CA-06: Creating a Privileged Access Workstation (PAW) Policy
Overview
This guide walks you through creating a Conditional Access policy that restricts administrative access to designated Privileged Access Workstations (PAWs). PAWs are hardened devices dedicated exclusively to administrative tasks, providing the highest level of protection against credential theft and lateral movement attacks.
Control ID: CA-06
Category: Conditional Access
Severity: High
License Required: Microsoft Entra ID P2 + Microsoft Intune (included in Microsoft 365 E5)
Why This Matters
When administrators use their daily workstations for both regular work and admin tasks, a single compromise of that device exposes all admin credentials. Privileged Access Workstations solve this by:
- Isolating admin activities to dedicated, hardened devices
- Reducing attack surface - no email, browsing, or general apps on PAWs
- Enabling hardware-based security - Credential Guard, secure boot, TPM
- Providing audit trail - all admin actions trace to specific PAW devices
- Limiting lateral movement - compromised regular workstations cannot access admin portals
This is a Level 3 (Maximum Security) control for high-security environments.
Prerequisites
Required Roles
You need the following roles:
For Conditional Access Policy:
- Conditional Access Administrator or Global Administrator
For Intune Device Configuration:
- Intune Administrator or Global Administrator
For Device Deployment:
- Local Administrator on the PAW devices
Required Licenses
- Microsoft Entra ID P2 (for device filters in Conditional Access)
- Microsoft Intune (for device management and compliance)
- Included in: Microsoft 365 E5
Pre-Configuration Requirements
Before creating the Conditional Access policy:
- Deploy dedicated PAW devices - Hardware must be procured and configured
- Enroll PAWs in Intune - Devices must be managed
- Apply PAW device tag or extension attribute - For Conditional Access filtering
- Configure compliance policies - PAWs must meet strict compliance
- Document break-glass procedures - For emergency access without PAW
Time Estimate
| Task | Duration |
|---|---|
| PAW device procurement | 1-2 weeks |
| PAW OS deployment and hardening | 2-4 hours per device |
| Intune enrollment and tagging | 1-2 hours |
| Compliance policy creation | 1 hour |
| Conditional Access policy creation | 30 minutes |
| Testing and validation | 1 day |
| Total | 2-3 weeks for full deployment |
Step-by-Step Instructions
Part 1: Prepare PAW Infrastructure
Step 1A: Procure Dedicated Hardware
PAW devices should be dedicated hardware, not repurposed existing devices:
Recommended Hardware Specifications:
- TPM 2.0 chip (required for Credential Guard)
- Secure Boot capable UEFI
- Virtualization-based security (VBS) support
- Minimum 16 GB RAM
- SSD storage (256 GB minimum)
- No wireless capability (preferred) or disabled Wi-Fi
Recommended Device Types:
- Microsoft Surface Pro/Laptop (with security features enabled)
- Dell Precision or Latitude with security configuration
- HP Elite series with security features
- Lenovo ThinkPad with security chip
Step 1B: Deploy Hardened OS Image
Deploy Windows with security hardening:
- Install Windows 11 Enterprise (latest version)
- Enable security features:
  - Credential Guard (protects credentials in memory)
  - Device Guard/WDAC (application control)
  - Secure Boot
  - BitLocker encryption
- Apply security baselines:
  - Microsoft Security Baseline for Windows 11
  - Configure AppLocker or WDAC policies to allow only admin tools
- Remove unnecessary software:
  - No email clients
  - No web browser (except for admin portals)
  - No Office applications
  - No third-party software
Step 1C: Enroll PAW Devices in Intune
- Join the device to Entra ID
- Ensure automatic Intune enrollment is configured
- Verify device appears in Intune admin center
Part 2: Tag PAW Devices for Conditional Access
You need a way to identify PAW devices in Conditional Access. Choose one method:
Option A: Use Device Extension Attribute (Recommended)
- Navigate to Intune admin center > Devices > Configuration
- Create a new Settings catalog profile
- Add setting: Device > Extension Attribute 1 (or other available attribute)
- Set value: PAW
- Assign the profile to a group containing PAW devices
Option B: Use Entra ID Dynamic Device Group
- Navigate to Entra admin center > Groups > All groups
- Create a new Security group with Dynamic device membership
- Add a membership rule based on the device naming convention: (device.displayName -startsWith "PAW-")
- Verify PAW devices are added to the group
Option C: Use Intune Filters
- Navigate to Intune admin center > Tenant administration > Filters
- Create a new filter for devices:
  - Platform: Windows 10 and later
  - Rule: (device.displayName -startsWith "PAW-")
- Note the filter rule for reuse in Conditional Access
Part 3: Create PAW Compliance Policy
Create a strict compliance policy for PAW devices:
- Navigate to Intune admin center > Devices > Compliance
- Click + Create policy
- Select Windows 10 and later
- Name: PAW Compliance Policy
Device Health Settings:
| Setting | Value |
|---|---|
| Require BitLocker | Require |
| Require Secure Boot | Require |
| Require code integrity | Require |
Device Properties Settings:
| Setting | Value |
|---|---|
| Minimum OS version | Latest Windows 11 version |
System Security Settings:
| Setting | Value |
|---|---|
| Password required | Yes |
| Minimum password length | 14 |
| Password complexity | Require digits and lowercase |
| Firewall | Require |
| TPM | Require |
| Antivirus | Require |
| Antispyware | Require |
| Microsoft Defender Antimalware | Require |
| Real-time protection | Require |
- Set Actions for noncompliance to mark device non-compliant immediately
- Assign to PAW device group
Part 4: Create Conditional Access Policy
Now create the policy to restrict admin access to PAWs.
Step 4A: Navigate to Conditional Access
- Sign in to the Microsoft Entra admin center
- In the left navigation, expand Protection
- Select Conditional Access
- Click Policies
Step 4B: Create the Policy
- Click + New policy
- Enter a name: Restrict Admin Portals to PAW Devices
Step 4C: Configure Users and Groups
- Under Assignments, click Users
- Under Include, select Select users and groups
- Check Directory roles
- Select administrative roles:
  - Global Administrator
  - Privileged Role Administrator
  - Security Administrator
  - Conditional Access Administrator
  - Exchange Administrator
  - SharePoint Administrator
  - (Add other critical admin roles)
- Under Exclude, add your emergency access accounts
Important: Emergency access accounts MUST be excluded. These provide access when PAWs are unavailable.
Step 4D: Configure Target Resources
- Under Target resources, click Cloud apps
- Under Include, select Select apps
- Select Microsoft Admin Portals (this includes Entra, Intune, M365 admin centers)
Alternative (more comprehensive): add specific portals instead:
- Microsoft Azure Management (Azure portal)
- Microsoft 365 admin center
- Microsoft Intune
- Exchange admin center (if needed)
Step 4E: Configure Device Filter Condition
- Under Conditions, click Filter for devices
- Set Configure to Yes
- Select Exclude filtered devices from policy (do not choose Include filtered devices in policy here: that would put only the PAWs in scope and leave every other device untouched)
- Configure the filter rule that identifies your PAW devices, matching the tagging method you chose in Part 2:
  Using Extension Attribute:
  device.extensionAttribute1 -eq "PAW"
  Using Device Name:
  device.displayName -startsWith "PAW-"
Important: in this mode the filter is the allow list. Devices matching the rule (the PAWs) are exempt from the policy; every other device remains in scope and must satisfy the grant controls configured in Step 4F.
Step 4F: Configure Access Controls
- Under Access controls, click Grant
- Select Grant access
- Check Require device to be marked as compliant
- Click Select
Step 4G: Enable the Policy
Important: Test thoroughly before full enablement.
- Under Enable policy, select Report-only
- Click Create
- Test with admin accounts on PAW devices
- Verify non-PAW devices are blocked (in report-only mode, check sign-in logs)
- Once validated, edit policy and change to On
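The same policy built as code with Microsoft Graph PowerShell, as an added example that is not part of this guide. It assumes the Microsoft.Graph module is installed, that PAWs are tagged with the extension attribute from Part 2 Option A, and uses placeholder break-glass UPNs (breakglass1/2@contoso.example) that you must replace with your own.

```powershell
# Added example (not from the CA-06 guide): creates "Restrict Admin Portals to PAW Devices"
# exactly as configured in Steps 4B-4G, starting in report-only mode.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "RoleManagement.Read.Directory", "User.Read.All"

# Step 4C: admin roles, resolved to role template IDs instead of hard-coding GUIDs
$roleNames = @(
    "Global Administrator", "Privileged Role Administrator", "Security Administrator",
    "Conditional Access Administrator", "Exchange Administrator", "SharePoint Administrator"
)
$roleIds = Get-MgDirectoryRoleTemplate -All |
    Where-Object { $roleNames -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id
if (@($roleIds).Count -ne $roleNames.Count) {
    throw "Could not resolve every role template; check the role names above."
}

# Step 4C: emergency access accounts to exclude (placeholder UPNs, replace with yours)
$breakGlass    = @("breakglass1@contoso.example", "breakglass2@contoso.example")
$breakGlassIds = foreach ($upn in $breakGlass) { (Get-MgUser -UserId $upn -Property Id).Id }

$policy = @{
    displayName = "Restrict Admin Portals to PAW Devices"
    state       = "enabledForReportingButNotEnforced"          # Step 4G: report-only first
    conditions  = @{
        users        = @{ includeRoles = @($roleIds); excludeUsers = @($breakGlassIds) }
        applications = @{ includeApplications = @("MicrosoftAdminPortals") }   # Step 4D
        devices      = @{
            deviceFilter = @{
                mode = "exclude"                                # Step 4E: PAWs are exempt,
                rule = 'device.extensionAttribute1 -eq "PAW"'   # all other devices stay in scope
            }
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }  # Step 4F
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State
```

Switch `state` to `enabled` (the portal's On) only after the report-only validation in Step 4G.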
Emergency Access (Break-Glass) Procedures
Document procedures for when PAW devices are unavailable:
Scenario 1: PAW Hardware Failure
- Use emergency access accounts (excluded from policy) from any device
- Document all actions taken
- Investigate and restore PAW access as soon as possible
Scenario 2: All PAW Devices Unavailable
- Use emergency access accounts to temporarily disable PAW policy
- Perform required admin actions
- Re-enable PAW policy immediately after
- File incident report
Scenario 3: Emergency Access Account Usage
All emergency account sign-ins should:
- Trigger alerts to security team
- Be documented with justification
- Be reviewed within 24 hours
Verification Checklist
After enabling the policy, verify successful implementation:
Device Verification
- PAW devices appear in Intune as managed and compliant
- Device extension attribute or naming convention is correctly applied
- Compliance policy shows all PAW devices as compliant
Policy Verification
- Policy appears in Conditional Access with status "On"
- Correct admin roles are included
- Emergency access accounts are excluded
- Device filter is correctly configured
- Microsoft Admin Portals (or specific portals) are targeted
Access Testing
- PAW Device Test:
  - Sign in with admin account from PAW device
  - Access admin portal successfully
  - Verify sign-in log shows policy applied
- Non-PAW Device Test:
  - Attempt admin portal access from regular workstation
  - Verify access is blocked
  - Verify appropriate error message is displayed
- Emergency Account Test:
  - Sign in with emergency access account from any device
  - Verify access is granted (account is excluded)
  - Document test for audit purposes
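A way to run the access tests above against the sign-in logs instead of one browser at a time, added here as an example that is not part of this guide. It assumes the policy name from Part 4, the PAW- naming convention from Part 2, and the Microsoft.Graph module; every other value comes from your tenant's own logs.

```powershell
# Added example (not from the CA-06 guide): summarises how the PAW policy treated each sign-in
# over the last 24 hours. In report-only mode, reportOnlyFailure marks sign-ins that would be
# denied once the policy is switched On; after enablement the results are success/failure.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$policyName = "Restrict Admin Portals to PAW Devices"
$since = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Keep only the sign-ins that this policy was evaluated against
$evaluated = foreach ($s in $signIns) {
    $applied = $s.AppliedConditionalAccessPolicies |
        Where-Object { $_.DisplayName -eq $policyName }
    if ($applied) {
        [pscustomobject]@{
            Time      = $s.CreatedDateTime
            User      = $s.UserPrincipalName
            App       = $s.AppDisplayName
            Device    = $s.DeviceDetail.DisplayName
            Compliant = $s.DeviceDetail.IsCompliant
            Result    = $applied.Result
        }
    }
}

# Overall picture: how many sign-ins fell into each outcome
$evaluated | Group-Object Result | Select-Object Name, Count | Format-Table -AutoSize

# Sign-ins the policy let through from devices that do not follow the PAW naming convention.
# Each of these deserves a look: it is either a mis-tagged PAW or a non-PAW device that still
# satisfied the grant control.
$evaluated |
    Where-Object { $_.Result -in @("success", "reportOnlySuccess") -and $_.Device -notlike "PAW-*" } |
    Format-Table Time, User, App, Device, Compliant -AutoSize
```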
Troubleshooting
Admin Blocked from PAW Device
Symptom: Legitimate admin on PAW device cannot access admin portals.
Solutions:
- Verify the device is correctly enrolled in Intune
- Check device compliance status (must be compliant)
- Verify the device filter criteria matches the PAW device
- Check that the extension attribute or naming is correct
- Use the "What If" tool to diagnose
Device Filter Not Matching
Symptom: PAW devices are not recognized by the policy.
Solutions:
- Verify extension attribute is properly set on the device object
- Check Intune sync status - changes may take time to propagate
- Review filter syntax for typos
- Test with a simple filter (device name) first
Compliance Policy Issues
Symptom: PAW devices show as non-compliant.
Solutions:
- Check which compliance settings are failing
- Verify BitLocker is enabled and keys are escrowed
- Check Windows update status
- Ensure Credential Guard and Secure Boot are enabled
- Review Microsoft Defender status
Emergency Access Not Working
Symptom: Emergency access accounts are blocked.
Solutions:
- Verify emergency accounts are in the policy exclusion list
- Check for typos in the excluded account UPNs
- Ensure no other policy is blocking emergency accounts
- Test with the "What If" tool
Policy Configuration Summary
Conditional Access Policy
| Setting | Value |
|---|---|
| Policy Name | Restrict Admin Portals to PAW Devices |
| Users - Include | Directory roles: Global Admin, Security Admin, etc. |
| Users - Exclude | Emergency access accounts |
| Cloud Apps | Microsoft Admin Portals |
| Conditions - Filter for devices | Exclude filtered devices from policy; rule device.extensionAttribute1 -eq "PAW" |
| Grant | Require compliant device |
| Enable Policy | On |
Compliance Policy
| Setting | Value |
|---|---|
| Policy Name | PAW Compliance Policy |
| BitLocker | Required |
| Secure Boot | Required |
| TPM | Required |
| Real-time protection | Required |
| Minimum OS | Latest Windows 11 |
PAW Security Hardening Checklist
Ensure your PAW devices meet these security requirements:
Hardware Security
- TPM 2.0 chip present and enabled
- Secure Boot enabled in UEFI
- Virtualization extensions enabled (for Credential Guard)
- UEFI password set
Operating System Security
- Windows 11 Enterprise (latest version)
- Credential Guard enabled
- Device Guard/WDAC application control enabled
- BitLocker full disk encryption enabled
- Windows Defender enabled and updated
Network Security
- Wi-Fi disabled or restricted to corporate networks only
- Bluetooth disabled
- USB storage blocked (except for FIDO2 keys)
- Direct internet access blocked (proxy required)
Application Control
- Only approved admin tools installed
- No email client
- No personal productivity apps
- AppLocker or WDAC policies enforced
Administrative Controls
- Local admin rights restricted
- Separate local admin credentials from domain
- Audit logging enabled for all activities
Related Controls
- PA-05: Require Phishing-Resistant MFA for Admins (additional authentication)
- PA-06: Require FIDO2 Security Keys for Administrators (hardware MFA)
- PA-07: Enable Continuous Access Evaluation (token protection)
- DV-01: Require Compliant Devices for Admin Access (prerequisite concept)
- DV-02: Require Compliant Devices for Global Admins (device compliance)