All managed endpoints are Windows 11 Pro, Entra ID joined, Intune enrolled, and licensed under Microsoft 365 Business Premium. No on-prem AD. No hybrid join. No BYOD. No unmanaged production Windows endpoints.
Fleet Overview
| Metric | Value |
| --- | --- |
| Managed endpoints | 39 Windows 11 Pro |
| MDM authority | Microsoft Intune (sole) |
| Enrollment method | Autopilot + Entra ID join |
| Sites | 6 (DE, NY, PR) |
| BYOD | None |
| Unmanaged production endpoints | None |
Device Lifecycle Pipeline
Autopilot → Entra ID Join → Intune Enrollment → Config Profiles → Security Baselines → Compliance Enforcement
- Autopilot deployment profiles configured per site
- Entra ID joined at enrollment — no domain join, no hybrid
- Configuration profiles applied at enrollment: BitLocker, firewall, update rings, app deployment
- Microsoft security baseline for Windows 11 deployed via Intune
- Compliance policies evaluated at each Intune check-in; a non-compliant device gets a grace period, is then marked non-compliant, and is blocked from tenant resources (the block itself is enforced by Conditional Access on the device compliance signal, not by Intune alone)
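The pipeline above describes the state every endpoint should be in after enrollment. The following script, added here as an example and not part of the original page or of any Intune artifact, checks that state on a single device: Entra ID joined without domain/hybrid join, MDM-enrolled against Intune, BitLocker on the OS volume with a TPM protector and recovery password, and Windows Firewall enabled on all three profiles. It assumes the in-box `BitLocker` and `NetSecurity` modules, the current `Key : Value` output format of `dsregcmd /status`, and an elevated session; the `Test-EndpointBaseline` and `Get-DsregState` function names are this example's own.

```powershell
# Added example: validate post-enrollment endpoint state (run elevated).
# Assumptions: in-box BitLocker/NetSecurity modules; dsregcmd "Key : Value" output.

function Get-DsregState {
    # Parse "Key : Value" lines from dsregcmd /status into a hashtable.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-EndpointBaseline {
    $findings = New-Object System.Collections.Generic.List[object]
    # Nested helper; $findings is visible here through PowerShell's dynamic scoping.
    function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # 1. Join state: Entra ID joined, NOT domain joined (hybrid shows both as YES),
    #    and an MDM enrollment URL pointing at Intune.
    $ds = Get-DsregState
    Add-Finding 'Entra ID joined'          ($ds['AzureAdJoined'] -eq 'YES') "AzureAdJoined=$($ds['AzureAdJoined'])"
    Add-Finding 'Not domain/hybrid joined' ($ds['DomainJoined'] -eq 'NO')   "DomainJoined=$($ds['DomainJoined'])"
    Add-Finding 'Intune MDM enrolled'      ($ds['MdmUrl'] -like '*manage.microsoft.com*') "MdmUrl=$($ds['MdmUrl'])"

    # 2. BitLocker on the OS volume: protection on, TPM-backed, recovery password present
    #    (the recovery password is what Intune escrows to Entra ID).
    $os    = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($os.KeyProtector.KeyProtectorType)
    Add-Finding 'BitLocker protection on'       ($os.ProtectionStatus -eq 'On')     "ProtectionStatus=$($os.ProtectionStatus), VolumeStatus=$($os.VolumeStatus)"
    Add-Finding 'BitLocker TPM protector'       ($types -contains 'Tpm')            "KeyProtectors=$($types -join ',')"
    Add-Finding 'BitLocker recovery password'   ($types -contains 'RecoveryPassword') "KeyProtectors=$($types -join ',')"

    # 3. Firewall enabled on Domain, Private and Public with inbound default not Allow.
    foreach ($p in Get-NetFirewallProfile) {
        Add-Finding "Firewall $($p.Name) profile" ($p.Enabled -and $p.DefaultInboundAction -ne 'Allow') "Enabled=$($p.Enabled), DefaultInbound=$($p.DefaultInboundAction)"
    }

    return $findings
}

$results = Test-EndpointBaseline
$results | Format-Table Check, Pass, Detail -AutoSize
# Non-zero exit lets this run as an Intune remediation/detection script or from a pipeline.
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

The checks mirror the policy list rather than Intune's own compliance report; the point is to catch a device whose Intune status says "compliant" while the local state has drifted (a third-party tool turning off a firewall profile, a suspended BitLocker volume after a firmware update).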
Defender for Business
- EDR in block mode enabled, so post-breach EDR detections are remediated rather than only reported. Caveat: this setting only changes behaviour when Microsoft Defender Antivirus is in passive mode behind a third-party AV; with Defender AV as the active engine, as here, it is a fallback layer and real-time protection remains the primary blocker
- Tamper protection enabled — prevents endpoint security from being disabled
- Attack Surface Reduction (ASR) rules deployed via Intune policy
- Real-time protection, cloud-delivered protection, PUA blocking enforced
- Defender onboarding validated across all 39 endpoints
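"Validated" should mean more than a green tile in the portal. The script below, added here as an example and not part of the original page or of the deployment it describes, reads the local Defender state on one endpoint and checks each claim in the list above: AV running as the active engine (not passive), real-time and cloud-delivered protection on, PUA set to block, tamper protection on, the Sense service running with the documented `OnboardingState` registry value set, and every configured ASR rule in Block rather than Audit. It assumes the in-box `Get-MpComputerStatus`/`Get-MpPreference` cmdlets and an elevated session. The `$AsrNames` table is a hand-typed subset of Microsoft's published ASR rule IDs kept here only for readable output; confirm it against the current published list, and treat `Test-DefenderPosture` as this example's own name.

```powershell
# Added example: check local Defender for Business posture on one endpoint (run elevated).
# Assumptions: in-box Defender cmdlets; OnboardingState registry value as documented by Microsoft.

# Hand-maintained subset of published ASR rule IDs, for readable output only.
# Any rule ID not in this map is printed as its GUID.
$AsrNames = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office apps from creating child processes'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office apps from injecting code into other processes'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations from PSExec and WMI commands'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}
# ASR action codes as exposed by Get-MpPreference.
$AsrActions = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Test-DefenderPosture {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # AMRunningMode 'Normal' means Defender AV is the active engine. 'Passive Mode' or
    # 'EDR Block Mode' would mean a third-party AV is primary and EDR block mode is doing the work.
    Add-Finding 'Defender AV active (Normal mode)' ($status.AMRunningMode -eq 'Normal') "AMRunningMode=$($status.AMRunningMode)"
    Add-Finding 'Real-time protection'            $status.RealTimeProtectionEnabled    "RealTimeProtectionEnabled=$($status.RealTimeProtectionEnabled)"
    Add-Finding 'Tamper protection'               $status.IsTamperProtected            "IsTamperProtected=$($status.IsTamperProtected)"
    # MAPSReporting: 0=off, 1=basic, 2=advanced.  PUAProtection: 0=off, 1=block, 2=audit.
    Add-Finding 'Cloud-delivered protection'      ($pref.MAPSReporting -ge 1)          "MAPSReporting=$($pref.MAPSReporting)"
    Add-Finding 'PUA blocking (not audit)'        ($pref.PUAProtection -eq 1)          "PUAProtection=$($pref.PUAProtection)"

    # Onboarding: the Sense (EDR sensor) service is running and OnboardingState = 1.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $onb   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
                              -Name OnboardingState -ErrorAction SilentlyContinue
    Add-Finding 'Sense service running' ($null -ne $sense -and $sense.Status -eq 'Running') "Status=$($sense.Status)"
    Add-Finding 'EDR onboarded'         ($onb.OnboardingState -eq 1)                       "OnboardingState=$($onb.OnboardingState)"

    # ASR: at least one rule configured, and every configured rule in Block (1).
    # A rule left in Audit (2) logs but does not stop the behaviour.
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    Add-Finding 'ASR rules configured' ($ids.Count -gt 0) "Rules=$($ids.Count)"
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $id   = $ids[$i].ToLower()
        $name = if ($AsrNames.ContainsKey($id)) { $AsrNames[$id] } else { $id }
        $act  = [int]$acts[$i]
        Add-Finding "ASR: $name" ($act -eq 1) "Action=$($AsrActions[$act])"
    }

    return $findings
}

$results = Test-DefenderPosture
$results | Format-Table Check, Pass, Detail -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Run it across the fleet through Intune's script deployment or a remediation package and collect the exit code; a device that onboarded cleanly but later lost a profile assignment will show up here before it shows up in an incident.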