ISDF (Intune Stateful Device Fingerprinting) is an open-source project that closes a specific blind spot in Conditional Access: the fact that device-reported attributes can be locally manipulated.
The problem it solves
Conditional Access is only as strong as the signals it consumes. If a device can assert its own compliance state, an attacker with local admin access can manipulate those signals. ISDF introduces a layer of cloud-stamped metadata — device attributes that cannot be set by the device itself.
How it works
- Enrolment — Device receives a PKCS certificate via Intune Cloud PKI
- Collection — A remediation script gathers hardware-rooted identifiers (TPM/vTPM/UEFI/BIOS/IMDS)
- Authentication — The device authenticates to Azure using its PKCS certificate
- Ingestion — Metadata is POSTed to a Logic App endpoint
- Validation — Logic App validates token signature, app ID, and certificate binding
- Stamping — Managed Identity writes verified values into Entra extension attributes
- Enforcement — Conditional Access evaluates cloud-stamped attributes — not device-reported ones
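The Validation step above, as an added Go example that is not ISDF's own code: the server side checks the token's signature against the issuer key, the expected app ID, and that the token is bound to the certificate the device presented, so a device that tampers with its own token or replays one bound to another certificate is rejected before anything is stamped. The claim names (`appid`, `cnf.x5t#S256`), the locally generated RSA key standing in for the identity provider's published key, and the constructed certificate bytes are assumptions for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var enc = base64.RawURLEncoding

// Claims the check needs: caller app ID and SHA-256 thumbprint of the bound client cert (hypothetical names, not ISDF's schema).
type claims struct {
	AppID string `json:"appid"`
	Cnf   struct {
		X5t string `json:"x5t#S256"`
	} `json:"cnf"`
}

// signToken mints a constructed RS256 JWT; it stands in for the token the identity provider issues.
func signToken(priv *rsa.PrivateKey, payload []byte) string {
	signing := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(payload)
	h := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return signing + "." + enc.EncodeToString(sig)
}

// validate applies the three Validation-step checks: issuer signature, expected app ID, and certificate binding.
func validate(token string, pub *rsa.PublicKey, wantAppID string, certDER []byte) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, err := enc.DecodeString(parts[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return errors.New("bad signature") // forged or tampered token: reject before trusting any claim
	}
	var c claims
	if body, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return errors.New("unreadable claims")
	}
	if thumb := sha256.Sum256(certDER); c.AppID != wantAppID || c.Cnf.X5t != enc.EncodeToString(thumb[:]) {
		return errors.New("app ID or certificate binding mismatch") // token was not issued for this cert/app
	}
	return nil
}
```

In production the public key comes from the identity provider's published signing keys and the certificate from the TLS client-auth handshake; the point is that none of the three inputs are values the device can choose.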
What’s in the repo
- ARM and Bicep templates for Logic Apps and APIM
- Detection and remediation scripts for Intune
- Watchdog scheduled task integration
- KQL queries for compliance monitoring
Read more
- Announcing ISDF — full design walkthrough and architecture
- OuttaTune: the vulnerability that prompted this — the original research