Jackie Ramsey March 3, 2026 0

If you administer Microsoft 365 or servers for a defense contractor, you already know the weak spot: admin credentials. One phish, one token theft, one reused browser session, and an attacker gets the keys.

For CMMC Level 2 work in 2026, I treat a secure admin workstation (SAW) as non-negotiable for privileged actions. It reduces credential exposure and makes your evidence cleaner when assessors ask, “Show me how you prevent admin actions from everyday endpoints.”

I build SAWs with Microsoft-native tools because that keeps operations sane for Small Business IT teams. It also fits well with the same stack many clients already use for Cloud Infrastructure, Office 365 Migration, and day-to-day Cybersecurity Services, even if I’m also helping them with Restaurant POS Support and Kitchen Technology Solutions on the side.

Why SAWs matter for CMMC Level 2 in 2026 (and what to scope)

Clean professional vector diagram of CMMC Level 2 SAW architecture using Microsoft Intune and Defender for Endpoint, featuring security components, cloud management, and privileged access.
Diagram of a SAW managed by Intune and monitored by Defender for Endpoint, created with AI.

CMMC Level 2 maps to NIST SP 800-171 Rev. 2 (110 controls). As of March 2026, many contractors are still in the self-assessment window, with broader third-party certification requirements phased in starting November 2026. That timeline is exactly why I push SAWs now: they take time to operationalize, and they touch Access Control, Audit and Accountability, and Configuration Management.

Microsoft has published CMMC-focused guidance for identity and access control, which is a useful cross-check when you tune Conditional Access and account policies. I keep this bookmarked: CMMC Level 2 access control configuration guidance.

Dedicated hardware vs. a separate admin profile (my decision rule)

I don’t force dedicated hardware for every admin, but I do for high-risk roles.

Use dedicated SAW hardware when:

  • The user holds Global Admin, Privileged Role Admin, or on-prem Domain Admin rights.
  • They manage CUI enclaves, VPN, firewalls, or virtualization (classic Data Center Technology).
  • They need admin browser access to multiple tenants or partner portals.

A separate admin profile on a standard device can work when:

  • The user only performs low-frequency admin tasks.
  • You can enforce strict Conditional Access, app control, and no local admin.
  • You accept higher risk and document compensating controls.

My simple analogy: if your admin session is the master key, don’t hang it on the same keyring as your coffee shop browsing.

Build the SAW with Intune, Entra ID, Autopilot, and Conditional Access

Clean professional vector diagram showing Intune config profiles for CMMC Level 2 secure admin workstation on Windows 11, including antivirus, BitLocker, WDAC, ASR rules, device restrictions, and compliance checks.
Intune policy flow for SAW provisioning and compliance enforcement, created with AI.

I start with Windows 11 Enterprise (or Business Premium plus add-ons where appropriate), then I let Autopilot do the boring work. The goal is repeatability: a wiped device should rebuild into the same hardened posture every time.

Core build pattern I use

  1. Autopilot for provisioning (standard user by default, no local admin).
  2. Entra ID join (or Hybrid join if you must, but keep SAWs tightly controlled).
  3. Intune configuration profiles for device restrictions, BitLocker, firewall, and hardening.
  4. Intune compliance policies that feed Conditional Access.
  5. Defender for Endpoint onboarding for EDR, TVM, and response actions.

A practical CA stance: SAWs can reach admin portals, standard workstations cannot.

If you allow admin portal access from “any compliant device,” you’ll end up with too many devices that qualify. I scope admin access to a SAW device group, not just compliance.

Here’s a baseline set I commonly deploy:

Control areaRecommended baseline for SAWs (example)
IdentityWindows Hello for Business, phishing-resistant MFA for admins, separate admin accounts
Conditional AccessRequire MFA, require compliant device, restrict admin portals to SAW group
EnrollmentAutopilot, Intune-managed, block personal device enrollment for admin roles
Admin rightsNo permanent local admins, use Windows LAPS for local admin password rotation

For Defender onboarding and validation steps, Microsoft’s docs are a solid reference point, even if you’re not using ConfigMgr day-to-day: Defender for Endpoint deployment guidance.

Break-glass done like you mean it

I keep two emergency accounts, cloud-only, long passwords, stored in a secure process. I exclude them from some Conditional Access controls only if I also add tight monitoring, named locations, and alerting on any sign-in. I also make sure those accounts have no day-to-day mailbox use.

Device hardening on SAWs with Defender for Endpoint, WDAC, LAPS, and browser controls

This is where Device Hardening becomes real, not aspirational. I’m trying to make the SAW boring to attack.

For Windows security configuration, I align Intune endpoint security policies with Defender’s capabilities. Microsoft’s guidance on managing AV settings in Intune is a good anchor when you document your configuration intent: Intune antivirus endpoint security policies. I also like Microsoft’s write-up on combining Intune and MDE for baselines and drift control: hardening Windows clients with Intune and MDE.

My go-to SAW restrictions (practical and enforceable)

I keep the installed app set tiny, then I enforce controls that stop common admin-credential attacks:

AreaWhat I set on SAWs (example)Why it helps
BitLockerXTS-AES 256, silent enable, recovery keys escrowed to Entra IDProtects data at rest, supports evidence collection
WDACAllow signed apps only (start in audit, then enforce)Blocks random tooling and user-installed binaries
ASR rulesBlock Office child processes, block credential stealing from LSASS, block executable content from email/webReduces common initial access paths
Device ControlBlock USB mass storage (or allow approved devices only)Limits data exfil and malware ingress
Local adminNo local admin for users, Windows LAPS for the break-glass local adminPrevents “oops” privilege creep
BrowsingAdmin browsing limited, extensions controlled, SmartScreen onCuts phishing and token theft exposure

For admin tools, I restrict PowerShell to signed scripts where possible, remove unnecessary RSAT components, and avoid “daily driver” apps on SAWs. When I need remote admin, I prefer controlled jump patterns and strong logging.

This is also where I tie in my broader Technology Consulting work: SAWs are part of Secure Cloud Architecture, Cloud Management, and Infrastructure Optimization. They support Digital Transformation without turning compliance into chaos. That’s the difference between buying “Innovative IT Solutions” and actually operating them.

Assessment Evidence: what I collect so the auditor doesn’t guess

Clean, professional vector diagram for CMMC Level 2 assessment evidence on secure admin workstations, showing checklists for Intune compliance, MDE inventory, BitLocker keys, WDAC policies, ASR alerts, LAPS logs, and Conditional Access logs, with arrows to Auditor Review Folder.
Evidence artifacts that support SAW control implementation, created with AI.

When I’m preparing an evidence package, I assume the assessor has one question: “Prove it’s enforced, and prove it’s used.”

Here’s what I gather for SAWs:

  • Intune policy exports for configuration profiles, endpoint security policies, and compliance policies (JSON exports or screenshots with timestamps).
  • Device compliance reports showing SAWs as compliant, plus non-compliance actions.
  • Conditional Access policies and sign-in logs that prove admin portals require compliant SAWs plus MFA.
  • MDE onboarding proof (device inventory list showing onboarded SAWs, plus at least one alert or EDR timeline example).
  • BitLocker escrow proof (sample device showing recovery key escrowed and encryption status).
  • WDAC policy evidence (audit-to-enforce change record, plus event logs or MDE indicators).
  • Windows LAPS evidence (policy assignment and rotation proof, plus access controls on password retrieval).

I put these into a single “Auditor Review” folder mapped to the relevant control families, then I cross-reference them in the SSP.

Closing thoughts and a short SAW checklist

CMMC prep goes smoother when I can point to one enforced pattern for privileged access. A secure admin workstation gives me that pattern, plus stronger Endpoint Security and clearer Business Continuity & Security outcomes. If you want a Business Technology Partner who can connect SAWs to your IT Strategy for SMBs (and still support the rest of your stack with Tailored Technology Services and Managed IT for Small Business), this is one of the first builds I recommend.

SAW quick checklist

  • SAWs are in a dedicated Intune device group and labeled in asset inventory.
  • Admin portals are restricted by Conditional Access to SAWs plus MFA.
  • BitLocker is enforced, keys escrowed, and compliance is reported.
  • MDE is onboarded, reporting, and alerting for SAWs.
  • WDAC and ASR rules are deployed (audit first, then enforce).
  • USB storage is blocked or tightly controlled.
  • Windows LAPS is enabled, with access limited and audited.
  • Evidence artifacts are exported, dated, and mapped to the SSP.

Discover more from Guide to Technology

Subscribe to get the latest posts sent to your email.

Category: 

Leave a Reply