
CISA Warns on Microsoft Intune After Stryker Cyberattack

Reza Rafati

Reuters reported on March 19 that the U.S. Cybersecurity and Infrastructure Security Agency urged organizations to strengthen the security of endpoint management systems after the March 11 cyberattack on Stryker. Reuters said CISA was aware of malicious activity targeting endpoint management systems at U.S. organizations and told companies to implement Microsoft’s best practices for securing Intune.

Stryker said the March 11 incident caused a global disruption to its Microsoft environment and affected order processing, manufacturing, and shipping. The company, headquartered in Portage, Michigan, also said it had no indication of malware or ransomware in its internal Microsoft environment. Cyberwarzone previously covered the Stryker cyberattack claimed by the Iran-linked Handala group and the wider Iranian Revolution 2026 conflict briefing.

What CISA told organizations to do

Reuters reported that CISA told organizations to review and harden Microsoft Intune configurations, restrict administrative privileges, and apply Microsoft’s security best practices for endpoint management systems. The agency did not publicly attribute the broader malicious activity it referenced, and the reporting reviewed does not include a public IOC set tied to this advisory. What is public is the hardening direction.

Microsoft’s March 2026 Intune guidance gives that direction more substance. The company says tenants should enforce least-privilege administration through Intune RBAC, use phishing-resistant MFA and Conditional Access for administrative access, apply Multi Admin Approval for sensitive actions such as remote device actions, script deployment, and role or policy changes, and use scope tags and scoped roles to limit what each administrator can see or change. Those are concrete controls, not generic hygiene.
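As an added illustration (not Microsoft's, CISA's, or Cyberwarzone's code), the controls listed above can be expressed as checks over a snapshot of admin assignments. The snapshot below is constructed, and its field names, MFA labels, and the "broad role" list are assumptions for this sketch, not the Intune or Microsoft Graph export schema.

```python
# Added example: audit a constructed admin snapshot against the controls
# named in the paragraph above. All field names here are hypothetical.
SENSITIVE_ACTIONS = {"remote_device_action", "script_deployment",
                     "role_or_policy_change"}
PHISHING_RESISTANT = {"fido2", "passkey", "certificate"}  # assumed labels
BROAD_ROLES = {"Intune Administrator"}  # assumption: roles treated as tenant-wide

# Constructed sample data (not taken from any real tenant)
SNAPSHOT = {
    "multi_admin_approval": ["remote_device_action", "script_deployment"],
    "admins": [
        {"upn": "helpdesk1@example.test", "role": "Help Desk Operator",
         "scope_tags": ["EMEA"], "mfa": "fido2", "conditional_access": True},
        {"upn": "ops-admin@example.test", "role": "Intune Administrator",
         "scope_tags": [], "mfa": "sms", "conditional_access": False},
    ],
}

def audit(snapshot):
    """Return (subject, issue) pairs for every control that is not met."""
    findings = []
    for admin in snapshot["admins"]:
        upn = admin["upn"]
        if admin["role"] in BROAD_ROLES:
            findings.append((upn, "holds a tenant-wide role (least privilege)"))
        if not admin["scope_tags"]:
            findings.append((upn, "no scope tag: role is not scoped"))
        if admin["mfa"] not in PHISHING_RESISTANT:
            findings.append((upn, "MFA method is not phishing-resistant"))
        if not admin["conditional_access"]:
            findings.append((upn, "admin access not under Conditional Access"))
    # Sensitive actions that a single administrator can still perform alone
    uncovered = SENSITIVE_ACTIONS - set(snapshot["multi_admin_approval"])
    for action in sorted(uncovered):
        findings.append(("tenant", f"{action} not behind Multi Admin Approval"))
    return findings

if __name__ == "__main__":
    for subject, issue in audit(SNAPSHOT):
        print(f"{subject}: {issue}")
```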

Stryker said the March 11 disruption affected order processing, manufacturing, shipping, and other internal systems. That is why the advisory matters: if an attacker gains leverage over endpoint management, the effect can move quickly from identity and device control into production and logistics. Related Cyberwarzone coverage includes the foiled cyberattack on Poland’s nuclear research centre, our report on Greek firms scanning networks as the Iran war raises cyberattack risk, and the earlier Stryker cyberattack claimed by Handala.