CA-06: Creating a Privileged Access Workstation (PAW) Policy

Overview

This guide walks you through creating a Conditional Access policy that restricts administrative access to designated Privileged Access Workstations (PAWs). PAWs are hardened devices dedicated exclusively to administrative tasks, providing the highest level of protection against credential theft and lateral movement attacks.

Control ID: CA-06
Category: Conditional Access
Severity: High
License Required: Microsoft Entra ID P2 + Microsoft Intune (included in Microsoft 365 E5)

Why This Matters

When administrators use their daily workstations for both regular work and admin tasks, a single compromise of that device exposes all admin credentials. Privileged Access Workstations solve this by:

  • Isolating admin activities to dedicated, hardened devices
  • Reducing attack surface - no email, browsing, or general apps on PAWs
  • Enabling hardware-based security - Credential Guard, secure boot, TPM
  • Providing an audit trail - all admin actions trace to specific PAW devices
  • Limiting lateral movement - compromised regular workstations cannot access admin portals

This is a Level 3 (Maximum Security) control for high-security environments.


Prerequisites

Required Roles

You need the following roles:

For Conditional Access Policy:

  • Conditional Access Administrator or Global Administrator

For Intune Device Configuration:

  • Intune Administrator or Global Administrator

For Device Deployment:

  • Local Administrator on the PAW devices

Required Licenses

  • Microsoft Entra ID P2 (for device filters in Conditional Access)
  • Microsoft Intune (for device management and compliance)
  • Included in: Microsoft 365 E5

Pre-Configuration Requirements

Before creating the Conditional Access policy:

  1. Deploy dedicated PAW devices - Hardware must be procured and configured
  2. Enroll PAWs in Intune - Devices must be managed
  3. Apply PAW device tag or extension attribute - For Conditional Access filtering
  4. Configure compliance policies - PAWs must meet strict compliance
  5. Document break-glass procedures - For emergency access without PAW

Time Estimate

  • PAW device procurement: 1-2 weeks
  • PAW OS deployment and hardening: 2-4 hours per device
  • Intune enrollment and tagging: 1-2 hours
  • Compliance policy creation: 1 hour
  • Conditional Access policy creation: 30 minutes
  • Testing and validation: 1 day
  • Total: 2-3 weeks for full deployment

Step-by-Step Instructions

Part 1: Prepare PAW Infrastructure

Step 1A: Procure Dedicated Hardware

PAW devices should be dedicated hardware, not repurposed existing devices:

Recommended Hardware Specifications:

  • TPM 2.0 chip (required for Credential Guard)
  • Secure Boot capable UEFI
  • Virtualization-based security (VBS) support
  • Minimum 16 GB RAM
  • SSD storage (256 GB minimum)
  • No wireless capability (preferred) or disabled Wi-Fi

Recommended Device Types:

  • Microsoft Surface Pro/Laptop (with security features enabled)
  • Dell Precision or Latitude with security configuration
  • HP Elite series with security features
  • Lenovo ThinkPad with security chip

Step 1B: Deploy Hardened OS Image

Deploy Windows with security hardening:

  1. Install Windows 11 Enterprise (latest version)
  2. Enable security features:
    • Credential Guard (protects credentials in memory)
    • Device Guard/WDAC (application control)
    • Secure Boot
    • BitLocker encryption
  3. Apply security baselines:
    • Microsoft Security Baseline for Windows 11
    • Configure AppLocker or WDAC policies to allow only admin tools
  4. Remove unnecessary software:
    • No email clients
    • No web browser (except for admin portals)
    • No Office applications
    • No third-party software

Step 1C: Enroll PAW Devices in Intune

  1. Join the device to Entra ID
  2. Ensure automatic Intune enrollment is configured
  3. Verify device appears in Intune admin center

Part 2: Tag PAW Devices for Conditional Access

You need a way to identify PAW devices in Conditional Access. Choose one method:

Option A: Use Device Extension Attribute (Recommended)

  1. Navigate to Intune admin center > Devices > Configuration
  2. Create a new Settings catalog profile
  3. Add setting: Device > Extension Attribute 1 (or other available attribute)
  4. Set value: PAW
  5. Assign to a group containing PAW devices

Option B: Use Entra ID Dynamic Device Group

  1. Navigate to Entra admin center > Groups > All groups
  2. Create a new Security group with Dynamic device membership
  3. Add membership rule based on device naming convention:
    (device.displayName -startsWith "PAW-")
  4. Verify PAW devices are added to the group

Option C: Use Intune Filters

  1. Navigate to Intune admin center > Tenant administration > Filters
  2. Create a new filter for devices:
    • Platform: Windows 10 and later
    • Rule: (device.displayName -startsWith "PAW-")
  3. Note the filter for use in Conditional Access
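The tagging in Option A can also be done directly on the Entra ID device object, which is what the Conditional Access device filter evaluates. The following Microsoft Graph PowerShell script is an added example, not part of the original guide: it writes extensionAttribute1 = "PAW" on every device whose name starts with "PAW-" (the naming convention from Option B), then runs the same filter expression Step 4E uses to confirm the tag is visible. It assumes the Microsoft.Graph SDK is installed and the signed-in account can be granted Device.ReadWrite.All.

```powershell
# Added example (not from the original guide): tag PAW devices in Entra ID by
# writing extensionAttribute1 on the device object with Microsoft Graph
# PowerShell, then confirm the expression used by the Conditional Access
# device filter matches them.
# Assumptions: Microsoft.Graph SDK installed, Device.ReadWrite.All consented,
# and PAW device names follow the "PAW-" convention used in this guide.

Connect-MgGraph -Scopes "Device.ReadWrite.All" -NoWelcome

# Devices to tag: every Entra-joined device whose name starts with "PAW-".
# Replace this with an explicit list of device names if you do not use the
# naming convention.
$pawDevices = Get-MgDevice -Filter "startsWith(displayName,'PAW-')" -All

foreach ($device in $pawDevices) {
    # extensionAttribute1..15 live under extensionAttributes on the device object.
    $body = @{ extensionAttributes = @{ extensionAttribute1 = "PAW" } }
    Update-MgDevice -DeviceId $device.Id -BodyParameter $body
    Write-Host "Tagged $($device.DisplayName) ($($device.DeviceId)) as PAW"
}

# Verification: the same condition the Conditional Access device filter uses
# (device.extensionAttribute1 -eq "PAW"), evaluated against the directory.
# Filtering on extensionAttributes is an advanced query, so it needs
# ConsistencyLevel=eventual together with $count.
$tagged = Get-MgDevice -Filter "extensionAttributes/extensionAttribute1 eq 'PAW'" `
    -ConsistencyLevel eventual -CountVariable taggedCount -All

# A tagged device that is not Intune-managed or not compliant would still fail
# the "Require device to be marked as compliant" grant control in Step 4F.
$tagged | Select-Object DisplayName, IsManaged, IsCompliant, TrustType |
    Format-Table -AutoSize

# Devices that follow the naming convention but did not receive the tag.
$missing = $pawDevices | Where-Object { $_.Id -notin $tagged.Id }
if ($missing) {
    Write-Warning "Untagged PAW devices: $($missing.DisplayName -join ', ')"
}
```

Run it after the devices have completed Intune enrollment (Step 1C); the IsManaged and IsCompliant columns in the output are the values the Conditional Access policy will see.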

Part 3: Create PAW Compliance Policy

Create a strict compliance policy for PAW devices:

  1. Navigate to Intune admin center > Devices > Compliance
  2. Click + Create policy
  3. Select Windows 10 and later
  4. Name: PAW Compliance Policy

Device Health Settings:

  • Require BitLocker: Require
  • Require Secure Boot: Require
  • Require code integrity: Require

Device Properties Settings:

  • Minimum OS version: Latest Windows 11 version

System Security Settings:

  • Password required: Yes
  • Minimum password length: 14
  • Password complexity: Require digits and lowercase
  • Firewall: Require
  • TPM: Require
  • Antivirus: Require
  • Antispyware: Require
  • Microsoft Defender Antimalware: Require
  • Real-time protection: Require

  5. Set Actions for noncompliance to mark device non-compliant immediately
  6. Assign to PAW device group

Part 4: Create Conditional Access Policy

Now create the policy to restrict admin access to PAWs.

Step 4A: Navigate to Conditional Access

  1. Sign in to the Microsoft Entra admin center
  2. In the left navigation, expand Protection
  3. Select Conditional Access
  4. Click Policies

Step 4B: Create the Policy

  1. Click + New policy
  2. Enter a name: Restrict Admin Portals to PAW Devices

Step 4C: Configure Users and Groups

  1. Under Assignments, click Users

  2. Under Include, select Select users and groups

  3. Check Directory roles

  4. Select administrative roles:

    • Global Administrator
    • Privileged Role Administrator
    • Security Administrator
    • Conditional Access Administrator
    • Exchange Administrator
    • SharePoint Administrator
    • (Add other critical admin roles)
  5. Under Exclude, add your emergency access accounts

Important: Emergency access accounts MUST be excluded. These provide access when PAWs are unavailable.

Step 4D: Configure Target Resources

  1. Under Target resources, click Cloud apps
  2. Under Include, select Select apps
  3. Select Microsoft Admin Portals (this includes Entra, Intune, M365 admin centers)

Alternative (more comprehensive): instead of the grouped Microsoft Admin Portals entry, add the specific portals:

  • Microsoft Azure Management (Azure portal)
  • Microsoft 365 admin center
  • Microsoft Intune
  • Exchange admin center (if needed)

Step 4E: Configure Device Filter Condition

  1. Under Conditions, click Filter for devices
  2. Set Configure to Yes
  3. Select Include filtered devices in policy
  4. Configure the filter rule:

Using Extension Attribute:

device.extensionAttribute1 -eq "PAW"

Using Device Name:

device.displayName -startsWith "PAW-"

Important: Use "Exclude filtered devices from policy" mode and then negate the logic to allow only PAW devices:

  1. Select Exclude filtered devices from policy
  2. Configure: device.extensionAttribute1 -eq "PAW"

This allows only devices matching the filter and blocks all others.

Step 4F: Configure Access Controls

  1. Under Access controls, click Grant
  2. Select Grant access
  3. Check Require device to be marked as compliant
  4. Click Select

Step 4G: Enable the Policy

Important: Test thoroughly before full enablement.

  1. Under Enable policy, select Report-only
  2. Click Create
  3. Test with admin accounts on PAW devices
  4. Verify that non-PAW devices would be blocked (report-only mode enforces nothing, so check the sign-in logs for the policy's report-only result)
  5. Once validated, edit policy and change to On

Emergency Access (Break-Glass) Procedures

Document procedures for when PAW devices are unavailable:

Scenario 1: PAW Hardware Failure

  1. Use emergency access accounts (excluded from policy) from any device
  2. Document all actions taken
  3. Investigate and restore PAW access as soon as possible

Scenario 2: All PAW Devices Unavailable

  1. Use emergency access accounts to temporarily disable PAW policy
  2. Perform required admin actions
  3. Re-enable PAW policy immediately after
  4. File incident report

Scenario 3: Emergency Access Account Usage

All emergency account sign-ins should:

  1. Trigger alerts to security team
  2. Be documented with justification
  3. Be reviewed within 24 hours

Verification Checklist

After enabling the policy, verify successful implementation:

Device Verification

  • PAW devices appear in Intune as managed and compliant
  • Device extension attribute or naming convention is correctly applied
  • Compliance policy shows all PAW devices as compliant

Policy Verification

  • Policy appears in Conditional Access with status "On"
  • Correct admin roles are included
  • Emergency access accounts are excluded
  • Device filter is correctly configured
  • Microsoft Admin Portals (or specific portals) are targeted

Access Testing

  1. PAW Device Test:

    • Sign in with admin account from PAW device
    • Access admin portal successfully
    • Verify sign-in log shows policy applied
  2. Non-PAW Device Test:

    • Attempt admin portal access from regular workstation
    • Verify access is blocked
    • Verify appropriate error message is displayed
  3. Emergency Account Test:

    • Sign in with emergency access account from any device
    • Verify access is granted (account is excluded)
    • Document test for audit purposes
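The sign-in log review in Step 4G, the access tests above and the emergency account review in Scenario 3 can be done from one Microsoft Graph PowerShell script. The script below is an added example, not part of the original guide: it pulls the last 24 hours of sign-ins, reports the PAW policy's result per signing-in device (report-only results included), warns about any non-PAW device that passed the policy, and lists every sign-in by an emergency access account. It assumes the Microsoft.Graph SDK, AuditLog.Read.All and Directory.Read.All consent, the policy name from Step 4B, the "PAW-" naming convention, and placeholder emergency account UPNs that you replace with your own.

```powershell
# Added example (not from the original guide): review Entra ID sign-in logs
# for the PAW policy and for emergency access account usage.
# Assumptions: Microsoft.Graph SDK installed, AuditLog.Read.All and
# Directory.Read.All consented, policy named as in Step 4B, PAW devices named
# "PAW-*", and placeholder emergency account UPNs.

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

$policyName        = "Restrict Admin Portals to PAW Devices"
$emergencyAccounts = @("breakglass1@contoso.example", "breakglass2@contoso.example")  # placeholders
$since             = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# 1. Policy outcome per device. In report-only mode the result is
#    reportOnlySuccess / reportOnlyFailure / reportOnlyNotApplied; once the
#    policy is On it becomes success / failure / notApplied.
$policyHits = foreach ($s in $signIns) {
    $applied = $s.AppliedConditionalAccessPolicies | Where-Object { $_.DisplayName -eq $policyName }
    if ($applied) {
        [pscustomobject]@{
            Time      = $s.CreatedDateTime
            User      = $s.UserPrincipalName
            Device    = $s.DeviceDetail.DisplayName
            Compliant = $s.DeviceDetail.IsCompliant
            App       = $s.AppDisplayName
            Result    = $applied.Result
        }
    }
}

Write-Host "`n== Policy '$policyName' results by device =="
$policyHits | Group-Object Device, Result |
    Select-Object Count, @{n='Device';e={$_.Values[0]}}, @{n='Result';e={$_.Values[1]}} |
    Sort-Object Device | Format-Table -AutoSize

# Before turning the policy On, every non-PAW device should show failure /
# reportOnlyFailure and every PAW success / reportOnlySuccess. A non-PAW
# device with a success result means the filter mode and grant control
# together are not blocking it, which is the thing to fix before enabling.
$unexpected = $policyHits | Where-Object {
    $_.Device -notlike "PAW-*" -and $_.Result -in @("success", "reportOnlySuccess")
}
if ($unexpected) {
    Write-Warning "Non-PAW devices passed the policy:"
    $unexpected | Format-Table Time, User, Device, Compliant, App, Result -AutoSize
}

# 2. Emergency access account usage: every sign-in is an event to review
#    (Scenario 3), whether or not it was a planned test.
$breakGlass = $signIns | Where-Object { $_.UserPrincipalName -in $emergencyAccounts }
if ($breakGlass) {
    Write-Warning "Emergency access account sign-ins in the last 24 hours:"
    $breakGlass | Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName,
        @{n='IP';e={$_.IPAddress}}, @{n='Device';e={$_.DeviceDetail.DisplayName}},
        @{n='ErrorCode';e={$_.Status.ErrorCode}} | Format-Table -AutoSize
}
```

The device name in the sign-in record is empty for unregistered devices, which the script treats as non-PAW; that is the intended behaviour, since such a device cannot match the filter either.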

Troubleshooting

Admin Blocked from PAW Device

Symptom: Legitimate admin on PAW device cannot access admin portals.

Solutions:

  1. Verify the device is correctly enrolled in Intune
  2. Check device compliance status (must be compliant)
  3. Verify that the device filter criteria match the PAW device
  4. Check that the extension attribute or naming is correct
  5. Use the "What If" tool to diagnose

Device Filter Not Matching

Symptom: PAW devices are not recognized by the policy.

Solutions:

  1. Verify extension attribute is properly set on the device object
  2. Check Intune sync status - changes may take time to propagate
  3. Review filter syntax for typos
  4. Test with a simple filter (device name) first

Compliance Policy Issues

Symptom: PAW devices show as non-compliant.

Solutions:

  1. Check which compliance settings are failing
  2. Verify BitLocker is enabled and keys are escrowed
  3. Check Windows update status
  4. Ensure Credential Guard and Secure Boot are enabled
  5. Review Microsoft Defender status

Emergency Access Not Working

Symptom: Emergency access accounts are blocked.

Solutions:

  1. Verify emergency accounts are in the policy exclusion list
  2. Check for typos in the excluded account UPNs
  3. Ensure no other policy is blocking emergency accounts
  4. Test with the "What If" tool

Policy Configuration Summary

Conditional Access Policy

  • Policy Name: Restrict Admin Portals to PAW Devices
  • Users - Include: Directory roles: Global Admin, Security Admin, etc.
  • Users - Exclude: Emergency access accounts
  • Cloud Apps: Microsoft Admin Portals
  • Conditions - Filter for devices: Exclude non-PAW devices
  • Grant: Require compliant device
  • Enable Policy: On

Compliance Policy

  • Policy Name: PAW Compliance Policy
  • BitLocker: Required
  • Secure Boot: Required
  • TPM: Required
  • Real-time protection: Required
  • Minimum OS: Latest Windows 11

PAW Security Hardening Checklist

Ensure your PAW devices meet these security requirements:

Hardware Security

  • TPM 2.0 chip present and enabled
  • Secure Boot enabled in UEFI
  • Virtualization extensions enabled (for Credential Guard)
  • UEFI password set

Operating System Security

  • Windows 11 Enterprise (latest version)
  • Credential Guard enabled
  • Device Guard/WDAC application control enabled
  • BitLocker full disk encryption enabled
  • Windows Defender enabled and updated

Network Security

  • Wi-Fi disabled or restricted to corporate networks only
  • Bluetooth disabled
  • USB storage blocked (except for FIDO2 keys)
  • Direct internet access blocked (proxy required)

Application Control

  • Only approved admin tools installed
  • No email client
  • No personal productivity apps
  • AppLocker or WDAC policies enforced

Administrative Controls

  • Local admin rights restricted
  • Separate local admin credentials from domain
  • Audit logging enabled for all activities
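The hardware, operating system and network items in this checklist (the same items Step 1B enables and the "Compliance Policy Issues" troubleshooting entry tells you to check) can be verified on the device itself. The following script is an added example, not part of the original guide: run as a local administrator on a candidate PAW, it reads the state of TPM, Secure Boot, Credential Guard, HVCI, WDAC enforcement, BitLocker, Defender, the firewall and wireless adapters using only cmdlets built into Windows 11, and returns one pass/fail object per check. The function name Test-PawHardening is this example's own.

```powershell
# Added example (not from the original guide): read-only check of the PAW
# hardening checklist on the local device. Run as a local administrator.
# Credential Guard / HVCI / WDAC state is read from the Win32_DeviceGuard
# WMI class; everything else uses built-in Windows 11 cmdlets.

function Test-PawHardening {
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # TPM 2.0 present and ready (required for Credential Guard)
    $tpm = Get-Tpm
    Add-Result "TPM present and ready" ($tpm.TpmPresent -and $tpm.TpmReady) "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"

    # Secure Boot (Confirm-SecureBootUEFI throws on legacy BIOS systems)
    try { $sb = Confirm-SecureBootUEFI } catch { $sb = $false }
    Add-Result "Secure Boot enabled" $sb "Confirm-SecureBootUEFI=$sb"

    # Credential Guard and HVCI: SecurityServicesRunning contains 1 for
    # Credential Guard and 2 for HVCI (memory integrity) when they are running.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $running = @($dg.SecurityServicesRunning)
    Add-Result "Credential Guard running" ($running -contains 1) "SecurityServicesRunning=$($running -join ',')"
    Add-Result "HVCI (memory integrity) running" ($running -contains 2) "VirtualizationBasedSecurityStatus=$($dg.VirtualizationBasedSecurityStatus)"
    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced
    Add-Result "WDAC policy enforced" ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2) "CodeIntegrityPolicyEnforcementStatus=$($dg.CodeIntegrityPolicyEnforcementStatus)"

    # BitLocker on the OS volume: fully encrypted with protection on
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    Add-Result "BitLocker OS volume protected" ($os.ProtectionStatus -eq 'On' -and $os.VolumeStatus -eq 'FullyEncrypted') "Protection=$($os.ProtectionStatus) Volume=$($os.VolumeStatus)"

    # Defender antimalware, real-time protection and signature freshness
    $mp = Get-MpComputerStatus
    Add-Result "Defender antimalware enabled" $mp.AMServiceEnabled "AMServiceEnabled=$($mp.AMServiceEnabled)"
    Add-Result "Real-time protection enabled" $mp.RealTimeProtectionEnabled "RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)"
    Add-Result "Antivirus signatures current" ($mp.AntivirusSignatureAge -le 1) "SignatureAge=$($mp.AntivirusSignatureAge) days"

    # Firewall enabled for every profile
    $fw = Get-NetFirewallProfile
    Add-Result "Firewall enabled (all profiles)" (-not ($fw | Where-Object { -not $_.Enabled })) (($fw | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ' ')

    # Network reduction: Wi-Fi and Bluetooth adapters should be absent or not Up
    $radios = Get-NetAdapter -Physical | Where-Object { $_.InterfaceDescription -match 'Wi-Fi|Wireless|802\.11|Bluetooth' }
    Add-Result "Wi-Fi/Bluetooth adapters disabled" (-not ($radios | Where-Object { $_.Status -eq 'Up' })) (($radios | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ' ')

    return $results
}

$report = Test-PawHardening
$report | Format-Table Check, Pass, Detail -AutoSize
if ($report | Where-Object { -not $_.Pass }) { Write-Warning "Device does not meet the PAW baseline." }
```

The Detail column carries the raw values, so the table can be saved with the device's deployment record; the same checks map onto the Intune compliance settings in Part 3, which is useful when a PAW unexpectedly shows as non-compliant.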

Related Controls

  • PA-05: Require Phishing-Resistant MFA for Admins (additional authentication)
  • PA-06: Require FIDO2 Security Keys for Administrators (hardware MFA)
  • PA-07: Enable Continuous Access Evaluation (token protection)
  • DV-01: Require Compliant Devices for Admin Access (prerequisite concept)
  • DV-02: Require Compliant Devices for Global Admins (device compliance)

Additional Resources