Intune: Windows Health Attestation

Management Summary

Windows Health Attestation is TPM-backed device health reporting: cryptographic proof that a device booted with Secure Boot, BitLocker and Code Integrity enabled.

Recommendation: IMPLEMENT
Risk without implementation: Medium
Risk score: 5/10
Implementation effort: 6h (technical: 3h)
Applies to: ✓ Windows 10, ✓ Windows 11

Health Attestation is "trust, but verify". Scenario: the admin claims "BitLocker enabled" → the user switches it off in the BIOS → Intune does not detect it, because the compliance state is device-reported. With Health Attestation the TPM cryptographically signs the boot measurements → the attestation server verifies the signature → there is proof of Secure Boot/BitLocker rather than a self-report. Attack prevention: rootkits and bootkits are detected because the boot chain measurements no longer match.

How it works

Health Attestation has three parts. The TPM measures the boot state: Secure Boot enabled, BitLocker enabled, Code Integrity active, Early Launch Anti-Malware (ELAM) loaded. The attestation server verifies the TPM signatures over those measurements. Compliance: the device is marked non-compliant if attestation fails or the measured state does not meet the policy.

Requirements

  1. Windows 10 1607 or later
  2. TPM 2.0
  3. Secure Boot enabled
  4. Intune enrollment

Implementation

Use the PowerShell script windows-health-attestation.ps1 (function Invoke-Implementation) to implement.

Intune: Device Compliance → Windows → Device Health → Require Secure Boot: Yes, Require Code Integrity: Yes, Require BitLocker: Yes. Health Attestation itself is automatic (TPM-based); these three settings make the compliance policy consume it.

Compliance

Zero Trust, BIO 12.01 (Device security), ISO 27001 A.12.6.2.

Monitoring

Use the PowerShell script windows-health-attestation.ps1 (function Invoke-Monitoring) to check the current state.

Remediation

Use the PowerShell script windows-health-attestation.ps1 (function Invoke-Remediation) to restore the configuration.


Automation

Use the PowerShell script below to monitor and implement this security control. The script exposes functions for monitoring (-Monitoring) and remediation (-Remediation).

PowerShell

<#
================================================================================
POWERSHELL SCRIPT - Nederlandse Baseline voor Veilige Cloud
================================================================================
.SYNOPSIS
    Intune: Windows Health Attestation
.DESCRIPTION
    Implements, monitors and remediates: Intune: Windows Health Attestation
.NOTES
    Filename: windows-health-attestation.ps1
    Author:   Nederlandse Baseline voor Veilige Cloud
    Version:  1.0
    Workload: intune
    Category: device-health
#>
#Requires -Version 5.1
[CmdletBinding()]
param(
    # Switches referenced in the text above; select which function runs.
    [switch]$Implementation,
    [switch]$Monitoring,
    [switch]$Remediation
)

$ErrorActionPreference = 'Stop'

function Invoke-Implementation {
    <#
    .SYNOPSIS
        Implements the configuration
    #>
    [CmdletBinding()]
    param()

    Write-Host "[INFO] Invoke-Implementation - Intune: Windows Health Attestation" -ForegroundColor Cyan
    Invoke-Remediation
}

function Invoke-Monitoring {
    <#
    .SYNOPSIS
        Checks the current configuration state
    #>
    [CmdletBinding()]
    param()

    try {
        Write-Host "========================================" -ForegroundColor Cyan
        Write-Host "Intune: Windows Health Attestation - Monitoring" -ForegroundColor Cyan
        Write-Host "========================================" -ForegroundColor Cyan

        # TODO: implement monitoring logic for Intune: Windows Health Attestation
        Write-Host "[INFO] Monitoring check for Intune: Windows Health Attestation" -ForegroundColor Yellow
        Write-Host "[OK] Monitoring check completed" -ForegroundColor Green
    }
    catch {
        Write-Error "Monitoring failed: $_"
        throw
    }
}

function Invoke-Remediation {
    <#
    .SYNOPSIS
        Restores the configuration to the desired state
    #>
    [CmdletBinding()]
    param()

    try {
        Write-Host "========================================" -ForegroundColor Cyan
        Write-Host "Intune: Windows Health Attestation - Remediation" -ForegroundColor Cyan
        Write-Host "========================================" -ForegroundColor Cyan

        # TODO: implement remediation logic for Intune: Windows Health Attestation
        Write-Host "[INFO] Remediation for Intune: Windows Health Attestation" -ForegroundColor Yellow
        Write-Host "[OK] Remediation completed" -ForegroundColor Green
    }
    catch {
        Write-Error "Remediation failed: $_"
        throw
    }
}

# Dispatch on the switches passed to the script.
if ($Implementation) { Invoke-Implementation }
if ($Monitoring)     { Invoke-Monitoring }
if ($Remediation)    { Invoke-Remediation }
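The baseline script above leaves the monitoring and remediation bodies as TODOs. As an added example, written for this page and not part of windows-health-attestation.ps1, the block below does two things a practitioner needs when a device fails the Device Health compliance check: it reads the same boot-health signals locally (Secure Boot, TPM 2.0, BitLocker on the OS volume, Code Integrity) so a failing device can be triaged on the box, and it builds the Windows 10/11 compliance policy from the Implementation section through Microsoft Graph. It assumes an elevated session on Windows 10/11 with the built-in SecureBoot, TrustedPlatformModule and BitLocker modules, and, for the policy function, the Microsoft.Graph.Authentication module with an existing Connect-MgGraph session holding DeviceManagementConfiguration.ReadWrite.All. The function names, the policy display name, the use of HVCI as a local stand-in for the attested Code Integrity flag, and the scheduled-action defaults are my assumptions.

```powershell
# Added example; not part of the baseline's windows-health-attestation.ps1.
# Assumes Windows 10/11, an elevated session, the SecureBoot, TrustedPlatformModule
# and BitLocker modules, and (for New-HealthAttestationCompliancePolicy -Apply)
# a Connect-MgGraph session with DeviceManagementConfiguration.ReadWrite.All.

function Get-LocalBootHealth {
    <#
    .SYNOPSIS
        Reads locally the boot-health signals that the TPM reports through
        Device Health Attestation, for triaging a device that shows non-compliant.
    #>
    [CmdletBinding()]
    param()

    $r = [ordered]@{}

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS/CSM boots,
    # which for this check means "not enabled".
    try   { $r.SecureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $r.SecureBoot = $false }

    # TPM present, ready, and spec 2.0 (Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38").
    $tpm = Get-Tpm
    $r.TpmPresent = [bool]$tpm.TpmPresent
    $r.TpmReady   = [bool]$tpm.TpmReady
    $spec = (Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm).SpecVersion
    $r.Tpm20 = ($spec -like '2.0*')

    # BitLocker on the OS volume: ProtectionStatus must be On, "encrypted but suspended" does not count.
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $r.BitLockerOn = ($osVol.ProtectionStatus -eq 'On')

    # Code Integrity: Win32_DeviceGuard.SecurityServicesRunning contains 2 when HVCI is running;
    # CodeIntegrityPolicyEnforcementStatus 2 means a WDAC policy is enforced.
    # Assumption: HVCI is used here as the closest local stand-in for the attested CodeIntegrityEnabled flag.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $r.HvciRunning  = ($dg.SecurityServicesRunning -contains 2)
    $r.WdacEnforced = ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2)

    # Mirrors the three "Require ..." switches under Device Compliance > Windows > Device Health.
    $r.LikelyPassesDeviceHealth = $r.SecureBoot -and $r.BitLockerOn -and $r.HvciRunning

    [pscustomobject]$r
}

function New-HealthAttestationCompliancePolicy {
    <#
    .SYNOPSIS
        Builds (and with -Apply creates) the windows10CompliancePolicy that requires
        Secure Boot, BitLocker, Code Integrity and ELAM, matching the portal steps above.
    #>
    [CmdletBinding()]
    param(
        [string]$DisplayName = 'Windows - Device Health Attestation',   # assumed name
        [switch]$Apply
    )

    # Property names are those of the Graph v1.0 windows10CompliancePolicy resource.
    $body = @{
        '@odata.type'                       = '#microsoft.graph.windows10CompliancePolicy'
        displayName                         = $DisplayName
        description                         = 'Requires TPM-attested Secure Boot, BitLocker, Code Integrity and ELAM'
        secureBootEnabled                   = $true
        bitLockerEnabled                    = $true
        codeIntegrityEnabled                = $true
        earlyLaunchAntiMalwareDriverEnabled = $true
        # Graph rejects a compliance policy without a scheduled action; mark non-compliant immediately.
        scheduledActionsForRule = @(
            @{
                ruleName = 'PasswordRequired'
                scheduledActionConfigurations = @(
                    @{
                        actionType                = 'block'
                        gracePeriodHours          = 0
                        notificationTemplateId    = ''
                        notificationMessageCCList = @()
                    }
                )
            }
        )
    }

    if ($Apply) {
        return Invoke-MgGraphRequest -Method POST `
            -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
            -Body $body
    }
    $body
}

# Usage: triage the local device, then review the policy body before applying it.
Get-LocalBootHealth | Format-List
New-HealthAttestationCompliancePolicy | ConvertTo-Json -Depth 5
```

Run Get-LocalBootHealth on a device that Intune reports as non-compliant: a False in SecureBoot or BitLockerOn explains the failure directly, while a device that passes every local check but still fails attestation points at the TPM or the attestation service path rather than the configuration. Call New-HealthAttestationCompliancePolicy without -Apply first and assign the created policy to a pilot group before broadening it.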

Risk without implementation

Medium: user-reported compliance can be falsified; TPM attestation turns the compliance state into proof.

Management Summary

Windows Health Attestation. TPM-backed compliance verification. Rootkit/bootkit detection. Implementation: 3-6 hours.