Managed laptops for your whole team. Deployed in a day.

Encrypted, MFA-protected, and ready to roll out — without an MSP retainer or a two-week consultant project.

Get started → How it works

$3,000 one-time · no ongoing fees · complete-build guarantee

Live in your browser when you deploy

Baselines / Live deploy running 00:00

✓Creating Azure AD app registration00:01

✓Creating AutoPilot import script00:02

✓Deploying configuration policies00:04

✓Deploying AutoPilot deployment profile00:06

✓Deploying Windows Update policies00:08

✓Deploying app configuration00:10

✓Deploying compliance policies00:12

✓Deploying Conditional Access policies00:14

✓Deploying Windows LAPS00:16

✓Deploying ASR rules (audit mode)00:18

✓Deploying Firewall profile00:19

→Granting admin consent to importer00:21

✓All 14 steps land in your tenant~ 00:25

// every step is a Microsoft Graph call from your browser run a deploy →

§ 02 built by

Built by someone who's done this at scale.

Dylan Lang

Founder · The Galway Group

Senior Cloud Engineer with 10+ years operating Microsoft 365 and Azure at scale — 500+ subscriptions, 2,000+ VMs, and Intune across finance, healthcare, and government. The audit reference doc isn't optional in any of them.

View on LinkedIn

“I built Baselines because too many small teams were stuck choosing between an MSP retainer, weekends learning Intune, or leaving devices unmanaged. So I shipped what I wished I'd had — the deployment a senior Intune admin would build, ready in an afternoon.”

§ microsoft certifications

Endpoint Administrator · Intune

Associate

Azure Solutions Architect

Expert

Microsoft 365 Administrator

Expert

The Endpoint Administrator cert is for the exact stack Baselines deploys — Microsoft Intune.

§ 03 how it works

Five steps. One deployed, documented baseline.

As policies land in your tenant, they're written into the audit reference on the right — one document, every control, ready when your reviewer asks.

Sign in to verify your tenant

Read-only Microsoft sign-in to confirm Intune licensing before you pay.

Buy in the portal

Embedded Stripe checkout. Your order auto-links to your tenant.

Watch the live deployment

Sign in with full Intune scopes; the rollout runs in your browser with a checkmark per step. Every policy that lands is logged to your audit reference →

Admin consent — automatic

No second sign-in, no permissions pop-up. We grant it programmatically.

Hand off to your hardware vendors

Vendor handoff guide for Dell, HP, Lenovo, and Surface so future devices ship pre-registered.

Step 03 Output — audit reference document

Baselines — Deployment Reference v2.0

Document: Baselines Deployment Reference
Vendor: Baselines · The Galway Group, LLC
Audience: Tenant administrators & auditors

11. Conditional Access Policy

Display name: IOC - Require MFA - All Users
Excludes: Deploying admin (lockout-safe)
Mapped to: SOC 2 CC6.1 ISO 27001 A.9.4.2 CIS M365 1.1.1

8.2 BitLocker (Configuration Profile)

Display name: IOC - Bitlocker
Encryption: XTS-AES 256 · fixed + OS
Mapped to: SOC 2 CC6.7 ISO 27001 A.10.1.1

excerpt — sections 8 & 11 of 18 read full reference →

Every policy maps to a SOC 2 / ISO 27001 / CIS control. Hand it to your reviewer when audit season hits.

§ 04 also included

A complete jumpstart. Not just a deployment.

On Deploy

"Activate everything" switch

An optional toggle on the deploy page — off by default. Flip it on and your baseline goes live the moment the deploy completes.

MFA enforced for everyone except the deploying admin (lockout-safe)
Policies assigned, MDM auto-enroll on, AutoPilot dynamic group active

Post-Deploy

Hardware vendor handoff

A guided handoff so future hardware orders arrive pre-registered with AutoPilot — no manual hash imports, no chasing reps.

Walkthroughs for Dell, HP, Lenovo, reseller, and Surface
Tenant ID + primary domain auto-filled in a copy-paste email packet

§ 05 what you save

A typical Intune project vs. Baselines.

Otherwise: scope a 1–2 week consultant project ($7,500–$12,000) or learn Intune yourself over a couple of weekends. After that, an MSP retainer at $1,500–$3,500/mo for ongoing management — another cost you avoid here.

Phase / Task	MSP / DIY	Baselines
Discovery, scoping, & kickoff	~6 hr	Opinionated defaults
Azure AD app + AutoPilot hash-import script (the painful one)	~8 hr	Automatic
30+ Settings Catalog policies (security baseline)	~12 hr	Automatic
BitLocker, Defender, & compliance policies	~6 hr	Automatic
Conditional Access (Require MFA)	~3 hr	Automatic
Total (incl. testing + handover)	~59 hr / ≈ 1.5 weeks	< 5 min, live
Cost at typical rates	$7,500 – $12,000	$3,000

§ 06 frequently asked

Common questions.

Q.01 What licenses do I need? +

Microsoft Intune. It's bundled with M365 Business Premium, M365 E3 / E5, EMS E3 / E5, and is also available standalone. The deploy verifies you have an active Intune service plan before changing anything in your tenant.

Q.02 Will it overwrite my existing Intune setup? +

No. Every profile we create is checked by name first — if one with the same name already exists, we skip it. Your existing custom configurations are untouched.

Q.03 What if a step fails halfway through? +

Your purchase isn't burned — if anything fails, the order stays valid and you can retry. Steps already completed are detected and skipped. Our complete-build guarantee covers the rest: if the automated deploy can't land a configuration, we manually finish it at no extra cost.

Q.04 Do you keep access to my tenant? +

No. We never see your password, never store your access token beyond the deploy session, and have no recurring access. The Azure AD app we register lives in your tenant and you can revoke it at any time.

§ 07 working with a vcto?

Baselines is included with every vCTO plan.

Partner with The Galway Group and Baselines comes bundled — alongside bespoke Intune work, ongoing endpoint management, and device procurement through Dell, HP, and Lenovo.

See vCTO plans

§ Partner pricing

standalone $3,000

vCTO partner included · $0 extra

custom Intune at plan rate

device procurement Dell · HP · Lenovo

Average response time

Within one business day