Recent research has unveiled a more reliable method for verifying device and tenant identities by leveraging Microsoft Intune’s Mobile Device Management (MDM) certificates. This approach offers a significant improvement over traditional methods, such as registry values, which are more susceptible to tampering.
Understanding MDM Certificates
When devices enroll in Microsoft Intune, they receive MDM certificates that facilitate secure communication between the device and the Intune service. These certificates contain Object Identifiers (OIDs) that, when decoded, reveal unique Global Unique Identifiers (GUIDs) for both the MDM Device ID and the Entra ID Tenant ID. This discovery, highlighted by Ben Whitmore, underscores the potential for endpoint managers to utilize cryptographic data for robust identity confirmation within enterprise environments.
Decoding the Hidden OIDs
Within the MDM certificates, researchers identified two critical OIDs:
– OID 1.2.840.113556.5.4: Represents the MDM Device ID.
– OID 1.2.840.113556.5.14: Corresponds to the Entra ID Tenant ID.
These identifiers are stored as mixed little-endian and big-endian byte arrays, necessitating specific reordering to convert them into readable GUIDs. Unlike registry values, which can be easily altered, these certificate-bound identifiers provide a chain of trust backed by Microsoft’s certification authorities, enhancing the security and integrity of device authentication.
Extracting Meaningful Data
To extract meaningful data from these OIDs, a precise byte reordering process is required. For example:
– MDM Device ID (OID 1.2.840.113556.5.4):
– Reverse the first four bytes.
– Reverse the next two pairs.
– Leave the final six bytes unchanged.
Using sample bytes `12 34 56 78 9A BC DE F0 12 34 56 78 90 AB CD EF`, the transformation yields the GUID `78563412-BC9A-F0DE-1234-567890ABCDEF`.
– Entra ID Tenant ID (OID 1.2.840.113556.5.14):
– Reverse the first four bytes.
– Reverse the next two pairs.
– Leave the final eight bytes unchanged.
Converting sample data `A1 B2 C3 D4 E5 F6 12 34 56 78 9A BC DE F0 01 23 A1` results in the GUID `F6E5D4C3-F6E5-3412-5678-9ABCDEF00123A1`.
This method ensures high-confidence verification, as the data originates from trusted issuers like the Microsoft Intune MDM Device CA, reducing risks associated with modifiable system artifacts.
Automating the Process with PowerShell
To streamline the extraction and decoding process, developers at MSEndpointMgr have released a PowerShell script, `Get-TenantInformation.ps1`, available on GitHub. This script automates certificate discovery and decoding across LocalMachine and user profile stores. It performs the following functions:
– Searches for certificates issued by the Microsoft Intune MDM Device CA or MS-Organization-Access.
– Validates their chain against expected root and intermediate authorities.
– Checks private key exportability using `certutil` for Key Storage Provider details.
– Processes OIDs like 1.2.840.113556.5.4 and 1.2.840.113556.5.14, reassembling bytes into GUIDs.
– Outputs comprehensive details, including thumbprint, issuer, and trust status.
Running the script with administrative privileges reveals whether keys are TPM-protected, indicated by Microsoft Platform Crypto Provider, versus software-only on older devices, flagging potential vulnerabilities. This tool empowers administrators to audit Entra ID join types and tenant regions from extensions like 1.2.840.113556.1.5.284.7, fostering proactive security management.
Enhancing Device Identity Assurance
By prioritizing certificate OIDs over less secure alternatives, organizations can build stronger device identity assurance. This approach not only elevates trust but also aids in threat detection by confirming legitimate tenant associations. As Intune evolves, such techniques will prove essential for maintaining endpoint integrity.
