Boost security with Microsoft Intune device attestation

This post has been republished via RSS; it originally appeared at Microsoft Tech Community - Latest Blogs.

Helping IT teams provide more secure and productive endpoints requires continuous innovation. Bad actors search for new ways to compromise systems while business users want to be free to work with either personal or corporate-owned devices. The Microsoft Intune team works hard to help endpoint administrators do their part to help secure data and devices.

One common way attackers gain access to networks is through supply-chain attacks that impersonate authorized devices or install malicious code on devices at the hardware level, below the reach of anti-virus and anti-malware software. To help protect against these kinds of threats, you can use Microsoft Intune to enable hardware-backed device attestation on many common device platforms. These checks run locally on the device itself, without requiring an external attestation service, and prove that the device is genuine and hasn't been tampered with. The result is then passed into risk evaluation systems, which can help you ensure that company resources are accessed only by devices proven to be uncompromised.

Supported Samsung Galaxy devices

In August 2023, in collaboration with Samsung, we rolled out an on-device attestation solution for enterprises. Samsung hardware-backed device attestation proves in real time that devices are genuine and not compromised. This attestation is then used to grant access to company resources and may also be used to remove company data from non-compliant devices. For more details, see which devices are supported and read Hardware-backed device attestation powers mobile workers.

Screenshot showing how to set a policy for specific device conditions in the Microsoft Intune admin center that warns the IT administrator if a Samsung Knox device does not pass attestation.

Screenshot of a user's mobile device with a notification that their organization is now removing its data associated with an app because the device did not pass Samsung Knox device attestation.

What is Windows device enrollment attestation?

Windows device enrollment attestation, which will be available in the coming weeks, requires a device to be hardware-attested so that you can verify that it is securely enrolled. The enrollment credentials are the private keys of the mobile device management (MDM) enrollment certificate issued by Intune and of the Microsoft Entra ID access token. These keys are stored in the device's Trusted Platform Module (TPM) 2.0 hardware chip, and attestation then confirms that this is the case.

With Windows device enrollment attestation, you gain insight into which devices are more susceptible to tampering. This can help you protect against attackers who might steal an Intune MDM certificate or an access token and then impersonate an enrolled device to gain access to resources.
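To make the stolen-credential point concrete, here is an added PowerShell example (not code from Intune or from this post) that creates a signing key inside the TPM through the Microsoft Platform Crypto Provider, signs a challenge with it, and then shows that the private half refuses to be exported, which is the property that makes a hardware-bound credential unusable when copied to another machine. The key name is a constructed value; the script assumes a Windows machine with a TPM 2.0 whose key storage provider is usable from the current session, and it deletes the demo key when it finishes.

```powershell
# Added example (not Intune's enrollment code): a TPM-bound signing key can answer
# a challenge but cannot be exported, unlike a certificate file or a bearer token.
# Assumes Windows with a TPM 2.0; Windows PowerShell 5.1 or PowerShell 7.
using namespace System.Security.Cryptography

$keyName = 'DemoTpmBoundKey'   # constructed name, not one Intune uses

# Ask the TPM key storage provider to generate the private key inside the TPM.
$params = [CngKeyCreationParameters]::new()
$params.Provider     = [CngProvider]::new('Microsoft Platform Crypto Provider')
$params.ExportPolicy = [CngExportPolicies]::None      # private key never leaves the TPM
$params.KeyUsage     = [CngKeyUsages]::Signing

# Remove a leftover key from an earlier run so Create does not fail.
if ([CngKey]::Exists($keyName, $params.Provider)) {
    [CngKey]::Open($keyName, $params.Provider).Delete()
}
$key = [CngKey]::Create([CngAlgorithm]::ECDsaP256, $keyName, $params)

try {
    # 1. Proof of possession: sign a random challenge with the TPM-held key.
    $challenge = [byte[]]::new(32)
    [RandomNumberGenerator]::Create().GetBytes($challenge)
    $ecdsa     = [ECDsaCng]::new($key)
    $signature = $ecdsa.SignData($challenge)        # SHA-256 over the challenge
    "Signature verifies with the public key: $($ecdsa.VerifyData($challenge, $signature))"

    # 2. The public half can be exported and registered with a service at enrollment.
    $pub = $key.Export([CngKeyBlobFormat]::EccPublicBlob)
    "Public key blob length: $($pub.Length) bytes"

    # 3. The private half cannot be exported, so copying "the credential" off the
    #    device yields nothing that can sign on another machine.
    try {
        $null = $key.Export([CngKeyBlobFormat]::EccPrivateBlob)
        'Unexpected: private key exported'
    } catch {
        "Private key export refused: $($_.Exception.Message)"
    }
}
finally {
    $key.Delete()   # remove the demo key from the TPM key store
}
```

Key generation inside a TPM can take several seconds. If the provider cannot be opened (for example on a virtual machine without a virtual TPM), the `Create` call fails before anything is persisted; that failure is the same gap the attestation status report surfaces as a device without a qualifying TPM.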

You can then use a new status report to manage your organization's attestation status overall and at the individual device level, and to trigger attestation on demand. Additional columns and improved sorting let you see whether you have devices without a qualifying TPM chip, so you can prioritize procurement, and give you details on devices that failed attestation, including recommended troubleshooting. Devices that have not attested, or that failed attestation at enrollment, can be retried with the new Attest device action, which can be performed manually right from the report.

Screenshot of the preview of the device attestation status report in the Intune admin center listing the name, ID, and primary UPN of a device that failed device attestation.

After you have surveyed your inventory, you can decide whether an enrollment restriction makes sense for your organization using the new isTpmAttested filter. You can configure an enrollment restriction to block MDM enrollment if a device fails attestation at enrollment time. The user of that device then receives an error message saying that they could not enroll; a bad actor's device is blocked in the same way.
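The report tells you which enrolled devices lack a qualifying TPM; for devices you have not enrolled yet, the same question can be answered locally. The following is an added PowerShell check, not something from the post or from Intune, that reads the TPM state Windows exposes and reports whether a TPM 2.0 is present and ready. It needs an elevated session, and "qualifies" here means only that a ready TPM 2.0 was found; the post does not spell out Intune's full qualification criteria, so treat the result as a procurement triage signal rather than a guarantee that enrollment attestation will pass.

```powershell
# Added example (not from the post): local TPM 2.0 triage for Windows devices.
# Run in an elevated PowerShell session; Get-Tpm and Win32_Tpm need administrator rights.
function Test-QualifyingTpm {
    [CmdletBinding()]
    param()

    # Built-in TrustedPlatformModule cmdlet: presence, readiness, manufacturer.
    $tpm = Get-Tpm -ErrorAction Stop

    # WMI class with the spec version string, e.g. "2.0, 0, 1.38"; first field is the family.
    $cim = Get-CimInstance -Namespace 'root\cimv2\security\microsofttpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specFamily = if ($cim -and $cim.SpecVersion) {
        ($cim.SpecVersion -split ',')[0].Trim()
    } else {
        $null
    }

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        TpmPresent              = [bool]$tpm.TpmPresent
        TpmReady                = [bool]$tpm.TpmReady
        SpecVersion             = $cim.SpecVersion
        Manufacturer            = $tpm.ManufacturerIdTxt
        # Assumption (labelled): a present, ready TPM 2.0 is the hardware prerequisite.
        QualifiesForAttestation = [bool]($tpm.TpmPresent -and $tpm.TpmReady -and $specFamily -eq '2.0')
    }
}

Test-QualifyingTpm | Format-List
```

To run the check across a fleet from one workstation, pass the function body to `Invoke-Command -ComputerName <names> -ScriptBlock ${function:Test-QualifyingTpm}` and export the returned objects with `Export-Csv`; devices where `QualifiesForAttestation` is false are the ones the post suggests prioritizing for procurement before you turn on the isTpmAttested enrollment restriction.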

Screenshot of the enrollment restrictions filters screen in the Intune admin center where you can apply a filter to include or exclude certain devices from the assignment.

This can be configured in the rule syntax editor during regular filter creation.

Screenshot of what an IT admin would see when editing rule syntax for a given filter.

Improved reporting is cross-platform and enables the following:

  • Easy discovery, search, sort, and filtering for more settings, including those available in Microsoft Azure Attestation for Windows 11 devices.
  • Enhanced scaling and paging, improving the experience, especially for those organizations with many Windows devices to manage.
  • The ability to stay productive by performing an export in the background.
  • Scope tags that limit visibility to authorized admins. Also, a new permission under remote task enables you to perform attestation using the Attest remote action in the report.
  • Greater consistency of the admin experience with other reports and UI across the Intune admin center.
  • The ability to import and export unified settings platform (aka Settings Catalog) policies.
  • The ability to reuse and adapt existing configuration profiles.
  • A JSON file format, making editing and adapting easy.

Stay up to date on the release of this capability on the public Microsoft 365 roadmap.

Coming soon: support for iOS, iPadOS, and macOS devices

As part of our ongoing partnership with Apple, Intune is planning to introduce support for the Automated Certificate Management Environment (ACME) protocol and managed device attestation for Intune-enrolled iOS, iPadOS, and macOS devices in the second half of 2024. This critical security feature will better help you verify that credentials cannot be lifted from authorized personal and corporate-owned devices. New and eligible personal devices and automated device enrollments will attempt to become attested. There will be no change to the end user onboarding experience, and the attestation status report described above will report on these devices, too.

Both admins and end users will see in the Settings app that the ACME certificate is hardware-bound. This is the critical indication from the Apple device that the MDM certificate is bound to the hardware and stored in the Secure Enclave.

Screenshot of the management profile within the Settings app on an Apple device showing that the device is hardware bound.

Stay up to date on the release of this and all Mac capabilities in Intune with the public Microsoft 365 roadmap. If you’d like to participate and help us develop our Apple device enrollment capabilities, sign up for the private preview.

For more details on managed device attestation, read the Apple documentation or check out the WWDC2022 video announcing managed device attestation.

Make your voice heard

We want to hear from you! What hardware do you want to see added to this capability? How do you foresee using these capabilities in your security plan? Join the conversation in our community and follow us on LinkedIn and @MSIntune on X to get the latest.


Stay up to date! Bookmark the Microsoft Intune Blog.
