Health Attestation reporting all computers not ELAM compliant

  • Question

  • Hello,

    We have recently enabled the health attestation feature using Microsoft's HA service (not on-prem).  It is collecting data and reporting which is great.  However...

    The Health Attestation feature thinks that the ELAM feature is not enabled on my computer (on any computer).  However, I checked this morning and it is enabled on my computer and reporting it is not compliant/healthy because of ELAM.  I also did a few config manager tasks to update policies on the client and to do new hardware & software inventories.  No change after.

    Is there some kind of hardware or software class or file that has to be inventoried before it will detect if ELAM is enabled?  Some other requirement?  Or perhaps a log that may tell me why it is failing compliance for ELAM or in general?  

    Kind of new to sccm but am learning, any tips/pointers/urls would be appreciated.

    If it helps, it can collect hardware inventory for UEFI, SecureBoot, BitLocker protection status.

    SCCM Version 1802 (KB4163547 is not yet installed)

    HA started working last night and is reporting:

    • 24% of 246 devices are reporting HA (expected due to high Win7)
    • 57 non-compliant computer devices
    • 3 devices with errors
    • 57 devices missing ELAM HA settings
    • 35 devices missing SecureBoot (expected)
    • 30 devices missing BitLocker (expected)

    Wednesday, July 18, 2018 3:14 AM

All replies

  • Hi,

    For how to turn on Early-Launch Anti-Malware (ELAM), please refer to the following article:

    https://gallery.technet.microsoft.com/How-to-turn-on-Early-84552ec5

    Best regards,
    Larry 


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, July 19, 2018 4:09 AM
  • Doesn't seem like you read my post or the question

    Better luck next time with random suggestions

    Thursday, July 19, 2018 4:16 AM
  • Hi,

    Have you checked whether the Windows 10 client devices have a TPM (either 1.2 or 2.0) that is in a clear/ready state and are running the latest Windows Insider build?
    Are there any firewall policies or GPO or third-party anti-virus software blocking anything?

    Also, I hope this helps:

    ELAMDriverLoaded (Windows Defender)

    To use this reporting feature you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.

    In the current release, this attribute only monitors/reports if a Microsoft 1st party ELAM (Windows Defender) was loaded during initial boot.

    If a device is expected to use a 3rd party antivirus program, ignore the reported state.

    If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access.

    If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies, also accounting for whether it is a desktop or mobile device:

    • Disallow all access
    • Disallow access to HBI assets
    • Trigger a corrective action, such as informing the technical support team to contact the owner to investigate the issue.

    Reference:

    https://docs.microsoft.com/en-us/windows-server/security/device-health-attestation

    https://docs.microsoft.com/en-us/windows/client-management/mdm/healthattestation-csp

    Best regards,
    Larry

    Thursday, July 19, 2018 8:05 AM
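The reply above lists what the ELAMDriverLoaded attribute actually measures (the Microsoft 1st-party ELAM driver, with "Hybrid Resume" turned off) next to the other prerequisites (TPM ready, Secure Boot, BitLocker). The following PowerShell script is an added example, not code from the thread or from Microsoft's documentation: it checks those prerequisites locally on one Windows 10 client so a "not healthy" verdict can be traced to a concrete setting before chasing SCCM inventory. It assumes that the 1st-party ELAM driver DHA looks for is Windows Defender's WdBoot service, that the documentation's "Hybrid Resume" corresponds to Fast Startup (the HiberbootEnabled registry value), and that the registry paths and DriverLoadPolicy value names used below are the ones the Early Launch Antimalware group policy writes. Run it from an elevated prompt.

```powershell
function Get-RegValue {
    # Returns a registry value, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-DhaPreflight {
    [CmdletBinding()]
    param()

    $r = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # TPM: DHA requires a TPM 1.2 or 2.0 that is present and in the ready state.
    $tpm = try { Get-Tpm -ErrorAction Stop } catch { $null }
    $r.TpmPresent = [bool]($tpm -and $tpm.TpmPresent)
    $r.TpmReady   = [bool]($tpm -and $tpm.TpmReady)

    # Secure Boot: the cmdlet throws on legacy BIOS/CSM firmware, which counts as off.
    $r.SecureBoot = try { [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { $false }

    # ELAM (assumption: WdBoot is the Microsoft 1st-party ELAM driver DHA reports on).
    # A 3rd-party AV registers its own ELAM driver instead, so ELAMDriverLoaded stays 0 there.
    # ELAM drivers are unloaded once boot-start drivers are initialised, so State is
    # normally 'Stopped'; what matters is that the driver is registered as boot-start.
    $wdboot = Get-CimInstance Win32_SystemDriver -Filter "Name='WdBoot'" -ErrorAction SilentlyContinue
    $r.WdBootRegistered = [bool]$wdboot
    $r.WdBootBootStart  = [bool]($wdboot -and $wdboot.StartMode -eq 'Boot')

    # Boot-start driver initialisation policy written by the ELAM group policy (assumed key).
    $policyNames = @{ 8 = 'Good only'; 1 = 'Good and unknown'; 3 = 'Good, unknown and bad but critical'; 7 = 'All' }
    $policy = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch' 'DriverLoadPolicy'
    $r.ElamDriverLoadPolicy = if ($null -eq $policy) { 'Not configured (default)' } else { $policyNames[[int]$policy] }

    # Fast Startup ("hybrid boot"; assumed to be the docs' "Hybrid Resume") and hibernation.
    # Fast Startup depends on hibernation, so powercfg /hibernate off switches both off.
    # A missing value means the Windows default, which is enabled.
    $hiberboot = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power' 'HiberbootEnabled'
    $hibernate = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' 'HibernateEnabled'
    $r.HibernateEnabled   = ($null -eq $hibernate) -or ($hibernate -ne 0)
    $r.FastStartupEnabled = (($null -eq $hiberboot) -or ($hiberboot -ne 0)) -and $r.HibernateEnabled

    # BitLocker on the OS volume (needs the BitLocker module, absent on Home SKUs).
    $bl = try { Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop } catch { $null }
    $r.BitLockerOn = [bool]($bl -and "$($bl.ProtectionStatus)" -eq 'On')

    # Measured boot (TCG) logs: DHA attests the boot measurements, so a log must exist.
    $mbDir = Join-Path $env:SystemRoot 'Logs\MeasuredBoot'
    $r.MeasuredBootLogs = @(Get-ChildItem -Path $mbDir -Filter '*.log' -ErrorAction SilentlyContinue).Count

    # Findings that a DHA "not healthy" verdict is likely to trace back to.
    $issues = @()
    if (-not $r.TpmReady)          { $issues += 'TPM not present or not ready' }
    if (-not $r.SecureBoot)        { $issues += 'Secure Boot off or legacy BIOS' }
    if (-not $r.WdBootBootStart)   { $issues += 'Defender ELAM driver (WdBoot) not registered as boot-start' }
    if ($r.FastStartupEnabled)     { $issues += 'Fast Startup (hybrid boot) enabled' }
    if (-not $r.BitLockerOn)       { $issues += 'BitLocker not protecting the OS volume' }
    if ($r.MeasuredBootLogs -eq 0) { $issues += 'No measured boot log found' }
    $r.Issues = $issues -join '; '

    [pscustomobject]$r
}

function Disable-FastStartup {
    # Turns Fast Startup off while leaving hibernation available. Elevated prompt and a reboot required.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power' `
                     -Name HiberbootEnabled -Value 0 -Type DWord
}

# Usage: run on the client being checked.
Get-DhaPreflight | Format-List
```

Saved as a .ps1, the same script can be fanned out over a list of clients with `Invoke-Command -ComputerName (Get-Content .\hosts.txt) -FilePath .\Get-DhaPreflight.ps1`, which gives one row per machine to compare against the HA compliance report. Note that a client already running a 3rd-party ELAM driver will legitimately show WdBootBootStart = False, which is the case the documentation says to ignore.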
  • Thank you for the suggestions.  Response to your questions/suggestions:

    1) Security Process Details (TPM)

    • Attestation = Ready
    • Storage = Ready

    2) Windows Build 17134.167

    • Win 10 Enterprise 1803 installed 6/12/2018

    3) Firewall policies blocking anything

    • Sure, that is what the firewall does

    4) 3rd Party A/V

    • SCCM manages our A/V

    5) I am investigating what the term "Hybrid Resume" is/means/does & how to turn it off; the articles provided do not seem to be very clear (IMO).

    Friday, July 20, 2018 2:24 AM
  • Well, that 2nd article didn't help much; too technical for me, and I cannot do much as it seems to be more for a developer or something.  Couldn't find much about "Hybrid Resume" online.  Thought it had to do with sleep / hibernate mode.  Hibernate was turned off already, but I ran the powercfg /hibernate off command anyway.  Did another client policy update, hardware inventory, and other tasks, reboot, no change.
    Friday, July 20, 2018 3:16 AM