Today, Intune uses the Windows Device Health Attestation (DHA) service for Windows 10/11 Compliance policy - Device Health settings. Device health attestation is a reporting service used to ensure a device boots to a trusted state. Starting in mid-August 2023 we’ll slowly be rolling out support for Microsoft Azure Attestation (MAA) service for Windows 11 devices. Learn more about Windows 11 device health attestation: HealthAttestation CSP - Windows Client Management | Microsoft Learn.
Note that Windows 10 devices and GCC High/DoD environments will continue to use DHA and are not impacted by this change.
How does this affect me?
If you set any of the Windows 10/11 Compliance policy - Device Health settings, Windows 11 devices will begin to use an MAA attestation provider based on your Intune tenant location. You may need to ensure there are no firewall policies preventing access to the new Intune MAA attestation providers for Windows 11. Windows 11 devices with assigned compliance policies using any of the device health settings will fall out of compliance if they are unable to reach the MAA attestation endpoints for their location.
Note: Windows 10 devices will continue to use the existing DHA endpoint – “has.spserv.microsoft.com” for device health attestation reporting.
What do I need to do?
Check your network to ensure there are no firewall rules blocking outbound HTTPS/443 traffic to the endpoints listed below for your Intune tenant’s location. To find your tenant location, navigate to the Microsoft Intune admin center > Tenant administration > Tenant status > Tenant details and see Tenant location.
North America based locations:
https://intunemaape1.eus.attest.azure.net
https://intunemaape2.eus2.attest.azure.net
https://intunemaape3.cus.attest.azure.net
https://intunemaape4.wus.attest.azure.net
https://intunemaape5.scus.attest.azure.net
https://intunemaape6.ncus.attest.azure.net
Europe based locations:
https://intunemaape7.neu.attest.azure.net
https://intunemaape8.neu.attest.azure.net
https://intunemaape9.neu.attest.azure.net
https://intunemaape10.weu.attest.azure.net
https://intunemaape11.weu.attest.azure.net
https://intunemaape12.weu.attest.azure.net
Asia Pacific locations:
https://intunemaape13.jpe.attest.azure.net
https://intunemaape17.jpe.attest.azure.net
https://intunemaape18.jpe.attest.azure.net
https://intunemaape19.jpe.attest.azure.net
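The network check described above can be scripted. The following PowerShell script is an added example, not Microsoft tooling or part of the original post; the region labels, the `$Region` parameter and the 5-second timeout are assumptions chosen for illustration, and the hostnames are the ones listed in this post.

```powershell
# Added example: test DNS, TCP/443 and TLS to the MAA endpoints listed in this post.
param(
    [ValidateSet('NorthAmerica', 'Europe', 'AsiaPacific')]  # hypothetical region labels
    [string]$Region = 'NorthAmerica'
)

# Host prefixes copied from the endpoint lists above, grouped by tenant location.
$maa = @{
    NorthAmerica = @('intunemaape1.eus', 'intunemaape2.eus2', 'intunemaape3.cus',
                     'intunemaape4.wus', 'intunemaape5.scus', 'intunemaape6.ncus')
    Europe       = @('intunemaape7.neu', 'intunemaape8.neu', 'intunemaape9.neu',
                     'intunemaape10.weu', 'intunemaape11.weu', 'intunemaape12.weu')
    AsiaPacific  = @('intunemaape13.jpe', 'intunemaape17.jpe', 'intunemaape18.jpe',
                     'intunemaape19.jpe')
}

$results = foreach ($name in $maa[$Region]) {
    $target = "$($name).attest.azure.net"
    $row = [ordered]@{ Endpoint = $target; Dns = $false; Tcp443 = $false
                       Tls = $false; Issuer = ''; Error = '' }
    $client = $null
    try {
        [void][System.Net.Dns]::GetHostAddresses($target)   # throws if the name does not resolve
        $row.Dns = $true
        $client = [System.Net.Sockets.TcpClient]::new()
        if (-not $client.ConnectAsync($target, 443).Wait(5000)) { throw 'TCP connect timed out' }
        $row.Tcp443 = $true
        # Handshake with default validation: fails if the chain is not trusted on this device.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($target)
        $row.Tls = $true
        $row.Issuer = $ssl.RemoteCertificate.Issuer         # who signed the certificate presented
        $ssl.Dispose()
    } catch {
        $row.Error = $_.Exception.GetBaseException().Message
    } finally {
        if ($client) { $client.Dispose() }
    }
    [pscustomobject]$row
}

$results | Format-Table -AutoSize
$blocked = @($results | Where-Object { -not $_.Tls })
if ($blocked.Count) { Write-Warning "$($blocked.Count) endpoint(s) not reachable over HTTPS/443" }
```

Save it as a .ps1 file and run it from a Windows 11 device on the same network path your managed devices use. A row where Dns or Tcp443 is false points at name filtering or a firewall rule, while a row where only Tls is false means the connection opened but the HTTPS handshake did not complete.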
Stay tuned to What’s new in Intune for the release; we’ll update this blog when it’s rolled out to all customers! Let us know if you have any questions by leaving a comment below or reaching out to us on Twitter @IntuneSuppTeam.