How to Set Up Health Attestation Service on Windows Server 2016
Device Health Attestation (DHA) is a Windows Server 2016 feature that allows an organization to verify the security health of Windows 10 and Windows Server 2016 devices before granting them access to corporate resources. The Health Attestation Service works by communicating with the Trusted Platform Module (TPM) chip in client devices to verify that Secure Boot was enabled, that the boot process was not tampered with, that BitLocker is active, that Code Integrity policies are enforced, and that the device’s firmware and OS state match a known-good baseline. This guide explains how to deploy and configure the Device Health Attestation Service on Windows Server 2016 for use with on-premises infrastructure.
Before deploying DHA, verify that your client devices have TPM 2.0 chips, that they are running Windows 10 or Windows Server 2016, and that your network infrastructure supports the required SSL certificates. The DHA service itself runs on Windows Server 2016 and requires an SSL certificate bound to port 443 on the DHA server. Active Directory and DNS must be functioning correctly within your domain.
Step 1: Install the Device Health Attestation Role
Open an elevated PowerShell window on the server that will host the DHA service and install the role:
Install-WindowsFeature -Name DeviceHealthAttestation -IncludeManagementTools -IncludeAllSubFeature
The installation will also install IIS components required to host the DHA endpoint. After installation, verify that the feature installed successfully:
Get-WindowsFeature -Name DeviceHealthAttestation
Step 2: Obtain and Bind an SSL Certificate
The DHA service communicates exclusively over HTTPS. Request a certificate from your internal Certificate Authority (CA) for the FQDN of the DHA server, such as dha.yourdomain.com. Import the certificate into the Local Computer personal certificate store and note its thumbprint. Bind the certificate to IIS port 443 using PowerShell:
$thumbprint = "YOURCERTTHUMBPRINTHERE"   # thumbprint noted when the certificate was imported into the Local Computer personal (MY) store
# Create the HTTPS binding if the site does not have one yet, then attach the certificate to it
if (-not (Get-WebBinding -Protocol https -Port 443)) { New-WebBinding -Name "Default Web Site" -Protocol https -Port 443 }
$binding = Get-WebBinding -Protocol https -Port 443
$binding.AddSslCertificate($thumbprint, "MY")
Ensure that the DNS record for dha.yourdomain.com resolves correctly to the DHA server’s IP address from all client devices.
Step 3: Configure the DHA Service
Run the DHA configuration wizard from the IIS Manager console, or configure it directly via PowerShell. The following command configures the DHA service in on-premises mode with your internal CA certificate:
# Cmdlet and parameters are those of the DeviceHealthAttestation PowerShell module installed with the role.
# The same placeholder is used for all three thumbprints here; a production deployment should use
# separate signing, encryption and SSL certificates.
Install-DeviceHealthAttestation `
    -SigningCertificateThumbprint "YOURCERTTHUMBPRINTHERE" `
    -EncryptionCertificateThumbprint "YOURCERTTHUMBPRINTHERE" `
    -SslCertificateStoreName "My" `
    -SslCertificateThumbprint "YOURCERTTHUMBPRINTHERE" `
    -SupportedAuthenticationSchema "EnterpriseAndCloud"   # value from Microsoft's documented example; adjust to your deployment
After initialization, restart the IIS service to apply the configuration:
Restart-Service -Name "W3SVC"
Step 4: Verify the DHA Endpoint is Accessible
From a client machine or a separate administrative workstation, verify that the DHA HTTPS endpoint is reachable:
Invoke-WebRequest -Uri "https://dha.yourdomain.com/DeviceHealthAttestation/1.0" -UseBasicParsing
A 200 or 400 HTTP response indicates the service is running. A connection refused or certificate error indicates a configuration problem with either the SSL binding or the firewall.
Step 5: Configure Clients via Group Policy
Point client devices at your on-premises DHA service using Group Policy. Open Group Policy Management and create a new GPO linked to the organizational unit containing your managed devices. Navigate to Computer Configuration, Administrative Templates, Windows Components, Device Health Attestation Service. Enable the policy Use device health attestation service and set the Device Health Attestation Service URL to https://dha.yourdomain.com/DeviceHealthAttestation/1.0. Apply the GPO and force a Group Policy update on client devices:
gpupdate /force
Step 6: Integrate with MDM or Configuration Manager
The true value of DHA is realized when it is integrated with a Mobile Device Management platform such as Microsoft Intune or System Center Configuration Manager (SCCM). The MDM server queries the DHA service to obtain a health certificate for each managed device during enrollment or periodic compliance checks. Devices that fail attestation because Secure Boot is disabled, BitLocker is not active, or the boot process was modified can be automatically quarantined, blocked from accessing corporate email, or flagged for remediation.
In SCCM, configure the Health Attestation settings in the Client Settings policy under Cloud Services. Enable On-premises Health Attestation Service and enter the DHA server URL.
Step 7: Monitor DHA Service Health
Review the DHA service event log entries in Event Viewer under Applications and Services Logs, Microsoft, Windows, DeviceHealthAttestation. Monitor IIS access logs at C:\inetpub\logs\LogFiles for client connections. Set up a monitoring check that verifies the DHA HTTPS endpoint responds within an acceptable time, and alert the operations team if it becomes unresponsive, as device attestation failures will prevent compliant clients from accessing protected resources.
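The following is an added example of the monitoring check Step 7 calls for, combined with the reachability test from Step 4; it is not code from the original guide. It assumes the hostname and endpoint URL used in this guide, and the 2-second latency threshold, 30-day expiry warning and optional pinned thumbprint are assumptions you should tune for your environment.

```powershell
# Added example, not part of the original guide: end-to-end check of the on-premises DHA
# endpoint. The URL and host are the ones used in this guide; the latency threshold, the
# 30-day expiry warning and the optional expected thumbprint are assumptions.
function Test-DhaEndpoint {
    param(
        [string]$Url = "https://dha.yourdomain.com/DeviceHealthAttestation/1.0",
        [int]$MaxLatencyMs = 2000,
        [string]$ExpectedThumbprint = ""   # thumbprint bound in Step 2, if you want to pin it
    )
    $uri = [Uri]$Url
    $result = [ordered]@{ Host = $uri.Host; Healthy = $false; Detail = "" }

    # 1. DNS: the record created in Step 2 must resolve from wherever this check runs.
    try { $a = Resolve-DnsName -Name $uri.Host -Type A -ErrorAction Stop | Where-Object IPAddress | Select-Object -First 1 }
    catch { $result.Detail = "DNS resolution failed"; return [pscustomobject]$result }
    $result.IPAddress = $a.IPAddress

    # 2. TCP 443: separates a firewall or binding problem from an IIS/application problem.
    if (-not (Test-NetConnection -ComputerName $uri.Host -Port 443 -InformationLevel Quiet)) {
        $result.Detail = "TCP 443 unreachable (firewall or SSL binding)"; return [pscustomobject]$result
    }

    # 3. TLS: AuthenticateAsClient validates chain and hostname; then check expiry and optional pin.
    $tcp = New-Object Net.Sockets.TcpClient($uri.Host, 443)
    $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($uri.Host)
        $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.CertExpires = $cert.NotAfter
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $result.Detail = "certificate expires within 30 days; " }
        if ($ExpectedThumbprint -and $cert.Thumbprint -ne $ExpectedThumbprint) {
            $result.Detail += "unexpected certificate thumbprint"; return [pscustomobject]$result
        }
    } catch { $result.Detail = "TLS handshake failed: $($_.Exception.Message)"; return [pscustomobject]$result }
    finally { $ssl.Dispose(); $tcp.Dispose() }

    # 4. HTTP: per Step 4, 200 or 400 both mean the DHA service answered; also time the request.
    $sw = [Diagnostics.Stopwatch]::StartNew()
    try { $status = (Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10).StatusCode }
    catch { $status = [int]$_.Exception.Response.StatusCode }   # a 400 surfaces as an exception here
    $result.LatencyMs = $sw.ElapsedMilliseconds
    $result.StatusCode = $status
    $result.Healthy = ($status -in 200, 400) -and ($result.LatencyMs -le $MaxLatencyMs)
    if (-not $result.Healthy) { $result.Detail += "status $status after $($result.LatencyMs) ms" }
    return [pscustomobject]$result
}

$r = Test-DhaEndpoint; $r | Format-List
if (-not $r.Healthy) { exit 1 }   # non-zero exit lets a scheduled task or monitor raise an alert
```

Run it from the same network position as your clients so that DNS, firewall and certificate trust are tested the way clients experience them.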
Device Health Attestation on Windows Server 2016 provides a hardware-rooted trust mechanism that significantly raises the security bar for conditional access scenarios, ensuring that only devices with verifiably secure boot states can access sensitive corporate resources.