Microsoft Intune Blog

Boost security with Microsoft Intune device attestation

Lior_Bela, Microsoft
May 06, 2024

Editor's note 11.22.2024 - This post has been edited to provide clarity on the public preview scope of the Windows enrollment attestation feature.

Helping IT teams provide more secure and productive endpoints requires continuous innovation. Bad actors search for new ways to compromise systems while business users want to be free to work with either personal or corporate-owned devices. The Microsoft Intune team works hard to help endpoint administrators do their part to help secure data and devices.

One common way attackers gain access to networks is through supply-chain attacks that impersonate authorized devices or install malicious code on devices at the hardware level, where it can’t be detected by anti-virus or anti-malware software. To help protect against these kinds of threats, you can use Microsoft Intune to enable hardware-backed device attestation on many common device platforms. These local checks take place on the device itself, without requiring an external service for attestation, and they prove that devices are genuine and haven’t been tampered with. This information is then passed into risk evaluation systems, which can help you ensure that company resources can only be accessed by devices proven to be uncompromised.

Supported Samsung Galaxy devices

In August 2023, in collaboration with Samsung, we rolled out an on-device attestation solution for enterprises. Samsung hardware-backed device attestation proves in real time that devices are genuine and not compromised. This attestation is then used to grant access to company resources and may also be used to remove company data from non-compliant devices. For more details, see which devices are supported and read Hardware-backed device attestation powers mobile workers.

Screenshot: setting a policy for specific device conditions in the Microsoft Intune admin center that warns the IT administrator if a Samsung Knox device does not pass attestation.

Screenshot: a user’s mobile device with a notification that their organization is now removing its data associated with an app because the device did not pass Samsung Knox device attestation.

What is Windows device enrollment attestation?

Windows device enrollment attestation, which will be available in the coming weeks, requires a device to be hardware-attested so that you can verify that a device is securely enrolled. The enrollment credentials are the private keys of the enrollment mobile device management (MDM) certificate from Intune and the Microsoft Entra ID access token. These keys are stored on the Trusted Platform Module (TPM) 2.0 hardware chip and are then confirmed using attestation.

With Windows device enrollment attestation, you gain insight into which devices are more susceptible to tampering. This can help you protect against attackers who might steal an Intune MDM certificate or an access token and then impersonate an enrolled device to gain access to resources.

You can then use a new status report to manage your organization’s attestation status overall and at the individual device level, and to quickly run attestation on demand. Additional columns and improved sorting let you see whether you have devices without a qualifying TPM chip, so you can prioritize procurement, and let you obtain details on devices that may have failed attestation, including recommended troubleshooting. Devices that have not attested, or that originally failed attestation on enrollment, can be retried with the new Attest device action, which can be performed manually right from the report.
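The report above flags devices that lack a qualifying TPM. The following PowerShell script is an added example, not code from this post or from Microsoft Intune, that performs the equivalent local check on a Windows device so an admin can confirm TPM 2.0 presence and readiness before relying on enrollment attestation. It assumes it is run elevated on Windows 10 or 11, where the TrustedPlatformModule module (Get-Tpm) and the Win32_Tpm CIM class are available.

```powershell
# Added example (not Microsoft's code): report whether this Windows device has the
# TPM 2.0 hardware that Intune enrollment attestation depends on.
# Assumptions: run elevated; Get-Tpm and the Win32_Tpm CIM class are available.

$result = [ordered]@{
    ComputerName = $env:COMPUTERNAME
    TpmPresent   = $false
    TpmReady     = $false
    SpecVersion  = $null
    Tpm20        = $false
}

# Get-Tpm reports presence and provisioning state; it requires elevation.
try {
    $tpm = Get-Tpm
    $result.TpmPresent = [bool]$tpm.TpmPresent
    $result.TpmReady   = [bool]$tpm.TpmReady
}
catch {
    Write-Warning "Get-Tpm failed: $($_.Exception.Message)"
}

# Win32_Tpm exposes the TCG spec version string, for example "2.0, 0, 1.59".
$cim = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                       -ClassName Win32_Tpm -ErrorAction SilentlyContinue
if ($cim) {
    $result.SpecVersion = $cim.SpecVersion
    # The first comma-separated field is the major spec version; 2.0 qualifies.
    $result.Tpm20 = (($cim.SpecVersion -split ',')[0].Trim() -eq '2.0')
}

[pscustomobject]$result | Format-List

if (-not $result.Tpm20) {
    Write-Warning 'No TPM 2.0 found: this device would appear in the attestation report as lacking a qualifying TPM.'
}
elseif (-not $result.TpmReady) {
    Write-Warning 'TPM 2.0 present but not ready: check BIOS/UEFI settings or TPM provisioning before retrying attestation.'
}
```

Running the script on a fleet (for example through a remediation script or a remote PowerShell session) gives a quick inventory of which devices can be expected to attest, which is useful for planning hardware refreshes ahead of enabling the feature.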

Screenshot of the preview of the device attestation status report in the Intune admin center listing the name, ID, and primary UPN of a device that failed device attestation.

Improved reporting is cross-platform and enables the following:

  • Easy discovery, search, sort, and filtering for more settings, including those available in Microsoft Azure Attestation for Windows 11 devices.
  • Enhanced scaling and paging, improving the experience, especially for those organizations with many Windows devices to manage.
  • The ability to stay productive by performing an export in the background.
  • Scope tags that limit visibility to authorized admins. Also, a new permission under remote task enables you to perform attestation using the Attest remote action in the report.
  • Greater consistency of the admin experience with other reports and UI across the Intune admin center.
  • The ability to import and export unified settings platform (aka Settings Catalog) policies.
  • The ability to reuse and adapt existing configuration profiles.
  • A JSON file format, making editing and adapting easy.

Stay up to date on the release of this capability on the public Microsoft 365 roadmap.

Coming soon: support for iOS, iPadOS, and macOS devices

As part of our ongoing partnership with Apple, Intune is planning to introduce support for the Automated Certificate Management Environment (ACME) protocol and managed device attestation for Intune-enrolled iOS, iPadOS, and macOS devices in the second half of 2024. This critical security feature will help you better verify that credentials cannot be lifted from authorized personal and corporate-owned devices. New and eligible personal devices and automated device enrollments will attempt to become attested. There will be no change to the end user onboarding experience, and the attestation status report described above will report on these devices, too.

The ACME certificate that comes from Intune is wrapped by the Secure Enclave of the device. Admins can use the device attestation status report to see the attestation status of eligible Apple devices, and whether attestation succeeded or further action is needed. Also, in the Settings app, end users and admins can see whether the hardware-bound field is set to Yes. These are indications that the device is enrolled with the new ACME protocol.

Screenshot of the MDM certificate private key within the Settings app that's wrapped by the Secure Enclave of the device.

Stay up to date on the release of this and all Mac capabilities in Intune with the public Microsoft 365 roadmap. If you’d like to participate and help us develop our Apple device enrollment capabilities, sign up for the private preview.

For more details on managed device attestation, read the Apple documentation or check out the WWDC2022 video announcing managed device attestation.

Make your voice heard

We want to hear from you! What hardware do you want to see added to this capability? How do you foresee using these capabilities in your security plan? Join the conversation in our community and follow us on LinkedIn and @MSIntune on X to get the latest.

Stay up to date! Bookmark the Microsoft Intune Blog.

Updated Nov 22, 2024
Version 3.0
  • jordi_segarra (Copper Contributor)

    Hey Lior_Bela, speaking about Windows devices, to use the isTpmAttested field for the filter, the device needs to be already enrolled in Intune, right?

    If so, will this condition be part of the Compliance policies so we can lock any already enrolled device out of the Corp data?

    Additionally, if this field is only populated when manually running the scan report for the enrolled devices, what's the benefit of adding the filter for the Enrollment Restriction? Or, for any new device that tries to enroll, is the attribute auto-populated?


    Thanks!