DoD Zero Trust Strategy for the device pillar
The DoD Zero Trust Strategy and Roadmap outlines a path for Department of Defense components and Defense Industrial Base (DIB) partners to adopt a new cybersecurity framework based on Zero Trust principles. Zero Trust eliminates traditional perimeters and trust assumptions, enabling a more efficient architecture that enhances security, user experiences, and mission performance.
This guide has recommendations for the 152 Zero Trust activities in the DoD Zero Trust Capability Execution Roadmap. The sections correspond with the seven pillars of the DoD Zero Trust model.
Use the following links to go to sections of the guide.
- Introduction
- User
- Device
- Applications and workloads
- Data
- Network
- Automation and orchestration
- Visibility and analytics
2 Device
This section has Microsoft guidance and recommendations for DoD Zero Trust activities in the device pillar. To learn more, see Securing endpoints with Zero Trust.
2.1 Device inventory
Microsoft Intune and Microsoft Defender for Endpoint configure, assess health, and discover software vulnerabilities for devices. Use Microsoft Entra ID and Microsoft Intune integration to enforce compliant device policies for resource access.
DoD Activity Description and Outcome | Microsoft guidance and recommendations |
---|---|
Target 2.1.1 Device Health Tool Gap AnalysisDoD Organizations develop a manual inventory of devices within the environment. Device attributes tracked in the inventory enable functionality outlined in the ZTA target level. Outcome: - Manual inventory of devices is created per organization with owners |
Microsoft Entra ID Register end user devices with Microsoft Entra ID and manage device identities from the Microsoft Entra Admin Center. The Devices Overview page tracks device assets, management state, operating system, join type, and owner. - Registered devices - Hybrid joined devices - List devices - Manage device identities Microsoft Entra Connect Sync Use Connect Sync to synchronize Active Directory managed devices with Microsoft Entra ID. - Hybrid joined devices Microsoft Intune View device information about managed devices from the Microsoft Intune admin center. Retrieve diagnostics from Windows devices using the Collect diagnostics remote action. - Device details - Windows device diagnostics Microsoft Endpoint Configuration Manager Use co-management to attach a Configuration Manager deployment to the Microsoft 365 cloud. - Co-management Microsoft Defender for Endpoint View devices protected by Defender for Endpoint in the Microsoft Defender portal. - Device inventory |
Target 2.1.2 NPE/PKI, Device under ManagementDoD Organizations utilize the DoD Enterprise PKI solution/service to deploy x509 certificates to all supported and managed devices. Additional other Nonperson Entities (NPEs) that support x509 certificates are assigned in the PKI and/or IdP systems. Outcome: - Nonperson entities are managed via Org PKI and Org IDP |
Microsoft Intune Add Intune Certificate Connector for certificate provisioning on endpoints. - Certificate connector - Certificates for authentication Use Intune network profiles to help managed devices authenticate to your network. Add a Simple Certificate Enrolment Protocol (SCEP) certificate. - Device Wi-Fi settings - Windows device wired network settings Integrate Intune with network access control (NAC) partners to secure your data when devices access on-premises resources. - NAC integration Application management policy Configure the tenant app management policy to restrict application credentials to certificates issued by enterprise PKI. See Microsoft guidance 1.9.1 in User. Azure IoT Hub Configure Azure IoT Hub to use and enforce X.509 authentication. - Authenticate identities with x509 certificates Microsoft Defender for Identity If your organization hosts its PKI with Active Directory Certificate Services (AD CS), deploy Defender for Identity sensors, and configure auditing for AD CS. - AD CS sensor - Configure audits for AD CS |
Target 2.1.3 Enterprise IDP Pt1The DoD eterprise Identity Provider (IdP) either using a centralized technology or federated organizational technologies integrates Non-Person Entities (NPEs) such as devices and service accounts. Integration is tracked in the Enterprise Device Management solution when applicable as to whether it is integrated or not. NPEs unable to be integrated with the IdP are either marked for retirement or excepted using a risk based methodical approach. Outcome: - NPEs including devices are integrated with Enterprise IdP |
Microsoft Entra joined devices registration Use Microsoft Entra joined devices for new and re-imaged Windows client devices. Microsoft Entra joined devices have an improved user experience for sign-in to cloud apps like Microsoft 365. Users access on-premises resources using Microsoft Entra joined devices. - Joined devices - SSO to on-premises resources on joined devices Microsoft Intune Set up automatic enrollment for Windows 10 or 11 devices joined to a Microsoft Entra tenant. - Automatic enrollment Microsoft Entra Connect Sync If your organization synchronizes Active Directory with Microsoft Entra ID using Connect Sync. To automatically register devices with Microsoft Entra ID, configure hybrid joined devices. - Hybrid joined devices Microsoft Entra applications Register applications with Microsoft Entra and use Service Principals for programmatic access to Microsoft Entra and protected APIs like Microsoft Graph. Configure app management policies to restrict application credential types. See Microsoft guidance 2.1.2. Microsoft Entra Workload ID Use workload identity federation to access Microsoft Entra protected resources in GitHub actions, and other supported scenarios. - Workload identity federation Managed identities Use managed identities for supported Azure resources and Azure Arc-enabled VMs. - Managed identities for Azure resources - Azure Arc-enabled servers Azure IoT Hub Use Microsoft Entra ID to authenticate requests to Azure IoT Hub service APIs. - Control access to IoT Hub |
Advanced 2.1.4 Enterprise IDP Pt2The DoD enterprise Identity Provider (IdP) either using a centralized technology or federated organizational technologies adds additional dynamic attributes for NPEs such as location, usage patterns, etc. Outcome: - Conditional device attributes are part of the IdP profile |
Microsoft Defender for Endpoint Deploy Defender for Endpoint to end user desktop devices, managed mobile devices, and servers. - Onboard devices - Defender for Endpoint on devices with Intune - Onboard Windows servers Microsoft Intune Manage end user devices with Intune. Configure Intune compliance policies for managed devices. Include Microsoft Defender for Endpoint machine risk score in Intune compliance policies. - Plan compliance policies - Compliance policy for device risk level - Custom compliance policies - Configure Windows devices in Intune - Android Enterprise security configuration - iOS and iPadOS devices in Intune If your organization uses a third-party Mobile Threat Defense (MTD) solution, configure the Intune connector. - MTD configuration Mobile app management Use Intune MAM for unenrolled devices to configure and secure apps for bring your own devices (BYOD). - App management |
2.2 Device detection and compliance
Microsoft Intune compliance policies ensure devices comply with organizational standards. Compliance policies can assess device configuration against a security baseline. Policies use Microsoft Defender for Endpoint protection state, and machine risk score, to determine compliance. Conditional Access uses device compliance state to make dynamic access decisions for users and devices, including bring-your-own-devices (BYOD).
DoD Activity Description and Outcome | Microsoft guidance and recommendations |
---|---|
Target 2.2.1 Implement C2C/Compliance Based Network Authorization Pt1The DoD enterprise working with the Organizations develops a policy, standard, and requirements for Comply to Connect. Once agreement is reached, solution procurement is started, a vendor(s) is selected, and implementation begins with base level functionality in ZT Target environments (low risk). Base level checks are implemented in the new Comply to Connection solution enabling the ability to meet ZTA target functionalities. Outcomes: - C2C is enforced at the enterprise level for low risk and testing environments - Basic devices checks are implemented using C2C |
Microsoft Intune Manage devices with Intune and configure device compliance policies. Use Intune mobile application management (MAM) to secure apps on un-enrolled BYOD. See Microsoft guidance in 2.1.4. Conditional Access Use Intune-compliant device signals, location, and sign-in risk signals in Conditional Access policies. Use device filters for Conditional Access policies, based on device attributes. - Require compliance devices - Conditions - Filter for devices - Conditional Access with Intune Microsoft Entra Workload ID Create Conditional Access policies for workload identities using risk and location controls. - Conditional Access for workload identities - Secure workload identities |
Advanced 2.2.2 Implement C2C/Compliance Based Network Authorization Pt2DoD Organizations expand the deployment and usage of Comply to Connect to all supported environments required to meet ZT advanced functionalities. Comply to Connect teams integrate their solution(s) with the Enterprise IdP and Authorization Gateways to better manage access and authorizations to resources. Outcomes: - C2C is enforced in all supported environments - Advanced devices checks are completed and integrated with dynamic access, enterprise IdP and ZTNA. |
Microsoft Entra applications Integrate applications and govern user access with Microsoft Entra ID. See Microsoft guidance 1.2.4 in User. Microsoft Intune and Microsoft Defender for Endpoint Manage devices with Intune, deploy Defender for Endpoint, and configure a device-compliance policy using Defender for Endpoint machine risk score. See Microsoft guidance 2.1.4 in this section. Conditional Access Create Conditional Access policies requiring compliant device for application access. See Microsoft guidance in 2.2.1. Microsoft Entra application proxy Deploy application proxy or a secure hybrid access (SHA) partner solution to enable Conditional Access for on-premises and legacy applications through the Zero Trust Network Access (ZTNA). - SHA with Microsoft Entra integration Microsoft Tunnel Tunnel is a virtual private network (VPN) gateway solution for Intune-managed devices and un-enrolled devices with Intune-managed apps. Tunnel uses Microsoft Entra ID for authentication and Conditional Access policies for mobile device access to on-premises applications. - Tunnel for Intune |
2.3 Device authorization with real time inspection
Conditional Access is the Zero Trust policy engine for Microsoft cloud products and services. Evaluating Zero Trust policies at the IdP advances the comply-to-connect (C2C) model by applying adaptive controls before resource access. Conditional Access policies use security signals from Microsoft Entra ID, Microsoft Defender XDR, and Microsoft Intune.
Microsoft Defender XDR components assess device and identity risk levels by using machine learning (ML) detections, and by enabling dynamic, risk-based decisions to allow, block, or control access to data, applications, assets, and services (DAAS).
DoD Activity Description and Outcome | Microsoft guidance and recommendations |
---|---|
Advanced 2.3.1 Entity Activity Monitoring Pt1Using the developed User and Device baselines, DoD Organizations utilize the implemented User and Entity Behavioral Activity (UEBA) solution to integrate baselines. UEBA device attributes and baselines are available to be used for device authorization detections. Outcomes: - UEBA attributes are integrated for device baseline - UEBA attributes are available for usage with device access |
Microsoft Intune and Microsoft Defender for Endpoint Manage devices with Intune, deploy Defender for Endpoint, and configure a device compliance policy using Defender for Endpoint machine risk score. See Microsoft guidance in 2.1.4. Conditional Access Create Conditional Access policies that require compliant device for application access. See Microsoft guidance in 2.2.1. Microsoft Entra ID Protection Configure Conditional Access policies for identity risk levels in Microsoft Entra ID Protection. See Microsoft guidance 1.6.1 in User. |
Advanced 2.3.2 Entity Activity Monitoring Pt2DoD Organizations utilize the User and Entity Behavioral Activity (UEBA) solution with network access solutions to mandate UEBA attributes (e.g., device health, logon patterns, etc.) for accessing environments and resources. Outcome: - UEBA attributes are mandated for device access |
Conditional Access Use Intune-compliant device state, location, and identity risk signals in Conditional Access policies. Use device filters to target Conditional Access policies based on device attributes. See Microsoft guidance in 2.2.1 and in 2.3.1. |
Target 2.3.3 Implement Application Control & File Integrity Monitoring (FIM) ToolsDoD Organizations procure and implement File Integrity Monitoring (FIM) and Application Control solutions. FIM continues development and expansion of monitoring in the Data Pillar. Application Control is deployed to low-risk environments in a monitor only mode establishing baseline allowances. Application control teams being integration with the Enterprise and Organization PKI environments utilize certificates for application allowances. NextGen AV covers all possible services and applications Outcomes: - AppControl and FIM tooling is implemented on all critical services/applications - EDR tooling covers the maximum amount of services/applications - AppControl and FIM data is sent to C2C as needed |
Microsoft Defender for Endpoint Defender for Endpoint aggregates signals from File Integrity Monitoring (FIM), Application Control, Next Generation Antivirus (NGAV), and more for machine risk score. - Next-generation protection - Antivirus for managed devices - Controlled folder access Microsoft Intune Configure App Control enpoint security policies in Microsoft Intune. - Approved apps with App Control for Business - Windows Defender AppControl policy and file rules Conditional Access To achieve the comply-to-connect (C2C) model, integrate applications with Microsoft Entra ID and require compliant device grant control in Conditional Access. See Microsoft guidance in 2.2.2. |
Advanced 2.3.4 Integrate NextGen AV Tools C2CDoD Organizations procure and implement Next Generation Anti-Virus & Anti-Malware solutions as needed. These solutions are integrated with the initial deployment of Comply to Connect for baseline status checks of signatures, updates, etc. Outcomes: - Critical NextGen AV data is being sent to C2C for checks - NextGen AV tooling is implemented on all critical services/applications |
Microsoft Intune Create device-compliance policies for antivirus and Microsoft Defender for Endpoint machine risk score. - Antivirus policy for endpoint security See Microsoft guidance in 2.2.2. |
Advanced 2.3.5 Fully Integrate Device Security stack with C2C as appropriateDoD Organizations continue the deployment of Application Control to all environments and in prevention mode. File Integrity Monitoring (FIM) and Application Controls analytics are integrated into Comply to Connect for expanded access decision making data points. Comply to Connect analytics are evaluated for further device/endpoint security stack data points such as UEDM and are integrated as necessary. Outcomes: - AppControl and FIM deployment is expanded to all necessary services/applications - Remaining data from Device Security tooling is implemented with C2C |
Complete activity 2.3.4. Microsoft Defender for Cloud Apps Identify and control risky cloud applications with Defender for Cloud Apps policies. - Control cloud apps with policies |
Advanced 2.3.6 Enterprise PKI Pt1The DoD Enterprise Public Key Infrastructure (PKI) is expanded to include the addition of NPE and device certificates. NPEs and devices that do not support PKI certificates are marked for retirement and decommission starts. Outcomes: - Devices that are unable to have certificates are phased out and/or moved to minimal access environments - All devices and NPEs have certs installed for authentication in the Enterprise PKI |
Microsoft Intune Use Microsoft Intune to deploy DoD PKI certificates to devices. See Microsoft guidance in 2.1.2. Application management policy Configure the tenant app management policy to restrict application credentials to certificates issued by enterprise PKI. See Microsoft guidance 1.5.3 in User. Microsoft Defender for Cloud Apps Configure access policies to require client certificates for application access and to block unauthorized device access. - Access policies |
Advanced 2.3.7 Enterprise PKI Pt2DoD Organizations utilize certificates for device authentication and machine to machine communications. Unsupported devices complete retirement and exceptions are approved using a risk based methodical approach. Outcome: - Devices are required to authenticate to communicate with other services and devices |
Microsoft Intune and Conditional Access Integrate applications with Microsoft Entra ID, manage devices with Intune, protect devices with Microsoft Defender for Endpoint, and configure compliance policies. Include a compliance policy for Defender for Endpoint machine risk score. Require compliant grant control in Conditional access policies. See Microsoft guidance in 2.2.2. |
2.4 Remote access
Microsoft Entra ID is a deny-by-default identity provider (IdP). If you use Microsoft Entra for application sign-in, users authenticate and pass Conditional Access policy checks before Microsoft Entra authorizes access. You can use Microsoft Entra ID to protect applications hosted in the cloud or on-premises.
DoD Activity Description and Outcome | Microsoft guidance and recommendations |
---|---|
Target 2.4.1 Deny Device by DefaultDoD Organizations block all unmanaged remote and local device access to resources. Compliant managed devices are provided risk based methodical access following ZTA target level concepts. Outcomes: - Components can block device access by default to resources (apps/data) and explicitly allow compliant devices per policy - Remote Access is enabled following a "deny device by default policy" approach |
Microsoft Entra ID applications Access to applications and resources protected by Microsoft Entra ID is denied by default. Resource access requires authentication, active entitlement, and authorization by Conditional Access policies. - Integrate apps - App integration Microsoft Intune Manage devices with Intune. Configure device compliance policies. Require compliant device in Conditional Access policies for all users and applications. See Microsoft guidance in 2.2.1. |
Target 2.4.2 Managed and Limited BYOD & IOT SupportDoD Organizations utilize Unified Endpoint and Device Management (UEDM) and similar solutions to ensure that managed Bring Your Own Device (BYOD) and Internet of Things (IoT) devices are fully integrated with Enterprise IdP enable user and device-based authorization are supported. Device access for all applications requires dynamic access policies. Outcomes: - All applications require dynamic permissions access for devices - BYOD and IOT device permissions are baselined and integrated with Enterprise IDP |
Complete activity 2.4.1. Microsoft Intune Use Intune device management and mobile application management to bring your own device (BYOD). - Mobile app management for unenrolled devices - App protection policies Conditional Access Require compliant device and/or app protection policy in Conditional Access for all users and applications. - Approved client app or app protection policy - App protection policy on Windows devices Microsoft Entra External ID Configure cross-tenant access settings to trust compliant device controls from trusted partners. - Cross-tenant access settings for B2B collaboration Microsoft Defender for IoT Deploy Defender for IoT sensors for visibility, also to monitor and protect IoT and operational technology (OT) devices. Ensure device software is up to date and change local passwords. Don’t use default passwords. - Defender for IoT - IoT and OT security with Zero Trust - US National Cybersecurity Strategy to secure IoT |
Advanced 2.4.3 Managed and Full BYOD & IOT Support Pt1DoD Organizations utilize Unified Endpoint and Device Management (UEDM) and similar solutions to enable access for managed and approved devices to Mission and Operational Critical services/applications using dynamic access policies. BYOD and Internet of Things (IoT) devices are required to meet standard baseline checks before authorization. Outcomes: - Only BYOD and IOT devices that meet mandated configuration standards allowed to access resources - Critical Services require dynamic access for devices |
Complete activity 2.4.2. Microsoft Defender for Cloud Apps Configure access policies to require client certificates for application access. Block access from unauthorized devices. See Microsoft guidance in 2.3.6. |
Advanced 2.4.4 Managed and Full BYOD & IOT Support Pt2DoD Organizations utilize Unified Endpoint and Device Management (UEDM) and similar solutions to enable access for unmanaged devices meeting device checks and standard baselines. All possible services/applications are integrated to allow access to managed devices. Unmanaged devices are integrated with services/applications based on risk driven methodical authorization approach. Outcome: - All possible services require dynamic access for devices |
Azure Virtual Desktop Deploy Azure Virtual Desktop (AVD) to support remote access from unmanaged devices. Join AVD session host VMs to Microsoft Entra and manage compliance with Microsoft Intune. Allow sign-in to AVD with passwordless or a passwordless phishing-resistant authenticator from unmanaged devices. - Microsoft Entra joined VMs in AVD - Authentication strength Microsoft Defender for Cloud Apps Use Defender for Cloud Apps session control to monitor and restrict web sessions from unmanaged devices. - Session policies |
2.5 Partially and fully automated asset, vulnerability, and patch management
Microsoft Endpoint Manager supports cloud-based and hybrid (co-management) solutions for device management. Configuration and compliance policies ensure devices meet the patch level and security configuration requirements for your organization.
DoD Activity Description and Outcome | Microsoft guidance and recommendations |
---|---|
Target 2.5.1 Implement Asset, Vulnerability, and Patch Management ToolsDoD Organizations implement solution(s) for managing assets/devices configurations, vulnerabilities, and patches. Using minimum compliance standards (e.g., STIGs, etc.) teams can confirm or deny managed device compliance. As part of the procurement and implementation process for solutions, APIs or other programmatic interfaces will be in scope for future levels of automation and integration. Outcomes: - Components can confirm if devices meet minimum compliance standards or not - Components have asset management, vulnerability, and patching systems with APIs that will enable integration across the systems |
Microsoft Intune Manage devices in Intune. See Microsoft guidance in 2.1.4. Use Microsoft Endpoint Manager co-management for legacy endpoint devices. - Endpoint management - Co-management Configure and update policies for device platforms managed with Intune. - iOS and iPadOS software update policies - macOS software update policies - Android FOTA updates - Windows 10 and 11 updates Microsoft Defender for Endpoint Integrate Microsoft Defender for Endpoint with Microsoft Intune. Remediate endpoint vulnerabilities with Microsoft Intune configuration policies. - Microsoft Defender Vulnerability Management - Use Microsoft Intune and vulnerabilities identified by Microsoft Defender for Endpoint |
2.6 Unified endpoint management and mobile device management
Microsoft Intune configuration and compliance policies ensure devices meet organizational security configuration requirements. Intune evaluates compliance policies and marks devices as compliant or noncompliant. Conditional Access policies can use device compliance state to block users with noncompliant devices from accessing resources protected by Microsoft Entra ID.
Microsoft Entra External ID cross-tenant access settings include trust settings for guest collaboration. These settings can be customized for each partner tenant. When you trust compliant devices from another tenant, guests using compliant devices in their home tenant satisfy Condtional Access policies requiring compliant devices in your tenant. You don’t need to make exceptions to Conditional Access policies to avoid blocking external guests.
DoD Activity Description and Outcome | Microsoft guidance and recommendations |
---|---|
Target 2.6.1 Implement UEDM or equivalent toolsDoD Organizations will work closely with the "Implement Asset, Vulnerability, and Patch Management tools" activity to procure and implement and Unified Endpoint and Device Management (UEDM) solution ensuring that requirements are integrated with the procurement process. Once a solution is procured the UEDM team(s) ensure that critical ZT target functionalities such as minimum compliance, asset management, and API support are in place. Outcomes: - Components can confirm if devices meet minimum compliance standards or not - Components have asset management system(s) for user devices (phones, desktops, laptops) that maintains IT compliance, which is reported up to DoD enterprise - Components asset management systems can programmatically, i.e., API, provide device compliance status and if it meets minimum standards |
Complete activity 2.3.2. Microsoft Intune Device compliance status is integrated with the identity provider (IdP), Microsoft Entra ID, by Intune compliance signals in Conditional Access. View device compliance status in the Microsoft Entra admin center or by using Microsoft Graph API. - Compliance policies - Intune reports Microsoft Entra External ID To extend device compliance policies to users outside the organization, configure cross-tenant access settings to trust MFA and compliant device claims from trusted DoD tenants. - Cross-tenant access Microsoft Graph API Microsoft Graph APIs query device compliance status. - Compliance and privacy APIs |
Target 2.6.2 Enterprise Device Management Pt1DoD Organizations migrate the manual device inventory to an automated approach using the Unified Endpoint and Device Management solution. Approved devices are able to be managed regardless of location. Devices part of critical services are mandated to be managed by the Unified Endpoint and Device Management solution supporting automation. Outcomes: - Manual inventory is integrated with an automated management solution for critical services - Enable ZT Device Management (from any location with or without remote access) |
Microsoft Intune and Conditional Access Manage devices with Microsoft Intune. Configure device compliance policies. Require compliant device Conditional Access policies. See Microsoft guidance in 2.1.4. |
Target 2.6.3 Enterprise Device Management Pt2DoD Organizations migrate the remaining devices to Enterprise Device Management solution. EDM solution is integrated with risk and compliance solutions as appropriate. Outcome: - Manual inventory is integrated with an automated management solution for all services |
Microsoft Intune and Conditional Access Manage devices with Intune. Configure device compliance policies. Require compliant device in Conditional Access policies. See Microsoft guidance in 2.1.4. |
2.7 Endpoint and extended detection and response (EDR and XDR)
The Microsoft Defender XDR unified defense suite coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications. Microsoft Defender XDR components detect and defend against sophisticated attacks.
Integration of Microsoft Defender XDR components extends protection beyond devices. See example detection events that contribute to user risk level in Microsoft Entra ID Protection:
- Suspicious email-sending patterns detected by Microsoft Defender for Office
- Impossible travel detections in Microsoft Defender for Cloud Apps
- Attempts to access the primary refresh token detected by Microsoft Defender for Endpoint
Risk-based Conditional Access policies can secure, limit, or block access to cloud services for the risky user, even if they use a compliant device on a trusted network.
To learn more, see enable Microsoft Defender XDR components and what are risks?
DoD Activity Description and Outcome | Microsoft guidance and recommendations |
---|---|
Target 2.7.1 Implement Endpoint Detection & Response (EDR) Tools and Integrate with C2CDoD Organizations procure and implement Endpoint Detection and Response (EDR) solution(s) within environments. EDR is protecting, monitoring, and responding to malicious and anomalous activities enabling ZT Target functionality and is sending data to the Comply to Connection solution for expanded device and user checks. Outcomes: - Endpoint Detection & Response Tooling is implemented - Critical EDR data is being sent to C2C for checks - NextGen AV tooling covers maximum amount of services/applications |
Microsoft Defender for Endpoint Deploy Defender for Endpoint for end user devices. See Microsoft guidance 2.3.1 in this section. Microsoft Intune Configure Intune device compliance policies. Include Defender for Endpoint machine risk score for policy compliance. See Microsoft guidance 2.1.4. and in 2.3.2. Microsoft Defender for Cloud Enable Microsoft Defender for Server for subscriptions with virtual machines (VMs) in Azure. Defender for Server plans include Defender for Cloud for servers. - Defender for Servers Use Azure Arc-enabled servers to manage and protect Windows and Linux physical servers and VMs outside Azure. Deploy the Azure Arc agent for servers hosted outside Azure. Onboard Arc-enabled servers to a subscription protected by Microsoft Defender for Server. - Azure Arc-enabled servers - Azure Connected Machine agent |
Target 2.7.2 Implement Extended Detection & Response (XDR) Tools and Integrate with C2C Pt1DoD Organizations procure and implement Extended Detection & Response (XDR) solution(s). Integration points with cross pillar capabilities are identified and prioritized based on risk. The riskiest of these integration points are actioned and integration is started. EDR continues coverage of endpoints to include the maximum number of services and applications as part of the XDR implementation. Basic analytics are sent from the XDR solution stack to the SIEM. Outcomes: - Integration Points have been identified per Capability - Riskiest integration points have been integrated w/ XDR - Basic alerting is in place with SIEM and/or other mechanisms |
Microsoft Defender XDR Pilot and deploy Microsoft Defender XDR components and services. - Defender XDR - Sentinel and Defender XDR for Zero Trust Configure integrations of deployed Microsoft Defender XDR components. - Defender for Endpoint with Defender for Cloud Apps - Defender for Identity and Defender for Cloud Apps - Purview Information Protection and Defender for Cloud Apps Microsoft Sentinel Configure Sentinel data connectors for Microsoft Defender XDR. Enable analytics rules. - Install Defender XDR - Connect Defender XDR data to Sentinel |
Advanced 2.7.3 Implement Extended Detection & Response (XDR) Tools and Integrate with C2C Pt2XDR solution stack completes identification of integration points expanding coverage to the fullest amount possible. Exceptions are tracked and managed using a risk based methodical approach for continued operation. Extended analytics enabling ZT Advanced functionalities are integrated into the SIEM and other appropriate solutions. Outcomes: - Remaining integration points have been integrated as appropriate - Extended alerting and response is enabled with other Analytics tools at least using SIEM |
Microsoft Defender XDR Use Microsoft Defender XDR in your security operations strategy. - Integrate Defender XDR into security ops |
Next steps
Configure Microsoft cloud services for the DoD Zero Trust Strategy: