Petrobras achieves cloud-only strategy, managing thousands of devices remotely, with Microsoft Intune

Being in tune with demands of a remote workforce

When Petrobras’ administrative employees were forced out of shared spaces and into their home offices in March 2020, the multinational oil and gas company acted quickly to implement highly secure infrastructure to enable remote work. After it developed a return-to-work model, it kept policies in place to support employees’ ability to work remotely part time.

Although this structure is efficient and at times necessary, Petrobras recognizes that it creates challenges for device security. “We have to ensure that devices can be connected through the internet and receive all the correct security, policy, and patch updates,” says Alaor Barroso de Carvalho Neto, End User Technology Manager at Petrobras. “As part of our company’s ongoing transformation, we’re also strongly focusing on employee experiences and offering more features and capabilities to enhance device usage.”

While many of its more than 96,000 workforce, including employees and contractors, use corporate laptops, Petrobras’ information security and technology teams wanted to enhance productivity by allowing employees to connect to corporate services, applications, and documents using their own iOS or Android devices. Key to this journey has been Microsoft Intune, which Petrobras uses to remotely manage employees' corporate devices and clearly distinguish how employees interact with both corporate and personal data on their mobile devices.

“We had a really restrictive environment in 2019 because everything had to be inside our corporate network to access company data,” says Barroso de Carvalho Neto. “Our new work model relies heavily on Microsoft Intune, which has helped safeguard our employees and data since the start of the pandemic without creating security vulnerabilities or compliance issues.”

Navigating a cloud only strategy with enhanced visibility and empowered employees

As a state-owned and publicly traded Brazilian corporation in a highly regulated industry, Petrobras faces unique IT challenges with much of its operations and workers at sea or working on offshore oil rigs. It also has international offices in countries including the United States, the Netherlands, and China where employees had to connect to a VPN to receive policy updates through Microsoft Endpoint Configuration Manager and Microsoft Entra ID. “In our unique situation where we face a lot of regulations, we must understand the policy and data compliance status of every device at all times because we often have to answer queries from multiple players,” remarks Barroso de Carvalho Neto.

Connecting devices to the company VPN for configuration was a slow and cumbersome process, but Intune only requires an internet connection to support the delivery of policy updates and protections to all of its workers, regardless of location. Petrobras is also able to deploy updates quicker, such as the latest version of the Windows operating system, as early as the week of release. And it doesn’t have to worry about bureaucratic, multistep processes, long testing cycles, or bringing employees in to upgrade systems manually. In fact, employees can now use Company Portal managed through Intune to deploy software themselves, including more than 300 Windows apps, without service desk intervention.

“Intune is a core piece of technology that helps align us with our company’s digital strategy,” says Gustavo José Barbosa Silva, IT Services Manager at Petrobras. Adds Barroso de Carvalho Neto, “Intune by itself has so much power and value that we decided to have new devices born cloud only. We’re currently 65 percent cloud only with Windows Autopilot and are transitioning the remaining Microsoft Entra hybrid–joined devices.”

Supporting contractors with device security and expanded permissions

It’s no simple feat for Petrobras to manage 82,000 company computers, 6,000 corporate mobile devices, and 30,000 personal devices linked to Intune mobile application management, but its new Microsoft tools make it easy. The solution has not only greatly benefitted existing employees but also broadened the scope of IT services and support for thousands of the company’s contractors. “Instead of us giving contractors corporate devices, they’re increasingly bringing devices from their direct employers,” explains Barroso de Carvalho Neto. “So, the number of devices outside of our direct management is increasing every day.”

Petrobras’ IT team uses Intune and Windows Autopilot to manage and deploy the appropriate policies on these new devices. In doing so, it’s made the process of delivering devices to its workers faster and easier than before. “Today, we have contractors and subsidiaries from all over, including Colombia, Singapore, and China, and with Intune we can make sure their personal devices are highly secure and follow Petrobras guidelines,” notes Barroso de Carvalho Neto. “This wasn’t possible prior to Intune, and onboarding contractors outside of Brazil was a really big project, especially outside the corporate network.” In some cases, contractors are receiving widescale system and information access for the first time.

Saving time on employee onboarding and device setup

Previously, device provisioning during employee onboarding was a complex and time-consuming process. Petrobras’ IT team typically undertook an eight-hour process—even when working from an image—going from machine to machine, formatting them to a blank slate, and installing all the required applications and information. After delivering the devices, employees had to complete an initial sign-in onsite and still might have to restart the devices multiple times to complete various installations.

In its new environment, Petrobras’ IT team deployed almost 22,000 devices in the second half of 2022—a stark contrast to what it could do before. “With Windows Autopilot and Intune, our IT team can have a device operational in about 40 minutes,” says Gustavo Antonio Gomes Alves, Senior System Analyst at Petrobras. “Employees can get to work using their devices within 15 minutes of receiving them while other less essential applications are installed in the background without causing interruptions.”

Making the most of the Microsoft ecosystem

To maximize the benefits of its Intune investment and elevate its cloud-first strategy, Petrobras joined together multiple remote access solutions, including Windows Hello for Business, Windows Autopatch, and single sign-on with Entra ID. “We’re always trying to obtain the best features of different solutions, not only to gain more control but to drive innovation for the business,” says Alexandre Ribeiro Dantas, Information Security Manager at Petrobras.

Petrobras’ personal ecosystem of products includes security solutions such as Microsoft Defender for Endpoint, Microsoft Defender for Servers, Microsoft Defender for Cloud, and Microsoft Defender for Identity, alongside Microsoft 365 collaboration and communication tools. “More than the cost savings from licensing, the simplicity and access to everything within Microsoft 365 is valuable,” says Barroso de Carvalho Neto. “Making the move to Microsoft in 2019 helped save us during the pandemic and is now helping us adapt to change going forward.”

Working from anywhere and at any time with vastly improved security

Petrobras’ information security and technology teams are now more comfortable knowing that employees, contractors, data, and devices around the world are safeguarded. The company is currently pushing delivery optimization through Windows Autopilot and Azure-only devices in its offshore environments, having proved the immense benefits of the solution onshore. “Previously, allowing a user to connect and work from another country that didn’t have our infrastructure was a nightmare,” says Barroso de Carvalho Neto. “With Intune, our workforce can now do their jobs from anywhere in the world and be as secure and productive as they were on the company network.”

In many cases, productivity has increased following the company’s adoption of Intune. Employees can access everything they need from Petrobras anywhere, any time. “I can join Microsoft Teams calls and respond to emails in Outlook all day long from my phone while I’m on the go,” explains Marcelo Eduardo Spessatto Ramis, Operational Efficiency General Manager at Petrobras. “It’s much more portable, and I’m not tied to sitting in my office.”

Ribeiro Dantas has been able to validate the security stature of this new Intune-led environment while performing internal audits on company infrastructure. He notes that Petrobras is always only a few clicks away from remotely updating or patching devices and avoiding potential risk. “Despite the increased access by our remote workforce, our recent audits have quite surprisingly revealed that we haven’t had any security incidents or data leakage,” he says. “People want to work from anywhere and at any time without security controls getting in the way, and using Intune and other Microsoft tools have made this possible and sustainable for us.”

Find out more about Petrobras on YouTube, Twitter, Facebook, and LinkedIn.