add roles and features.
  3. On the Before you begin page, click Next.
  4. On the Select installation type page, click Role-based or feature-based installation, and then click Next.
  5. On the Select destination server page, click Select a server from the server pool, select the server, and then click Next.
  6. On the Select server roles page, select the Device Health Attestation check box.
  7. Optional: Click Add Features to install other required role services and features.
  8. Click Next.
  9. On the Select features page, click Next.
  10. On the Web Server Role (IIS) page, click Next.
  11. On the Select role services page, click Next.
  12. On the Device Health Attestation Service page, click Next.
  13. On the Confirm installation selections page, click Install.
  14. When the installation is done, click Close.

Add the SSL certificate to the certificate store of the server

  1. Go to the SSL certificate file and select it.
  2. Select Current user as the store location and click Next.

    Image of Windows Server Manager

  3. Type the password for the private key.

  4. Ensure the import option Include all extended properties is selected. Click Next.

    Image of Windows Server Manager

  5. When this window appears, click Yes.

    Image of Windows Server Manager

  6. Confirm that the certificate is installed:

    1. Open a Command Prompt window.

    2. Type mmc and press the Enter key. To view certificates in the local machine store, you must be in the Administrator role.

    3. On the File menu, click Add/Remove Snap In.

    4. Click Add.

    5. In the Add Standalone Snap-in dialog box, select Certificates.

    6. Click Add.

    7. In the Certificates snap-in dialog box, select My User account. (If you are signed in as the service account holder, select Service account.)

    8. In the Select Computer dialog box, click Finish.

      Image of Windows Server Manager

  7. Go to Server Manager > IIS and select Server Certificates from the list of icons.

    Image of Windows Server Manager

  8. From the Action menu, select Import… to import the SSL certificate.

    Image of Windows Server Manager

Retrieve and save the thumbprint of the certificate

  1. In the File Explorer search bar, type mmc.
  2. In the Console Root window, click File > Add/Remove Snap-in….

    Image of Windows File Explorer

  3. Select the Certificates snap-in from the available snap-ins and add it to the selected snap-ins.

    Image of Windows Add or Remove Snap-ins

  4. Select My user account.

    Image of Windows Add or Remove Snap-ins

  5. Select the certificate and click OK.

    Image of Windows Add or Remove Snap-ins

  6. Double-click the certificate and select the Details tab. Scroll down to see the certificate thumbprint.

    Image of Windows Add or Remove Snap-ins

  7. Copy the thumbprint to a file. Remove the spaces when using the thumbprint in PowerShell commands.

Install the signing and encryption certificates

Run these PowerShell commands on the Windows server to install the signing and encryption certificates.

Replace the placeholder ReplaceWithThumbprint and enclose it inside double quotation marks as shown.

    $key = Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Thumbprint -like "ReplaceWithThumbprint"}
    $keyname = $key.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keypath = $env:ProgramData + "\Microsoft\Crypto\RSA\MachineKeys\" + $keyname
    icacls $keypath /grant IIS_IUSRS`:R
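The commands above handle one certificate at a time. The following function, an added example that is not part of the Citrix page, applies the same private-key permission grant to the signing and encryption certificates in one pass and fails early on the usual mistakes (thumbprint copied with spaces, certificate imported without its private key, certificate not in the machine store). It assumes the certificates are already in Cert:\LocalMachine\My and, like the page's own command, that their keys live in CSP (RSA) key containers; the thumbprint values in the usage line are placeholders.

```powershell
function Grant-DhaKeyAccess {
    param(
        [Parameter(Mandatory)] [string[]] $Thumbprint,   # signing and encryption thumbprints
        [string] $Principal = 'IIS_IUSRS'                # identity the DHA app pool runs under
    )
    foreach ($tp in $Thumbprint) {
        # Thumbprints copied from the MMC Details tab contain spaces; strip and normalize them.
        $tp = ($tp -replace '\s', '').ToUpperInvariant()

        $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }
        if (-not $cert) { throw "Certificate $tp is not in Cert:\LocalMachine\My" }
        if (-not $cert.HasPrivateKey) { throw "Certificate $tp has no private key; import the PFX, not a .cer" }

        # Same key-container lookup as the page's command; empty for CNG-stored keys, which
        # this example does not handle.
        $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        if (-not $keyName) { throw "Certificate $tp has no CSP key container (CNG keys not handled here)" }

        $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
        if (-not (Test-Path $keyPath)) { throw "Key file $keyPath not found" }

        # Read-only is all the service needs to sign and decrypt; do not grant Full control.
        icacls $keyPath /grant "${Principal}:R" | Out-Null

        [pscustomobject]@{
            Thumbprint = $tp
            Subject    = $cert.Subject
            KeyFile    = $keyPath
            Granted    = "$Principal:R"
        }
    }
}

# Usage (placeholders; replace with the real signing and encryption thumbprints):
# Grant-DhaKeyAccess -Thumbprint 'ReplaceWithSigningThumbprint', 'ReplaceWithEncryptionThumbprint'
```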

Extract the TPM roots certificate and install the trusted certificate package

Run these commands on the Windows server:

    mkdir .\TrustedTpm
    expand -F:* .\TrustedTpm.cab .\TrustedTpm
    cd .\TrustedTpm
    .\setup.cmd

Configure the DHA service

Run this command on the Windows server to configure the DHA service.

Replace each ReplaceWithThumbprint placeholder with the thumbprint of the corresponding certificate (encryption, signing, and SSL).

    Install-DeviceHealthAttestation -EncryptionCertificateThumbprint ReplaceWithThumbprint `
        -SigningCertificateThumbprint ReplaceWithThumbprint `
        -SslCertificateStoreName My -SslCertificateThumbprint ReplaceWithThumbprint `
        -SupportedAuthenticationSchema "AikCertificate"

Run these commands on the Windows server to set up the certificate chain policy for the DHA service:

    $policy = Get-DHASCertificateChainPolicy
    $policy.RevocationMode = "NoCheck"
    Set-DHASCertificateChainPolicy -CertificateChainPolicy $policy

Respond to these prompts, as follows:

    Confirm
    Are you sure you want to perform this action?
    Performing the operation "Install-DeviceHealthAttestation" on target "WIN-N27D1FKCEBT".
    [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): A
    Adding SSL binding to website 'Default Web Site'.
    Add SSL binding?
    [Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
    Adding application pool 'DeviceHealthAttestation_AppPool' to IIS.
    Add application pool?
    [Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
    Adding web application 'DeviceHealthAttestation' to website 'Default Web Site'.
    Add web application?
    [Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
    Adding firewall rule 'Device Health Attestation Service' to allow inbound connections on port(s) '443'.
    Add firewall rule?
    [Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
    Setting initial configuration for Device Health Attestation Service.
    Set initial configuration?
    [Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
    Registering User Access Logging.
    Register User Access Logging?
    [Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y

Check the configuration

To check whether the DHASActiveSigningCertificate is active, run this command on the server:

    Get-DHASActiveSigningCertificate

If the certificate is active, the certificate type (Signing) and thumbprint are displayed.

To set the active encryption certificate and check that it is active, run these commands on the server.

Replace the placeholder ReplaceWithThumbprint and enclose it inside double quotation marks as shown.

    Set-DHASActiveEncryptionCertificate -Thumbprint "ReplaceWithThumbprint" -Force
    Get-DHASActiveEncryptionCertificate

If the certificate is active, the thumbprint appears.

To perform a final check, go to this URL:

https:///DeviceHealthAttestation/ValidateHealthCertificate/v1

If the DHA service is running, “Method not allowed” appears.

Image of DHA service check
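The manual checks in this section can be scripted so they are repeatable after patching or certificate renewal. The function below is an added example, not part of the Citrix page; it verifies the pieces the installer created (SSL binding, private-key access for the app pool identity, the inbound 443 firewall rule) and then probes the validation endpoint, treating the "Method not allowed" (HTTP 405) response described above as the healthy result. $DhaHost is a placeholder for the DHA server's FQDN; the thumbprint parameters are the values saved earlier.

```powershell
function Test-DhaServer {
    param(
        [Parameter(Mandatory)] [string] $DhaHost,         # placeholder: FQDN in the SSL certificate
        [Parameter(Mandatory)] [string] $SslThumbprint,   # DHA SSL certificate thumbprint
        [string[]] $KeyThumbprint = @()                   # signing and encryption thumbprints
    )
    $r = [ordered]@{}
    $norm = { param($t) ($t -replace '\s', '').ToUpperInvariant() }

    # 1. The SSL certificate must be bound for HTTPS; netsh lists bindings by certificate hash.
    $bindings = (netsh http show sslcert) -join "`n"
    $r.SslBindingOk = $bindings -match (& $norm $SslThumbprint)

    # 2. Signing/encryption certificates: in LocalMachine\My, with a private key IIS_IUSRS can read.
    foreach ($tp in $KeyThumbprint) {
        $tp = & $norm $tp
        $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }
        $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        $acl = ''
        if ($keyName) {
            $acl = (icacls (Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName")) -join ' '
        }
        $r["KeyAccessOk_$tp"] = [bool]($cert -and $cert.HasPrivateKey -and $acl -match 'IIS_IUSRS')
    }

    # 3. The inbound rule the installer added ('Device Health Attestation Service') must be enabled.
    $fw = Get-NetFirewallRule -DisplayName 'Device Health Attestation Service' -ErrorAction SilentlyContinue
    $r.FirewallRuleOk = [bool]($fw -and "$($fw.Enabled)" -eq 'True')

    # 4. A GET on the validation endpoint is rejected with 405 when the service is up.
    #    A status of 0 means no HTTP response at all (TLS trust failure, wrong host, service down).
    $url = "https://$DhaHost/DeviceHealthAttestation/ValidateHealthCertificate/v1"
    try {
        Invoke-WebRequest -Uri $url -Method Get -UseBasicParsing | Out-Null
        $r.EndpointStatus = 200   # unexpected: the endpoint should not accept GET
    } catch {
        $r.EndpointStatus = [int]$_.Exception.Response.StatusCode
    }
    $r.EndpointOk = ($r.EndpointStatus -eq 405)

    [pscustomobject]$r
}

# Usage (placeholders):
# Test-DhaServer -DhaHost 'dha.example.local' -SslThumbprint 'ReplaceWithSslThumbprint' `
#     -KeyThumbprint 'ReplaceWithSigningThumbprint', 'ReplaceWithEncryptionThumbprint'
```

Run it from an elevated PowerShell session on the DHA server itself, so that the certificate store, key ACLs and firewall rules being inspected are the local ones.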