Patch My PC / Blog

Enhancing Device Security with Device Attestation.

by | Jul 16, 2024 | Blog

Introduction to Device Attestation

In today’s world of escalating cyber threats, ensuring the security of devices within an organization is paramount. One critical technology that bolsters device security is TPM (Trusted Platform Module) attestation. But what exactly is TPM Device attestation?

TPM attestation verifies the integrity and trustworthiness of a device’s hardware and software. It uses a dedicated TPM chip, which securely stores cryptographic keys, to attest that the device is in a known good state. This process is essential for ensuring that devices have not been tampered with and are running trusted software, and it plays a crucial role in enforcing security policies.

New Report Options in Intune

Microsoft Intune has introduced a new report option called Device Attestation that leverages TPM/ MDM attestation to enhance device security.

Device Attestation Report

This new Intune/Windows feature allows IT administrators to generate comprehensive attestation reports, providing insights into the security posture of managed devices.

These reports are crucial for organizations looking to ensure that only devices meeting strict security criteria are allowed access to corporate resources. The Device attestation status reports in Intune help administrators identify devices that have successfully completed attestation and those that have not, enabling them to take security measures. This attestation report helps prevent potential security threats.

How Device Attestation Reports Work on the Device

Performing Windows Enrollment Attestation and generating the corresponding report in Intune involves several steps that are seamlessly integrated into the device management workflow. Here’s a detailed look at how this process works when users enroll devices into Intune:

1. Device Enrollment and Initialization

When a device is enrolled in device management (Intune), the enrollment process begins with the device requesting a security token from the Intune service. This token is essential for authenticating the device using multifactor authentication and initiating the attestation process.

2. Storing Keys in TPM

Once the device receives the security token, it retrieves the Intune Device Certificate. The critical step here is to store the certificate’s enrollment keys, including the private key, in the TPM chip. This step, referred to as UseTPMForEnrollmentKey, ensures that the keys are securely stored, protecting them from potential tampering.

3. Initiating Attestation via Microsoft Graph

Intune uses the Microsoft Graph API to initiate the TPM attestation from the MDM server. The specific API call, InitiateMobileDeviceManagementKeyRecovery, triggers the MDM Key Recovery and TPM attestation processes. This remote command is sent to the device, instructing it to perform the necessary attestation steps.

4. Device Recovery and Attestation

Upon receiving the command, the device executes the recovery process. If the Intune Device Certificate is not already in the TPM, the device recovers it to the TPM. Following this, the device performs the MDMClientCertAttestation with Intune, completing the attestation process.

5. Generating and Viewing Attestation Reports

After the device attestation is performed, the results are compiled into a comprehensive report. IT administrators can view these reports within the Intune portal, providing them with a detailed overview of the attestation status for all managed devices. The reports highlight which devices have successfully completed attestation and which have not, allowing administrators to enforce compliance policies effectively.

Visual Representation of the Attestation Flow

For a clearer understanding, here is a visual representation of the TPM attestation process in Intune:

Step-by-Step Breakdown:

  1. Device Enrollment: The device requests a security token and starts the enrollment process.

  2. Key Storage in TPM: Enrollment keys of the certificate are securely stored in the TPM.

  3. Initiating Attestation: Intune uses Microsoft Graph to send the InitiateMobileDeviceManagementKeyRecovery command.

  4. Device Recovery and Attestation: The device performs recovery and attestation, ensuring the certificate is in the TPM.

  5. The Platform Restriction Filter: This would restrict access by preventing unattested devices from getting enrolled.

  6. Report Generation: Intune generates attestation reports, viewable by IT administrators.

Let’s see how creating a new platform enrollment restriction could secure enrollment even more.

Securing Windows Enrollment with IsTpmAttested

With the MDM Certificate hardened and attested, ensuring that only devices that successfully performed TPM attestation can enroll in Intune is essential. To achieve this, you can create a Windows device platform restriction policy within Intune to block non-attested devices from enrolling.

Creating the Restriction Policy

To enforce this policy, follow these steps:

  1. Create a New Filter:

(device.IsTpmAttested -eq “False”)

This filter checks whether the device has successfully performed TPM attestation.

  1. Assign the Policy: Assign the new device restriction policy to all users and include the filter.

the device platform restriction filter, showin the istpmattestate -eq " false"

This filter checks whether the device has successfully performed TPM attestation.

Enforcing the Policy

With this filter in place, devices that did not successfully perform TPM attestation will be blocked from enrolling. When the device is blocked from enrollment, the error 80180032 will appear. This additional security measure ensures that only trusted devices are managed by Intune, which is especially important for organizations with a bring-your-own-device (BYOD) policy.

Something is wrong : Server error code 80190032. Device cannot be enrolled right now

If an enrollment attempt fails due to this policy, the device will display an error message indicating that it cannot be enrolled. For instance, a virtual machine that cannot perform TPM attestation will show an error code 80180032, signaling that enrollment is blocked.

Benefits of this Policy for Security Measures

Implementing this device platform restriction policy enhances the security of your MDM environment by ensuring that only devices meeting strict security criteria are enrolled. It helps prevent potential security breaches caused by non-attested devices and restricts access to unnecessary features.

Conclusion

Windows Enrollment Attestation is a powerful mechanism for ensuring the integrity and security of devices within an organization. With Intune’s new attestation report feature, administrators now have a robust tool to verify device security and enforce compliance policies. By following the steps outlined in this blog, organizations can significantly enhance their device security posture, ensuring that only trusted and attested devices are allowed access to corporate resources.

Stay ahead in the security game by leveraging TPM attestation and Intune’s comprehensive reporting capabilities. These cutting-edge technologies will secure your digital environment and protect your organization from potential threats.