CISA Zero Trust Maturity Model for the devices pillar
This section has Microsoft guidance and recommendations for the CISA Zero Trust Maturity Model in the devices pillar.
2 Devices
CISA identifies a device as an asset that connects to a network, including servers, desktop and laptop computers, printers, mobile phones, internet of things (IoT) devices, networking equipment, and more. Assets include hardware, software, firmware, and similar components. To learn more, see Securing endpoints with Zero Trust.
2.1 Function: Policy enforcement and compliance monitoring
CISA ZTMM Stage Description | Microsoft guidance and recommendations |
---|---|
Initial Maturity Status Enterprise receives self-reported device characteristics (e.g., keys, tokens, users, etc., on the device) but has limited enforcement mechanisms. Enterprise has a preliminary, basic process in place to approve software use and push updates and configuration changes to devices. |
Microsoft Intune, Microsoft Configuration Manager The Microsoft Intune family of products is an integrated solution to manage devices. Use the Intune device inventory, device configuration, and software update capabilities. With Microsoft Configuration Manager, enable cloud attach to modernize and streamline device management. Organizations that use a third-party mobile device management (MDM) solution can consolidate device management in Intune by following the migration guide. - Intune - Configuration Manager - Cloud attach - Intune migration guide - Operating systems and browsers supported by Intune |
Advanced Maturity Status Enterprise has verified insights (i.e., an administrator can inspect and verify the data on device) on initial access to device and enforces compliance for most devices and virtual assets. Enterprise uses automated methods to manage devices and virtual assets, approve software, and identify vulnerabilities and install patches. |
Intune Configure compliance and configuration policies to evaluate devices against your requirements. Administrators review insights and verify data on managed devices in the Intune admin center and in device compliance reports. - Intune admin center - Device profiles in Intune Set up automatic enrollment so devices are managed from first access, and enforce compliance with Intune. - Device enrollment in Intune - Automatic enrollment To control which software is allowed to run, deploy Windows Defender Application Control (WDAC) policies with Intune. - WDAC and AppLocker - Deploy WDAC policies To control how apps on mobile devices access and share organizational data, configure app protection policies. - App protection policies - Create and deploy app protection policy - Mobile app management and app protection - Windows Autopilot Microsoft Defender for Endpoint Integrate Defender for Endpoint with Intune to identify vulnerabilities on Intune-managed devices and remediate them. Configure Defender for Endpoint in Intune Microsoft Defender for Cloud Protect and manage Azure virtual assets with Defender for Cloud, a cloud-native application protection platform (CNAPP) that assesses configuration, surfaces vulnerabilities, and detects threats against cloud workloads. Defender for Cloud Defender for Cloud, Azure Arc To bring non-Azure assets, including virtual machines, under the same configuration management and protection, connect them to Defender for Cloud with Azure Arc. - Azure Arc - Connect Azure Arc-enabled servers to Defender for Cloud Defender for IoT Defender for IoT is a unified security solution that identifies internet of things (IoT) and operational technology (OT) devices, their vulnerabilities, and threats. Use Defender for IoT to secure IoT and OT environments, including devices that can't run a security agent or a full operating system. Defender for IoT |
Optimal Maturity Status Enterprise continuously verifies insights and enforces compliance throughout the lifetime of devices and virtual assets. Enterprise integrates device, software, configuration, and vulnerability management across all Enterprise environments, including for virtual assets. |
Microsoft Entra Conditional Access Configure Conditional Access to enforce application and data access based on device compliance status. Because the policy is evaluated on every access request, enforcement continues for the lifetime of the device: a device that falls out of compliance loses access until it is remediated. Require that only compliant devices access resources. - Conditional Access - Grant controls in policy and require compliant devices Microsoft Defender Vulnerability Management Use Defender Vulnerability Management to continuously monitor devices and get remediation recommendations. Enable risk-based prioritization with Secure Score and Exposure Score. Defender Vulnerability Management keeps a continuous inventory of installed software (apps), digital certificates, hardware, firmware, and browser extensions. - Defender Vulnerability Management - Monitor device risk and compliance Microsoft Defender for Cloud, Defender for Servers Defender for Servers in Defender for Cloud brings threat detection and advanced defenses to Windows and Linux computers that run in Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and on-premises environments. Defender for Servers |
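The compliant-device requirement recommended above (and again for 2.2 Optimal and 2.3 Advanced) can be created with the Microsoft Graph PowerShell SDK instead of the portal. The following is an added example, not code from the Microsoft Learn page or a Microsoft sample. It assumes the Microsoft.Graph module is installed, the signed-in account holds the Conditional Access Administrator role, and the break-glass group ID is a placeholder you replace with your emergency-access group. The policy is created in report-only state so you can review the sign-in log before enforcing it.

```powershell
# Added example (not from the original page): require an Intune-compliant or
# Microsoft Entra hybrid joined device for all users and all cloud apps.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder: object ID of your emergency-access (break-glass) group.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'ZT-Devices: Require compliant or hybrid joined device'
    # Report-only first; change to 'enabled' after reviewing the sign-in log.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        # OR: either control satisfies the policy, matching "hybrid or compliant device".
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'domainJoinedDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Verify what the tenant actually stored.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = 'GrantControls'; e = { $_.GrantControls.BuiltInControls -join ',' } }
```

A device satisfies `compliantDevice` only if it is enrolled in Intune (or a supported compliance partner) and its compliance state is reported as compliant; an unenrolled device that merely reports its own attributes does not pass, which is the difference between the Initial and Optimal stages in this function. Keep the break-glass group excluded so a broken compliance connector cannot lock every administrator out.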
2.2 Function: Asset and supply-chain risk management
CISA ZTMM Stage Description | Microsoft guidance and recommendations |
---|---|
Initial Maturity Status Enterprise tracks all physical and some virtual assets and manages supply chain risks by establishing policies and control baselines according to federal recommendations using a robust framework, (e.g., NIST SCRM.) |
Microsoft Intune Use Intune to view information about managed devices: hardware specifications, installed apps, and compliance status. The centralized view helps to monitor device health, ensure compliance with corporate policies, and manage device configurations. Intune Defender for Endpoint Defender for Endpoint complements Intune with its own device inventory, which also covers devices it discovers but does not manage. Integrate Intune and Defender for Endpoint to track physical and virtual assets from both sources. Device inventory Microsoft publishes its software and cloud-service supply chain practices; use them when establishing control baselines according to federal recommendations such as NIST SCRM, and to support responsible sourcing and supply chain integrity. Supply chain |
Advanced Maturity Status Enterprise begins to develop a comprehensive enterprise view of physical and virtual assets via automated processes that can function across multiple vendors to verify acquisitions, track development cycles, and provide third-party assessments. |
Microsoft Intune Use Intune to enroll and manage devices running Windows, macOS, iOS, Android, and other supported operating systems. Enrollment creates a centralized inventory of devices, including hardware specifications, installed apps, and compliance status. To streamline device onboarding, implement automated device enrollment such as Windows Autopilot and Apple Device Enrollment Program (DEP). - Move to Intune - Enroll devices in Intune Microsoft Defender for Endpoint Deploy Defender for Endpoint for an automated, enterprise-wide view of physical and virtual assets, including installed software. Review insights about devices generating security alerts, including domain, risk level, and operating system. Use the device discovery capability to find unmanaged devices in your network. Device discovery uses onboarded endpoints to collect, probe, or scan for unmanaged devices. Use the weaknesses page in Microsoft Defender Vulnerability Management to look up known common vulnerabilities and exposures (CVE), including third-party assessments, by CVE ID. - Defender Vulnerability Management, software inventory - Vulnerabilities in my organization |
Optimal Maturity Status Enterprise has a comprehensive, at-, or near-real-time view of all assets across vendors and service providers, automates its supply chain risk management as applicable, builds operations that tolerate supply chain failures, and incorporates best practices. |
Microsoft Entra Conditional Access Configure Conditional Access policies to require compliant devices, managed by Intune or by a supported mobile device management (MDM) compliance partner. Because a device must be enrolled and reporting compliance to pass the grant control, the inventory reflects the devices actually accessing resources at, or near, real time. - Grant controls in policy, require compliant devices - Third-party device-compliance partners in Intune Intune, Microsoft Defender for Endpoint Enable the service-to-service connection between Defender for Endpoint and Intune, and onboard Intune-managed devices to Defender for Endpoint. Onboarding provides an at-, or near-real-time asset view. Threat analytics in Defender for Endpoint delivers threat intelligence from Microsoft security researchers; security teams use it to support automated risk management, including supply chain risk. - Configure Defender for Endpoint in Intune - Address emerging threats with Defender for Endpoint Defender for IoT Defender for IoT identifies internet of things (IoT) and operational technology (OT) devices, vulnerabilities, and threats. Use Defender for IoT to secure IoT and OT environments, including devices with no security agents. Defender for IoT Microsoft Defender External Attack Surface Management Defender EASM continuously discovers and maps your digital attack surface from an external view of your online infrastructure. Security and IT teams use it to identify unknown assets, prioritize risks, mitigate threats, and extend vulnerability and exposure control beyond the firewall. Attack Surface Insights, generated from vulnerability and infrastructure data, highlight key areas of concern. Defender EASM |
2.3 Function: Resource access
CISA ZTMM Stage Description | Microsoft guidance and recommendations |
---|---|
Initial Maturity Status Enterprise requires some devices or virtual assets to report characteristics then use this information to approve resource access. |
Microsoft Entra ID Register end user devices with Microsoft Entra ID and manage device identities from the Microsoft Entra admin center. - Microsoft Entra joined devices - Hybrid joined devices - Registered devices Microsoft Entra Conditional Access Use device signals, such as location, as conditions in Conditional Access policies. Use the filter for devices condition to scope a policy to, or exclude it from, devices by their attributes. - Conditions - Filter for devices |
Advanced Maturity Status Enterprise’s initial resource access considers verified device or virtual asset insights. |
Microsoft Intune, Microsoft Defender for Endpoint Manage devices with Intune, deploy Defender for Endpoint, and configure device compliance policy. See section 2.1 Function: Policy enforcement and compliance monitoring; Advanced Maturity Status. Conditional Access Create Conditional Access policies that require a hybrid joined or compliant device, so that verified device or virtual asset insights feed resource access decisions. See section 2.1 Function: Policy enforcement and compliance monitoring. Microsoft Entra applications Integrate apps and govern user access with Microsoft Entra ID. See section 1.1 Function: Authentication. Microsoft Entra application proxy Deploy application proxy, or a secure hybrid access (SHA) partner solution, to extend Conditional Access to on-premises and legacy applications through a Zero Trust Network Access (ZTNA) model. SHA with Microsoft Entra |
Optimal Maturity Status Enterprise’s resource access considers real-time risk analytics within devices and virtual assets. |
Microsoft Entra ID Protection Configure Microsoft Entra ID Protection to detect risky users and risky sign-ins. Use the sign-in risk and user risk conditions in Conditional Access to align policy with risk level; for example, require multifactor authentication (MFA) for risky sign-ins. - ID Protection - Deploy ID Protection Microsoft Intune, Microsoft Defender for Endpoint Enable the service-to-service connection between Defender for Endpoint and Intune, and onboard Intune-managed devices to Defender for Endpoint for an at- or near-real-time asset view. Use the Defender for Endpoint machine risk score as a compliance requirement in Intune: a device whose risk score exceeds the allowed level is marked noncompliant, and Conditional Access then blocks it. Microsoft recommends allowing access to devices with a medium risk score, or lower. - Configure Defender for Endpoint in Intune - Defender Vulnerability Management - Monitor device risk and compliance Conditional Access Create a compliant-device policy in Conditional Access so that real-time risk analytics from devices and virtual assets drive resource access decisions. See section 2.1 Function: Policy enforcement and compliance monitoring. |
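The risk-based Conditional Access policies described above for ID Protection (and the phishing-resistant MFA and report-only block of high-risk users recommended in 2.5 Optimal) can be created together with the Microsoft Graph PowerShell SDK. This is an added example, not code from the Microsoft Learn page or a Microsoft sample. It assumes Microsoft Entra ID P2 (required for ID Protection risk conditions), the Microsoft.Graph module, a Conditional Access Administrator account, and a placeholder break-glass group ID. The authentication strength ID used is the tenant built-in "Phishing-resistant MFA" strength; the comment shows how to confirm it in your own tenant.

```powershell
# Added example (not from the original page): two risk-based Conditional Access
# policies, created in report-only mode so their impact can be reviewed first.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder: object ID of your emergency-access (break-glass) group.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

# Built-in authentication strength "Phishing-resistant MFA". Confirm in your tenant with:
#   Get-MgPolicyAuthenticationStrengthPolicy | Select-Object Id, DisplayName
$phishingResistantMfaId = '00000000-0000-0000-0000-000000000004'

# Common scope: all users, all cloud apps, break-glass group excluded.
$scope = @{
    users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
    applications   = @{ includeApplications = @('All') }
    clientAppTypes = @('all')
}

# Policy 1: medium or high sign-in risk must satisfy phishing-resistant MFA.
$signInRiskPolicy = @{
    displayName   = 'ZT-Devices: Phishing-resistant MFA for medium/high sign-in risk'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = $scope + @{ signInRiskLevels = @('medium', 'high') }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $phishingResistantMfaId }
    }
}

# Policy 2: block high-risk users; report-only lets you measure who would be hit.
$userRiskPolicy = @{
    displayName   = 'ZT-Devices: Block high-risk users (report-only)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = $scope + @{ userRiskLevels = @('high') }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($body in @($signInRiskPolicy, $userRiskPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    '{0}  state={1}  id={2}' -f $created.DisplayName, $created.State, $created.Id
}
```

Report-only results appear in the sign-in log under the policy's name with the result "Report-only: Failure" or "Report-only: Success"; switch `state` to `enabled` only after confirming that the failures are the sign-ins you intend to challenge or block.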
2.4 Function: Device threat detection
CISA ZTMM Stage Description | Microsoft guidance and recommendations |
---|---|
Initial Maturity Status Enterprise has some automated processes for deploying and updating threat protection capabilities to devices and to virtual assets with limited policy enforcement and compliance monitoring integration. |
Microsoft Defender for Endpoint Deploy Defender for Endpoint to end user devices. Deploy Defender for Endpoint Defender for Cloud To automate deploying and updating threat protection on Azure virtual assets, enable the Defender for Endpoint integration in Defender for Cloud. Defender for Endpoint integration |
Advanced Maturity Status Enterprise begins to consolidate threat protection capabilities to centralized solutions for devices and virtual assets and integrates most of these capabilities with policy enforcement and compliance monitoring. |
Microsoft Intune Configure Intune device compliance policies, and include the Defender for Endpoint machine risk score as a compliance requirement. Intune device compliance policy Integrate Defender for Endpoint with Intune as a Mobile Threat Defense (MTD) solution. For devices still managed by Microsoft Configuration Manager, configure cloud attach. - Defender for Endpoint in Intune - Configure Defender for Endpoint in Intune - Cloud attach Defender XDR Pilot, then deploy, the Defender XDR components and services. Defender XDR Configure the integrations between deployed Microsoft Defender XDR components. - Defender for Endpoint with Defender for Cloud Apps - Defender for Identity and Defender for Cloud Apps - Purview Information Protection and Defender for Cloud Apps Azure Arc Use Azure Arc-enabled servers to manage and protect Windows and Linux physical servers and virtual machines (VMs) hosted outside Azure. Deploy the Azure Connected Machine agent to those servers, and onboard the Arc-enabled servers into a subscription protected by Defender for Servers. - Azure Arc-enabled servers - Azure Connected Machine agent Defender for Cloud Enable a Defender for Servers plan on subscriptions that contain Azure VMs; the plan provides Defender for Cloud server protection, including the Defender for Endpoint integration. Defender for Servers |
Optimal Maturity Status Enterprise has a centralized threat protection security solution(s) deployed with advanced capabilities for all devices and virtual assets and a unified approach for device threat protection, policy enforcement, and compliance monitoring. |
Defender XDR To enable advanced capabilities for devices and virtual assets, integrate Defender XDR into your security operations strategy. - Defender XDR and security operations - Advanced hunting In Defender XDR, an alert is a signal produced by a detection in one of the connected products and indicates a malicious or suspicious event. A single alert can be one step of a broader, complex attack, so related alerts are aggregated and correlated into an incident that represents the attack as a whole. Alerts, incidents, and correlation in Defender XDR Microsoft Sentinel Configure the Sentinel data connector for Defender XDR and enable analytics rules. - Discover and manage Sentinel - Connect Defender XDR data to Sentinel - Sentinel and Defender XDR for Zero Trust Microsoft Defender Threat Intelligence Defender TI aggregates and enriches critical threat-intelligence data sources in a single interface. Correlate indicators of compromise (IoCs) with related articles, actor profiles, and vulnerabilities, and share findings with other analysts. Defender TI |
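The compliance policy recommended for 2.4 Advanced (and the "medium risk score or lower" threshold from 2.3 Optimal) can be created through Microsoft Graph rather than clicked through the admin center. This is an added example, not code from the Microsoft Learn page or a Microsoft sample. It assumes the Microsoft.Graph module, an Intune Administrator account, that the Defender for Endpoint connector in Intune is already enabled (otherwise the risk-score setting cannot be evaluated), and that the target group ID is a placeholder you replace.

```powershell
# Added example (not from the original page): Windows compliance policy that
# marks a device noncompliant when its Defender for Endpoint risk score is above medium.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.DeviceManagement

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# Placeholder: object ID of the device group that receives this policy.
$targetGroupId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    '@odata.type' = '#microsoft.graph.windows10CompliancePolicy'
    displayName   = 'ZT-Devices: Windows baseline + Defender risk score'
    description   = 'Noncompliant when Defender for Endpoint reports a risk score above medium'

    # Defender for Endpoint machine risk score: allowed levels are "medium" or lower.
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = 'medium'

    # Verified platform health (reported through device health attestation).
    bitLockerEnabled     = $true
    secureBootEnabled    = $true
    codeIntegrityEnabled = $true
    osMinimumVersion     = '10.0.19045'

    # Required by Graph: what happens when a device fails. Grace period 0 means the
    # device is marked noncompliant at once, and a Conditional Access policy that
    # requires a compliant device blocks it on its next access request.
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{
                    actionType                = 'block'
                    gracePeriodHours          = 0
                    notificationTemplateId    = ''
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

$created = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName

# Assign the policy to the device group.
$assignment = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $targetGroupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.Id)/assign" `
    -Body $assignment
```

The risk-score check is the piece that turns threat detection into enforcement: Defender for Endpoint evaluates the device, Intune turns the result into a compliance state, and Conditional Access acts on that state. If the Defender for Endpoint connector is not enabled, the setting evaluates as not applicable and the device can still be compliant, so verify the connector status before relying on this policy.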
2.5 Function: Visibility and analytics
CISA ZTMM Stage Description | Microsoft guidance and recommendations |
---|---|
Initial Maturity Status Enterprise uses digital identifiers (e.g., interface addresses, digital tags) alongside a manual inventory and endpoint monitoring of devices when available. Some Enterprise devices and virtual assets are under automated analysis (e.g., software-based scanning) for anomaly detection based on risk. |
Microsoft Intune, Microsoft Defender for Endpoint Each enrolled or onboarded device has a digital identifier: an Intune device ID, a Microsoft Entra device ID, and a Defender for Endpoint device ID. An enterprise can pilot automated, risk-based anomaly detection on a subset of devices and virtual assets before expanding it. See section 2.1 Function: Policy enforcement and compliance monitoring. |
Advanced Maturity Status Enterprise automates both inventory collection (including endpoint monitoring on all standard user devices, e.g., desktops and laptops, mobile phones, tablets, and their virtual assets) and anomaly detection to detect unauthorized devices. |
Defender for Endpoint To detect unauthorized devices, automate inventory collection and anomaly detection. Device discovery uses onboarded endpoints to find unmanaged devices on the network and lists them in the device inventory. Device discovery Intune To view details about your managed devices, use the Intune device inventory. - Device details in Intune - Endpoint security in Intune - See section 2.1 Function: Policy enforcement and compliance monitoring. |
Optimal Maturity Status Enterprise automates status collection of all network-connected devices and virtual assets while correlating with identities, conducting endpoint monitoring, and performing anomaly detection to inform resource access. Enterprise tracks patterns of provisioning and/or deprovisioning of virtual assets for anomalies. |
Microsoft Entra Conditional Access Configure Conditional Access policies to require compliance for network-connected devices, whether Intune or a supported mobile device management (MDM) compliance partner manages them. Because the policy requires enrollment, every device that accesses resources is one whose status collection, endpoint monitoring, and anomaly detection are automated and can inform the access decision. - Grant controls in Conditional Access, require compliant devices - Third-party device compliance partners support in Intune Microsoft Defender XDR To detect anomalies across users, devices, and applications, deploy and integrate the Defender XDR components. - Defender XDR - Deploy supported devices - Zero Trust with Defender XDR Microsoft Entra ID Protection ID Protection anomaly detection is enhanced by integration with the other Defender XDR components. Risks in ID Protection Conditional Access Configure risk-based Conditional Access policies for user risk and sign-in risk, including anomaly detections. Require phishing-resistant multifactor authentication (MFA) for risky sign-ins. To measure the effect before enforcing, create a policy that blocks high-risk users in report-only mode. Risk-based access policy Fusion in Microsoft Sentinel Connect the required data sources to Sentinel and enable advanced multistage attack detection. - Connect data sources to Sentinel - Advanced multistage attack detection |
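The device discovery recommended in 2.5 Advanced (and in 2.2 Advanced) populates the `DeviceInfo` table, which can be queried through Microsoft Graph advanced hunting to list devices that were seen on the network but are not onboarded to Defender for Endpoint. This is an added example, not code from the Microsoft Learn page or a Microsoft sample. It assumes the Microsoft.Graph module, an account with the `ThreatHunting.Read.All` permission, and that device discovery is already enabled so unmanaged devices appear in `DeviceInfo`.

```powershell
# Added example (not from the original page): find devices seen in the last 7 days
# that are not onboarded to Defender for Endpoint, via the Graph advanced hunting API.
Import-Module Microsoft.Graph.Authentication

Connect-MgGraph -Scopes 'ThreatHunting.Read.All'

# arg_max keeps only the latest DeviceInfo row per device, so a device that was
# onboarded during the window is not reported on the strength of an older row.
$kql = @'
DeviceInfo
| where Timestamp > ago(7d)
| summarize arg_max(Timestamp, *) by DeviceId
| where OnboardingStatus != "Onboarded"
| project Timestamp, DeviceId, DeviceName, OSPlatform, DeviceType,
          OnboardingStatus, IsAzureADJoined, ExposureLevel
| order by Timestamp desc
'@

$response = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
    -Body @{ Query = $kql }

# Each result row comes back as a hashtable keyed by column name.
$unmanaged = $response.results | ForEach-Object { [pscustomobject]$_ }

'{0} device(s) not onboarded in the last 7 days' -f @($unmanaged).Count
$unmanaged | Format-Table DeviceName, OSPlatform, DeviceType, OnboardingStatus, IsAzureADJoined, ExposureLevel
```

`OnboardingStatus` values of "Can be onboarded" are the quick wins: supported operating systems that simply lack the sensor. "Unsupported" devices (printers, network equipment, OT) are the ones to hand to Defender for IoT or to network access controls, since an agent cannot be installed on them.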
2.6 Function: Automation and orchestration
CISA ZTMM Stage Description | Microsoft guidance and recommendations |
---|---|
Initial Maturity Status Enterprise begins to use tools and scripts to automate the process of provisioning, configuration, registration, and/or deprovisioning for devices and virtual assets. |
Microsoft Intune Begin automating provisioning, configuration, and deprovisioning of devices. Intune Microsoft Entra ID Use Microsoft Entra ID to streamline device registration. Automate device registration Microsoft Defender for Endpoint Apply baseline security configurations to manage device protection. Defender for Endpoint Microsoft Sentinel Use Sentinel to monitor device status. Sentinel |
Advanced Maturity Status Enterprise has implemented monitoring and enforcement mechanisms to identify and manually disconnect or isolate noncompliant (vulnerable, unverified certificate; unregistered MAC address) devices and virtual assets. |
Intune Enforce compliance policies and manage device configurations. Compliance policy in Intune Defender for Endpoint Detect and respond to vulnerabilities and compliance issues with advanced threat protection. Use the isolate device response action to manually disconnect a noncompliant or compromised device from the network while keeping its connection to the Defender for Endpoint service. Threat detection and response in Defender for Endpoint Sentinel Use Sentinel for advanced data collection, analysis, and alerting to support monitoring and enforcement. Advanced monitoring in Sentinel |
Optimal Maturity Status Enterprise has fully automated processes for provisioning, registering, monitoring, isolating, remediating, and deprovisioning devices and virtual assets. |
Intune Automate device lifecycles: provision, register, monitor, and deprovision. Automate device lifecycles in Intune Microsoft Entra ID For a unified approach, integrate device management with identity and access control. Integrate device management with Microsoft Entra Microsoft Defender XDR Use Defender XDR for advanced and automated threat detection and response. Advanced threat detection with Defender XDR Sentinel Use Sentinel automation rules and playbooks to automate monitoring, compliance enforcement, and incident response, including isolating or remediating a device when an incident is created. Automate with Sentinel |
2.7 Function: Governance
CISA ZTMM Stage Description | Microsoft guidance and recommendations |
---|---|
Initial Maturity Status Enterprise sets and enforces policies for the procurement of new devices, the lifecycle of nontraditional computing devices and virtual assets, and for regularly conducting monitoring and scanning of devices. |
Microsoft Intune Create policies for new-device procurement and lifecycles. Ensure basic configuration and management. Intune Microsoft Defender for Endpoint Regularly monitor and scan devices to identify vulnerabilities and compliance issues. Defender for Endpoint Sentinel Implement monitoring and scanning practices to see device status and potential issues. Sentinel |
Advanced Maturity Status Enterprise sets enterprise-wide policies for the lifecycle of devices and virtual assets, including their enumeration and accountability, with some automated enforcement mechanisms. |
Intune Define and enforce comprehensive lifecycle management policies for devices and virtual assets. Compliance policy in Intune Defender for Endpoint Enhance security and compliance with automated enforcement mechanisms and advanced monitoring. Threat detection and response Sentinel Use Sentinel for detailed device enumeration and accountability, and integrate it with automated enforcement where possible. Advanced monitoring |
Optimal Maturity Status Enterprise automates policies for the lifecycle of all network-connected devices and virtual assets across the enterprise. |
Intune Automate device and virtual-asset lifecycle management: procure, configure, monitor, and deprovision. Automate device lifecycles with Intune Microsoft Entra ID For a seamless approach to device and asset management, integrate lifecycle policies with identity and access management. Integrate device management Microsoft Defender XDR Use Defender XDR for automated and advanced threat detection, response, and enforcement across devices and assets. Advanced threat detection Sentinel Sentinel automates monitoring, compliance enforcement, and enterprise-wide lifecycle management. Automate with Sentinel |
Next steps
Configure Microsoft Cloud Services for the CISA Zero Trust Maturity Model.