Helping IT teams provide more secure and productive endpoints requires continuous innovation. Bad actors search for new ways to compromise systems while business users want to be free to work with either personal or corporate-owned devices. The Microsoft Intune team works hard to help endpoint administrators do their part to help secure data and devices.
One common way attackers gain access to networks is through supply-chain attacks that impersonate authorized devices or install malicious code at the hardware level, where anti-virus and anti-malware software can’t detect it. To help protect against these kinds of threats, you can use Microsoft Intune to enable hardware-backed device attestation on many common device platforms. These local checks take place on the device itself, without requiring an external service for attestation, and they prove that devices are genuine and haven’t been tampered with. This information is then passed into risk evaluation systems, which can help you ensure that company resources can only be accessed by devices proven to be uncompromised.
Supported Samsung Galaxy devices
In August 2023, in collaboration with Samsung, we rolled out an on-device attestation solution for enterprises. Samsung hardware-backed device attestation proves in real time that devices are genuine and not compromised. This attestation is then used to grant access to company resources and may also be used to remove company data from non-compliant devices. For more details, see which devices are supported and read Hardware-backed device attestation powers mobile workers.
What is Windows device enrollment attestation?
Windows device enrollment attestation, which will be available in the coming weeks, requires a device to be hardware-attested so that you can verify it is securely enrolled. The enrollment credentials are the private keys of the enrollment mobile device management (MDM) certificate from Intune and of the Microsoft Entra ID access token. These keys are stored in the Trusted Platform Module (TPM) 2.0 hardware chip, and their presence there is then confirmed using attestation.
With Windows device enrollment attestation, you gain insight into which devices are more susceptible to tampering. This can help you protect against attackers who might steal an Intune MDM certificate or an access token and then impersonate an enrolled device to gain access to resources.
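The two prerequisites described above, a TPM 2.0 and an MDM certificate whose private key lives in that TPM, can be sanity-checked locally on a Windows device. The following script is an added example, not part of Intune or of the attestation feature; it assumes the Intune MDM device certificate sits in LocalMachine\My with an issuer containing "Microsoft Intune MDM Device CA", and that a TPM-bound key reports the "Microsoft Platform Crypto Provider" (run elevated so the private key handle can be opened).

```powershell
# Added example (not Intune's own code): local check for the TPM 2.0 and TPM-bound MDM key
# that Windows device enrollment attestation relies on. Adjust $IssuerMatch if your issuer differs.
$IssuerMatch = 'Microsoft Intune MDM Device CA'   # assumption: issuer name of the Intune MDM cert

function Test-Tpm20 {
    $tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return [pscustomobject]@{ Present = $false; Version = $null; Ready = $false } }
    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM specification version.
    $ver = ($tpm.SpecVersion -split ',')[0].Trim()
    [pscustomobject]@{
        Present = $true
        Version = $ver
        Ready   = [bool]($tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue -and $tpm.IsOwned_InitialValue)
    }
}

function Get-MdmCertKeyProvider {
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "*$IssuerMatch*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { return $null }
    # For a CNG key, the provider name tells us where the private key lives; the TPM-backed
    # provider on Windows is "Microsoft Platform Crypto Provider".
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $provider = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.Provider.Provider } else { 'non-CNG or non-RSA key' }
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Provider   = $provider
        TpmBacked  = ($provider -eq 'Microsoft Platform Crypto Provider')
    }
}

$tpm = Test-Tpm20
$key = Get-MdmCertKeyProvider
if (-not $tpm.Present -or $tpm.Version -ne '2.0') {
    Write-Warning "No TPM 2.0 found (version: $($tpm.Version)); this device cannot satisfy the TPM requirement and is a procurement candidate."
} elseif (-not $key) {
    Write-Warning "No Intune MDM device certificate with a private key found; the device may not be enrolled."
} elseif (-not $key.TpmBacked) {
    Write-Warning "MDM certificate $($key.Thumbprint) key is held by '$($key.Provider)', not the TPM; review this device in the attestation report."
} else {
    Write-Output "TPM $($tpm.Version) (ready=$($tpm.Ready)); MDM certificate $($key.Thumbprint) is TPM-bound via $($key.Provider)."
}
```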
You can then use a new status report to manage your organization’s attestation status overall and at the individual device level, and quickly proceed with attestation on demand. Additional columns and improved sorting let you see whether you have devices without a qualifying TPM chip, so you can prioritize procurement, and get details on devices that failed attestation, including recommended troubleshooting steps. Devices that have not attested, or that originally failed attestation at enrollment, can be retried with the new Attest device action, which can be performed manually right from the report.
After you have surveyed your inventory, you can decide whether an enrollment restriction makes sense for your organization using the new isTpmAttested filter. You can configure an enrollment restriction to block MDM enrollment if a device fails attestation at enrollment time. The user of that device then receives an error message saying they could not enroll, and a bad actor’s device is blocked in the same way.
This can be configured in the rule syntax editor during regular filter creation.
Improved reporting is cross-platform and enables the following:
- Easy discovery, search, sort, and filtering for more settings, including those available in Microsoft Azure Attestation for Windows 11 devices.
- Enhanced scaling and paging, improving the experience, especially for those organizations with many Windows devices to manage.
- The ability to stay productive by performing an export in the background.
- Scope tags that limit visibility to authorized admins. Also, a new permission under remote task enables you to perform attestation using the Attest remote action in the report.
- Greater consistency of the admin experience with other reports and UI across the Intune admin center.
- The ability to import and export unified settings platform (aka Settings Catalog) policies.
- The ability to reuse and adapt existing configuration profiles.
- A JSON file format, making editing and adapting easy.
Stay up to date on the release of this capability on the public Microsoft 365 roadmap.
Coming soon: support for iOS, iPadOS, and macOS devices
As part of our ongoing partnership with Apple, Intune is planning to introduce support for the Automated Certificate Management Environment (ACME) protocol and managed device attestation for Intune-enrolled iOS, iPadOS, and macOS devices in the second half of 2024. This critical security feature will better help you verify that credentials cannot be lifted from authorized personal and corporate-owned devices. New and eligible personal devices and automated device enrollments will attempt to become attested. There will be no change to the end user onboarding experience, and the attestation status report described above will report on these devices, too.
The ACME certificate that comes from Intune is wrapped by the Secure Enclave of the device. Admins can use the device attestation status report to see whether attestation succeeded on eligible Apple devices or whether further action is needed. Also, in the Settings app, end users and admins can see whether the hardware bound field is set to Yes. These are indications that the device is enrolled with the new ACME protocol.
Stay up to date on the release of this and all Mac capabilities in Intune with the public Microsoft 365 roadmap. If you’d like to participate and help us develop our Apple device enrollment capabilities, sign up for the private preview.
For more details on managed device attestation, read the Apple documentation or check out the WWDC2022 video announcing managed device attestation.
Make your voice heard
We want to hear from you! What hardware do you want to see added to this capability? How do you foresee using these capabilities in your security plan? Join the conversation in our community and follow us on LinkedIn and @MSIntune on X to get the latest.
Stay up to date! Bookmark the Microsoft Intune Blog.