Business PC Implementation Guide 2026 : The Zero Trust Stateless Office using 365

In 2026, the “Standard Office” has evolved to require the next level of security. The days of using a local Windows login for your systems, or of sharing email accounts across a company, are over, especially where browsers or mail clients sync passwords, cookies or browsing history between the people sharing that account.

12th Feb 2026

Companies typically use cloud solutions like Microsoft 365 in today's office environment and no longer run expensive on-site Active Directory Windows servers, which means we need to move our security into this cloud ecosystem the right way.

2026, with AI-assisted phishing attacks, means we need a new secure Windows login solution with secure file access. Ideally we should use hardware authentication devices like YubiKey, activate BitLocker drive encryption, use isolated profiles, add zero-trust locks on all new applications, block browser extensions completely, activate enterprise anti-malware, add DNS phishing protection, implement a separate password manager with PIN auto-lock (Proton Pass), add strong ransomware protection and finally ensure multi-level backup with file versioning in multiple locations.

The biggest issue in implementing this is not the technical fix but the additional cost per month, and securing staff cooperation with quarterly cyber security training.

A company using no protection would be paying a minimal amount but risking everything. A medium-security setup may implement 365 logins using Microsoft 365 Business Standard, spending around £14 ($16) to £18 ($21) per user per month, but the 2026 Secure Office system requires Microsoft 365 Business Premium along with anti-malware and password-manager subscriptions, which will total around £27 ($30) to £38 ($44) per user per month. The time required to transition will be unique to each company depending on its current setup.

This guide outlines how to build a Stateless, Zero-Trust Office using Microsoft 365 Business Premium, YubiKeys, Proton Pass, ThreatDown (by Malwarebytes) and Ubiquiti UNAS with UniFi Gateway. This setup ensures that your PCs are secure, staff are mobile, and your company data is “un-phishable.”

Please note that all computers must be compatible with the latest Windows 11 Pro release: an Intel 8th Gen (2018) or newer CPU, or a comparable AMD Ryzen, with TPM 2.0 (not 1.2). 7th Gen or older cannot be used; 8th Gen is on Microsoft's supported list, but at that age BIOS and TPM firmware issues are common, so treat 9th Gen (2019) or newer as the practical floor. Keep free drive space above 30 GB so that updates run automatically. You will also need to enable Secure Boot, with the latest BIOS installed, if it is not already active.

Windows 11 version 23H2 (Home and Pro editions) reached its official “End of Life” on November 11, 2025.
Your system will silently stop receiving security updates without you realising it. In fact, it will still say ‘up to date’ if you click ‘check for updates’.
It must be running 24H2 (supported until October 2026) or, preferably, 25H2 or newer.

Recommended minimum 2026 specs are: 13th Gen Intel (or a 2022/23 or newer AMD Ryzen), 16 GB RAM, 500 GB NVMe SSD, 24 to 27″ monitor.
If buying new, get Intel Core Ultra (Series 2) based systems: big speed advantages, Thunderbolt 4 and very energy efficient.
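The following pre-flight script is an added example (not part of the original guide) that checks the hardware and OS requirements listed above on a candidate PC: TPM 2.0, Secure Boot, a Pro edition, a still-supported build and at least 30 GB free. Run it in an elevated PowerShell on each machine. The build numbers used for 24H2 (26100) and 25H2 (26200) are an assumption taken from Microsoft's released builds; adjust the thresholds if your policy differs.

```powershell
# Added example, not from the original guide: pre-flight check for the
# Windows 11 requirements described above. Run elevated on each PC.
# Assumption: 24H2 = build 26100, 25H2 = build 26200.

#Requires -RunAsAdministrator

function Test-Win11Readiness {
    [CmdletBinding()]
    param(
        [int]$MinFreeGB = 30,
        [int]$MinBuild  = 26100   # 24H2; raise to 26200 to insist on 25H2
    )

    $result = [ordered]@{}

    # TPM: Win32_Tpm.SpecVersion looks like "2.0, 0, 1.59"; a 1.2 chip reads "1.2, 2, 3"
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    $specMajor = if ($tpm) { [double](($tpm.SpecVersion -split ',')[0].Trim()) } else { 0 }
    $result['TpmSpec'] = if ($tpm) { $tpm.SpecVersion } else { 'none' }
    $result['Tpm20']   = ($specMajor -ge 2.0)

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy (non-UEFI) firmware
    try   { $result['SecureBoot'] = [bool](Confirm-SecureBootUEFI) }
    catch { $result['SecureBoot'] = $false }

    # Edition and servicing build (DisplayVersion is the "24H2"/"25H2" label)
    $os  = Get-CimInstance Win32_OperatingSystem
    $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $result['Edition']        = $os.Caption
    $result['IsPro']          = ($os.Caption -match 'Pro|Enterprise')
    $result['Version']        = $ver.DisplayVersion
    $result['Build']          = [int]$ver.CurrentBuild
    $result['BuildSupported'] = ([int]$ver.CurrentBuild -ge $MinBuild)

    # Free space on the system drive so that feature updates can stage
    $sys  = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"
    $free = [math]::Round($sys.FreeSpace / 1GB, 1)
    $result['FreeGB']     = $free
    $result['EnoughFree'] = ($free -ge $MinFreeGB)

    $result['Ready'] = $result['Tpm20'] -and $result['SecureBoot'] -and $result['IsPro'] `
                       -and $result['BuildSupported'] -and $result['EnoughFree']
    [pscustomobject]$result
}

Test-Win11Readiness | Format-List
```

A machine that reports TpmSpec "1.2, ..." or SecureBoot False is the "7th/8th Gen with firmware issues" case from the text: check for a BIOS update and a firmware TPM (fTPM/PTT) toggle before writing the PC off.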


Secure your Office PC using Modern Methods

1. Identity: The “Un-Phishable” Login

Password-based security is a relic. To prevent hackers from “stealing” a session or a password, we move to hardware-backed identity.
Adding weak backup methods (SMS, voice call, a plain password) defeats this, so lock it down for everyone, including administrators. The only exception is a dedicated break-glass admin account, excluded from the policy, whose credentials are kept offline in the safe.
Note: Start with clean systems, stripped of bloat software.

The Setup: Entra ID + FIDO2

  1. M365 Licensing: Assign Microsoft 365 Business Premium to all staff members.
  2. Authentication Policy: In the Microsoft Entra admin center, under Authentication methods, enable FIDO2 security keys (listed as Passkey (FIDO2)) for all users, and disable SMS and voice call so they cannot be used as a fallback.
  3. Hardware: Issue each staff member a YubiKey 5 Series key. (See Key+PIN implementation further down)
  4. Enrollment: Staff register their keys at aka.ms/mysecurityinfo.

The Result: Staff walk up to any of the PCs, plug in their key, enter the key's PIN and tap the sensor. They are logged in. Because the credential is bound to the physical key and to the site it was registered for, a remote hacker cannot “phish” it, even if they trick a user into clicking a link. (Security-key sign-in to Windows itself must also be switched on in Intune with the “Use security keys for sign-in” setting, and the PCs must be Entra joined.)
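Enabling the key is only half the job; the other half is making sure nothing weaker is ever accepted. The script below is an added example (not from the original guide) that creates a Conditional Access policy requiring the built-in “Phishing-resistant MFA” authentication strength for all users and all apps, using the Microsoft.Graph PowerShell module. It assumes a break-glass exclusion group named CA-Exclude-BreakGlass already exists; that name is an assumption. The policy is created in report-only mode so you can review the sign-in logs before enforcing it.

```powershell
# Added example, not from the original guide: Conditional Access policy that
# only accepts phishing-resistant MFA (FIDO2 key, Windows Hello for Business,
# certificate). Needs Microsoft.Graph and a Conditional Access Administrator.
# Assumption: a group 'CA-Exclude-BreakGlass' holds the offline emergency account.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All'

# Look the built-in strength up by name rather than hard-coding its ID
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
            Where-Object DisplayName -eq 'Phishing-resistant MFA'
if (-not $strength) { throw 'Built-in "Phishing-resistant MFA" strength not found in this tenant' }

$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'"
if (-not $breakGlass) { throw 'Create the break-glass exclusion group before enabling this policy' }

$policy = @{
    displayName = 'Require phishing-resistant MFA for all users'
    # Report-only first: review Sign-in logs > Report-only tab, then set to 'enabled'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlass.Id)   # never lock yourself out
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.Id }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

With this in place a user who still has a password and an SMS method registered cannot satisfy the policy with them; only the registered key (plus PIN) passes, which is what makes the weak-fallback problem described above go away rather than depending on everyone remembering not to add one.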


2. Protection: The ThreatDown “Silver Bullet”

The attack you experienced relied on “portable” remote-access software (like AnyDesk, ScreenConnect or Automox) that runs without admin rights. We stop this using ThreatDown’s Application Block (this is in addition to the standard anti-malware protection; ThreatLocker or Windows AppLocker can do the same job).

Step 1: Endpoint Isolation & EDR

Ensure ThreatDown EDR (Endpoint Detection & Response) is active. This provides a “Flight Recorder” of every action on the PC. If a computer acts strangely, you can Isolate it with one click, freezing the hacker out while keeping your console connection active.

Step 2: Advanced Application Blocking

Standard antivirus only blocks “known malware.” To block “legitimate but unauthorized” tools, use Advanced Rules:

  • Target Locations: Create a rule in ThreatDown to block all .exe files executing from \Downloads\*, \Desktop\*, and \AppData\*. Run the rule in monitor mode first: legitimate per-user installs such as OneDrive and Zoom also run from AppData, so add exclusions for them before switching to enforcement.
  • Category Blocking: Enable the “Remote Management” category block to prevent AnyDesk, TeamViewer, and similar tools from ever initializing.
  • The Outcome: If a staff member downloads a hacker’s remote tool, ThreatDown blocks the process as it tries to start.
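As an added example (not from the original guide and not ThreatDown's own configuration), here is the same idea expressed as a Windows AppLocker policy, which lets you audit what would be blocked on a pilot PC before enforcing anything. One thing the ThreatDown deny-list approach hides is that AppLocker is allow-list based: as soon as the Exe collection contains any rule, everything not explicitly allowed is denied, so the script includes the default allow rules (Program Files, Windows, local administrators). Paths, rule names and the constructed probe file are assumptions.

```powershell
# Added example, not from the original guide or ThreatDown: AppLocker policy
# denying execution from user-writable folders, built in AuditOnly mode and
# checked with Test-AppLockerPolicy. Requires Windows Pro/Enterprise and an
# elevated prompt; the AppLocker module ships with Windows.

#Requires -RunAsAdministrator
Import-Module AppLocker

# One <FilePathRule> element; AppLocker rules need a unique GUID each
function New-PathRule {
    param([string]$Path, [string]$Sid, [string]$Action, [string]$Name)
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

function New-UserWritableDenyPolicy {
    param([string]$OutFile = "$env:TEMP\block-user-writable.xml")

    $everyone = 'S-1-1-0'        # Everyone (includes local admins, so they are denied too)
    $admins   = 'S-1-5-32-544'   # BUILTIN\Administrators

    $denyPaths  = @('%OSDRIVE%\Users\*\Downloads\*',
                    '%OSDRIVE%\Users\*\Desktop\*',
                    '%OSDRIVE%\Users\*\AppData\*')
    $allowPaths = @('%PROGRAMFILES%\*', '%WINDIR%\*')   # AppLocker's default allow rules

    $rules = @()
    foreach ($p in $denyPaths)  { $rules += New-PathRule -Path $p -Sid $everyone -Action 'Deny'  -Name "Deny $p" }
    foreach ($p in $allowPaths) { $rules += New-PathRule -Path $p -Sid $everyone -Action 'Allow' -Name "Allow $p" }
    $rules += New-PathRule -Path '*' -Sid $admins -Action 'Allow' -Name 'Allow local administrators everything'

    # AuditOnly logs event 8003 (would have been blocked) instead of blocking
    $xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
    Set-Content -Path $OutFile -Value $xml -Encoding UTF8
    return $OutFile
}

$policyFile = New-UserWritableDenyPolicy

# Constructed probe: a real PE copied into Downloads stands in for a dropped remote-access tool
$probe = "$env:USERPROFILE\Downloads\anydesk-test.exe"
Copy-Item "$env:WINDIR\System32\cmd.exe" $probe -Force
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $probe, "$env:WINDIR\System32\cmd.exe" -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
Remove-Item $probe

# Expected: the Downloads copy is Denied by the Downloads rule, the System32 copy is Allowed.
# When the audit log on a pilot PC shows nothing legitimate being hit, enforce it
# (or push the XML through Intune's AppLocker CSP), changing AuditOnly to Enabled:
#   Set-AppLockerPolicy -XmlPolicy $policyFile
```

The Application Identity service must be running for AppLocker to enforce anything, and the explicit AppData deny will also hit per-user installs of tools such as OneDrive or Zoom, exactly as with the ThreatDown rule above; that is why the audit pass comes first.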

3. Experience: The “Roaming Personality”

So although we always recommend each user has their own system, this particular configuration also caters for the ‘hot-desk’ environment, allowing a user's Windows profile to follow them to any system rapidly.

Windows Shared PC Mode

Using Microsoft Intune, deploy a Shared PC configuration profile.

  • Account Management: Set the deletion policy to Delete at disk space threshold. Windows will automatically “clean” old profiles when the SSD hits 75% capacity, ensuring the PCs never slow down.
  • Fast Account Switching: Optimized for quick “tap-and-go” environments.

OneDrive Known Folder Move

Configure OneDrive via Intune to “Silently move Windows known folders.”

  • How it feels: When Sarah saves a file to her “Desktop” on PC #1, it is there when she logs into PC #8 five minutes later (as soon as OneDrive has finished uploading it).

4. Passwords: The Disposable Vault

Staff should never save passwords in the browser. Use a dedicated manager like Proton Pass or Bitwarden.

  1. Deploy Extension: Use Intune to “Force-Install” the browser extension to all PCs.
  2. Shared Access: If staff need a shared login, put it in a shared vault with view-only rights for the staff who need it. They can then “use” the password to log in (autofill) without having to know it, and when they leave you revoke the vault share rather than hunting for where the password was copied.

5. Technical Implementation: The Office XML

When deploying Microsoft Office via Intune, you must use Shared Computer Activation (SCA). This allows multiple people to use any number of machines without hitting activation limits.

Use this Configuration XML in Intune:

XML

<Configuration>
  <!-- O365BusinessRetail = Microsoft 365 Apps for business, the edition bundled with Business Premium -->
  <Add OfficeClientEdition="64" Channel="MonthlyEnterprise">
    <Product ID="O365BusinessRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
  <!-- Shared Computer Activation: per-user licence tokens instead of per-device activations -->
  <Property Name="SharedComputerLicensing" Value="1" />
  <Property Name="FORCEAPPSHUTDOWN" Value="TRUE" />
  <Updates Enabled="TRUE" />
  <!-- Silent install: Intune deployments must not wait for a user to click through -->
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>

7. Administration Access

Removing local administrator rights is the single most important step you can take to prevent the “overlay attack” you experienced, as it stops hackers from installing background software. However, in a company with any number of PCs, you still need a way to install legitimate software (like printer drivers or office tools) without a headache.

In 2026, there are three professional ways to handle this in a Microsoft 365 Business Premium environment (note that one of them, Endpoint Privilege Management, is an Intune add-on licence rather than part of Business Premium).


A. The “Zero Trust” Way: Intune Company Portal (Recommended)

Instead of giving users “Admin Rights” to install an app, you “Publish” the app to them.

  • How it works: You upload the installer (e.g., Chrome, Zoom, or your specific industry software) to the Intune Admin Center.
  • The User Experience: The staff member opens the Company Portal app (pre-installed on Windows). They see a list of approved apps and click “Install.”
  • The Security: The installation runs with “System” privileges in the background. The user never becomes an administrator, and no password is required.

B. The “On-Demand” Way: Endpoint Privilege Management (EPM)

If you want to allow staff to run any installer but still keep them as Standard Users, you use Microsoft Intune EPM (or a third-party tool like Admin By Request).

  • How it works: The staff member right-clicks the installer and chooses “Run with elevated access” instead of double-clicking it.
  • The Approval Flow:
    • Automatic: You can set rules to “Auto-Approve” installers from trusted publishers (like Microsoft or Adobe), matched on the file's signing certificate rather than its name.
    • Manual: The staff member types a reason (e.g., “Installing new printer”), and you get a notification on your phone/computer to click “Approve.”
  • The Security: The admin rights apply only to that specific process. Once the app is installed, the user is immediately back to a safe “Standard User” status.

C. The “Emergency” Way: Windows LAPS

If an engineer is physically at the machine or on a remote support call, you use the Windows Local Administrator Password Solution (LAPS), which is built into Windows 11 and backs its passwords up to Entra ID (included with Business Premium).

  • How it works: Windows LAPS manages a dedicated local administrator account on every PC, setting a unique random password that is escrowed in Entra ID.
  • The Workflow: When you need to install something, you look up the current password in the Intune portal (Devices > the device > Local admin password). Configure the post-authentication action so the password is reset automatically a set number of hours after it is used (24 by default), and it is rotated on a schedule (30 days by default) regardless.
  • The Security: No staff member knows the password, it differs on every PC, and there is no “universal” admin password for a hacker to steal.

8. Hardening Authentication

Adding a “Hardened” login (PIN + hardware token) is achieved through the FIDO2/WebAuthn standard.

Entra ID requires user verification on the key (a PIN, or a fingerprint on Bio models) for both registration and sign-in, and Windows 11 prompts for the key PIN by default.

This setup creates a Possession + Knowledge factor: a hacker would need both your physical YubiKey and your local PIN to get in.


A. Setup: How to enable the PIN

Windows handles the YubiKey PIN natively—no extra software is required.

  1. Open Settings: Go to Accounts > Sign-in options.
  2. Select Security Key: Click on Security Key and then click Manage.
  3. Insert & Touch: Insert your YubiKey and touch the gold sensor when prompted.
  4. Create PIN: Click Add (or Change) under the PIN section.
  5. Requirement: Set a PIN of at least 6 characters; letters and symbols are allowed, and longer is better.

Security Note: The PIN is verified on the YubiKey itself; neither the PIN nor the private key ever leaves the device, and nothing is stored on the PC or in the cloud. Even if the PC is compromised, the PIN and the credential remain inside the key's secure element.


B. Registration: Linking to the Company

Once the key has a PIN, it must be linked to the staff member’s Microsoft 365 account.

  1. Visit MySignIns: Have the staff member go to mysignins.microsoft.com/security-info.
  2. Add Method: Click Add sign-in method and choose Security Key.
  3. Choose USB: Follow the prompts to insert the key, enter the PIN you just created, and touch the key.
  4. Name the Key: (e.g., “John’s Office Key”).

C. Login: The Daily Workflow

When a staff member walks up to any of the 10 shared PCs:

  1. Insert Key: Plug the YubiKey into a USB port.
  2. Sign-in Options: On the Windows login screen, click “Sign-in options” and select the Security Key icon (it looks like a USB drive).
  3. Enter PIN: Windows will pop up a box asking for the Security Key PIN.
  4. Tap: Once the PIN is accepted, the YubiKey will flash. Touch it.
  5. Access: The user is instantly logged into their specific, private profile.

Why this is “Hardened”
  • Anti-Hammering: If someone finds a lost YubiKey and tries to guess the PIN, the key must be removed and reinserted after 3 consecutive wrong attempts, and after 8 wrong attempts in total the FIDO2 application locks. The key must then be factory reset, wiping all FIDO2 credentials.
  • No Network Leak: PIN verification happens between the OS and the key over USB or NFC, so the PIN is never sent over Wi-Fi or the internet.
  • Overlay Immunity: Unlike a software password, a “Tap” requires a human to be physically present. A hacker sitting in another country cannot “tap” the button for you.

9. Bypassing on Windows 11 (The “TAP” Method) for Lost YubiKeys

If a staff member loses their YubiKey, you do not want to revert them to a standard password (which a hacker could use). Instead, you use a Temporary Access Pass (TAP).

  • What it is: A time-limited passcode (e.g., 8J2-K9L-P0Q) that you generate in the Microsoft Entra admin center, usable once or a set number of times. TAP must first be enabled in the tenant's authentication methods policy.
  • The Workflow:
    1. The user calls you: “I lost my key.”
    2. You remove the lost key from their account, then generate a TAP in the portal set to expire in 2 hours.
    3. The user signs in with the TAP instead of their key (at the Windows lock screen this needs Web sign-in enabled via Intune; otherwise they use it in a browser at mysignins.microsoft.com/security-info).
    4. The user immediately registers a new YubiKey while signed in.
  • The Security: Once the TAP has been used or the 2 hours are up, it is useless, and the lost key no longer opens anything.
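The steps above as a single helpdesk script, added here as an example (not from the original guide), using the Microsoft.Graph PowerShell module: it revokes only the key the user named at registration, leaves any spare key in place, and then issues the short-lived TAP. It needs the Authentication Administrator role (or higher) and TAP enabled in the tenant. The user name and key name are assumptions.

```powershell
# Added example, not from the original guide: lost-key recovery with
# Microsoft.Graph. Revoke the lost FIDO2 method first, then issue a TAP.
# Assumptions: user 'john@company.com', key registered as "John's Office Key".

Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

function Invoke-LostKeyRecovery {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$LostKeyDisplayName,   # the name given at registration
        [int]$LifetimeMinutes = 120
    )

    # 1. Revoke only the lost key; a spare key (Key B) stays registered
    $keys = Get-MgUserAuthenticationFido2Method -UserId $UserPrincipalName
    $lost = $keys | Where-Object DisplayName -eq $LostKeyDisplayName
    if (-not $lost) { throw "No registered key named '$LostKeyDisplayName' for $UserPrincipalName" }
    foreach ($k in $lost) {
        Remove-MgUserAuthenticationFido2Method -UserId $UserPrincipalName -Fido2AuthenticationMethodId $k.Id
    }

    # 2. Issue the TAP. isUsableOnce matches the guide; set it to $false if the user
    #    must sign in more than once (e.g. Windows and then the browser) before registering
    $tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName -BodyParameter @{
        lifetimeInMinutes = $LifetimeMinutes
        isUsableOnce      = $true
    }

    [pscustomobject]@{
        User           = $UserPrincipalName
        RevokedKeys    = ($lost | Select-Object -ExpandProperty DisplayName) -join ', '
        RemainingKeys  = ($keys | Where-Object Id -notin $lost.Id | Select-Object -ExpandProperty DisplayName) -join ', '
        TempAccessPass = $tap.TemporaryAccessPass   # read it to the user by phone, never by email
        ExpiresUtc     = $tap.StartDateTime.AddMinutes($tap.LifetimeInMinutes)
    }
}

Invoke-LostKeyRecovery -UserPrincipalName 'john@company.com' -LostKeyDisplayName "John's Office Key"
```

Doing the revocation before the TAP matters: whoever picked the key up has up to 8 PIN guesses, and the key stays a valid sign-in method until it is deleted from the account.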

The Best Practice: The “Spare Key” Strategy

The most professional way to handle this in 2026 is to require two keys per user:

  • Key A: On their keychain for daily use.
  • Key B: Kept in the company safe or the manager’s desk.

Why? If Key A is lost, the staff member is “back in business” in 30 seconds by grabbing Key B. You then delete Key A from the system and order a replacement.

10. File Storage

File storage considerations. If you have, for example, 100,000 files and under 500 GB of storage for day-to-day operations, simply put all your files into OneDrive/SharePoint with a local versioned backup in case of ransomware or internet failure. You get 1 TB per user with the account, but 365 versioning eats up space quickly, and syncing very large libraries causes slow or stuck sync (Microsoft's own guidance is to keep synced files under about 300,000 per PC). If you need more than that, aim for a dedicated on-site NAS (not a Windows server) with no additional apps installed, because add-on NAS apps are a major security problem with frequent CVE announcements. We recommend a UniFi UNAS as this ticks all the boxes; in fact it is cheap enough that you should buy two and keep the second in another building as a daily backup target.

The latest UniFi UNAS (and the UniFi Drive application) is designed specifically to integrate with the secure, cloud-first setup we’ve built. In 2026, Ubiquiti has tight integration with Microsoft Entra ID through a service called UniFi Identity Enterprise.

In your “Stateless” environment, the UNAS acts as the central vault, but it doesn’t manage its own list of users. Instead, it “asks” your Microsoft 365 tenant if the person is allowed in.


A. The Integration Bridge

To make the UNAS work with your YubiKey-secured Windows logins, you use UniFi Identity Enterprise.

  • User Sync: You link your Microsoft 365 tenant to UniFi. Your staff members are automatically synced into the UniFi ecosystem.
  • Delegated Authentication: When a user tries to access a file share, the UNAS delegates the “handshake” to Microsoft.
  • The Security Win: Because you’ve already enforced Conditional Access in M365, the UNAS won’t let someone in unless they’ve met your security requirements (like having a valid, active account in your tenant).

B. The User Experience (The “Stateless” Way)

When your staff member taps their YubiKey and logs into a PC:

  1. Auto-Mount: You can use Intune to push a script that automatically maps the UNAS drive (e.g., the S: drive) the moment they log in.
  2. Single Sign-On (SSO): Because the Windows session is already authenticated with their Entra ID, the UNAS recognizes the synced identity and lets them in without a separate NAS password. Verify this on a pilot PC: if Windows prompts once for the share, it caches that credential for the user and does not ask again.
  3. Remote Access: If a staff member is working from home, they use the UniFi Identity Endpoint app. It creates a secure VPN tunnel that also respects the YubiKey/MFA requirements.
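The auto-mount script from step 1, as an added example (not from the original guide or Ubiquiti): an Intune platform script that maps the UNAS share to S: at logon, drops a stale mapping left by the previous hot-desk user, and fails cleanly when the share is unreachable so Intune retries later. Deploy it with “Run this script using the logged-on credentials” set to Yes, because a mapped drive belongs to the user session, not to SYSTEM. The share path, drive letter and log location are assumptions.

```powershell
# Added example, not from the original guide: Intune logon script that maps
# the UNAS share. Must run as the signed-in user, not SYSTEM.
# Assumptions: share \\unas.company.internal\Shared, drive letter S:.

param(
    [string]$Share  = '\\unas.company.internal\Shared',
    [string]$Letter = 'S'
)

$log = "$env:LOCALAPPDATA\MapUnasDrive.log"
function Write-Log($m) { "$(Get-Date -Format s) $m" | Add-Content -Path $log }

# Guard: a mapping made as SYSTEM is invisible to the user
if ([Security.Principal.WindowsIdentity]::GetCurrent().IsSystem) {
    Write-Log 'Running as SYSTEM; set the Intune script to run with the logged-on credentials.'
    exit 1
}

# On a hot-desk PC S: may still point at something the previous user mapped
$existing = Get-PSDrive -Name $Letter -ErrorAction SilentlyContinue
if ($existing -and $existing.DisplayRoot -ne $Share) {
    Write-Log "Removing stale mapping $Letter -> $($existing.DisplayRoot)"
    Remove-PSDrive -Name $Letter -Force
    $existing = $null
}

if (-not $existing) {
    # Off-site without the VPN: fail now, Intune will rerun the script later
    if (-not (Test-Path -LiteralPath $Share)) {
        Write-Log "Share $Share not reachable; skipping (VPN not connected?)"
        exit 1
    }
    # -Persist creates a real Windows mapped drive that Explorer and Office can see
    New-PSDrive -Name $Letter -PSProvider FileSystem -Root $Share -Persist -Scope Global -ErrorAction Stop | Out-Null
    Write-Log "Mapped $Letter -> $Share"
}
exit 0
```

Because the script exits non-zero when the share is unreachable, a remote worker's PC will simply pick the drive up the next time the script runs after the VPN is connected, rather than leaving a dead S: in Explorer.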

C. Why this Works

  • No “Ghost” Files: Unlike OneDrive, which syncs files locally, the UNAS serves files over SMB (Server Message Block). Files stay on the NAS and only travel to the PC when opened, which saves a lot of disk space on those 10 shared PCs. (OneDrive's Files On-Demand reduces this problem, but its local cache still grows with everything the user opens.)
  • Centralized Permissions: If a staff member leaves, you disable them in the Microsoft 365 Admin Center. Instantly, they lose access to the Windows PCs, their Email, and the UniFi UNAS. No more chasing down local passwords.
  • High Speed: By using the 10G SFP+ port on the UNAS Pro, your staff can open large files (like 4K video or massive databases) across the network as if they were stored on the local SSD.
  • Remote Workers: Should use UniFi Identity One Click VPN to access office network or for quick one time access via secure UniFi Drive Browser.

Technical Requirements for this Setup:

Feature          | Requirement
UNAS Firmware    | UniFi OS 4.4.11 or later
App              | UniFi Drive 3.3.10 or later
Identity Service | UniFi Identity Enterprise (Free and Standard tiers available)
Windows Config   | “Use Active Directory Credentials for SMB” enabled in UniFi Drive settings

11. Mobile Email

Microsoft Outlook App

For a company using Microsoft 365, the Outlook app is the only recommended method. It supports the YubiKey login described above and keeps work data isolated from personal data. Install Microsoft Authenticator on the phone as well: Microsoft's mobile apps use it as the broker that talks to the security key.

  1. Download: Install the Microsoft Outlook app from the App Store (iOS) or Google Play Store (Android).
  2. Add Account: Open the app and enter the work email address (name@company.com).
  3. The “Hardened” Challenge: Instead of just a password, a Microsoft login screen will appear.
  4. Hardware Verification: * NFC (The Tap): If using a YubiKey 5C NFC, the staff member simply taps the key against the back of their phone when prompted.
    • USB-C: If using a non-NFC key, they plug the YubiKey directly into the phone’s charging port.
  5. PIN: They enter the 6-digit Security Key PIN they created earlier.
  6. Done: The email, calendar, and contacts will begin syncing immediately.

Summary Checklist

Component               | Technology                                        | Security Win
Login                   | YubiKey 5C NFC                                    | Credentials cannot be phished or replayed.
Antimalware             | ThreatDown EDR                                    | Real-time monitoring with ransomware “Rollback” capability.
Apps                    | ThreatDown App Block or ThreatLocker              | Stops “portable” hacker tools from running.
Files                   | OneDrive KFM and/or UniFi UNAS                    | Files follow the user to any PC.
Backup                  | UniFi UNAS                                        | Backs up 365 or the primary UNAS.
Disk Space              | Shared PC Mode (optional)                         | Automated self-cleaning of the computers.
Browsers and Extensions | Edge for profile sync; block all extensions       | Any extension is now high risk.
Firewall                | UniFi Gateway with IDS/IPS                        | A quality gateway/firewall adds extra layers.
DNS                     | Quad9 (9.9.9.9) or NextDNS (paid) with blocklists | Blocks malware/phishing domains at the DNS level.
Email                   | ThreatDown Email Protection                       | Adds an extra layer of email protection.
Passwords               | Proton Pass with timeout PIN lock                 | Use Proton Pass for Business with YubiKey-backed login.

The Final Result

If a hacker attempts to attack:

  1. They cannot log in because they don’t have the physical YubiKey.
  2. If they find a way in, they cannot install software because the user is a Standard User.
  3. If they try to run a “Portable” tool, ThreatDown kills it instantly with App Blocking.
  4. Your business stays online, and your money stays in the bank.
  5. Together with staff training this gives the best protection available. Nothing is 100%, but this is close.

This guide is the definitive blueprint for transforming a high-risk office into a Stateless, Zero-Trust Environment. By moving from shared local logins to individual hardware-backed identities, you eliminate the “perfect storm” that led to your previous breach.


The Linux to Intune Integration Instructions

You can do a similar setup on Linux, but only with “Ubuntu Desktop 22.04 or 24.04 LTS” (GNOME session) or Red Hat Enterprise Linux 8/9, as these are the only distributions Microsoft Intune supports. You can’t enroll other distributions such as Linux Mint or Zorin.
To get file sync working with OneDrive/SharePoint you may have issues, as Microsoft does not ship a OneDrive client for Ubuntu; ‘insync’ is a good solution, or try Rclone, but that is considerably more complex.


Here is a comprehensive, end-to-end walkthrough for enrolling an Ubuntu 24.04 LTS device into Microsoft Intune.

Phase 1: System Readiness

Before running commands, ensure your system is prepared:

  • Graphical Interface: You must be using the desktop version (GNOME).
  • Encryption: Most corporate policies require Full Disk Encryption (LUKS). If you didn’t enable this during Ubuntu installation, the device may report as “Non-compliant.”
  • Time Sync: Ensure your system time is set to “Automatic” to prevent authentication errors.

Phase 2: Install Microsoft Edge

Microsoft Edge is the required authentication broker for Linux enrollment.

  1. Add Microsoft's signing key and the Edge repository:
     Bash
     curl -fSsL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /usr/share/keyrings/microsoft-edge.gpg > /dev/null
     echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft-edge.gpg] https://packages.microsoft.com/repos/edge stable main" | sudo tee /etc/apt/sources.list.d/microsoft-edge.list
  2. Install the browser:
     Bash
     sudo apt update && sudo apt install microsoft-edge-stable -y

Phase 3: Install the Intune Portal App

This phase registers the Microsoft software repository and installs the management agent.

  1. Add the Microsoft GPG Key (the same key as for Edge; a second keyring file is harmless):
     Bash
     curl -sSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /usr/share/keyrings/microsoft-archive-keyring.gpg > /dev/null
  2. Add the Ubuntu 24.04 Repository:
     Bash
     echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft-archive-keyring.gpg] https://packages.microsoft.com/ubuntu/24.04/prod noble main" | sudo tee /etc/apt/sources.list.d/microsoft-intune.list
  3. Install the Intune Portal:
     Bash
     sudo apt update && sudo apt install intune-portal -y
  4. Critical Step: Reboot your computer now. The registration service often fails to initialize correctly until the system has restarted.

Phase 4: Device Registration & Enrollment

Now that the software is installed, you must link the hardware to your organization.

  1. Launch the App: Open the Microsoft Intune app from your Applications menu.
  2. Sign In: Click Sign In and enter your organization’s credentials. This will likely open a sign-in window via the Edge browser engine.
  3. MFA: Complete any Multi-Factor Authentication (MFA) requirements.
  4. Register: Once signed in, you will see a “Set up your device” screen. Click Begin.
  5. Compliance Check: The app will scan your system for encryption, password strength, and OS version.
    • Note: If a check fails, the app will provide a link explaining how to fix the specific issue (e.g., “Set a stronger password”).
  6. Success: Once finished, the status will change to “Your device is set up.”

Phase 5: Final Verification

To ensure everything is working correctly:

  1. Open the Microsoft Intune app on your Ubuntu desktop; it should show “Device is compliant.”
  2. Check the Intune Admin Center (on another machine) under Devices > Linux to see your Ubuntu 24.04 device listed with a “Success” status.
