Home
Using the Console
This section provides information about using the SOTI MobiControl console to perform the various management tasks.
Monitoring Devices
Using Microsoft Health Attestation Reports
The Health Attestation feature provides administrators with the security health overview of their Windows Modern devices. This involves capturing several security measurements during boot time and protecting the reported data in the device's Trusted Platform Module (TPM). The boot measurements are then forwarded to the Health Attestation Service (HAS) to confirm the reported measurement’s authenticity and integrity. If a device report fails to meet the enterprise security compliance criteria, administrators can take preventative actions. They can perform actions such as unenrolling the device or removing its Virtual Private Network (VPN) configurations.
Security Parameters

Welcome to SOTI MobiControl 2025.1 Help
SOTI MobiControl is an enterprise mobility management solution designed to help you efficiently manage your organization's devices. Use the SOTI MobiControl Help Center to explore its full range of features.
What's New in SOTI MobiControl
Setting Up SOTI MobiControl
This section provides instructions for installing, activating, and upgrading SOTI MobiControl instances.
Using the Console
This section provides information about using the SOTI MobiControl console to perform the various management tasks.
- About the SOTI MobiControl Console
- Managing Users
- Managing Devices
- Managing Configurations
- Managing Applications
- Managing Data
- Monitoring Devices
  - Using Data Collection Policies
  - Using Telecom Expense Management Policies
  - Restricting Device Usage While Roaming
  - Using Location Services
  - Using Custom Data
  - Using Email (SMTP) Notifications
  - Using Microsoft Health Attestation Reports
    The Health Attestation feature provides administrators with the security health overview of their Windows Modern devices. This involves capturing several security measurements during boot time and protecting the reported data in the device's Trusted Platform Module (TPM). The boot measurements are then forwarded to the Health Attestation Service (HAS) to confirm the reported measurement’s authenticity and integrity. If a device report fails to meet the enterprise security compliance criteria, administrators can take preventative actions. They can perform actions such as unenrolling the device or removing its Virtual Private Network (VPN) configurations.
    - Using Health Policies
    - Security Parameters
    - Searchable Health Attestation Properties
      Use SOTI Search to find devices with specific Health Attestation properties by creating search queries based on the following health properties. See console/start/search_bar_advanced.html for task details.
  - Using Windows Defender Advanced Threat Protection
  - Using Device Notes
  - Securing Devices
  - Checking Battery Health on Panasonic Devices
- Troubleshooting Device Issues
- Generating Reports
- Managing System Settings
- Other Features
- SOTI MobiControl Console Reference
System Health
View vital system stats in a variety of interactive, up-to-date charts and tables.
SOTI MobiControl Administration
This section provides information about how to perform various administrative tasks related to SOTI MobiControl. These tasks include monitoring your SOTI MobiControl system, changing deployment settings, integrating SOTI MobiControl with third-party applications, and performing various modifications that extend SOTI MobiControl beyond its standard configuration.
Using Package Studio
This section provides information about how to use SOTI MobiControl Package Studio to create data packages for devices.
Using Script Commands
Send scripts and execute commands on your devices with SOTI MobiControl. Script commands are supported on the following platforms:
Using SOTI MobiControl Stage
This section provides information about how to use SOTI MobiControl Stage to quickly and easily enroll devices.
Cloud Link Agent
Glossary
Notices

Security Parameters

SOTI checks the following parameters for compliance by the Microsoft Health Attestation Reports.

Tip: Search for devices with specific Health Attestation properties to triage them as required. See Searchable Health Attestation Properties.


Parameter	Description	Compliant Status
Attestation Identity Key (AIK)	Indicates that the device has an endorsement key certificate.	Present on device
Bitlocker Status	Protects data on the device drive from unauthorized access.	Enabled
Boot debug is disabled	Indicates a device used for development and testing, which is typically less secure.	Disabled
Boot Manager Version	Indicates the version of the Boot Manager and facilitates tracking of the security of the boot sequence and environment.	Running latest version
Code Integrity	Restricts code execution to integrity verified code.	Enabled
Code Integrity Version	Helps in ensuring usage of latest code for performing integrity checks during the boot sequence	Running latest version
Data Execution Prevention	Data Execution Prevention policy defines a set of hardware and software technologies that perform further checks on memory to help prevent malicious code from running on a system.	Enabled
Early launch anti-malware	Protect computers in your network when they start up and before third-party drivers initialize.	Enabled
OS Kernel Debugging	Indicates a device used for development and testing, which is typically less secure.	Disabled
Platform Configuration Register[0]	Represents a consistent view of the Host Platform between boot cycles.	Is not present on the device (default policy is in place) or Is present on device and is using a whitelisted value
Safe Mode	Starts your computer in a limited state.	Disabled
Secure Boot	Forces system to boot to a factory trusted state.	Enabled
Test Signing	Does not enforce signature validation during boot and enables unsigned drivers to load.	Disabled
Virtual Secure Mode	A container that protects high value assets from a compromised kernel.	Enabled
Windows Pre-Installation Environment	Minimal operating system with limited services used to prepare a computer for Windows installation, to copy disk images from a network file server, and to start Windows Setup.	Disabled