Usage Guide

The Defend module in SHIELD provides lifecycle management for users and devices after the infrastructure is deployed. This guide explains how to perform key operations such as commissioning, decommissioning, assigning, and unassigning users or devices, all while respecting security class boundaries (Enterprise, Specialized, Privileged).


Lifecycle Management Overview

Lifecycle Management is triggered from within the SHIELD web interface and allows you to:

  • Onboard or offboard users and devices
  • Assign users to Privileged Access Workstations (PAWs)
  • Enforce metadata tagging and Intune integration
  • Apply group policies and conditional access boundaries

All actions are class-aware and scoped by SHIELD’s infrastructure.


Device Lifecycle Operations

Device lifecycle flows differ by class. Devices marked as Privileged undergo more stringent controls, such as wiping during onboarding.

Commission a Device

Commissioning a device registers it with SHIELD and assigns lifecycle metadata. Privileged devices will be wiped if they are Intune-managed to ensure a clean baseline.

📖 Commission a Device
📊 Workflow Diagram

UI Example

Screenshot: Select Device dialog (light and dark themes)

Privileged Commissioning

Wipe commands are issued to Intune-managed devices during commissioning to protect against residual compromise.


Decommission a Device

Removes a device from SHIELD’s lifecycle system.

📖 Decommission a Device
📊 Workflow Diagram


Assign a User to a PAW

Assigns one or more users to a privileged device (PAW). All others will be denied access.

📖 Assign User
📊 Workflow Diagram


Unassign a User from a PAW

Removes a user’s access from a PAW. If no users remain, a wipe is issued.

📖 Unassign User
📊 Workflow Diagram
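The four device operations above form one set of rules: a Privileged, Intune-managed device is wiped at commissioning, only assigned users may access a PAW, removing the last user triggers a wipe, and decommissioning drops the device from management. The model below encodes those rules so they can be checked; it is an added illustration, not SHIELD's own code, and every class, method and field name in it is an assumption.

```python
# Model of the device lifecycle rules this guide describes. Added illustration,
# not SHIELD's own code: the class, method and field names are assumptions.
from dataclasses import dataclass, field

ENTERPRISE, SPECIALIZED, PRIVILEGED = "Enterprise", "Specialized", "Privileged"
CLASSES = {ENTERPRISE, SPECIALIZED, PRIVILEGED}

@dataclass
class Device:
    name: str
    security_class: str
    intune_managed: bool = False
    assigned_users: set = field(default_factory=set)
    wipes_issued: int = 0  # wipe commands issued so far (tracked for the model)

class DeviceLifecycle:
    def __init__(self):
        self.devices = {}

    def commission(self, name, security_class, intune_managed=False):
        if security_class not in CLASSES:
            raise ValueError(f"unknown security class: {security_class}")
        dev = Device(name, security_class, intune_managed)
        # Privileged devices under Intune are wiped to establish a clean baseline.
        if security_class == PRIVILEGED and intune_managed:
            dev.wipes_issued += 1
        self.devices[name] = dev
        return dev

    def decommission(self, name):
        return self.devices.pop(name)  # removed from lifecycle management

    def assign_users(self, name, *users):
        self._paw(name).assigned_users.update(users)  # PAWs only

    def unassign_user(self, name, user):
        dev = self._paw(name)
        dev.assigned_users.discard(user)
        if not dev.assigned_users:  # last user gone: the PAW is wiped
            dev.wipes_issued += 1

    def can_access(self, name, user):
        # Assigned users are allowed; all others are denied.
        return user in self._paw(name).assigned_users

    def _paw(self, name):
        dev = self.devices[name]
        if dev.security_class != PRIVILEGED:
            raise ValueError(f"{name} is not a Privileged device (PAW)")
        return dev
```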


User Lifecycle Operations

SHIELD supports onboarding and offboarding for both privileged and non-privileged users.

Commission a User

Privileged users are created as new cloud-only accounts. Others are brought into management using existing identities. Temporary credentials are generated at creation.

📖 Commission a User
📊 Workflow Diagram

UI Example

Screenshot: Select User dialog (light and dark themes)

Temporary Credential Dialog

Screenshot: Temporary Credentials dialog (light and dark themes)


Decommission a User

Privileged users are deleted from Entra ID. Non-privileged users are simply removed from SHIELD management.

📖 Decommission a User
📊 Workflow Diagram


Security Classes

All operations respect SHIELD’s class-based enforcement:

  • Enterprise: standard users/devices with baseline protections
  • Specialized: enhanced controls and policy targeting
  • Privileged: strict isolation, hardware requirements, auto-wiping, credential controls

Class is selected at the top of the UI before performing lifecycle actions.

Default Class

The UI defaults to Privileged. Change the class selection before managing non-privileged assets, since Privileged-class actions (such as auto-wiping) would otherwise apply.