Updated July 3, 2026
Secure Administrative Workbench (SAW) Bootstrap
Tags: getting-started, saw, security, privileged, workstations
<div class="getting-started-hero" markdown="1">
<h1><span class="platform-icon platform-saw"></span>Secure Administrative Workbench (SAW) Bootstrap</h1>
<h2>Provision a hardened, high-trust workstation for privileged infrastructure and security administration.</h2>
<p>Best for: actions requiring elevated roles not permitted on dev workstations.</p>
</div>
<ul class="platform-links">
<li><a class="platform-link" href="../bootstrap/">All workstation options</a></li>
<li><a class="platform-link" href="macos/">macOS</a></li>
<li><a class="platform-link" href="windows/">Windows (WSL2)</a></li>
<li><a class="platform-link" href="windows-vdi/">Windows VDI</a></li>
<li><a class="platform-link" href="saw/">SAW</a></li>
</ul>
At a glance
| Aspect | Summary |
|---|---|
| Purpose | Privileged administrative operations (infra, security) |
| Hardening focus | Minimal tools, enforced logging, restricted egress |
| Estimated time | 25–35 minutes (excludes access approval) |
| Tooling scope | Azure CLI, (optional) Terraform, (optional) Ansible, kubectl (if required) |
| When to choose | Actions requiring elevated roles not permitted on dev workstations |
Prerequisites
Steps

1. Obtain the approved provisioning artifact.
    - For managed VDI/AVD: use the SAW gold image identifier listed in your team's access-ticket response (image IDs rotate; do not hard-code them here).
    - For self-built workstations: pull the baseline script from the SAW provisioning repository referenced in the same access ticket.
2. Verify cryptographic integrity before executing anything:

    ```bash
    shasum -a 256 saw-bootstrap.sh
    # Compare the output to the published checksum in the release manifest;
    # do not proceed if it differs.
    ```

3. Execute the minimal bootstrap from a privileged shell:

    ```bash
    sudo bash saw-bootstrap.sh
    ```

4. Install required administrative tooling only:
    - Azure CLI (no preview extensions unless justified)
    - Terraform (pinned) if infrastructure changes are performed from the SAW
    - Ansible (read-only / check mode unless an explicit change window is approved)
    - kubectl / az aks (only if cluster admin tasks are in scope)
5. Apply certificate trust and outbound proxy configuration per the security baseline. Import both corporate CAs as on the developer workstation pages: Root CA and Internal Policy CA. Verify their fingerprints against the published trust store before saving.
6. Install the logging and monitoring agents (EDR, syslog forwarder, integrity monitor); their presence is enforced, not optional.
7. Disable non-required services (Bluetooth, AirDrop, consumer sync, etc.).
8. Run the verification commands below and attach the output to the access ticket.
Verification
Run the following commands, confirm that only approved tools are present, and keep the output for the access ticket:
```bash
az version --output json | jq -r '."azure-cli"'
# Test for the binary first: `terraform version | head -1 || echo ...` never reaches
# the echo when terraform is absent, because head exits 0 regardless of its input.
command -v terraform >/dev/null && terraform version | head -n 1 || echo "Terraform not installed (OK if SAW infra changes not required)"
command -v ansible >/dev/null && ansible --version | head -n 1 || echo "Ansible optional"
```
Expected: only approved tools present, at or above the minimum versions listed below; no extraneous developer IDEs.
Minimum tool versions
| Tool | Minimum | Notes |
|---|---|---|
| Azure CLI | 2.54 | Remove unused extensions |
| Terraform | 1.5 | Install only if infra changes executed here |
| Ansible | 2.14 | Optional; prefer pipeline automation |
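The verification commands and the minimum-version table can be combined into a single script whose report is attached to the access ticket. The script below is an added example, not the SAW provisioning repository's own verification script. It encodes the minimum versions from the table, repeats the checksum check from the Steps section and the CA fingerprint check (using `openssl`), and flags common developer IDEs. The environment variables `SAW_BOOTSTRAP_SHA256`, `SAW_CA_FILE` and `SAW_CA_FINGERPRINT` and the IDE denylist are assumptions for illustration; substitute the values from your access ticket and release manifest.

```shell
#!/bin/sh
# saw-verify.sh: added example, not the SAW provisioning repository's own script.
# Assumptions: minimum versions from the table on this page; manifest checksum in
# SAW_BOOTSTRAP_SHA256; optional PEM CA file and its published SHA-256 fingerprint in
# SAW_CA_FILE / SAW_CA_FINGERPRINT; a hypothetical denylist of IDE binaries.
set -u

# sha256_of FILE: hex digest (macOS ships shasum, Linux ships sha256sum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_checksum FILE EXPECTED: 0 only if EXPECTED is set and matches exactly.
verify_checksum() {
  [ -n "$2" ] && [ "$(sha256_of "$1")" = "$2" ]
}

# cert_fingerprint_ok FILE EXPECTED: compare the PEM certificate's SHA-256
# fingerprint (colon-separated, case-insensitive) with the published value.
cert_fingerprint_ok() {
  actual=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
  [ "$(printf '%s' "$actual" | tr 'a-f' 'A-F')" = "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]
}

# extract_version TEXT: first dotted version number in TEXT,
# e.g. "Terraform v1.5.7" -> 1.5.7, "ansible [core 2.14.5]" -> 2.14.5.
extract_version() {
  printf ' %s\n' "$1" | sed -n 's/.*[^0-9.]\([0-9][0-9.]*\).*/\1/p'
}

# version_ge HAVE MIN: 0 if HAVE >= MIN comparing numeric components, so
# 1.10.0 >= 1.9 and 2.54.0 >= 2.54; a suffix such as -rc1 is ignored.
version_ge() {
  have=$1 min=$2
  while [ -n "$min" ]; do
    h=${have%%.*}; m=${min%%.*}
    h=${h%%[!0-9]*}; m=${m%%[!0-9]*}
    [ "${h:-0}" -gt "${m:-0}" ] && return 0
    [ "${h:-0}" -lt "${m:-0}" ] && return 1
    case $have in *.*) have=${have#*.} ;; *) have= ;; esac
    case $min in *.*) min=${min#*.} ;; *) min= ;; esac
  done
  return 0
}

# check_tool NAME MIN HAVE REQUIRED(yes|no): print one report line; return 0
# when acceptable, 1 when outdated or when a required tool is missing.
check_tool() {
  name=$1 min=$2 have=$3 required=$4
  if [ -z "$have" ]; then
    printf 'MISSING  %-10s (minimum %s, required=%s)\n' "$name" "$min" "$required"
    [ "$required" = yes ] && return 1
    return 0
  fi
  if version_ge "$have" "$min"; then
    printf 'OK       %-10s %s (minimum %s)\n' "$name" "$have" "$min"
    return 0
  fi
  printf 'OUTDATED %-10s %s (minimum %s)\n' "$name" "$have" "$min"
  return 1
}

# installed_ides: names from the (hypothetical) IDE denylist found on PATH.
IDE_DENYLIST="code idea pycharm subl"
installed_ides() {
  for ide in $IDE_DENYLIST; do
    command -v "$ide" >/dev/null 2>&1 && echo "$ide"
  done
  return 0
}

# main: run every check, print the report for the access ticket, return 1 on any failure.
main() {
  rc=0
  if [ -f saw-bootstrap.sh ]; then
    if verify_checksum saw-bootstrap.sh "${SAW_BOOTSTRAP_SHA256:-}"; then
      echo "OK       saw-bootstrap.sh matches release manifest checksum"
    else
      echo "FAIL     saw-bootstrap.sh checksum mismatch or SAW_BOOTSTRAP_SHA256 unset"; rc=1
    fi
  fi
  if [ -n "${SAW_CA_FILE:-}" ]; then
    if cert_fingerprint_ok "$SAW_CA_FILE" "${SAW_CA_FINGERPRINT:-}"; then
      echo "OK       $SAW_CA_FILE fingerprint matches published trust store"
    else
      echo "FAIL     $SAW_CA_FILE fingerprint mismatch"; rc=1
    fi
  fi
  az_raw=$(az version --output json 2>/dev/null | jq -r '."azure-cli"' 2>/dev/null)
  check_tool azure-cli 2.54 "$(extract_version "$az_raw")" yes || rc=1
  check_tool terraform 1.5 "$(extract_version "$(terraform version 2>/dev/null | head -n 1)")" no || rc=1
  check_tool ansible 2.14 "$(extract_version "$(ansible --version 2>/dev/null | head -n 1)")" no || rc=1
  ides=$(installed_ides | tr '\n' ' ')
  if [ -n "$ides" ]; then
    printf 'FAIL     developer IDE present on SAW: %s\n' "$ides"; rc=1
  fi
  return $rc
}

if [ "${1:-}" = run ]; then
  main
fi
```

Run it as `sh saw-verify.sh run` from the directory holding `saw-bootstrap.sh`; the `run` argument keeps the functions loadable with `. ./saw-verify.sh` for ad-hoc checks. A non-zero exit means at least one line starts with FAIL, OUTDATED, or MISSING for a required tool, and the full report is what goes on the access ticket.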
Troubleshooting
| Symptom | Context | Resolution |
|---------|---------|-----------|
| Outbound HTTPS blocked | Egress policy too restrictive | Confirm security rule set; request exception for required endpoints. |
| Terraform provider download fails | Proxy not configured, or the corporate CA is not in the trust store | Set the proxy environment variables; import the corporate Root CA and Internal Policy CA and re-check their fingerprints. |
| Azure CLI login conditional access failure | Device not compliant | Verify device posture / Intune compliance state. |
Rollback and decommission
| Action | Command / Process | Note |
|---|---|---|
| Remove Terraform binary | sudo rm /usr/local/bin/terraform | Leaves state files untouched |
| Clear Azure tokens | az account clear | Required before handoff |
| Secure wipe (hardware) | Follow device sanitization SOP | Mandatory at lifecycle end |
Security notes
Related documentation
- Security & Compliance practices — controls and evidence requirements for privileged surfaces.
- Internal Policy CA and Root CA — corporate trust roots required on every SAW.
{{ doc_footer(page) }}