CISA urges companies to lock down Microsoft Intune after Stryker cyberattack
CISA is urging organizations to secure Microsoft Intune and other endpoint management platforms after the March 11 cyberattack that disrupted Stryker’s Microsoft environment. The agency said it is aware of malicious cyber activity targeting endpoint management systems and told organizations to harden configurations using Microsoft’s own Intune security guidance.
The warning matters because endpoint management tools sit at the center of modern IT operations. If attackers gain privileged access to a platform like Intune, they can push apps, change settings, trigger remote actions, and affect large numbers of devices at once. Microsoft’s new guidance focuses on least privilege, phishing-resistant authentication, and Multi Admin Approval for high-impact changes.
Stryker’s own public statement confirms the incident triggered a “global disruption” to its Microsoft environment. The company said it activated its incident response plan, brought in external advisors and cybersecurity experts, and believes the incident has been contained. In a separate customer update, Stryker said it had no indication of ransomware or malware at that stage.
Reuters reported that CISA is coordinating with federal partners, including the FBI, to identify additional threats and determine mitigation actions. Reuters also reported that the March 11 attack disrupted Stryker’s ability to process orders, manufacture products, and ship them to customers.
What CISA is telling organizations to do
CISA’s alert points organizations toward Microsoft’s newly published Intune hardening guide. Microsoft lays out three core steps: build least-privilege admin roles, use phishing-resistant authentication and stronger privileged access hygiene, and enable Multi Admin Approval for sensitive changes.
That guidance is broader than one product. CISA framed the issue around endpoint management systems in general, not only Intune, which suggests the agency wants security teams to review any platform that can issue policy changes or remote actions across a fleet.
Key security controls highlighted by Microsoft
| Control | What it does | Why it matters |
|---|---|---|
| Least-privilege RBAC | Limits what each admin can do and which users or devices they can affect | Reduces the blast radius if one account is compromised |
| Phishing-resistant MFA | Strengthens sign-ins with harder-to-bypass authentication methods | Lowers the risk of account takeover and session abuse |
| Privileged access hygiene | Restricts use of high-power roles and supports tighter admin workflows | Helps keep Global Admin and Intune Admin roles out of daily use |
| Multi Admin Approval | Requires a second authorized admin to approve sensitive actions | Stops one compromised admin account from making tenant-wide changes alone |
Microsoft says least privilege should cover both actions and scope, meaning admins should have only the permissions they need and only over the users or devices they actually manage. The company also warns that broad Entra roles such as Global Administrator and Intune Administrator are privileged roles and should be limited rather than used for everyday work.
Why Multi Admin Approval stands out
One of the most important recommendations is Multi Admin Approval. Microsoft says this control requires a second authorized administrator to review and approve selected Intune changes before deployment, and that enforcement applies both in the Intune admin center and through Intune APIs.
Microsoft’s Intune changelog also shows that Multi-administrator approval now supports device configuration policies created through the settings catalog and device compliance policies. That expands the feature’s practical value because it covers policy work that often affects large device groups.
MFA remains a core defense
Microsoft already requires MFA for accounts that sign in to the Microsoft Intune admin center to perform Create, Read, Update, or Delete operations, with enforcement rolling out from late 2024. The company later expanded enforcement for other Azure management paths, including CLI, PowerShell, IaC tools, and REST API endpoints, starting October 1, 2025.
That does not mean every tenant is equally protected. Microsoft’s Intune hardening guide still stresses phishing-resistant authentication and stronger privileged access hygiene, which suggests basic MFA alone is not enough against modern credential theft or token abuse.
What this means for Intune admins right now
- Review all Intune and Entra privileged roles.
- Remove standing admin access where it is not necessary.
- Use role-based access control and scope tags to narrow permissions.
- Turn on Multi Admin Approval for sensitive changes.
- Check Conditional Access and sign-in protections for privileged accounts.
- Confirm that all Intune administrative paths enforce MFA.
- Audit recent admin actions, policy changes, remote actions, and role changes.
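The least-privilege and role-scoping advice above, together with this checklist, can be turned into a repeatable read-only review. The script below is an added example, not code from the article, from CISA or from Microsoft's hardening guide. It uses the Microsoft Graph PowerShell SDK to list standing members of the Global Administrator and Intune Administrator roles, show which Conditional Access policies require an authentication strength (phishing-resistant MFA is one of the built-in strengths), and summarize the last week of Intune audit events by actor and category. Assumptions: the Microsoft.Graph modules are installed, the signed-in account holds a read-only directory role, the role display names match an English-language tenant, the seven-day window is a chosen value, and the audit-event cmdlet name and field names follow the Graph `auditEvent` resource as exposed by the SDK.

```powershell
# Added example, not code from the article, CISA or Microsoft's hardening guide.
# Read-only review of three checklist items using the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph modules installed; signed-in account has read-only
# directory rights; role display names are the English ones; 7-day window is arbitrary.

Connect-MgGraph -NoWelcome -Scopes @(
    "Directory.Read.All",                    # role membership
    "Policy.Read.All",                       # Conditional Access policies
    "DeviceManagementConfiguration.Read.All" # Intune audit events
)

# --- 1. Standing members of the broad Entra roles the guide says to keep out of daily use
$highPowerRoles = @("Global Administrator", "Intune Administrator")
$activatedRoles = Get-MgDirectoryRole -All   # only roles activated in the tenant are returned
foreach ($roleName in $highPowerRoles) {
    $role = $activatedRoles | Where-Object { $_.DisplayName -eq $roleName }
    if (-not $role) { Write-Host "[$roleName] not activated, so no standing members"; continue }
    $members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)
    Write-Host "[$roleName] $($members.Count) standing member(s)"
    foreach ($m in $members) {
        # Members come back as directoryObjects; typed fields sit in AdditionalProperties
        $type  = $m.AdditionalProperties["@odata.type"]
        $label = $m.AdditionalProperties["userPrincipalName"]
        if (-not $label) { $label = $m.AdditionalProperties["displayName"] }
        Write-Host ("  {0,-30} {1}" -f $type, $label)
    }
}

# --- 2. Conditional Access policies and the authentication strength each one grants on.
#        A tenant with no strength anywhere is relying on plain MFA for its admins.
$policies = Get-MgIdentityConditionalAccessPolicy -All
Write-Host "`n$($policies.Count) Conditional Access policy(ies)"
foreach ($p in $policies) {
    $strength = $p.GrantControls.AuthenticationStrength.DisplayName
    if (-not $strength) { $strength = "(no authentication strength)" }
    Write-Host ("  {0,-34} {1,-45} {2}" -f $p.State, $p.DisplayName, $strength)
}

# --- 3. Recent Intune admin activity: who changed what, grouped by actor and category,
#        then the newest 25 events in detail (policy changes, remote actions, role edits).
$since  = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$events = @(Get-MgDeviceManagementAuditEvent -Filter "activityDateTime gt $since" -All)
Write-Host "`n$($events.Count) Intune audit event(s) since $since"
$events |
    Group-Object { "$($_.Actor.UserPrincipalName)$($_.Actor.ApplicationDisplayName) | $($_.Category)" } |
    Sort-Object Count -Descending |
    ForEach-Object { Write-Host ("  {0,4}  {1}" -f $_.Count, $_.Name) }

Write-Host "`nNewest events:"
$events | Sort-Object ActivityDateTime -Descending | Select-Object -First 25 | ForEach-Object {
    # Actor is a user for console/PowerShell changes and an application for API/app changes
    $who    = if ($_.Actor.UserPrincipalName) { $_.Actor.UserPrincipalName } else { $_.Actor.ApplicationDisplayName }
    $target = ($_.Resources | Select-Object -First 1).DisplayName
    Write-Host ("  {0:u}  {1,-35} {2,-40} {3}" -f $_.ActivityDateTime, $who, $_.ActivityType, $target)
}

Disconnect-MgGraph | Out-Null
```

Run it from an account that is not itself in the high-power roles, and treat the output as a review list rather than a finding: a standing Global Administrator entry is the signal to move that person to just-in-time activation, a policy with no authentication strength is where phishing-resistant MFA has yet to be required, and an actor or application with an unexpected burst of audit events is where the manual audit of policy, remote-action and role changes should start.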
Quick summary of the Stryker-linked warning
| Item | Confirmed detail |
|---|---|
| Agency warning | CISA urged endpoint management system hardening after the cyberattack |
| Trigger event | March 11, 2026 cyberattack affecting Stryker’s Microsoft environment |
| Federal response | CISA said it is coordinating with the FBI and other partners |
| Main Microsoft recommendations | Least privilege, phishing-resistant authentication, Multi Admin Approval |
| Stryker’s status update | Company said the incident was contained and restoration was in progress |
FAQ
Yes. Reuters reported that CISA asked companies to implement Microsoft’s best practices for securing Microsoft Intune, and Microsoft had published that guidance just days earlier.
Stryker said it suffered a March 11 cybersecurity attack that caused a global disruption to its Microsoft environment. The company said it activated its incident response plan, brought in outside experts, and believed the incident had been contained.
They should review privileged roles and high-impact workflows first. Microsoft’s guidance puts least-privilege design and Multi Admin Approval at the center of Intune hardening.
Because these platforms can control huge numbers of endpoints from one console. If attackers compromise them, they can create broad operational damage very quickly.