What this SOP delivers
The goal is a repeatable, production-ready deployment that covers the full endpoint lifecycle: Provision → Secure → Monitor → Remediate → Maintain → Retire. This approach standardizes the native Microsoft stack:
- Microsoft Entra ID for identity-backed device trust
- Microsoft Intune for enrollment, compliance, configuration, patching, and application delivery
- Microsoft Defender for endpoint protection, detection, and response
- Windows Autopilot for modern provisioning (cloud-native and hybrid)
Audience & assumptions
This guide is written for mixed environments—SMBs and enterprises—where the desired end state is a single, cloud-first endpoint management and security platform. Variations are noted where licensing tier or scale materially affects available capabilities.
Licensing & cost considerations
Path A — SMB security stack (Microsoft 365 Business Premium)
- Up to 300 users
- Includes Intune, Defender for Business, Entra ID P1, and Autopilot
- Strong fit for organizations prioritizing security baseline + manageability
Path B — Enterprise security stack (Microsoft 365 E5 / EMS E5)
- Advanced EDR, remediation, device discovery
- Designed for regulated or high-risk environments
Deployment phases (high-level)
- Phase 0: Pre-flight checks
- Phase 1: Intune tenant foundations
- Phase 2: Windows Autopilot provisioning
- Phase 3: Update and patch strategy
- Phase 4: Application baseline
- Phase 5: Defender portal activation
- Phase 6: Defender + Intune integration
- Phase 7: Endpoint hardening controls
- Phase 8: Operational hygiene and validation
Phase 0 — Pre-flight checks
- Licenses assigned correctly
- Global Administrator access available for Defender activation
- Autopilot enrollment model selected (cloud or hybrid)
Phase 1 — Intune tenant foundations
MDM enrollment configuration
- MDM authority set to Microsoft Intune
- MDM scope set to All (or controlled enrollment group)
Scope tags and device filters
Create separation between corporate and personal devices early to avoid misapplication of encryption, compliance, and hardening policies.
Phase 2 — Windows Autopilot provisioning (cloud-native and hybrid)
Autopilot is the cleanest way to standardize provisioning, enforce enrollment, and ensure devices land in the correct management and security posture from first boot.
3.1 Cloud-native Autopilot (Entra ID joined)
Use this path for cloud-only environments.
- Create a dynamic device group:
  - Group name: AutoPilotDevices
  - Membership: Dynamic Device
  - Rule:
    (device.devicePhysicalIDs -any (_ -contains "[ZTDID]"))
- Create an Autopilot deployment profile:
  - Name: AutoPilot System Initiated
  - Convert all targeted devices to Autopilot: Yes
  - Deployment mode: Self-Deploying
  - Apply device name template: Yes
  - Assign: AutoPilotDevices
3.2 Hybrid Autopilot (Hybrid Entra joined + domain join)
Use this path when devices must be domain joined.
- Create a dynamic device group:
  - Group name: AutoPilotDomainDevices
  - Membership: Dynamic Device
  - Rule:
    (device.devicePhysicalIDs -any (_ -contains "[ZTDID]")) or (device.deviceTrustType -eq "ServerAD")
- Create an assigned group:
  - Group name: AutoPilotRemoteDevices
- Create Autopilot profile: AutoPilot Domain Join
  - Convert all targeted devices: Yes
  - Join as: Hybrid Entra Joined
  - Pre-provisioning: Enabled
  - Include: AutoPilotDomainDevices
  - Exclude: AutoPilotRemoteDevices
- Create Autopilot profile: AutoPilot Remote Users
  - Deployment mode: Self-Deploying
  - Include: AutoPilotRemoteDevices
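The three groups from 3.1 and 3.2 created with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original SOP. The group names and membership rules are the SOP's own; the mail nicknames, the Graph scope and the idempotency check are assumptions made for this example.

```powershell
# Added example (not from the original SOP): create the Autopilot device groups
# from sections 3.1 and 3.2 and confirm the dynamic rules were stored as written.
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Rules exactly as the SOP specifies; [ZTDID] marks Autopilot-registered hardware.
$dynamicGroups = @(
    @{ Name = "AutoPilotDevices"
       Rule = '(device.devicePhysicalIDs -any (_ -contains "[ZTDID]"))' },
    @{ Name = "AutoPilotDomainDevices"
       Rule = '(device.devicePhysicalIDs -any (_ -contains "[ZTDID]")) or (device.deviceTrustType -eq "ServerAD")' }
)

foreach ($g in $dynamicGroups) {
    # Idempotent: reuse a group with the same display name rather than creating a duplicate.
    if (Get-MgGroup -Filter "displayName eq '$($g.Name)'") {
        Write-Host "Exists: $($g.Name)"; continue
    }
    New-MgGroup -DisplayName $g.Name -MailEnabled:$false -SecurityEnabled:$true `
        -MailNickname $g.Name.ToLower() `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule $g.Rule -MembershipRuleProcessingState "On" | Out-Null
    Write-Host "Created dynamic group: $($g.Name)"
}

# Assigned (static) group used as the exclusion set for the Domain Join profile.
if (-not (Get-MgGroup -Filter "displayName eq 'AutoPilotRemoteDevices'")) {
    New-MgGroup -DisplayName "AutoPilotRemoteDevices" -MailEnabled:$false `
        -SecurityEnabled:$true -MailNickname "autopilotremotedevices" | Out-Null
    Write-Host "Created assigned group: AutoPilotRemoteDevices"
}

# Validation: every AutoPilot* group should show its rule and ProcessingState = On
# (the assigned group has neither, which is expected).
Get-MgGroup -Filter "startsWith(displayName,'AutoPilot')" `
    -Property DisplayName,MembershipRule,MembershipRuleProcessingState |
    Select-Object DisplayName, MembershipRuleProcessingState, MembershipRule |
    Format-Table -AutoSize
```

Dynamic membership is evaluated asynchronously, so newly registered Autopilot hardware can take several minutes to appear in the group before a profile is applied.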
3.3 Hybrid-only: Domain Join and Connector
- Install Intune Connector on Server 2019+
- Create dedicated Autopilot OU
- Delegate control of that OU to the connector server
- Deploy Domain Join configuration profile
Phase 3 — Patch and update strategy
Windows Autopatch
Preferred servicing model where licensing permits. Enables Microsoft-managed update rings with minimal administrative overhead.
Update Rings
Fallback model using Intune update rings and exemption groups.
Phase 4 — Application baseline
- M365 Apps for enterprise productivity
- Company Portal for visibility and self-service
Phase 5 — Defender portal activation
- Activate Defender portal
- Enable advanced endpoint features
- Configure standardized alerting rules
Phase 6 — Defender + Intune integration
Integrating Defender with Intune enables security posture to drive compliance and remediation. Devices are onboarded via Intune policies and assessed continuously by Defender.
- Defender Antivirus baseline
- Endpoint Detection & Response onboarding
- Risk-based compliance evaluation
- Attack Surface Reduction (audit-first)
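One way to make Defender's risk assessment drive compliance, as described above, is a Windows compliance policy whose "device threat protection" setting reads the Defender for Endpoint risk level. This is an added example, not the SOP's own configuration; the policy name, the "low" threshold, the baseline settings included, the target group and the Graph scopes are assumptions, and it presumes the Defender for Endpoint connector is already enabled in Intune.

```powershell
# Added example (not from the original SOP): a Windows compliance policy that marks a
# device non-compliant when Defender for Endpoint reports its risk above "low".
Import-Module Microsoft.Graph.DeviceManagement, Microsoft.Graph.Groups
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All","Group.Read.All"

$policy = @{
    "@odata.type"                               = "#microsoft.graph.windows10CompliancePolicy"
    displayName                                 = "Windows - Defender risk-based compliance"  # assumed name
    description                                 = "Device must be at or below Low risk in Defender for Endpoint"
    # The Defender integration: Intune reads the machine risk score reported by Defender.
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = "low"     # allowed: secured, low, medium, high
    # Hygiene checks that align with the Phase 7 controls (assumed selection).
    bitLockerEnabled                            = $true
    secureBootEnabled                           = $true
    activeFirewallRequired                      = $true
    antivirusRequired                           = $true
    # Graph requires at least one scheduled action; block immediately with no grace period.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0 }
            )
        }
    )
}

$created = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $policy
Write-Host "Created compliance policy $($created.Id): $($created.DisplayName)"

# Assign to the SOP's AutoPilotDevices group (assumed target) via the /assign action.
$groupId = (Get-MgGroup -Filter "displayName eq 'AutoPilotDevices'").Id
$assignBody = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                       groupId       = $groupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.Id)/assign" `
    -Body $assignBody | Out-Null
Write-Host "Assigned to group AutoPilotDevices ($groupId)"
```

Because a device that Defender has not yet onboarded reports an "unavailable" risk level, pair this policy with the EDR onboarding profile above so new endpoints are not blocked before Defender has assessed them.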
Phase 7 — Endpoint hardening controls
- BitLocker: enforce encryption with key escrow
- OneDrive KFM: protect and recover user data
- LAPS: eliminate standing local admin passwords
Phase 8 — Operational hygiene and validation
- Device cleanup for stale endpoints
- Enrollment, compliance, and Defender validation
- Patch compliance and alert monitoring
Common pitfalls avoided
- Incorrect MDM authority
- ASR disruption (audit-first rollout)
- Hybrid Autopilot OU or connector misconfiguration
Closing guidance
A native Microsoft deployment reduces tooling sprawl, accelerates provisioning, and improves security posture without introducing unnecessary complexity. This SOP provides a foundation that scales with organizational maturity.