

Nov 08, 2025

A secure device baseline for new hires (Windows & macOS)

New hires should land on laptops that are encrypted, patched, protected, and recoverable—day one. Use this baseline to keep settings consistent across Windows & macOS.

Baseline goals
  • 100% MFA, 100% disk encryption, ≥95% patch compliance
  • Standard user by default (no permanent local admin)
  • Measurable, auditable, and easy to roll out with MDM/Intune/Jamf
Tags: MFA 100% · BitLocker · FileVault · Autopatch · EDR · ASR rules · KFM OneDrive · LAPS · Just-in-Time admin · Monthly restores

Device baseline

1) Identity & access
  • SSO + MFA enforced for all workforce apps (Entra ID / Google Workspace).
  • Conditional Access: block legacy/basic auth; require compliant or hybrid-joined device for risky apps; alert on impossible travel.
  • Least privilege: standard user by default; elevate on demand only (PIM / JIT local admin).
  • Local admin management: Windows LAPS for rotating local admin; demote ad-hoc admin on macOS after setup.
  • Optional: passwordless (FIDO2/Passkeys) for admins/finance.
2) Disk encryption
  • Windows: BitLocker (XTS-AES 256) bound to TPM; escrow recovery keys to Entra/AD; pre-boot PIN only for high-risk roles.
  • macOS: FileVault with MDM escrow (per-machine key), auto-enable for all users.
Verify quickly
# Windows (PowerShell)
manage-bde -status                                          # expect "Protection On" and "Fully Encrypted" for the OS drive
(Get-BitLockerVolume).KeyProtector | ft KeyProtectorType    # expect Tpm (or TpmPin) plus RecoveryPassword

# macOS (Terminal)
fdesetup status        # expect "FileVault is On."
sudo fdesetup list     # users able to unlock the disk; the temporary setup admin should not be here
Do not ship unescrowed devices

If a device leaves IT without a confirmed escrowed key, it’s a data-loss risk. Block until escrow appears in directory/MDM.
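The two one-liners above tell you whether BitLocker is on; they do not tell you whether the recovery key ever reached the directory. The script below is an added example (not part of this checklist or any vendor tool) that audits one volume against the section 2 baseline and re-sends the recovery password to Entra ID when a protector exists but no escrow has been logged. It assumes the BitLocker PowerShell module, an elevated prompt, and that the OS volume is the one you care about on day one; the parameter names and the `Compliant` roll-up are this example's own.

```powershell
# Added example (not from the original checklist): audit one volume's BitLocker
# posture against the section 2 baseline and surface whether key escrow has been
# logged. Needs the BitLocker module (Windows Pro/Enterprise) and an elevated
# prompt. Baseline values are parameters so high-risk roles can tighten them.

function Test-BitLockerBaseline {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,   # assumption: the OS volume is what matters on day one
        [string]$RequiredMethod = 'XtsAes256'      # baseline: XTS-AES 256
    )
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Event 845 in the BitLocker Management log is written when recovery information
    # was backed up to AD / Entra ID (846 is the failure counterpart). Its absence
    # does not prove escrow failed (logs roll), so treat it as a local hint and
    # confirm in the directory/MDM before the device leaves IT.
    $escrowed = [bool](Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845
        } -MaxEvents 1 -ErrorAction SilentlyContinue)

    $r = [pscustomobject]@{
        MountPoint     = $vol.MountPoint
        ProtectionOn   = ($vol.ProtectionStatus -eq 'On')
        FullyEncrypted = ($vol.VolumeStatus -eq 'FullyEncrypted')
        MethodOk       = ($vol.EncryptionMethod.ToString() -eq $RequiredMethod)
        TpmBound       = ($types -contains 'Tpm' -or $types -contains 'TpmPin')
        RecoveryPwd    = ($types -contains 'RecoveryPassword')
        EscrowLogged   = $escrowed
    }
    $r | Add-Member -NotePropertyName Compliant -NotePropertyValue (
        $r.ProtectionOn -and $r.FullyEncrypted -and $r.MethodOk -and
        $r.TpmBound -and $r.RecoveryPwd -and $r.EscrowLogged)
    return $r
}

function Invoke-BitLockerEscrow {
    # Re-send every recovery password protector to Entra ID (hybrid/Entra-joined
    # devices). Domain-joined devices without Entra use Backup-BitLockerKeyProtector.
    param([string]$MountPoint = $env:SystemDrive)
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rp) { throw "No RecoveryPassword protector on $MountPoint; add one before escrowing." }
    foreach ($p in $rp) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    }
}

$audit = Test-BitLockerBaseline
$audit | Format-List
# Only push a key that exists; never create protectors silently on a handover script.
if ($audit.RecoveryPwd -and -not $audit.EscrowLogged) { Invoke-BitLockerEscrow }
```

Run it as the last step before the laptop leaves the build bench; a `Compliant = False` result with `EscrowLogged = False` is exactly the "do not ship" case above, and the fix is a re-escrow followed by a check that the key now shows in Entra/MDM, not an override.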

3) OS & app updates
  • Windows: Windows Update for Business / Autopatch. Rings: Pilot (0–3 d) → Broad (7–14 d); reboots outside business hours.
  • macOS: enforce auto updates + Rapid Security Responses via MDM; major versions within 30–60 days.
  • Targets: ≥95% patch compliance; ≤7 days median age for critical updates.
4) Endpoint protection
  • Defender for Endpoint (Win/macOS) or reputable EDR; Tamper protection ON.
  • ASR rules: block Office child processes / Win32 API, block credential theft (LSASS), block executable content from email/web downloads.
  • SmartScreen / Gatekeeper ON; firewall enabled.
  • Disable/remediate unsigned kernel/system extensions (macOS) unless approved.
5) Baseline apps & settings
  • Password manager (business tier).
  • Enterprise browser (Edge/Chrome) with sign-in, sync, and extension allow-list.
  • Screen lock 5–10 min; disk sleep 30–60 min on battery.
  • Secure DNS (DoH) via policy; safe-browsing enabled.
  • Hide built-in admin tools for non-IT; disable AutoRun/Autorun.inf on Windows.
  • Optional per role: restrict USB mass-storage, AirDrop/Bluetooth.
6) Backups & recovery
  • User data → OneDrive/Drive with Known Folder Move (Desktop, Documents, Pictures).
  • Critical roles: image/volume backup + cloud copy; use immutable storage where available.
  • Monthly restore test: 1 user folder, 1 shared drive library, and 1 image restore to a spare device.
Quick checks
# OneDrive KFM (PowerShell)
# The "Silently move Windows known folders to OneDrive" policy writes the tenant ID
# to KFMSilentOptIn under the OneDrive policy key; empty/absent means KFM is not enforced.
(Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\OneDrive -ErrorAction SilentlyContinue).KFMSilentOptIn

# Defender health (PowerShell) — all three should be True
Get-MpComputerStatus | fl AMServiceEnabled,AntispywareEnabled,RealTimeProtectionEnabled
7) Joiners – Movers – Leavers (JML)
Joiner
Zero-touch enrollment (Autopilot/ABM), device naming, baseline profile + apps, BitLocker/FileVault escrow verified.
Mover
Re-scope policies/roles; review group access; migrate data if device changes.
Leaver
Remote lock & wipe, collect hardware, revoke tokens, transfer cloud ownership, archive mailbox/Drive.
8) Day-1 handover checklist (print)
  1. MFA works (primary + backup factor).
  2. BitLocker/FileVault ON and escrowed.
  3. Defender/EDR healthy; ASR rules applied.
  4. Browser signed in; extensions synced; password manager active.
  5. OneDrive/Drive syncing Documents/Desktop; sample restore tested.
  6. Screen lock 5–10 min; device rename and inventory tag recorded.
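The printed list is the sign-off; the script below is an added example (not part of this checklist) that gathers the device-side evidence for items 2, 3, 5 and 6 in one object so the technician only has to tick the boxes that can't be checked locally (MFA and browser sign-in live in the identity provider). It assumes an elevated PowerShell on a Windows laptop with Defender; the `$RequiredAsr` table holds Microsoft's published rule IDs for the four section 4 rules (check them against the current ASR reference before relying on them), the `<ASSET-TAG>` placeholder and the `Get-Day1Handover` naming are this example's own, and the KFM test treats known folders that resolve under a OneDrive path as moved.

```powershell
# Added example (not part of the original checklist): local Day-1 handover evidence
# for a Windows laptop. Identity-side items (MFA, browser sign-in) are recorded as
# manual sign-offs because they are verified in Entra ID / Workspace, not on the device.

$RequiredAsr = @{   # Microsoft ASR rule IDs for the section 4 rules; verify against the ASR reference
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office apps from creating child processes'
    '92e97fa1-5d21-4c47-aa43-50fdf7f22bbf' = 'Block Win32 API calls from Office macros'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
}

function Get-AsrRuleState {
    # Returns rule GUID -> configured action (1 = Block, 2 = Audit, 6 = Warn); absent = Off.
    $pref  = Get-MpPreference
    $ids   = @($pref.AttackSurfaceReductionRules_Ids)
    $acts  = @($pref.AttackSurfaceReductionRules_Actions)
    $state = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) { $state[$ids[$i].ToLower()] = [int]$acts[$i] }
    return $state
}

function Test-KnownFolderMove {
    # Assumption: KFM is effective when Desktop and Documents resolve under a OneDrive path.
    $desktop = [Environment]::GetFolderPath('Desktop')
    $docs    = [Environment]::GetFolderPath('MyDocuments')
    return ($desktop -like '*OneDrive*') -and ($docs -like '*OneDrive*')
}

function Get-Day1Handover {
    param(
        [int]$MaxLockMinutes = 10,               # baseline: screen lock 5-10 min
        [string]$InventoryTag = '<ASSET-TAG>'    # placeholder: fill from your asset register
    )
    $mp  = Get-MpComputerStatus
    $asr = Get-AsrRuleState
    $missingAsr = @($RequiredAsr.Keys | Where-Object { $asr[$_] -ne 1 })   # not in Block mode

    # "Interactive logon: Machine inactivity limit" (seconds); 0 or absent means no enforced lock.
    $lockSecs = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                    -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    $lockOk = ($lockSecs -gt 0) -and ($lockSecs -le $MaxLockMinutes * 60)

    $bde = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

    [pscustomobject]@{
        '1 MFA (primary + backup)'      = 'manual: confirm in the identity provider sign-in logs'
        '2 BitLocker on + recovery pwd' = ($bde.ProtectionStatus -eq 'On') -and
                                          (@($bde.KeyProtector.KeyProtectorType) -contains 'RecoveryPassword')
        '2 Escrow confirmed'            = 'manual: key visible in Entra/MDM'
        '3 Defender healthy + tamper'   = [bool]($mp.AMServiceEnabled -and $mp.RealTimeProtectionEnabled -and $mp.IsTamperProtected)
        '3 ASR rules in Block mode'     = ($missingAsr.Count -eq 0)
        '3 ASR rules not blocking'      = @($missingAsr | ForEach-Object { $RequiredAsr[$_] })
        '4 Browser / password manager'  = 'manual: signed in, extensions synced'
        '5 OneDrive KFM active'         = Test-KnownFolderMove
        '6 Screen lock <= 10 min'       = $lockOk
        '6 Device name / tag'           = "$env:COMPUTERNAME / $InventoryTag"
    }
}

Get-Day1Handover | Format-List
```

Anything that comes back `False` is a build defect, not a user problem: fix it on the bench, re-run, and only then print the checklist for signature.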
Compliance dashboard

Track: Encryption 100%, MFA 100%, Patching ≥95%, EDR healthy ≥98%, Backups tested monthly. Review weekly; remediate exceptions within 2 business days.
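To make the weekly review mechanical, the script below (an added example, not part of this checklist) turns an MDM/Intune-style device export into the dashboard numbers and flags exceptions that have been open longer than 2 business days. The inventory is constructed sample data; the column names, the fixed "as of" date, and the definition of patch-compliant as critical-update age within 14 days (the end of the Broad ring) are this example's assumptions.

```powershell
# Added example (not part of the original checklist): compliance dashboard from a
# device inventory CSV. Sample data and column names are constructed.

$Now             = [datetime]'2025-11-08'   # fixed so the sample output is reproducible
$LastRestoreTest = [datetime]'2025-10-22'   # constructed: date of the last monthly restore test

$Inventory = @'
Device,Encrypted,MFA,CriticalPatchAgeDays,EdrHealthy,ExceptionOpened
WIN-0142,True,True,3,True,
WIN-0143,True,True,6,True,
WIN-0144,False,True,21,True,2025-11-03
MAC-0077,True,True,5,True,
MAC-0078,True,False,9,False,2025-11-06
MAC-0079,True,True,12,True,
'@ | ConvertFrom-Csv

function Get-BusinessDaysSince {
    # Counts Mon-Fri days strictly after $Since up to and including $Now (no holiday table).
    param([datetime]$Since, [datetime]$Now)
    $count = 0
    for ($d = $Since.Date.AddDays(1); $d -le $Now.Date; $d = $d.AddDays(1)) {
        if ($d.DayOfWeek -ne 'Saturday' -and $d.DayOfWeek -ne 'Sunday') { $count++ }
    }
    return $count
}

function Get-Median([int[]]$Values) {
    $s = @($Values | Sort-Object)
    $n = $s.Count
    $mid = [int][math]::Floor($n / 2)
    if ($n % 2) { return $s[$mid] }
    return ($s[$mid - 1] + $s[$mid]) / 2
}

function Get-ComplianceDashboard {
    param($Rows = $Inventory, [datetime]$AsOf = $Now, [datetime]$RestoreTested = $LastRestoreTest)
    $rows = @($Rows)
    $n    = $rows.Count
    $pct  = { param([int]$ok) [math]::Round(100 * $ok / $n, 1) }

    # Assumption: patch-compliant = critical update applied within the Broad ring (14 days).
    $patchOk = @($rows | Where-Object { [int]$_.CriticalPatchAgeDays -le 14 }).Count
    $ages    = @($rows | ForEach-Object { [int]$_.CriticalPatchAgeDays })

    # Exceptions must be remediated within 2 business days of being opened.
    $overdue = @($rows | Where-Object { $_.ExceptionOpened } | Where-Object {
        (Get-BusinessDaysSince -Since ([datetime]$_.ExceptionOpened) -Now $AsOf) -gt 2 })

    $dash = [pscustomobject]@{
        Devices               = $n
        'Encryption %'        = & $pct (@($rows | Where-Object Encrypted -eq 'True').Count)
        'MFA %'               = & $pct (@($rows | Where-Object MFA -eq 'True').Count)
        'Patching % (<=14d)'  = & $pct $patchOk
        'Median critical age' = Get-Median $ages
        'EDR healthy %'       = & $pct (@($rows | Where-Object EdrHealthy -eq 'True').Count)
        'Backup tested (31d)' = (($AsOf - $RestoreTested).TotalDays -le 31)
        'Overdue exceptions'  = @($overdue | ForEach-Object { $_.Device })
    }
    $dash | Add-Member -NotePropertyName 'Targets met' -NotePropertyValue (
        $dash.'Encryption %' -eq 100 -and $dash.'MFA %' -eq 100 -and
        $dash.'Patching % (<=14d)' -ge 95 -and $dash.'EDR healthy %' -ge 98 -and
        $dash.'Median critical age' -le 7 -and $dash.'Backup tested (31d)')
    return $dash
}

Get-ComplianceDashboard | Format-List
```

With the constructed rows, WIN-0144 is the only overdue exception (opened Monday 3 Nov, four business days before the Saturday "as of" date) while MAC-0078, opened on the Thursday, still has a day; every percentage sits at 83.3 and the median critical age is 7.5, so `Targets met` is `False` and the weekly review has a concrete list to work. Swap the here-string for `Import-Csv` over your real export and keep the thresholds as the page states them.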


Templates: add these controls to your MDM runbook and review quarterly.