{"id":9002,"date":"2024-09-06T06:51:32","date_gmt":"2024-09-06T13:51:32","guid":{"rendered":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?p=9002"},"modified":"2024-08-30T09:22:37","modified_gmt":"2024-08-30T16:22:37","slug":"verifying-device-health-at-microsoft-with-zero-trust","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/insidetrack\/blog\/verifying-device-health-at-microsoft-with-zero-trust\/","title":{"rendered":"Verifying device health at Microsoft with Zero Trust"},"content":{"rendered":"

Here at Microsoft, we’re using our Zero Trust security model to help us transform the way we verify device health across all devices that access company resources. Zero Trust supplies an integrated security philosophy and end-to-end strategy that informs how our company protects its customers, data, employees, and business in an increasingly complex and dynamic digital world.

Verified device health is a core pillar of our Microsoft Digital Zero Trust security model. Because unmanaged devices are an easy entry point for bad actors, ensuring that only healthy devices can access corporate applications and data is vital for enterprise security. As a fundamental part of our Zero Trust implementation, we require all user devices accessing corporate resources to be enrolled in device-management systems.

Verified devices support our broader framework for Zero Trust, alongside the other pillars of verified identity, verified access, and verified services.

[Figure: The four pillars of Microsoft’s Zero Trust model.]

[Explore verifying identity in a Zero Trust model. | Unpack implementing a Zero Trust security model at Microsoft. | Discover enabling remote work: Our remote infrastructure design and Zero Trust. | Watch our Enabling remote work infrastructure design using Zero Trust video.]

Verifying the device landscape at Microsoft

The device landscape at Microsoft is characterized by a wide variety of devices. We have more than 220,000 employees and additional vendors and partners, most of whom use multiple devices to connect to our corporate network. We have more than 650,000 unique devices enrolled in our device-management platforms, including devices running Windows, iOS, Android, and macOS. Our employees need to work from anywhere, including customer sites, cafes, and home offices. The transient nature of employee mobility poses challenges to data safety. To combat this, we are implementing device-management functionality to enable the mobile-employee experience—confirming identity and access while ensuring that the devices that access our corporate resources are in a verified healthy state according to the policies that govern safe access to Microsoft data.

Enforcing client device health

Device management is mandatory for any device accessing our corporate data. The Microsoft Endpoint Manager platform enables us to enroll devices, bring them to a managed state, monitor the devices’ health, and enforce compliance against a set of health policies before granting access to any corporate resources. Our device health policies verify all significant aspects of device state, including encryption, antimalware, minimum OS version, hardware configuration, and more. Microsoft Endpoint Manager also supports internet-based device enrollment, which is a requirement for the internet-first network focus in the Zero Trust model.

We’re using Microsoft Endpoint Manager to enforce health compliance across the various health signals and across multiple client device operating systems. Validating client device health is not a one-time process. Our policy-verification processes confirm device health each time a device tries to access corporate resources, much in the same way that we confirm the other pillars, including identity, access, and services. We’re using modern endpoint protection configuration on every managed device, including preboot and postboot protection and cross-platform coverage. Our modern management environment includes several critical components: