Endpoint Management System Hardening Advisory Following Stryker Cyberattack
Summary
CISA released a cybersecurity alert on March 18, 2026, following a March 11 cyberattack against medical technology firm Stryker Corporation that compromised their Microsoft environment. The alert urges all U.S. organizations to harden endpoint management system configurations, specifically recommending Microsoft Intune security best practices including least privilege RBAC, phishing-resistant MFA, and Multi Admin Approval for sensitive operations.
What changed
CISA documented a cyberattack against Stryker Corporation's Microsoft environment and is recommending that organizations implement Microsoft's newly released Intune security best practices. Key recommendations include using role-based access control with least privilege principles, enforcing phishing-resistant MFA through Microsoft Entra ID Conditional Access, and requiring Multi Admin Approval for sensitive actions such as device wiping or RBAC changes.
Organizations should immediately review CISA's alert and Microsoft documentation to assess their endpoint management security posture. While this is advisory guidance without a specific compliance deadline, security teams should prioritize implementing these controls given the active exploitation of endpoint management systems. CISA is coordinating with the FBI to identify additional threats.
What to do next
- Review CISA's alert and Microsoft's Intune security best practices documentation
- Implement least privilege RBAC for endpoint management systems and assign minimum permissions to administrative roles
- Enforce phishing-resistant MFA and Conditional Access policies for privileged access to Intune
- Configure Multi Admin Approval requiring secondary administrator approval for sensitive or high-impact operations
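One way to check the phishing-resistant MFA item above against a tenant's exported Conditional Access policies, as an added example that is not part of the CISA alert or Microsoft's guidance. Field names follow the Microsoft Graph conditionalAccessPolicy resource and the two GUIDs are Microsoft's published well-known IDs; the sample policies are constructed, and `policy` and `audit` are hypothetical helper names.

```python
INTUNE_ADMIN = "3a2c62db-5318-420d-8d74-23affee5d9d5"     # Intune Administrator role template ID
PHISH_RESISTANT = "00000000-0000-0000-0000-000000000004"  # built-in "Phishing-resistant MFA" strength

def policy(name, state, operator, strength=None, builtin=(), roles=(), users=()):
    """Hypothetical helper: build a constructed policy in the Graph conditionalAccessPolicy shape."""
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeRoles": list(roles), "includeUsers": list(users),
                                     "excludeRoles": []},
                           "applications": {"includeApplications": ["All"]}},
            "grantControls": {"operator": operator, "builtInControls": list(builtin),
                              "authenticationStrength": {"id": strength} if strength else None}}

# Constructed sample export, not real tenant data.
SAMPLE = [
    policy("Admins: phishing-resistant (pilot)", "enabledForReportingButNotEnforced", "AND",
           PHISH_RESISTANT, roles=[INTUNE_ADMIN]),
    policy("Admins: strong auth or compliant device", "enabled", "OR",
           PHISH_RESISTANT, builtin=["compliantDevice"], roles=[INTUNE_ADMIN]),
    policy("All users: MFA", "enabled", "OR", builtin=["mfa"], users=["All"]),
]

def audit(policies, role_id=INTUNE_ADMIN):
    """Return (enforced, findings); enforced means a policy requires the strength with no gap below."""
    enforced, findings = False, []
    for p in policies:
        cond, grant = p.get("conditions") or {}, p.get("grantControls") or {}
        users = cond.get("users") or {}
        strength = (grant.get("authenticationStrength") or {}).get("id")
        targeted = role_id in users.get("includeRoles", []) or "All" in users.get("includeUsers", [])
        if not targeted or strength != PHISH_RESISTANT:
            continue  # not a phishing-resistant requirement that reaches this role
        gaps = []
        if p.get("state") != "enabled":  # report-only and disabled policies block nothing
            gaps.append(f"state is {p.get('state')}, not enforced")
        if role_id in users.get("excludeRoles", []):
            gaps.append("role is excluded from the policy")
        if grant.get("operator") == "OR" and grant.get("builtInControls"):
            gaps.append("OR lets " + ",".join(grant["builtInControls"]) + " satisfy the grant instead")
        if "All" not in (cond.get("applications") or {}).get("includeApplications", []):
            gaps.append("not scoped to all cloud apps, confirm Intune is covered")
        findings += [f"{p.get('displayName')}: {g}" for g in gaps]
        enforced = enforced or not gaps
    if not enforced:
        findings.append("no enforced phishing-resistant policy covers the role")
    return enforced, findings

if __name__ == "__main__":
    ok, notes = audit(SAMPLE)
    print("enforced:", ok, *notes, sep="\n")
```

User and group exclusions need directory lookups to resolve membership and are not evaluated here.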
Source document (simplified)
Alert
CISA Urges Endpoint Management System Hardening After Cyberattack Against US Organization
Release Date
March 18, 2026
CISA is aware of malicious cyber activity targeting endpoint management systems of U.S. organizations based on the March 11, 2026 cyberattack against U.S.-based medical technology firm Stryker Corporation, which affected their Microsoft environment. 1 To defend against similar malicious cyber activity, CISA urges organizations to harden endpoint management system configurations using the recommendations and resources provided in this alert. CISA is conducting enhanced coordination with federal partners, including the Federal Bureau of Investigation (FBI), to identify additional threats and determine mitigation actions.
To defend against similar malicious activity that misuses legitimate endpoint management software, CISA urges organizations to implement Microsoft’s newly released best practices for securing Microsoft Intune; the principles of these recommendations can be applied to Intune and more broadly to other endpoint management software:
- Use principles of least privilege when designing administrative roles.
- Leverage Microsoft Intune’s role-based access control (RBAC) to assign the minimum permissions necessary to each role for completing day-to-day operations—permissions include what actions the role can take, and what users and devices it can apply that action to.
- Enforce phishing-resistant multi-factor authentication (MFA) and privileged access hygiene.
- Use Microsoft Entra ID capabilities (including Conditional Access, MFA, risk signals, and privileged access controls) to block unauthorized access to privileged actions in Microsoft Intune.
- Configure access policies to require Multi Admin Approval in Microsoft Intune.
- Set up policies that require a second administrative account’s approval to allow changes to sensitive or high-impact actions (such as device wiping), applications, scripts, RBAC, configurations, etc.
Additionally, CISA recommends reviewing the following resources to strengthen defenses against similar malicious cyber activity:
Microsoft resources:
- For recommendations on securing Microsoft Intune, see Best practices for securing Microsoft Intune.
- For guidance on implementing Multi Admin Approval in Microsoft Intune, see Use Access policies to implement Multi Admin Approval.
- For recommendations on configuring Microsoft Intune using zero trust principles, see Configure Microsoft Intune for increased security.
- For guidance on implementing Microsoft Intune RBAC policies, see Role-based access control (RBAC) with Microsoft Intune.
- For guidance on deploying Privileged Identity Management (PIM) across Microsoft Intune, Entra ID, and other Microsoft software, see Plan a Privileged Identity Management deployment.
CISA resources:
- For guidance on implementing phishing-resistant multifactor authentication (MFA), see Implementing Phishing-Resistant MFA.
Disclaimer
The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.
Acknowledgements
Microsoft and Stryker contributed to this alert.
Notes
1 For updates from Stryker on the incident, see “Customer Updates: Stryker Network Disruption,” Stryker, last modified March 15, 2026, https://www.stryker.com/us/en/about/news/2026/a-message-to-our-customers-03-2026.html.