设备运行状况证明Device Health Attestation

适用于:Windows Server 2016Applies To: Windows Server 2016

设备运行状况证明 (DHA) 在 Windows 10 版本 1507 中引入,它包括以下方面:Introduced in Windows 10, version 1507, Device Health Attestation (DHA) included the following:

  • 根据开放移动联盟 (OMA) 标准与 Windows 10 移动设备管理 (MDM) 框架集成。Integrates with Windows 10 Mobile Device Management (MDM) framework in alignment with Open Mobile Alliance (OMA) standards.

  • 支持装有设置为固件或离散格式的受信任模块平台 (TPM) 的设备。Supports devices that have a Trusted Module Platform (TPM) provisioned in a firmware or discrete format.

  • 使企业能够将组织的安全栏提升到受监视和已证明安全的硬件,对操作成本只有极小影响或无影响。Enables enterprises to raise the security bar of their organization to hardware monitored and attested security, with minimal or no impact on operation cost.

从 Windows Server 2016 开始,现在可以运行 DHA 服务作为组织内的服务器角色。Starting with Windows Server 2016, you can now run the DHA service as a server role within your organization. 使用本主题以了解如何安装和配置设备运行状况证明服务器角色。Use this topic to learn how to install and configure the Device Health Attestation server role.


可以使用 DHA 来评估设备运行状况:You can use DHA to assess device health for:

  • 支持 TPM 1.2 或 2.0 的 Windows 10 和 Windows 10 移动设备。Windows 10 and Windows 10 Mobile devices that support TPM 1.2 or 2.0.
  • 通过使用可访问 Internet 的 Active Directory 来管理的本地设备、通过使用无法访问 Internet 的 Active Directory 来管理的设备、通过 Azure Active Directory 管理的设备,或同时使用 Active Directory 和 Azure Active Directory 的混合部署。On-premises devices that are managed by using Active Directory with Internet access, devices that are managed by using Active Directory without Internet access, devices managed by Azure Active Directory , or a hybrid deployment using both Active Directory and Azure Active Directory.

DHA 服务DHA service

DHA 服务为设备验证 TPM 和 PCR 日志,然后发布 DHA 报表。The DHA service validates the TPM and PCR logs for a device and then issues a DHA report. Microsoft 以下面三种方式提供 DHA 服务:Microsoft offers the DHA service in three ways:

  • DHA 云服务 Microsoft 管理的 DHA 是免费的地域负载平衡服务,并对来自世界不同地区的访问进行了优化。DHA cloud service A Microsoft-managed DHA service that is free, geo-load-balanced, and optimized for access from different regions of the world.

  • DHA 本地服务在 Windows Server 2016 中引入的新的服务器角色。DHA on-premises service A new server role introduced in Windows Server 2016. 具有 Windows Server 2016 许可证的客户可免费使用。It's available for free to customers that have a Windows Server 2016 license.

  • DHA Azure 云服务 Microsoft Azure 中的虚拟主机。DHA Azure cloud service A virtual host in Microsoft Azure. 若要执行此操作,需要为 DHA 本地服务提供虚拟主机和许可证。To do this, you need a virtual host and licenses for the DHA on-premises service.

DHA 服务与 MDM 解决方案相集成,并提供以下功能:The DHA service integrates with MDM solutions and provides the following:

  • 将其从设备收到的信息(通过现有的设备管理通信渠道)与 DHA 报表相组合Combine the info they receive from devices (through existing device management communication channels) with the DHA report
  • 基于已证明的硬件和受保护的数据,作出更安全且更受信任的安全决策Make a more secure and trusted security decision, based on hardware attested and protected data

以下示例演示了如何使用 DHA 来帮助提升组织资产的安全保护栏。Here's an example that shows how you can use DHA to help raise the security protection bar for your organization's assets.

  1. 创建一个策略来检查以下引导配置/特性:You create a policy that checks the following boot configuration/attributes:
    • 安全启动Secure Boot
    • BitLockerBitLocker
  2. MDM 解决方案强制实施此策略,并触发基于 DHA 报表数据的纠正操作。The MDM solution enforces this policy and triggers a corrective action based on the DHA report data. 例如,它可以验证以下方面:For example, it could verify the following:
    • 安全启动已启用,设备加载了可靠的受信任代码,且 Windows 启动加载器未被篡改。Secure Boot was enabled, the device loaded trusted code that is authentic, and the Windows boot loader was not tampered with.
    • 受信任的引导已成功验证 Windows 内核以及设备启动时加载的组件的数字签名。Trusted Boot successfully verified the digital signature of the Windows kernel and the components that were loaded while the device started.
    • 标准引导创建了可远程验证的受 TPM 保护的审核线索。Measured Boot created a TPM-protected audit trail that could be verified remotely.
    • BitLocker 已启用,当设备关闭时它可以保护数据。BitLocker was enabled and that it protected the data when the device was turned off.
    • ELAM 在早期启动阶段已启用,并且正在监视运行时。ELAM was enabled at early boot stages and is monitoring the runtime.

DHA 云服务DHA cloud service

DHA 云服务提供以下功能:The DHA cloud service provides the following benefits:

  • 查看从注册了 MDM 解决方案的设备接收的 TCG 和PCR 设备引导日志。Reviews the TCG and PCR device boot logs it receives from a device that is enrolled with an MDM solution.
  • 创建一个能够抵御篡改和防篡改的报表(DHA 报表),用于描述设备基于由设备 TPM 芯片收集和保护的数据的启动方式。Creates a tamper resistant and tamper evident report (DHA report) that describes how the device started based on data that is collected and protected by a device's TPM chip.
  • 在受保护的通信通道中,将 DHA 报表传递到请求报表的 MDM 服务器。Delivers the DHA report to the MDM server that requested the report in a protected communication channel.

DHA 本地服务DHA on-premises service

DHA 本地服务提供由 DHA 云服务提供的所有功能。The DHA on-premises service offer all the capabilities that are offered by DHA cloud service. 它还使客户能够:It also enables customers to:

  • 通过运行自己数据中心的 DHA 服务来优化性能Optimize performance by running DHA service in your own data center
  • 确保 DHA 报表未离开网络Ensure that the DHA report does not leave your network

DHA Azure 云服务DHA Azure cloud service

此服务提供与 DHA 本地服务相同的功能,除非 DHA Azure 云服务在 Microsoft Azure 中作为虚拟主机运行。This service provides the same functionality as the DHA on-premises service, except that the DHA Azure cloud service runs as a virtual host in Microsoft Azure.

DHA 验证模式DHA validation modes

可以设置 DHA 本地服务以在 EKCert 或 AIKCert 验证模式下运行。You can set up the DHA on-premises service to run in either EKCert or AIKCert validation mode. 当 DHA 服务发布一个报表时,它会指示是在 AIKCert 还是 EKCert 验证模式中发布。When the DHA service issues a report, it indicates if it was issued in AIKCert or EKCert validation mode. AIKCert 和 EKCert 验证模式提供相同的安全保证,前提是 EKCert 信任链保持最新。AIKCert and EKCert validation modes offer the same security assurance as long as the EKCert chain of trust is kept up-to-date.

EKCert 验证模式EKCert validation mode

在未连接到 Internet 的组织中对设备进行 EKCert 验证模式优化。EKCert validation mode is optimized for devices in organizations that are not connected to the Internet. 连接到在 EKCert 验证模式下运行的 DHA 服务的设备能直接访问 Internet。Devices connecting to a DHA service running in EKCert validation mode do not have direct access to the Internet.

当 DHA 在 EKCert 验证模式下运行时,它依赖于企业管理的需要不定期更新(每年大约 5-10 次)的信任链。When DHA is running in EKCert validation mode, it relies on an enterprise managed chain of trust that needs to updated occasionally (approximately 5 - 10 times per year).

Microsoft 在 .cab 存档可公开访问的存档中为已批准的 TPM 制造商发布受信任的根和中间 CA 聚合包(如果可用)。Microsoft publishes aggregated packages of trusted Roots and intermediate CA's for approved TPM manufacturers (as they become available) in a publicly accessible archive in .cab archive. 需要下载源,验证其完整性,并将其安装在运行设备运行状况证明的服务器上。You need to download the feed, validate its integrity, and install it on the server running Device Health Attestation.

示例存档是https://go.microsoft.com/fwlink/?linkid=2097925An example archive is https://go.microsoft.com/fwlink/?linkid=2097925.

AIKCert 验证模式AIKCert validation mode

AIKCert 验证模式为有权访问 Internet 的运行环境进行了优化。AIKCert Validation Mode is optimized for operational environments that do have access to the Internet. 连接到在 AIKCert 验证模式下运行的 DHA 服务的设备必须具有直接访问 Internet 的权限,并且可以从 Microsoft 获得 AIK 证书。Devices connecting to a DHA service running in AIKCert validation mode must have direct access to the Internet and are able to get an AIK certificate from Microsoft.

在 Windows Server 2016 上安装和配置 DHA 服务Install and configure the DHA service on Windows Server 2016

使用下列部分,在 Windows Server 2016 上安装和配置 DHA。Use the following sections to get DHA installed and configured on Windows Server 2016.


为了设置和验证 DHA 本地服务,需要:In order to set up and verify a DHA on-premises service, you need:

  • 运行 Windows Server 2016 的服务器。A server running Windows Server 2016.
  • 带有在清除/就绪状态运行最新 Windows Insider 内部版本的 TPM(1.2 或 2.0)的一个(或多个) Windows 10 客户端设备。One (or more) Windows 10 client devices with a TPM (either 1.2 or 2.0) that is in a clear/ready state running the latest Windows Insider build.
  • 确定是要在 EKCert 还是在 AIKCert 验证模式下运行。Decide if you are going to run in EKCert or AIKCert validation mode.
  • 以下证书:The following certificates:
    • DHA SSL 证书链接到企业信任的根的 x.509 SSL 证书,具有可导出的私钥。DHA SSL certificate An x.509 SSL certificate that chains to an enterprise trusted root with an exportable private key. 此证书保护传输中的 DHA 数据通信,包括服务器到服务器(DHA 服务和 MDM 服务器)和服务器到客户端(DHA 服务和 Windows 10 设备)的通信。This certificate protects DHA data communications in transit including server to server (DHA service and MDM server) and server to client (DHA service and a Windows 10 device) communications.
    • DHA 签名证书链接到企业信任的根的 x.509 证书,具有可导出的私钥。DHA signing certificate An x.509 certificate that chains to an enterprise trusted root with an exportable private key. DHA 服务使用此证书进行数字签名。The DHA service uses this certificate for digital signing.
    • DHA 加密证书链接到企业信任的根的 x.509 证书,具有可导出的私钥。DHA encryption certificate An x.509 certificate that chains to an enterprise trusted root with an exportable private key. DHA 服务还使用此证书进行加密。The DHA service also uses this certificate for encryption.

安装 Windows Server 2016Install Windows Server 2016

使用首选的安装方法来安装 Windows Server 2016,如 Windows 部署服务,或从可启动的媒体、USB 驱动器或本地文件系统中运行安装程序。Install Windows Server 2016 using your preferred installation method, such as Windows Deployment Services, or running the installer from bootable media, a USB drive, or the local file system. 如果是首次配置 DHA 本地服务,应使用桌面体验安装选项安装 Windows Server 2016。If this is the first time you are configuring the DHA on-premises service, you should install Windows Server 2016 using the Desktop Experience installation option.

添加设备运行状况证明服务器角色Add the Device Health Attestation server role

可以使用服务器管理器安装设备运行状况证明服务器角色及其依赖项。You can install the Device Health Attestation server role and its dependencies by using Server Manager.

在安装 Windows Server 2016 后,设备会重新启动,并打开服务器管理器。After you've installed Windows Server 2016, the device restarts and opens Server Manager. 如果服务器管理器未自动启动,单击“开始”,然后单击“服务器管理器”。If Server manager doesn't start automatically, click Start, and then click Server Manager.

  1. 单击“添加角色和功能”。Click Add roles and features.
  2. 在“开始之前” 页上,单击“下一步” 。On the Before you begin page, click Next.
  3. “选择安装类型” 页面上,单击 “基于角色或基于功能的安装” ,然后单击 “下一步”On the Select installation type page, click Role-based or feature-based installation, and then click Next.
  4. 选择目标服务器页上,单击“从服务器池中选择服务器”,选择服务器,然后单击“下一步”。On the Select destination server page, click Select a server from the server pool, select the server, and then click Next.
  5. 选择服务器角色页上,选择“设备运行状况证明”复选框。On the Select server roles page, select the Device Health Attestation check box.
  6. 单击“添加功能”来安装其他所需的角色服务和功能。Click Add Features to install other required role services and features.
  7. 单击“下一步” 。Click Next.
  8. 在“选择功能”页上,单击“下一步”。On the Select features page, click Next.
  9. 在“Web 服务器角色 (IIS)” 页面上,单击“下一步” 。On the Web Server Role (IIS) page, click Next.
  10. 选择角色服务页上,单击“下一步”。On the Select role services page, click Next.
  11. 设备运行状况证明服务页上,单击“下一步”。On the Device Health Attestation Service page, click Next.
  12. “确认安装选择” 页上,单击 “安装”On the Confirm installation selections page, click Install.
  13. 安装完成后,单击“关闭”。When the installation is done, click Close.

安装签名和加密证书Install the signing and encryption certificates

使用以下 Windows PowerShell 脚本来安装签名和加密证书。Using the following Windows PowerShell script to install the signing and encryption certificates. 有关指纹的详细信息, 请参阅如何:检索证书的指纹。For more information about the thumbprint, see How to: Retrieve the Thumbprint of a Certificate.

$key = Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Thumbprint -like "<thumbprint>"}
$keyname = $key.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keypath = $env:ProgramData + "\Microsoft\Crypto\RSA\MachineKeys\" + $keyname
icacls $keypath /grant <username>`:R
#<thumbprint>: Certificate thumbprint for encryption certificate or signing certificate
#<username>: Username for web service app pool, by default IIS_IUSRS

安装受信任的 TPM 根证书包Install the trusted TPM roots certificate package

若要安装受信任的 TPM 根证书包,必须将其提取,删除任何组织不信任的信任链,然后运行 setup.cmd。To install the trusted TPM roots certificate package, you must extract it, remove any trusted chains that are not trusted by your organization, and then run setup.cmd.

下载受信任的 TPM 根证书包Download the trusted TPM roots certificate package

在安装证书包之前, 您可以从https://go.microsoft.com/fwlink/?linkid=2097925下载最新的受信任的 TPM 根列表。Before you install the certificate package, you can download the latest list of trusted TPM roots from https://go.microsoft.com/fwlink/?linkid=2097925.

重要说明: 安装包之前, 请验证它是否已由 Microsoft 进行数字签名。Important: Before installing the package, verify that it is digitally signed by Microsoft.

提取受信任的证书包Extract the trusted certificate package

通过运行以下命令提取受信任的证书包。Extract the trusted certificate package by running the following commands.

mkdir .\TrustedTpm
expand -F:* .\TrustedTpm.cab .\TrustedTpm

为 TPM 供应商删除组织信任的信任链(可选)Remove the trust chains for TPM vendors that are not trusted by your organization (Optional)

为任何 TPM 供应商信任链删除组织不信任的文件夹。Delete the folders for any TPM vendor trust chains that are not trusted by your organization.

注意: 如果使用 AIK 证书模式, 则需要 Microsoft 文件夹来验证 Microsoft 颁发的 AIK 证书。Note: If using AIK Certificate mode, the Microsoft folder is required to validate Microsoft issued AIK certificates.

安装受信任的证书包Install the trusted certificate package

通过从 .cab 文件运行安装程序脚本来安装受信任的证书包。Install the trusted certificate package by running the setup script from the .cab file.


配置设备运行状况证明服务Configure the Device Health Attestation service

可以使用 Windows PowerShell 来配置 DHA 本地服务。You can use Windows PowerShell to configure the DHA on-premises service.

Install-DeviceHealthAttestation -EncryptionCertificateThumbprint <encryption> -SigningCertificateThumbprint <signing> -SslCertificateStoreName My -SslCertificateThumbprint <ssl> -SupportedAuthenticationSchema "<schema>"

#<encryption>: Thumbprint of the encryption certificate
#<signing>: Thumbprint of the signing certificate
#<ssl>: Thumbprint of the SSL certificate
#<schema>: Comma-delimited list of supported schemas including AikCertificate, EkCertificate, and AikPub

配置证书链策略Configure the certificate chain policy

通过运行以下 Windows PowerShell 脚本来配置证书链策略。Configure the certificate chain policy by running the following Windows PowerShell script.

$policy = Get-DHASCertificateChainPolicy
$policy.RevocationMode = "NoCheck"
Set-DHASCertificateChainPolicy -CertificateChainPolicy $policy

DHA 管理命令DHA management commands

以下是一些可以帮助管理 DHA 服务的 Windows PowerShell 示例。Here are some Windows PowerShell examples that can help you manage the DHA service.

首次配置 DHA 服务Configure the DHA service for the first time

Install-DeviceHealthAttestation -SigningCertificateThumbprint "<HEX>" -EncryptionCertificateThumbprint "<HEX>" -SslCertificateThumbprint "<HEX>" -Force

删除 DHA 服务配置Remove the DHA service configuration

Uninstall-DeviceHealthAttestation -RemoveSslBinding -Force

获取活动签名证书Get the active signing certificate


设置活动签名证书Set the active signing certificate

Set-DHASActiveSigningCertificate -Thumbprint "<hex>" -Force

注意: 此证书必须部署在LocalMachine\My证书存储中运行 DHA 服务的服务器上。Note: This certificate must be deployed on the server running the DHA service in the LocalMachine\My certificate store. 当设置活动签名证书时,现有的活动签名证书会移动到非活动的签名证书列表。When the active signing certificate is set, the existing active signing certificate is moved to the list of inactive signing certificates.

列出非活动签名证书List the inactive signing certificates


删除所有非活动签名证书Remove any inactive signing certificates

Remove-DHASInactiveSigningCertificates -Force
Remove-DHASInactiveSigningCertificates  -Thumbprint "<hex>" -Force

注意: 服务中每次只能存在一个不活动的证书 (属于任何类型)。Note: Only one inactive certificate (of any type) may exist in the service at any time. 一旦不再需要,证书应从非活动证书列表中删除。Certificates should be removed from the list of inactive certificates once they are no longer required.

获取活动加密证书Get the active encryption certificate


设置活动加密证书Set the active encryption certificate

Set-DHASActiveEncryptionCertificate -Thumbprint "<hex>" -Force

此证书必须在 LocalMachine\My 证书存储中的设备上部署。The certificate must be deployed on the device in the LocalMachine\My certificate store.

当设置活动加密证书时,现有的活动加密证书会移动到非活动的加密证书列表。When the active encryption certificate is set, the existing active encryption certificate is moved to the list of inactive encryption certificates.

列出非活动加密证书List the inactive encryption certificates


删除任何非活动加密证书Remove any inactive encryption certificates

Remove-DHASInactiveEncryptionCertificates -Force
Remove-DHASInactiveEncryptionCertificates -Thumbprint "<hex>" -Force 

获取 X509ChainPolicy 配置Get the X509ChainPolicy configuration


更改 X509ChainPolicy 配置Change the X509ChainPolicy configuration

$certificateChainPolicy = Get-DHASInactiveEncryptionCertificates
$certificateChainPolicy.RevocationFlag = <X509RevocationFlag>
$certificateChainPolicy.RevocationMode = <X509RevocationMode>
$certificateChainPolicy.VerificationFlags = <X509VerificationFlags>
$certificateChainPolicy.UrlRetrievalTimeout = <TimeSpan>
Set-DHASCertificateChainPolicy = $certificateChainPolicy

DHA 服务报表DHA service reporting

以下是由 DHA 服务向 MDM 解决方案报告的消息列表:The following are a list of messages that are reported by the DHA service to the MDM solution:

  • 200 HTTP 正常。200 HTTP OK. 证书已返回。The certificate is returned.
  • 400 请求无效。400 Bad request. 请求格式无效,运行状况证书无效,证书签名不匹配,运行状况证明 Blob 无效,或运行状况状态 Blob 无效。Invalid request format, invalid health certificate, certificate signature does not match, invalid Health Attestation Blob, or an invalid Health Status Blob. 响应还包含一条消息,如响应架构所述,有可用于诊断的错误代码和错误消息。The response also contains a message, as described by the response schema, with an error code and an error message that can be used for diagnostics.
  • 500 内部服务器错误。500 Internal server error. 如果出现阻止该服务颁发证书的问题,它也可能发生。This can happen if there are issues that prevent the service from issuing certificates.
  • 503 限制拒绝请求以防止服务器过载。503 Throttling is rejecting requests to prevent server overloading.