AMA: Device Health Attestation - security benefits and integrations

Event Ended
Thursday, Oct 27, 2022, 11:00 AM PDT
Online

Event details

Ensuring that a platform is healthy and trustworthy is a fundamental pillar of today's zero trust approach, and it has become one of the key focus areas of recent times. Pre-OS boot remains a prime target for adversaries, and we have seen attacks on it made possible by the brittleness of supply chain trust.

Device Health Attestation is designed with security in mind and aims to detect changes to firmware, boot, and early-OS security features. The March 2021 Security Signals report showed that more than 80% of enterprises have experienced at least one firmware attack in the past two years.

This is an Ask Microsoft Anything (AMA) session, so let's look at how attestation can help detect some of these attacks and how the Intune integration protects customers and resources, but, most importantly, let's hear your questions!

This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.

Heather_Poulsen
Updated Dec 27, 2024

30 Comments

  • treestryder
    Iron Contributor

    A large percentage of our devices show as non-compliant because they are failing the Windows built-in policy named "Is active". This is supposed to ensure our devices are reporting in at least every 30 days (default). Like nearly everything else in Intune, this built-in policy is being evaluated per device AND per user. I have found that this behavior is causing devices we would consider "active" to be marked as inactive, once someone who had logged in at one time has not been seen again for 30 or more days. Should I submit this as a bug? If it is working as designed, is there a workaround? We haven't enabled Conditional Access because of these.

    Recently discussed this with Intune Support on Twitter.

    https://twitter.com/Treestryder/status/1583464446902427650

    • treestryder
      Iron Contributor

      The user evaluations seen in Intune reports, what do they represent?

      1. An evaluation that happens when the user logs on.
      2. Or, an evaluation per user profile.
      3. Or, an evaluation per logged on user.

      If it is testing per logged on user, maybe these devices only need to be rebooted to become compliant.

      • treestryder
        Iron Contributor
        A reboot and overnight wait did not resolve the problem. I am now trying the "shorten the expiration, then change it back" trick.
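The thread above describes an "Is active" compliance check that is evaluated per device and per user, so a device that checks in daily can still be reported non-compliant because one former user has not signed in for more than 30 days. The following is an added example, not Intune's code and not posted by the commenter: it models that evaluation rule over constructed check-in records, and the rule itself (a device evaluation plus one evaluation per user who has ever signed in, each compared against the same 30-day window) is an assumption drawn from the commenter's description. The value of the model is that it separates "the device has been seen recently" from "every user evaluation on the device is recent", which is exactly the gap the commenter is hitting, and it lists the stale user accounts an administrator would need to look at before enabling Conditional Access on such a policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

INACTIVE_AFTER_DAYS = 30  # default "Is active" window mentioned in the thread (assumed semantics)


@dataclass(frozen=True)
class Checkin:
    device: str
    user: Optional[str]  # None = a device-level check-in with no signed-in user
    when: date


# Constructed sample data, not real Intune records.
TODAY = date(2022, 10, 27)
SAMPLE = [
    Checkin("LAPTOP-01", "alice", TODAY - timedelta(days=2)),
    Checkin("LAPTOP-01", "bob", TODAY - timedelta(days=45)),  # signed in once, long ago
    Checkin("LAPTOP-01", None, TODAY - timedelta(days=1)),
    Checkin("LAPTOP-02", "carol", TODAY - timedelta(days=40)),
    Checkin("LAPTOP-02", None, TODAY - timedelta(days=40)),
    Checkin("LAPTOP-03", "dave", TODAY - timedelta(days=5)),
    Checkin("LAPTOP-03", None, TODAY - timedelta(days=5)),
]


def is_active(last_seen: date, today: date, window_days: int = INACTIVE_AFTER_DAYS) -> bool:
    """A single evaluation passes when the last sighting is within the window (inclusive)."""
    return (today - last_seen).days <= window_days


def latest_by_key(records: List[Checkin]) -> Dict[tuple, date]:
    """Most recent check-in per (device, user) pair; user None is the device-level entry."""
    latest: Dict[tuple, date] = {}
    for r in records:
        key = (r.device, r.user)
        if key not in latest or r.when > latest[key]:
            latest[key] = r.when
    return latest


def evaluate(records: List[Checkin], today: date, window_days: int = INACTIVE_AFTER_DAYS) -> Dict[str, dict]:
    """Per device: whether it was seen recently at all, which user evaluations are stale,
    and the compliance result under the assumed per-device AND per-user rule."""
    latest = latest_by_key(records)
    summary: Dict[str, dict] = {}
    for device in sorted({dev for dev, _ in latest}):
        sightings = [when for (dev, _), when in latest.items() if dev == device]
        device_active = is_active(max(sightings), today, window_days)
        stale_users = sorted(
            user
            for (dev, user), when in latest.items()
            if dev == device and user is not None and not is_active(when, today, window_days)
        )
        summary[device] = {
            "device_active": device_active,  # what an admin would call "active"
            "stale_users": stale_users,  # user evaluations that fail on their own
            "reported_compliant": device_active and not stale_users,  # assumed combined rule
        }
    return summary


def active_but_noncompliant(summary: Dict[str, dict]) -> List[str]:
    """Devices seen within the window that the per-user rule still marks non-compliant."""
    return sorted(d for d, s in summary.items() if s["device_active"] and not s["reported_compliant"])


if __name__ == "__main__":
    result = evaluate(SAMPLE, TODAY)
    for device, status in result.items():
        print(device, status)
    print("active but reported non-compliant:", active_but_noncompliant(result))
```

Running the block on the sample shows LAPTOP-01 checked in yesterday yet fails because of bob's 45-day-old evaluation, LAPTOP-02 is genuinely stale, and LAPTOP-03 passes; the `stale_users` list is the piece of information an administrator needs to decide whether a device is really inactive or merely carries an old user evaluation.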
  • Welcome to the Device Health Attestation AMA. Let's get started! Post your questions in the Comments. We will be answering questions in the live stream—and others will be answering here in the chat.

  • The Device Health Attestation AMA starts soon. Post your questions in the Comments now.

  • taavie
    Copper Contributor
    Are there any plans on adding additional capability to Intune to resolve various device health configuration issues? Understandably, detecting changes is important, but it seems quite tedious right now to actually bring machines up to a state where measuring those changes becomes important. As a more concrete example, Intune's Device Health report saying that a machine has Early-Launch AntiMalware or Data Execution Prevention disabled is good, but are there plans on adding a way to trivially bring these machines into the correct state? Security Baselines can't even configure all ASR rules, so those are out of the question.
  • mbhmirc
    Brass Contributor
    Hello. Since this explicitly mentions pre-boot, will there be support for BitLocker TPM and PIN in Intune? Microsoft's own recommendation is that if an attacker has access to the device it should be protected in this way. The TPM attack can now be done in 15 minutes. How can device attestation prevent such an attack if it happens at a level it can't block? Personal Data Encryption is a possible fix here, but even then it is not suitable for use right now, as its known issues prevent it being used in any real meaningful context in the enterprise.
    • jeddy_
      Iron Contributor
      Agreed, BitLocker with PIN is a feature available in MDOP MBAM that sorely needs native support in Intune.
Date and Time
Oct 27, 2022, 11:00 AM - 11:30 AM PDT