security
15 Topics

Microsoft Zero Trust Assessment v2: Operationalizing Security with Precision
In an era where cyber threats evolve faster than ever, organizations can’t afford blind spots. Zero Trust is no longer optional; it’s the foundation of modern security. With the release of the Microsoft Zero Trust Assessment v2, enterprises now have a powerful tool to measure, prioritize, and remediate security gaps with actionable intelligence.

What Is Zero Trust Assessment v2?

The Zero Trust Assessment is a security posture evaluation tool designed to help organizations operationalize Zero Trust principles. It automates checks across hundreds of configuration items aligned with:
- Secure Future Initiative (SFI)
- Zero Trust pillars: Identity, Devices, Applications, Data, Infrastructure and Networks
- Industry standards: NIST, CISA, CIS
- Microsoft’s internal security baselines
- Insights from thousands of real-world customer implementations

How Does It Work?

The assessment follows a structured, automated workflow:

1. Data Collection & Configuration Analysis
- Scans your Microsoft 365 environment and connected workloads.
- Evaluates identity configurations (e.g., MFA enforcement, conditional access policies).
- Reviews device compliance (e.g., Intune policies, OS hardening).
- Pulls telemetry from Azure AD, Microsoft Defender, and other integrated services.

2. Automated Testing Against Standards
- Runs hundreds of tests mapped to Zero Trust principles.
- Benchmarks your settings against: NIST Cybersecurity Framework, CISA Zero Trust Maturity Model, Microsoft security baselines.
- Flags misconfigurations and policy gaps.

3. Risk Scoring & Prioritization
- Assigns risk levels based on: Impact (how critical the gap is) and Effort (complexity of remediation).
- Provides a prioritized list of actions so you can focus on what matters most.

4. Actionable Recommendations
- Generates clear remediation steps, not vague advice.
- Links to Microsoft Learn and security documentation for quick implementation.
- Suggests policy templates and automation scripts where applicable.

5. Comprehensive Reporting
- Delivers a detailed report with: Trends over time, Risk heatmaps, Compliance scores.
- Enables executive dashboards for leadership visibility.

Integration with Microsoft Security Tools

Zero Trust Assessment v2 doesn’t operate in isolation; it integrates seamlessly with Microsoft’s security ecosystem:
- Microsoft Defender for Endpoint: Detects device vulnerabilities and feeds compliance data into the assessment.
- Microsoft Intune: Ensures device configuration policies align with Zero Trust principles.
- Microsoft Sentinel: Correlates assessment findings with threat intelligence for proactive incident response.
- Azure AD Conditional Access: Validates identity policies like MFA and session controls.
- Microsoft Purview: Extends Zero Trust to data governance and compliance.

This integration ensures that remediation steps can be automated and enforced across your environment, reducing manual effort and accelerating security posture improvement.

Sample Remediation Workflow Diagram

Below is a simplified view of how remediation flows after an assessment:

This closed-loop process ensures continuous improvement and operationalization of Zero Trust.

Key Benefits
- Speed: Automates what used to take weeks of manual audits.
- Accuracy: Aligns with global standards and Microsoft’s own security posture.
- Operationalization: Moves Zero Trust from theory to practice with actionable steps.
- Future-Ready: Tests will soon be available, enabling continuous improvement.

Why This Matters

Blind spots in identity or device security can lead to breaches, financial loss and reputational damage. Zero Trust Assessment v2 helps you:
- Respond faster to evolving threats.
- Reduce risk with prioritized remediation.
- Build resilience by embedding Zero Trust principles into daily operations.

Start strong with MCSB v2
Cloud adoption is accelerating, but so are threats. Organizations often rush to deploy workloads without a clear security baseline, leaving critical gaps that attackers can exploit. Enter Microsoft Cloud Security Benchmark (MCSB) v2, now in public preview, designed to help you start well-protected and evolve securely.

What Is Microsoft Cloud Security Benchmark v2?

MCSB v2 is a comprehensive set of best practices and controls for securing cloud resources across Azure and hybrid environments. It aligns with:
- Industry standards: NIST, CIS, ISO
- Microsoft Secure Future Initiative (SFI)
- Zero Trust principles

This benchmark provides prescriptive guidance for identity, network, data, and workload security, helping organizations establish a strong foundation before customizing for their unique needs.

Security Domains in MCSB v2

The benchmark organizes guidance into security domains, each representing a critical area of cloud security:
- Identity Management: MFA enforcement, Conditional Access, privileged identity management.
- Network Security: Segmentation, firewall rules, private endpoints.
- Data Protection: Encryption at rest and in transit, key management.
- Asset Management: Resource inventory, tagging, and governance.
- Logging & Monitoring: Centralized logging, alerting, and SIEM integration.
- Incident Response: Playbooks, automation, and escalation workflows.
- Application Security: Secure coding practices, vulnerability scanning.
- Compliance & Governance: Policy enforcement, regulatory alignment.

Security Control Structure

Each control in MCSB v2 follows a structured format for clarity and implementation:
- Control ID: Unique identifier for tracking.
- Control Name: Descriptive title (e.g., “Enable MFA for all users”).
- Control Category: Maps to a security domain.
- Control Objective: What the control aims to achieve.
- Implementation Guidance: Detailed steps for configuration.
- Azure Policy Mapping: Built-in policy definitions for automation.
- References: Links to Microsoft Learn and industry standards.

This structure ensures consistency, traceability and ease of adoption across large environments.

Integration with Azure Policy & Defender for Cloud

One of the most powerful aspects of MCSB v2 is its native integration with Azure governance and security tools:

Azure Policy
- Pre-built policy initiatives mapped to MCSB controls.
- Enables policy-as-code for automated enforcement across subscriptions.
- Supports compliance dashboards for visibility and reporting.

Microsoft Defender for Cloud
- Monitors compliance against MCSB controls in real time.
- Provides secure score and recommendations for remediation.
- Integrates with workflows for alerting and automation.

How to Get Started
1. Review the Benchmark: Explore the full guidance here: https://learn.microsoft.com/en-us/security/benchmark/azure/overview
2. Apply Built-In Policies: Use Azure Policy initiatives mapped to MCSB controls for quick enforcement.
3. Monitor Compliance: Leverage Microsoft Defender for Cloud to track adherence and remediate gaps.
4. Tune for Your Needs: Start with the baseline, then customize based on workload sensitivity and business requirements.

Best Practices for Organizations
- Enable MFA and Conditional Access for all identities.
- Segment networks and enforce least privilege.
- Encrypt data at rest and in transit using Azure-native capabilities.
- Enable Defender for Cloud for continuous posture management.
- Automate compliance with policy-as-code.

Cloud security isn’t static. Threats evolve, and so should your defenses. MCSB v2 gives you a future-ready foundation that scales with your business and integrates with Microsoft’s security ecosystem.

Server 2025 Security Baseline breaks Failover Cluster
Hello everyone,

While testing the Server 2025 Security Baseline with our Hyper-V hosts in a Failover Cluster, we noticed the Cluster Service (ClusSvc) was unable to start correctly. It failed with Event 7024 - "A specified authentication package is unknown". From testing and the event logs, we noticed that the .dll file "CLUSAUTHMGR.DLL" was unable to load.

After setting "Allow Custom SSPs and APs to be loaded into LSASS" to "Disabled", we were able to start the service again. I assume that the cluster auth manager .dll is not recognized as a trusted Microsoft SSP/AP and is therefore blocked as "custom" when this setting is enabled.

Has anyone tested this using Hyper-V clusters and/or made similar observations?

(P.S.: Before debugging, we should have googled, since apparently we are not the only ones to have this issue: https://jigsolving.com/failover-cluster-service-wont-start-server-2025/)

Windows 10/11 22H2 Security Baseline missing in Intune
Hi, can you please enlighten me as to when the Windows 10/11 Security Baseline will be updated to 22H2? The current baseline is from November 2021. I am sure that there are new recommendations in the new baseline (Windows 10, version 22H2 Security baseline - Microsoft Community Hub) that would be helpful while managing Windows in a more modern way. As an example, the 22H2 option "Allow Administrator account lockout" is currently missing, so it cannot be managed without the need for a GPO.

Security Baselines for Linux
Currently only Windows OS is in scope of the Security Baseline assessments. Are there any plans to expand it for Linux (RedHat) as well? I mean, our organization has deployed Defender on Linux, so it might be possible Microsoft will support this on Linux OSes as well.

Thanks,
Dragi

Exploit Prevention Blocking EXE files
My environment is having an issue where exe files are being blocked when executed via a remote share. It appears Exploit Prevention is blocking them, but it does not happen for every user. I have placed an exclusion using Set-ProcessMitigation -Name filename.exe -Disable BlockRemoteImageLoads and the issues still persist. We do not use Defender for Endpoint as a solution and are not managing Exploit Guard policy via GPO, SCCM, or Intune. Also, I have verified the process mitigation is disabled using PowerShell:

ImageLoad:
    BlockRemoteImageLoads         : OFF
    AuditRemoteImageLoads         : NOTSET
    Override BlockRemoteImages    : False
    BlockLowLabelImageLoads       : OFF
    AuditLowLabelImageLoads       : NOTSET
    Override BlockLowLabel        : False
    PreferSystem32                : NOTSET
    AuditPreferSystem32           : NOTSET
    Override PreferSystem32       : False

This randomly started a few days ago and I'm at a loss for how to move forward and why this occurred all of a sudden.

Security reasons to upgrade domain controllers to 2022
Can anyone point me to any documentation that lists the security features provided in Server 2022 that should be considered when planning an upgrade from older domain controllers? e.g. why should we go to 2022 instead of 2019?

Collecting activity logs via API for security
Hello Everyone!

We are planning to collect MCAS activity event logs for security monitoring via API for the applications we connected (O365, Azure, Workday, Salesforce, ServiceNow, DocuSign). Can you please share information about best practices, playbooks or guides regarding this scenario? Or if you have experience in similar cases, I'll be thankful for the information 🙂

DCOM Hardening: Different Versions of Windows
My version is Win10 19042. When I try to execute any WMI command in my domain (such as: wmic /node:IPADDR computersystem get username):

If the server and client versions are the same (Windows 10 19042), the command succeeds.

If the server and client versions are different (Win10 19044, Win10 19042), it gives an error:

The server-side authentication level policy does not allow the user domain\User SID (xxx) from address x.x.x.x to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.

I also created the registry key named "RequireIntegrityActivationAuthenticationLevel" on the remote computer and set its value to 0, but it doesn't affect it and gives the same error. How can I overcome this situation other than upgrading all remote computers?