Configuring an on-premises Device Health Attestation server

You can enable Device Health Attestation (DHA) for Windows 10 and Windows 11 devices through an on-premises Windows server. To enable DHA on-premises, you first configure a DHA server.

After you configure the DHA server, you create an Endpoint Management policy to enable the on-premises DHA service. For information, see Device Health Attestation device policy.

Prerequisites for a DHA server

  • A server running Windows Server 2016 (the DHA role first shipped in Technical Preview 5) or later, installed using the Desktop Experience installation option.
  • One or more Windows 10 or Windows 11 client devices with a TPM 1.2 or TPM 2.0, running the latest version of Windows.
  • These certificates, each an X.509 certificate that chains to an enterprise trusted root and has an exportable private key:
    • DHA SSL certificate: protects DHA data communications in transit, including:
      • server-to-server communications (DHA service and MDM server)
      • server-to-client communications (DHA service and a Windows 10 or Windows 11 device)
    • DHA signing certificate: the DHA service uses this certificate for digital signing.
    • DHA encryption certificate: the DHA service uses this certificate for encryption.
  • Choose one of these certificate validation modes. The mode is a setting of the DHA service, and every device that uses the service is validated in that mode:
    • EKCert: optimized for organizations whose devices are not connected to the Internet. The DHA service validates each device's TPM endorsement key (EK) certificate against the TPM manufacturers' root certificates that the service holds locally, so devices do not need direct Internet access.
    • AIKCert: optimized for operational environments that do have Internet access. Devices must be able to reach the Internet to obtain an attestation identity key (AIK) certificate from Microsoft, which the DHA service then validates.
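The following PowerShell script, added here as an example and not part of the original page, inventories the Local Machine Personal store and reports, for each certificate that has a private key, whether it chains to a trusted root, whether it carries the Server Authentication EKU the SSL certificate needs, and whether its private key is exportable (the answer is read differently for legacy CSP keys and CNG keys). It assumes the three DHA certificates have already been imported into Cert:\LocalMachine\My; the function name Test-DhaCertificate is the example's own.

```powershell
# Added example (not from the Citrix page): check DHA certificate prerequisites.
# Assumption: run in an elevated Windows PowerShell 5.1 session on the DHA server.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Test-DhaCertificate {
    param([Parameter(Mandatory)][X509Certificate2]$Cert)

    # Build the chain without revocation lookups: an EKCert deployment has no Internet
    # access, and the question here is only whether the chain ends in a trusted root.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($Cert)
    $root = $null
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) is required on the SSL certificate.
    $eku = $Cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $serverAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })

    # Exportability is reported by the CSP container info for legacy keys and by the
    # CNG export policy for keys held in a key storage provider.
    $provider = 'none'
    $exportable = $false
    if ($Cert.HasPrivateKey) {
        $rsa = [RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [RSACryptoServiceProvider]) {
            $provider = 'CSP'
            $exportable = $rsa.CspKeyContainerInfo.Exportable
        } elseif ($rsa -is [RSACng]) {
            $provider = 'CNG'
            $exportable = ($rsa.Key.ExportPolicy -band [CngExportPolicies]::AllowExport) -ne 0
        }
    }

    [pscustomobject]@{
        Subject      = $Cert.Subject
        Thumbprint   = $Cert.Thumbprint
        NotAfter     = $Cert.NotAfter
        ChainsToRoot = $chainOk
        Root         = $root
        ChainStatus  = $status
        ServerAuth   = $serverAuth
        PrivateKey   = $Cert.HasPrivateKey
        Provider     = $provider
        Exportable   = $exportable
    }
}

# Report on every certificate in the Local Machine Personal store that has a private key.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-DhaCertificate -Cert $_ } |
    Format-Table -AutoSize
```

A certificate that shows ChainsToRoot as False with a status of UntrustedRoot or PartialChain is not chained to a trusted enterprise root on this server; Exportable False means the PFX was imported without marking the key exportable, which the prerequisites above require.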

Add the DHA server role to the Windows server

  1. On the Windows server, if the Server Manager is not already open, click Start and then click Server Manager.
  2. Click Add roles and features.
  3. On the Before you begin page, click Next.
  4. On the Select installation type page, click Role-based or feature-based installation, and then click Next.
  5. On the Select destination server page, click Select a server from the server pool, select the server, and then click Next.
  6. On the Select server roles page, select the Device Health Attestation check box.
  7. When the wizard prompts you to add the role services and features that DHA requires (the Web Server (IIS) components), click Add Features.
  8. Click Next.
  9. On the Select features page, click Next.
  10. On the Web Server Role (IIS) page, click Next.
  11. On the Select role services page, click Next.
  12. On the Device Health Attestation Service page, click Next.
  13. On the Confirm installation selections page, click Install.
  14. When the installation is done, click Close.

Add the SSL certificate to the certificate store of the server

  1. Double-click the SSL certificate (.pfx) file to start the Certificate Import Wizard.
  2. For the store location, select Current user and then click Next. This copy is for inspection only: IIS and the DHA service read certificates from the Local Machine store, which step 8 below populates.
  3. Type the password for the private key.
  4. Ensure that the import option Include all extended properties is selected. Click Next.


  5. If a security warning about installing the certificate appears, click Yes.

  6. Confirm that the certificate is installed:

    1. Open a Command Prompt window.

    2. Type mmc and press Enter. (Viewing the Local Machine store requires an elevated, administrator session.)

    3. On the File menu, click Add/Remove Snap-in.

    4. Click Add.

    5. In the Add Standalone Snap-in dialog box, select Certificates.

    6. Click Add.

    7. In the Certificates snap-in dialog box, select My user account to see the copy imported in step 2. (If you are signed in as the service account holder, select Service account. Select Computer account to see the Local Machine store that IIS, the DHA service and the PowerShell commands later on this page use.)

    8. In the Select Computer dialog box, click Finish.

  7. Go to Server Manager > IIS, open IIS Manager for the server, and select Server Certificates from the list of icons.

  8. From the Actions pane, select Import… and import the SSL certificate (.pfx). Leave Allow this certificate to be exported selected so that the private key stays exportable. This places the certificate and its private key in the Local Machine Personal store (Cert:\LocalMachine\My), which is where the DHA service and the PowerShell commands later on this page look for it.

Retrieve and save the thumbprint of the certificate

  1. In the taskbar search box, type mmc and press Enter.
  2. In the Console Root window, click File > Add/Remove Snap-in.
  3. Select Certificates in the list of available snap-ins and click Add to move it to the selected snap-ins.
  4. Select My user account. To read the thumbprint of the copy in the Local Machine store, which is the one the PowerShell commands on this page query, select Computer account instead; that requires an elevated console.
  5. Click OK, then expand Personal > Certificates and select the certificate.
  6. Double-click the certificate and select the Details tab. Scroll down to the Thumbprint field.
  7. Copy the thumbprint to a file. Remove the spaces, and any invisible leading character that the dialog copied with it, before using the thumbprint in PowerShell commands.
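As an added example (not from the original page), the following PowerShell functions normalize a thumbprint pasted from the certificate Details tab, which typically carries spaces between byte pairs and an invisible left-to-right mark (U+200E) at the start that makes a `-eq` comparison fail silently, and then look the certificate up, warning when it exists only in the Current User store. The function names and the sample thumbprint are constructed for the example and do not refer to a real certificate.

```powershell
# Added example (not from the Citrix page): clean up a pasted thumbprint and find the cert.
function ConvertTo-CertificateThumbprint {
    param([Parameter(Mandatory)][string]$RawThumbprint)
    # Strip whitespace, ':' separators and the invisible bidirectional marks (U+200E/U+200F)
    # that copying from the certificate dialog adds; then normalize to uppercase hex.
    $clean = ($RawThumbprint -replace '[\s:\u200E\u200F]', '').ToUpperInvariant()
    if ($clean -notmatch '^[0-9A-F]{40}$') {
        throw "Not a SHA-1 thumbprint after cleanup: '$clean'"
    }
    return $clean
}

function Find-CertificateByThumbprint {
    param([Parameter(Mandatory)][string]$RawThumbprint)
    $thumb = ConvertTo-CertificateThumbprint -RawThumbprint $RawThumbprint
    # IIS and the DHA service read Cert:\LocalMachine\My. CurrentUser\My is checked only to
    # explain the common mistake of having imported the certificate into the wrong store.
    foreach ($store in @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My')) {
        $cert = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $thumb }
        if ($cert) {
            if ($store -eq 'Cert:\CurrentUser\My') {
                Write-Warning "$thumb is only in $store; re-import it into Cert:\LocalMachine\My before running the icacls and DHA commands."
            }
            return $cert
        }
    }
    throw "No certificate with thumbprint $thumb in LocalMachine\My or CurrentUser\My"
}

# Constructed sample: a thumbprint as it typically arrives from the clipboard, with a
# leading U+200E mark and spaces between byte pairs (not a real certificate).
$pasted = "$([char]0x200E)d1 6e 55 6c 2a 0b 7c 31 9d 3f 48 e0 11 a2 b7 c6 f8 90 2e 4d"
ConvertTo-CertificateThumbprint -RawThumbprint $pasted

# With a thumbprint copied from your own store:
# Find-CertificateByThumbprint -RawThumbprint '<pasted thumbprint>'
```

The sample normalizes to the 40-character uppercase form that the `Where-Object {$_.Thumbprint -like "..."}` filter in the next section expects; pasting the raw clipboard text into that filter returns nothing, and the later `icacls` call then operates on an empty key name.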

Install the signing and encryption certificates

The DHA service runs in IIS, so the IIS worker identity (IIS_IUSRS) needs read access to the private key file of each certificate. Run these PowerShell commands in an elevated session on the Windows server, once for the signing certificate and once for the encryption certificate.

Replace the placeholder ReplaceWithThumbprint with the certificate's thumbprint (with the spaces removed) and keep the double quotation marks as shown. The commands assume that the certificate was imported into the Local Machine Personal store and that its private key is held by a legacy CSP, which stores machine keys under ProgramData\Microsoft\Crypto\RSA\MachineKeys. For a key held by a CNG key storage provider, $key.PrivateKey is empty in Windows PowerShell and the key file is under ProgramData\Microsoft\Crypto\Keys instead.

# Locate the certificate in the Local Machine Personal store
$key = Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Thumbprint -like "ReplaceWithThumbprint"}

# File name of the private key container (CSP keys only)
$keyname = $key.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName

# Full path of the key file
$keypath = $env:ProgramData + "\Microsoft\Crypto\RSA\MachineKeys\" + $keyname

# Grant the IIS worker identity read access to the key file
icacls $keypath /grant IIS_IUSRS`:R
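The following PowerShell script, added as an example and not part of the original page, performs the whole server-side procedure described above (adding the role instead of using the Server Manager wizard, importing the three certificates into the Local Machine store instead of the MMC and IIS Manager steps, and granting IIS_IUSRS read access to the signing and encryption private keys) and then registers the certificates with the service. The PFX paths are placeholders; the feature name DeviceHealthAttestation and the Install-DeviceHealthAttestation cmdlet with its parameters are assumed to be those of the module shipped with the role on Windows Server 2016 and should be confirmed with Get-Help on the target build. Unlike the icacls commands above, the script also handles CNG-stored keys, for which $cert.PrivateKey is empty in Windows PowerShell.

```powershell
# Added example (not from the Citrix page): end-to-end DHA server setup.
# Assumptions: elevated Windows PowerShell 5.1 on Windows Server 2016 or later; the PFX
# paths are placeholders; feature and cmdlet names are those of the DHA role's module.
#Requires -RunAsAdministrator
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# 1. Add the role. The Web Server (IIS) components are pulled in as dependencies.
Install-WindowsFeature -Name DeviceHealthAttestation -IncludeManagementTools | Out-Null

# 2. Import the certificates into the Local Machine Personal store, where IIS and the DHA
#    service read them. -Exportable keeps the private keys exportable (prerequisite).
$pfx = @{
    Ssl        = 'C:\dha\dha-ssl.pfx'          # placeholder paths
    Signing    = 'C:\dha\dha-signing.pfx'
    Encryption = 'C:\dha\dha-encryption.pfx'
}
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$thumb = @{}
foreach ($name in $pfx.Keys) {
    $cert = Import-PfxCertificate -FilePath $pfx[$name] -CertStoreLocation Cert:\LocalMachine\My `
                                  -Password $pfxPassword -Exportable
    $thumb[$name] = $cert.Thumbprint
}

# 3. Grant the IIS worker identity read access to a certificate's private key file.
#    Legacy CSP keys live under ...\Crypto\RSA\MachineKeys, CNG keys under ...\Crypto\Keys;
#    GetRSAPrivateKey works for both, whereas $cert.PrivateKey is $null for CNG keys.
function Grant-PrivateKeyRead {
    param([Parameter(Mandatory)][string]$Thumbprint, [string]$Identity = 'IIS_IUSRS')
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $rsa  = [RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [RSACryptoServiceProvider]) {
        $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    } elseif ($rsa -is [RSACng]) {
        $keyName = $rsa.Key.UniqueName
    } else {
        throw "No usable RSA private key for $Thumbprint (is it in Cert:\LocalMachine\My with its key?)"
    }
    $candidates = @(
        (Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"),  # CSP
        (Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$keyName")              # CNG
    )
    $keyPath = $candidates | Where-Object { Test-Path -Path $_ -PathType Leaf } | Select-Object -First 1
    if (-not $keyPath) { throw "Key file for $Thumbprint not found under $env:ProgramData\Microsoft\Crypto" }
    icacls $keyPath /grant "${Identity}:R" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $keyPath" }
    icacls $keyPath   # print the resulting ACL so the grant can be verified
}
Grant-PrivateKeyRead -Thumbprint $thumb.Signing
Grant-PrivateKeyRead -Thumbprint $thumb.Encryption

# 4. Register the certificates with the service. 'EkCertificate' selects the offline EKCert
#    mode; 'AikCertificate' selects the Internet-connected AIKCert mode.
Install-DeviceHealthAttestation -EncryptionCertificateThumbprint $thumb.Encryption `
    -SigningCertificateThumbprint $thumb.Signing `
    -SslCertificateStoreName My -SslCertificateThumbprint $thumb.Ssl `
    -SupportedAuthenticationSchema 'EkCertificate'
```

Step 3 is the part worth keeping even if the rest is done through the wizards: it is the step the page's own icacls command performs, but it resolves the key file for both provider types and fails loudly instead of granting access on an empty path.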
