Tags: PowerShell Module, Automation

Entra ID Device Trust

Entra ID Device Trust binds Function Apps to Entra ID joined devices by validating that requests originate from trusted devices, using the device certificate enrolled during device registration. It combines client-side data gathering (signature hash, device CN, public key, thumbprint) with server-side validation, and can be embedded as a module in your Function App or installed as a dependency. The solution supports embedding EntraIDDeviceTrust.Client on clients and EntraIDDeviceTrust.FunctionApp in Function Apps for seamless, enhanced request security.

Works with
Windows, Entra ID, Conditional Access

Security Analysis

5 of 6 checks passed
1 Issue Found

17 files scanned on Jun 11, 2026

Issues Detected
Obfuscated Code (check: no base64 encoded commands or hidden scripts), 1 finding:
Base64 decode and execute in EntraIDDeviceTrust.FunctionApp/Public/Get-EntraIDDeviceAlternativeSecurityIds.ps1 ([line 27](https://github.com/MSEndpointMgr/EntraIDDeviceTrust/blob/main/EntraIDDeviceTrust.FunctionApp/Public/Get-EntraIDDeviceAlternativeSecurityIds.ps1#L27))
Passed Checks
No Remote Execution
No Credential Theft
No Data Exfiltration
No Malicious Patterns
No Hardcoded Secrets
AI Analysis

Overall, the EntraIDDeviceTrust codebase is aligned with expected Intune/Entra ID device trust patterns and does not contain obfuscation or hardcoded secrets. A critical functional bug exists in the signing path (an undefined variable is used to select the certificate) that can disable the attestation flow. Device identity and attestation data are sent to an external Function App endpoint by design, which is an outbound data flow rather than malicious exfiltration; ensure the endpoint is trusted and authenticated, and that data minimization and privacy controls are in place. Private key usage for signing is expected for device attestation but should be protected with strong key management and restricted access.