On March 18, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert (the Alert) urging U.S. organizations to harden their endpoint management systems following the March 11, 2026 cyberattack against medical technology firm Stryker Corporation (Stryker), which disrupted Stryker’s internal Microsoft environment. CISA stated that it is conducting enhanced coordination with federal partners, including the Federal Bureau of Investigation (FBI), to identify additional threats and determine appropriate mitigation actions. The Alert offers specific technical recommendations—focused primarily on Microsoft Intune but applicable to endpoint management software more broadly—that organizations should consider implementing as soon as possible.
On March 11, 2026, Stryker disclosed that it was experiencing a global network disruption affecting its Microsoft environment as the result of a cyberattack. According to public reporting, Handala, a pro-Iranian threat actor linked to Iran’s Ministry of Intelligence and Security, gained access to Stryker’s network and used Stryker’s own Microsoft Intune tenant to disrupt operations and remotely wipe thousands of Intune-enrolled devices. No exploitation of Intune itself has been reported; the attacker abused legitimate administrative capability.
To defend against similar activity, CISA is urging organizations to implement Microsoft’s best practices for securing Microsoft Intune, along with several other key security solutions:
- Principle of Least Privilege for Administrative Roles. Organizations should apply least privilege when designing administrative roles within endpoint management systems, including Microsoft Intune, Entra ID, and related Microsoft software. CISA points to Microsoft’s guidance on role-based access control (RBAC) for Intune as a key resource. Privileged access, in particular the ability to wipe or retire devices, should be limited to the roles, scope groups, and personnel that operationally require it.
- Multi Admin Approval for High-Impact Actions. CISA recommends configuring policies that require a second administrator’s approval before high-impact actions take effect, such as device wipes, application deployments, scripts, and RBAC changes. This control, described in Microsoft’s guidance on Multi Admin Approval in Intune, would have forced a second set of eyes onto the kind of mass device action identified in the Stryker incident, which a single compromised administrator account was able to carry out.
- Phishing-Resistant Multifactor Authentication (MFA). Organizations should enforce phishing-resistant MFA (for example FIDO2 security keys, passkeys, or certificate-based authentication, rather than SMS or push-based MFA) for all administrative access to endpoint management platforms.
The Alert also provided resources for additional steps that organizations can take to secure their environments. These include:
- Zero Trust Principles. CISA points organizations to Microsoft’s guidance on configuring Intune under zero trust principles, which limit implicit trust and require explicit verification of users, devices, and applications before access is granted.
- Privileged Identity Management (PIM). CISA encourages organizations to deploy Privileged Identity Management (PIM) across Microsoft Intune, Entra ID, and other Microsoft software, enabling just-in-time activation of administrative roles and reducing the standing privileges that can be abused if administrative credentials are compromised. A stolen credential for an account that is merely eligible for a role is far less useful to an attacker than one with a permanent, always-on assignment.
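Four of the five recommendations above (least-privilege RBAC, Multi Admin Approval, phishing-resistant MFA, and PIM) are tenant configuration that can be audited. The following PowerShell script is an added example written for this summary; it is not code from CISA, Microsoft, or the original Alert. It uses the Microsoft Graph PowerShell SDK (`Connect-MgGraph` and `Invoke-MgGraphRequest`) to read the relevant settings and report gaps. It assumes the Multi Admin Approval policies are exposed at the beta `operationApprovalPolicies` endpoint with the policy type names shown, that the Entra role template IDs and the built-in "Phishing-resistant MFA" authentication-strength ID are the well-known Microsoft values, and that the listed read-only scopes are sufficient; each of these is marked `ASSUMED` in the code. The zero trust guidance is architectural and has no single setting to check, so it is not covered.

```powershell
# Added example: read-only audit of the four configurable Intune/Entra controls in the Alert.
# Not code from CISA, Microsoft or the original article. Requires the Microsoft.Graph PowerShell SDK.
#Requires -Modules Microsoft.Graph.Authentication

# Read-only scopes; ASSUMED sufficient for every call below (adjust if Graph returns 403).
$scopes = 'DeviceManagementRBAC.Read.All', 'DeviceManagementConfiguration.Read.All',
          'Policy.Read.All', 'RoleManagement.Read.Directory'
Connect-MgGraph -Scopes $scopes -NoWelcome

function Get-GraphCollection {
    # Enumerates a Graph collection, following @odata.nextLink so large tenants are not truncated.
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    while ($Uri) {
        $page   = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    $items
}

# Entra built-in role template IDs (ASSUMED well-known values; confirm against your tenant).
$adminRoles = @{
    '62e90394-69f5-4237-9190-012177145e10' = 'Global Administrator'
    '3a2c62db-5318-420d-8d74-23affee5d9d5' = 'Intune Administrator'
}

# 1. Least privilege: every Intune RBAC assignment, flagging roles that can wipe devices.
Write-Host "`n== Intune RBAC role assignments =="
$rbac = foreach ($role in Get-GraphCollection 'https://graph.microsoft.com/v1.0/deviceManagement/roleDefinitions') {
    # ASSUMED: the wipe permission string contains 'ManagedDevices_Wipe' (matched loosely on purpose).
    $canWipe = $role.rolePermissions.resourceActions.allowedResourceActions -like '*ManagedDevices_Wipe*'
    $assignUri = "https://graph.microsoft.com/v1.0/deviceManagement/roleDefinitions/$($role.id)/roleAssignments"
    foreach ($a in Get-GraphCollection $assignUri) {
        [pscustomobject]@{
            Role = $role.displayName; BuiltIn = $role.isBuiltIn; GrantsWipe = [bool]$canWipe
            Assignment = $a.displayName; MemberGroups = @($a.members).Count; ScopeGroups = @($a.resourceScopes).Count
        }
    }
}
$rbac | Sort-Object GrantsWipe -Descending | Format-Table -AutoSize

# 2. Multi Admin Approval: is each high-impact operation type covered by an approval policy?
#    ASSUMED: beta endpoint and policyType names; verify against Microsoft's MAA documentation.
Write-Host "`n== Multi Admin Approval =="
$maa = Get-GraphCollection 'https://graph.microsoft.com/beta/deviceManagement/operationApprovalPolicies'
foreach ($type in 'app', 'script', 'role', 'deviceAction') {   # deployments, scripts, RBAC changes, wipe/retire
    $p = @($maa | Where-Object { $_.policyType -eq $type })
    $status = if ($p.Count) { "covered ($(@($p.approverGroupIds).Count) approver group(s))" } else { 'NOT COVERED' }
    '{0,-13} {1}' -f $type, $status
}

# 3. Phishing-resistant MFA: an enabled Conditional Access policy whose grant control is the built-in
#    "Phishing-resistant MFA" authentication strength (ASSUMED ID ending in ...04) and that targets
#    either all users or the admin roles above.
Write-Host "`n== Conditional Access enforcing phishing-resistant MFA for admins =="
$prStrength = '00000000-0000-0000-0000-000000000004'
$ca = Get-GraphCollection 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'
$enforcing = @($ca | Where-Object {
    $_.state -eq 'enabled' -and
    $_.grantControls.authenticationStrength.id -eq $prStrength -and
    ($_.conditions.users.includeUsers -contains 'All' -or
     @($_.conditions.users.includeRoles | Where-Object { $adminRoles.ContainsKey($_) }).Count -gt 0)
})
if ($enforcing.Count) { $enforcing | ForEach-Object { "OK: $($_.displayName)" } }
else { 'NOT FOUND: no enabled policy requires phishing-resistant MFA for the admin roles' }

# 4. PIM: standing (permanent, not PIM-activated) active assignments to the admin roles.
#    Each row is a candidate to convert to an eligible assignment with just-in-time activation.
Write-Host "`n== Standing admin role assignments (should be empty) =="
foreach ($roleId in $adminRoles.Keys) {
    $uri = 'https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleInstances' +
           "?`$filter=roleDefinitionId eq '$roleId'"
    Get-GraphCollection $uri |
        Where-Object { $_.assignmentType -eq 'Assigned' -and -not $_.endDateTime } |
        ForEach-Object { [pscustomobject]@{ Role = $adminRoles[$roleId]; PrincipalId = $_.principalId; Since = $_.startDateTime } }
}
```

Run it from an account with the read-only scopes above; nothing is modified. A tenant that has implemented the Alert's guidance shows wipe-capable roles assigned only to a small number of scoped groups, all four operation types covered by approval policies, at least one enabled Conditional Access policy in section 3, and an empty table in section 4.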
The Alert is a timely reminder that endpoint management platforms are not merely IT administration tools—they are high-value targets because of the leverage they provide. A successful compromise of an organization’s endpoint management environment can permit attackers to impact thousands of devices simultaneously using the organization’s own trusted administrative infrastructure, without deploying traditional malware. Because the destructive actions are legitimate, signed management operations, endpoint antivirus will not flag them; detection depends on monitoring the management plane itself, such as Intune audit logs and Entra sign-in and role-activation logs, for unusual bulk device actions and privilege changes. For organizations that rely on Microsoft Intune or similar platforms, the Alert warrants a prompt review of administrative role configurations, MFA implementations, and approval workflows for high-impact actions.
Alston & Bird’s Privacy, Cyber & Data Strategy team will continue to monitor developments related to this advisory and the broader threat landscape. Organizations seeking guidance on endpoint management security, incident preparedness, or related matters should contact our team.
