You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
#15565
Replace the use of the isFederated registry key with a keys that check
for AAD (Azure Active Directory, now Entra ID)
Federated enrollment (`isFederated`) seems to be when windows uses a
Discovery MDM endpoint to get its policy and management endpoint
configuration. This is always the case when a client is enrolled with
fleet, so installations always show up as automatic.
It's being replaced by a different key, `AADResourceID`, which appears
to identify the resource that controls the automated deployment. In my
tests it only appears to be populated when the computer is enrolled
through automated deployments. This key appears on both Windows 10 and
11.
There is a similar key, `AADTenantID`, which appears to identify the
client (tenant) to the Azure cloud. I haven't seen this ID in our
systems, so it is likely exclusively used in Azure. Both this key and
`AADResourceID` seem to always be set at the same time, so we only
check for the `AADResourceID`.
I've also added documentation on the registry keys I've analyzed for future reference.
Each enrollment gets its own subdirectory with a UUID as a key,
68
+
inside each directory is a set of keys associated with that enrollment
69
+
-`CurCryptoProvider`
70
+
Often `Microsoft Software Key Storage Provider`
71
+
Cryptographic Key storage provider
72
+
-`CurKeyContainer`
73
+
Key within key provider
74
+
-`DiscoveryServiceFullURL`
75
+
MDM Discovery service URL
76
+
-`DMPCertThumbPrint`
77
+
According to [this blog post](https://call4cloud.nl/2022/10/fullmetal-certificate-the-revenge-of-renewal/), this is the thumbprint of your MDM device certificate
78
+
-`EnrollmentFlags`
79
+
See [this link](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-xcep/cd22d3a0-f469-4a44-95ed-d10ce4dc2063) for details
| 0x00000001 | Instructs the client and CA to include an S/MIME extension, as specified in [RFC4262]. |
84
+
| 0x00000008 | Instructs the CA to append the issued certificate to the userCertificate attribute, on the user object in Active Directory. |
85
+
| 0x00000010 | Instructs the CA to check the user's userCertificate attribute in Active Directory, as specified in [RFC4523], for valid certificates that match the template enrolled for. |
86
+
| 0x00000040 | This flag instructs clients to sign the renewal request using the private key of the existing certificate. For more information, see [MS-WCCE] section 3.2.2.6.2.1.4.5.6. This flag also instructs the CA to process the renewal requests as specified in [MS-WCCE] section 3.2.2.6.2.1.4.5.6. |
87
+
| 0x00000100 | Instructs the client to get a user's consent before attempting to enroll for a certificate based on the specified template. |
88
+
| 0x00000400 | Instructs the client to delete any expired, revoked, or renewed certificate from the user's certificate stores. |
89
+
| 0x00002000 | This flag instructs the client to reuse the private key for a smart card–based certificate renewal if it is unable to create a new private key on the card. |
90
+
-`EnrollmentState`
91
+
The best documentation we can find is [here](https://learn.microsoft.com/en-us/graph/api/resources/intune-shared-enrollmentstate?view=graph-rest-beta)
| unknown | 0 | Device enrollment state is unknown |
96
+
| enrolled | 1 | Device is Enrolled. |
97
+
| pendingReset | 2 | Enrolled but it's enrolled via enrollment profile and the enrolled profile is different from the assigned profile. |
98
+
| failed | 3 | Not enrolled and there is enrollment failure record. |
99
+
| notContacted | 4 | Device is imported but not enrolled. |
100
+
| blocked | 5 | Device is enrolled as userless, but is blocked from moving to user enrollment because the app failed to install. |
101
+
102
+
-`EnrollmentType`
103
+
According to [this PDF](https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-MDE2/%5BMS-MDE2%5D.pdf) it can have three different values.
104
+
105
+
Device, Full, and AppManaged
106
+
107
+
From what I've seen, value 6 on AAD, 1 on manual
108
+
-`isFederated`
109
+
According to [this web page](https://learn.microsoft.com/en-us/windows/client-management/federated-authentication-device-enrollment), being federated means that the MDM
110
+
endpoints and details were fetched from a Discovery endpoint,
111
+
instead of being manually installed. The page does not make mention
112
+
of the specific registry key, but we are making an assumption that
113
+
it means the same thing.
114
+
-`ProviderID`
115
+
Set during enrollment. In our case it's the word "Fleet".
116
+
-`RenewalPeriod`
117
+
Set during enrollment. Period to renew WSTEP certificate.
118
+
-`RenewErrorCode`
119
+
Presumably set if there is an error renewing WSTEP certificate.
120
+
-`RenewROBOSupport`
121
+
According to [this post](https://call4cloud.nl/2022/10/fullmetal-certificate-the-revenge-of-renewal/) this means "Request On Behalf Of".
122
+
It seems to have to do with automatic certificate renewal
123
+
-`RenewStatus`
124
+
Status of the renewal
125
+
-`RenewTimestamp`
126
+
Presumably the timestamp of the last renewal
127
+
-`RootCertThumbPrint`
128
+
The thumbprint of the WSTEP root certificate
129
+
-`SID`
130
+
Security Identifier
131
+
-`UPN`
132
+
User Principal Name of the user that enrolled the device
133
+
-`AADResourceID`
134
+
Appears to be the domain of the server managing the enrollment,
135
+
always appears to be present on machines enrolled through Microsoft
136
+
Entra (Azure Active Directory)
137
+
-`AADTenantID`
138
+
Also related to Azure Active Directory, and also appears to be
0 commit comments