What is TPM attestation and should we enable it in Intune?
TPM attestation is the check, backed by the laptop's TPM chip, that a device is actually the device it claims to be and that it booted in a healthy state, rather than a virtual machine or a compromised device with a spoofed identifier. For SMBs running Intune and Conditional Access it is an extra layer that comes with the licence you already pay for.
Try this first
1. Check in Intune that devices have TPM 2.0: open the device under Devices, look at Hardware, or pull a device health report. Windows 11 already requires TPM 2.0; Windows 10 business laptops from 2018 onwards usually have it too.
2. Enable Health Attestation in Intune under Compliance policies, Windows 10/11. Requirements: BitLocker on, Secure Boot on, Code integrity on. A device that fails to report any one of these falls out of compliance. The attestation data is gathered at boot, so after changing any of these settings restart the device and sync it before judging the result.
3. Tie the Compliance policy to a Conditional Access policy: Require device to be marked as compliant. From then on, a laptop without a healthy TPM cannot reach the Microsoft 365 apps that policy covers. Start the Conditional Access policy in report-only mode and exclude your emergency access (break-glass) admin account before switching it on.
4. Test on your own laptop before broad rollout. A legitimate laptop with an odd driver stack (for example an unsigned driver tripping code integrity) can fail unexpectedly; better to find that yourself than via a flood of tickets.
5. For BYOD: TPM attestation requires MDM enrolment, which clashes with BYOD-without-MDM. There you choose between MAM-only (app protection policies) and an extra MFA layer, not TPM.
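For step 4, the following PowerShell script is an added example (not part of the original page and not an Intune tool) that a technician can run in an elevated session on a test laptop. It reads the same Windows sources the Health Attestation rules draw on: TPM presence and spec version, Secure Boot, BitLocker protection on the OS drive, and whether the device is Azure AD joined and MDM enrolled. Assumption to note: the code integrity line reads the Device Guard WMI class for HVCI, which is a local approximation of what the attestation report calls code integrity, not the value Intune itself sees. The function name is this example's own.

```powershell
# Added example: local pre-flight check for the Intune Health Attestation rules
# (BitLocker, Secure Boot, code integrity) plus TPM 2.0 and enrolment state.
# Run in an elevated PowerShell session on a test laptop before rolling the
# compliance policy out. It does not replicate the DHA report itself.

#Requires -RunAsAdministrator

function Test-TpmAttestationPrereqs {
    [CmdletBinding()]
    param(
        [string]$OsDrive = $env:SystemDrive
    )

    $result = [ordered]@{}

    # TPM present, ready and spec 2.0 (Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38")
    try {
        $tpm    = Get-Tpm -ErrorAction Stop
        $wmiTpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction Stop
        $specMajor = ($wmiTpm.SpecVersion -split ',')[0].Trim()
        $result['TPM 2.0 present and ready'] = [bool]($tpm.TpmPresent -and $tpm.TpmReady -and ($specMajor -eq '2.0'))
        $result['TPM spec version']          = $wmiTpm.SpecVersion
    } catch {
        $result['TPM 2.0 present and ready'] = $false
        $result['TPM spec version']          = "unknown ($($_.Exception.Message))"
    }

    # Secure Boot: the cmdlet throws on legacy BIOS / CSM machines, which also fail attestation
    try {
        $result['Secure Boot enabled'] = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch {
        $result['Secure Boot enabled'] = $false
    }

    # BitLocker on the OS volume: the compliance rule wants protection On, not merely "encrypted"
    try {
        $vol = Get-BitLockerVolume -MountPoint $OsDrive -ErrorAction Stop
        $result['BitLocker protection on (OS drive)'] = ($vol.ProtectionStatus -eq 'On')
        $result['BitLocker volume status']           = "$($vol.VolumeStatus), $($vol.EncryptionPercentage)%"
    } catch {
        $result['BitLocker protection on (OS drive)'] = $false
        $result['BitLocker volume status']           = "unknown ($($_.Exception.Message))"
    }

    # Code integrity (assumption, see lead-in): value 2 in SecurityServicesRunning means
    # hypervisor-enforced code integrity (HVCI) is running. Treat as a local approximation.
    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction Stop
        $result['HVCI running (code integrity approximation)'] = [bool]($dg.SecurityServicesRunning -contains 2)
    } catch {
        $result['HVCI running (code integrity approximation)'] = $false
    }

    # Enrolment: Health Attestation only applies to a device that is Azure AD joined
    # (native or hybrid) and MDM enrolled; dsregcmd shows both.
    $dsreg = dsregcmd /status 2>$null
    $result['Azure AD joined']                   = [bool]($dsreg -match 'AzureAdJoined\s*:\s*YES')
    $result['MDM enrolled (MdmUrl present)']     = [bool]($dsreg -match 'MdmUrl\s*:\s*\S+')

    [pscustomobject]$result
}

# Usage: any $false here is a line that will show up as "not compliant" after the next Intune sync
Test-TpmAttestationPrereqs | Format-List
```

Run it once before and once after fixing a setting; because attestation data is gathered at boot, restart the laptop and trigger a sync from Company Portal before comparing against the device's compliance status in Intune.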
When to bring us in
If you use virtual Windows desktops (AVD, Windows 365), confirm that the images expose a virtual TPM and Secure Boot and that those hosts actually pass the same compliance policy. Some older images fail TPM attestation and lock users out without you noticing.
See also
- I think I clicked a phishing link: No shame, happens to everyone. The next fifteen minutes matter.
- A colleague's account is acting strangely: Sending mail in their name, rules hiding folders, unusual sign-ins. Suspicious.
- Lost the MFA app: new phone, no backup codes: Classic problem after a phone upgrade. You are not the first to be locked out.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.