Windows 10 Device Health Attestation (DHA)


Windows 10 Device Health Attestation (DHA) Kam Kouladjie Microsoft OSG, Enterprise and Security R&D June 2016

Agenda
- Introduction to Device Health Attestation (DHA): hardware monitored and attested security assurance
- Overview of Windows 10 and the enterprise security risk management framework
- Device Health Attestation (DHA) implementation options
- Use case scenarios
- Detailed data flows: Office 365 conditional access, VPN conditional access

Attestation: Attestation is a Windows security feature first released with Windows 8. The TPM creates a tamper-resistant audit log as it measures and monitors the boot, and that log can be validated locally and remotely. (Slide diagram: UEFI Secure Boot, boot loaders, OS loader, Early Launch Anti-Malware, and the Windows kernel and boot drivers are measured into the TPM boot log and Platform Configuration Registers (PCRs); the TPM holds the EK cert and AIK cert.)

Windows 10, Device Health Attestation (DHA) Device Health Attestation (DHA) is a new Windows 10 feature released in June 2015 as part of the initial Windows 10 RTM release. It integrates with the Windows 10 Mobile Device Management (MDM) framework, is designed to work on devices with a Trusted Platform Module (TPM) in firmware or discrete form (TPM 2.0 and 1.2), and enables enterprises to raise their security bar to hardware monitored and attested security for on-premise, hybrid and cloud based scenarios.

Windows 10, Device Health Attestation (DHA) Before the Windows 10 DHA release, device health was assumed.

Windows 10, Device Health Attestation (DHA) After the Windows 10 DHA release, device health can be assessed based on hardware measured state.

Windows 10, Device Health Attestation (DHA) Device Health Attestation enables organizations to:
- Define a security compliance baseline for different operational environments
- Monitor and report on device compliance
- Detect violations
- Trigger remote corrective actions on enrolled devices (i.e. disable features, lock devices, initiate remote wipe, ...)
- Or enforce conditional access (i.e. prevent access to online enterprise resources ...)

Windows 10, Device Health Attestation (DHA) Sample use case scenarios:
- Data collection (i.e. anomaly analysis, audit)
- Compliance reporting (i.e. on demand, scheduled)
- Live monitoring (i.e. continuous diagnostics)
- Zero day incident response (incident response agility)
- Online enforcement (i.e. conditional access)
- Out of band enforcement (i.e. alert, notification, expiring access tokens ...)

Windows 10, Device Health Attestation (DHA) Builds upon existing Windows security technologies: Secure Boot, Measured Boot, Early Launch Anti-Malware and TPM Attestation. Enables administrators to monitor remotely and make security decisions based on TPM protected, tamper resistant and tamper evident data.

Windows 10, Device Health Attestation (DHA) TPM (Trusted Platform Module) types: discrete (physical) TPM (laptops, desktops, servers); firmware TPM (tablets, phones); virtual TPM (virtual PC).

Windows 10, Device Health Attestation (DHA) ISO/IEC 11889

Windows 10, Device Health Attestation (DHA) Supported devices: every PC with a relatively new Intel or AMD processor that runs Windows 10; every Windows Mobile phone (WP8+) upgraded to Windows 10 or shipped after the Windows 10 release.

Windows 10, Device Health Attestation (DHA) DHA-Enabled MDM: [vendor logos on the slide] and more ...

Windows 10, Device Health Attestation (DHA) Sample risk scenario: a malware (i.e. jailbreak) disables UEFI Secure Boot, prevents ELAM from being loaded during boot, and enables kernel debugging. Mitigation: the Device Health Attestation Service (HAS) reports the findings to the MDM server, even in the face of a malicious OS.

Windows 10, Device Health Attestation (DHA) Questions?

Windows 10, Device Health Attestation (DHA) Windows 10 & enterprise security risk management


Windows 10, Device Health Attestation (DHA) Addressing the threats requires a new approach:
1. Increase attack cost: reduce attacker return on investment
2. Look for repeated behaviors: detect anomalies, create signatures, clean up impacted devices
3. Reduce exposure to risks: harden runtimes, applications, networks, devices
4. Monitor compliance: assume breach, verify compliance

Windows 10, Device Health Attestation (DHA) Microsoft Digital Crime Unit covers 1 (increase attack cost: reduce attacker return on investment) and 2 (look for repeated behaviors: detect anomalies, create signatures, clean up impacted devices).

Windows 10, Device Health Attestation (DHA) Device Guard, BitLocker, Windows Hello and Credential Guard cover 3 (reduce exposure to risks: harden runtimes, applications, networks, devices).

Windows 10, Device Health Attestation (DHA) Device Guard, BitLocker, Windows Hello and Credential Guard cover 3 (reduce exposure to risks: harden runtimes, applications, networks, devices). The Trusted Platform Module covers 4 (monitor compliance: assume breach, verify compliance).

Windows 10, Device Health Attestation (DHA) Sample risk scenario: DHA
- Verifies that a device booted to a factory trusted state (firmware)
- Assures that the MDM is talking to the same device
- Validates that the device is running a trusted OS and provides a mechanism to monitor compliance. For example, it validates: Secure Boot state (on/off), BitLocker state (on/off), firmware patch version, OS security policy/state

Windows 10, Device Health Attestation (DHA) Questions?

Windows 10, Device Health Attestation (DHA) Implementation options

Windows 10, Device Health Attestation (DHA) Cloud based and on-premise device management solutions: AD managed, AAD managed, MDM managed, BYOD.

Windows 10, Device Health Attestation (DHA) TPM enabled devices.
Device Health Attestation Service (DHA-Service) options: Microsoft Cloud (ready now); On-Prem, Windows Server 2016 (ready for beta testing in April 2016).
Device Management Solution (MDM) options: 1st and 3rd party on-prem and cloud MDM solutions.

Windows 10, Device Health Attestation (DHA) Compliance monitoring example: SCCM

Windows 10, Device Health Attestation (DHA) Compliance monitoring example: INTUNE

Windows 10, Device Health Attestation (DHA) Data collection & compliance monitoring example: Power BI

Windows 10, Device Health Attestation (DHA) Compliance monitoring example: Power BI

Windows 10, Device Health Attestation (DHA) Sample use case scenario: incident response

Windows 10, Device Health Attestation (DHA) Sample use case scenario: incident response

Windows 10, Device Health Attestation (DHA) Questions?

Windows 10, Device Health Attestation (DHA) Detailed Data Flows

Windows 10, Device Health Attestation (DHA) EK / AIK provisioning flow (manufacturing, then first boot):
1. Fuse EK seed
2. Generate EK key pair (EK_PRIV, EK_PUB) and AIK key pair
3. Send EK_PUB to the signing server
4. Sign the EK_PUB, issue an EK_CERT
5. Store the EK_CERT on the device
6. Ship the device
7. User purchases the device and turns it on
8. Device sends the EK_CERT and EK_PUB to the AIK provisioning service
9. AIK provisioning service verifies the EK_CERT and issues a challenge: generates a random value, encrypts it with EK_PUB, sends the encrypted challenge to the device
10. Device decrypts the challenge with EK_PRIV and forwards the following to the AIK provisioning service: the challenge data in clear format, and the hash of AIK_PUB
11. AIK provisioning service gets the data, validates that the challenge data is correct, and issues a

Windows 10, Device Health Attestation (DHA) Parties: Windows 10, TPM enabled device (enterprise managed asset); Device Health Attestation Service (DHA-Service); Device Management Solution (MDM).

Windows 10, Device Health Attestation (DHA) Data flow between the Windows 10 device (phone, tablet, laptop, PC, ...), the Microsoft Device Health Attestation Service (DHA-Service) and the Device Management Solution (MDM):
Step 1: Device measures boot components in the TPM. BIOS/UEFI, boot loader, kernel, Early Launch Anti-Malware and early drivers are measured into the TPM boot log and PCRs.
Step 2: The Device Health CSP (DHA-CSP) forwards the measurements to HAS and gets an encrypted report.
2.1. Device -> DHA-Service: SSL { DH Data := TCG_Log, Quote (PCR, Counter), cert }
2.2. DHA-Service -> Device: SSL { DH_Boot_Report := Signed (Encrypted (Analyzed DH Data)) }
Step 3: The Device Management Solution gets and verifies the device health report.
3.1. MDM -> Device: SSL { Session Nonce }
3.2. Device -> MDM: SSL { DHA_Verification_Claims := DHA_Boot_Report, Quote(Current_State, Nonce), Cert }
3.3. MDM -> DHA-Service: SSL { Verify := DH Quote(Current_State, Nonce), Cert + Nonce }
3.4. DHA-Service -> MDM: SSL { Device Health Report }

Windows 10, Device Health Attestation (DHA) Sample data points that are evaluated/reported by HAS: BitlockerStatus, SecureBootEnabled, CodeIntegrityEnabled, ELAMDriverLoaded, VSMEnabled, CIPolicyHash, SBCPPolicyHash, DEPPolicy State, SafeMode, WinPE, BootDebuggingEnabled, OSKernelDebuggingEnabled, TestSigningEnabled, AIKCertPresent, value of PCR 0, reset count (hibernation), restart count (boot/reboot), and more.
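An added example (not from the slides) modelling step 3 of the data flow above together with the data points just listed: the MDM's session nonce, the device's Quote(Current_State, Nonce), the HAS check that the claims are signed and bound to that nonce, and the MDM's evaluation against a compliance baseline. The HMAC keys and sample reports are constructed stand-ins; real DHA uses the asymmetric AIK and HAS keys and an encrypted report.

```python
import hashlib, hmac, json, secrets

# Constructed keys (not real DHA material): HMAC under a key only the TPM (AIK) or the
# HAS holds stands in for the asymmetric AIK and HAS signatures used by real DHA.
AIK_KEY = b"constructed-AIK-secret"
HAS_KEY = b"constructed-HAS-secret"

def sign(key: bytes, payload: dict) -> str:
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify(key: bytes, payload: dict, sig: str) -> bool:
    return hmac.compare_digest(sign(key, payload), sig)

# Enterprise compliance baseline over data points the slides list.
BASELINE = {"SecureBootEnabled": True, "ELAMDriverLoaded": True, "BitlockerStatus": True,
            "BootDebuggingEnabled": False, "OSKernelDebuggingEnabled": False,
            "TestSigningEnabled": False}

def tpm_quote(pcr0: str, nonce: str) -> dict:
    """Quote(Current_State, Nonce): AIK-signed current PCR value bound to the session nonce."""
    body = {"pcr0": pcr0, "nonce": nonce}
    return {"body": body, "sig": sign(AIK_KEY, body)}

def has_verify(report: dict, report_sig: str, quote: dict, nonce: str) -> dict:
    """HAS side of 3.3/3.4: reject forged, replayed or stale claims, else return the report."""
    if not verify(HAS_KEY, report, report_sig):
        raise ValueError("DHA_Boot_Report not signed by HAS")
    if not verify(AIK_KEY, quote["body"], quote["sig"]):
        raise ValueError("quote not signed by the device AIK")
    if quote["body"]["nonce"] != nonce:
        raise ValueError("quote nonce does not match the session nonce (replay?)")
    if quote["body"]["pcr0"] != report["PCR0"]:
        raise ValueError("current PCR0 differs from the boot report (state changed since boot)")
    return report

def mdm_evaluate(health_report: dict) -> list:
    """Consumer of 3.4: baseline data points the device violates ([] means compliant)."""
    return sorted(k for k, want in BASELINE.items() if health_report.get(k) != want)

# Constructed sample reports: a healthy device, and the slides' risk scenario in which
# malware disables Secure Boot, keeps ELAM from loading and enables kernel debugging.
HEALTHY = {"PCR0": "a1" * 16, "SecureBootEnabled": True, "ELAMDriverLoaded": True,
           "BitlockerStatus": True, "BootDebuggingEnabled": False,
           "OSKernelDebuggingEnabled": False, "TestSigningEnabled": False}
TAMPERED = dict(HEALTHY, SecureBootEnabled=False, ELAMDriverLoaded=False,
                OSKernelDebuggingEnabled=True)

def run_step3(report: dict, quoted_nonce: str = "") -> list:
    """Whole step 3 exchange; a non-empty quoted_nonce simulates a device replaying an old quote."""
    nonce = secrets.token_hex(16)                                # 3.1 MDM -> device: session nonce
    quote = tpm_quote(report["PCR0"], quoted_nonce or nonce)     # 3.2 device -> MDM: report + quote
    verified = has_verify(report, sign(HAS_KEY, report), quote, nonce)  # 3.3/3.4 MDM <-> HAS
    return mdm_evaluate(verified)
```

A replayed quote (one made for an earlier nonce) is rejected before any policy is evaluated, which is the property the session nonce exists to give.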

Windows 10, Device Health Attestation (DHA) Sample implementation scenario: Device Health Attestation & Office 365

Windows 10, Device Health Attestation (DHA) Office 365 conditional access flow. Parties: Win 10 device (TPM; measured boot chain of BIOS/UEFI, boot loader, Early Launch Antimalware, kernel and early drivers recorded in the TCG boot log and PCRs; Device Health CSP; other device configuration service providers (CSPs); MDM client; AAD token broker plugin/ADAL; Office apps), MDM, DHA-Service, AAD and Office 365.
(A) Get Device Health Certificate: (A1) forward TCG log and related boot state data to DHA-Service; (A2) DHA-Service issues Device Health Cert
(B) Validate Device Health: (B1) MDM sends nonce; (B2) device forwards health data; (B3) MDM forwards health data and nonce to DHA-Service; (B4) DHA-Service validates; (B5) DHA-Service issues Device Health Report
(C) Query Device Config - State: (C1) MDM queries device config/state through the CSPs; (C2) device forwards device config/state info; (C3) MDM validates compliance state data
(D) Set "IsCompliant" device attribute in AAD
(E) Request Office 365 Access Token: (E1) Office apps trigger token acquisition; (E2) request access token (AuthN, AuthZ); (E3) AAD validates device compliance state; (E4) AAD issues Office 365 access token; (E5) forward token; (E6) present token
(F) Access Office 365 protected resources

Windows 10, Device Health Attestation (DHA) Sample implementation scenario: Device Health Attestation & VPN

Windows 10, Device Health Attestation (DHA) VPN conditional access flow. Parties: Win 10 device (TPM; measured boot chain of BIOS/UEFI, boot loader, Early Launch Antimalware, kernel and early drivers recorded in the TCG boot log and PCRs; Device Health CSP; other device configuration service providers (CSPs); MDM client; AAD token broker plugin; VPN client; certificate store), MDM, DHA-Service, AAD (with its mini CA) and the VPN server.
(A) Get Device Health Certificate: (A1) forward TCG log and related boot state data to DHA-Service; (A2) DHA-Service issues Device Health Cert
(B) Validate Device Health: (B1) MDM sends nonce; (B2) device forwards health data; (B3) MDM forwards health data and nonce to DHA-Service; (B4) DHA-Service validates; (B5) DHA-Service issues Device Health Report
(C) Query Device Config - State: (C1) MDM queries device config/state through the CSPs; (C2) device forwards device config/state info; (C3) MDM validates compliance state data
(D) Set "IsCompliant" device attribute in AAD
(E) Request VPN Certificate: (E0) VPN connection triggers a certificate request if the cert is not valid; (E1) request for VPN certificate; (E2) AAD validates compliance state [VPN compliance policy configured]; (E3) AAD mini CA issues short lived certificate
(F) Client connects to VPN server: (F1) retrieve VPN short lived cert from the certificate store; (F2) present short lived cert (EAP-TLS); (F3) VPN client authenticated
(G) Access internal network resources

Windows 10, Device Health Attestation (DHA) Upcoming TAP opportunities

Windows 10, Device Health Attestation (DHA) Upcoming TAP opportunities:
DHA-OnPrem: SCCM, Airwatch, SOTI, Citrix, MobileIron, Symantec
DHA-Cloud: Intune, Airwatch, SOTI, Citrix, MobileIron, Symantec

Windows 10, Device Health Attestation (DHA) Questions?

APPENDIX

Appendix https://msdn.microsoft.com/en-us/library/dn920025(v=vs.85).aspx

Appendix https://msdn.microsoft.com/en-us/library/dn934876(v=vs.85).aspx