What's Included | Baselines

Stage 1 — Deployed in under 5 minutes

What lands in your tenant on every deploy

These artifacts are created in your tenant on every Baselines purchase, regardless of whether you toggle the optional auto-activate.

AutoPilot & Hash Importer

Devices › Windows › Enrollment

AutoPilot deployment profile (single-user, admin) with auto-hash extraction
"AUTO-%SERIAL%" device naming template
Skipped EULA, hidden privacy & account-change OOBE pages
Hash importer PowerShell script deployed enterprise-wide
Dedicated Azure AD app registration for the importer (admin consent granted automatically)

Conditional Access — Require MFA

Entra ID › Protection › Conditional Access

Single CA policy: Require multi-factor auth on all cloud apps
Created enabled but unassigned by default (you choose who it applies to)
Optional auto-assign sets it to All Users except the deploying admin (lockout-safe)

Device Compliance Policy

Devices › Compliance

To be compliant, devices must:

Be BitLocker-encrypted
Have Defender Antivirus enabled
Have Windows Firewall on
Have a usable TPM 2.0
Use a complex password

If non-compliant:

Marked non-compliant immediately
Auto-retired from Intune after 45 days

7 Configuration Profiles

Devices › Configuration

BitLocker — XTS-AES 256-bit, recovery keys escrowed to Entra ID
Defender — Antivirus, SmartScreen, network & email protection
Edge — Force sign-in, hide first-run, managed favorites
OneDrive — Silent account config, Known Folder Move enabled
Forced Passwords — Complex local password policy
Bloat Removal — Strips Candy Crush, ad placements, consumer cloud features
Dock Settings — Lid-closed power policy for docking-station use

Microsoft 365 Apps

Apps › Windows

M365 Apps for Enterprise (Click-to-Run, x64, Current Channel)
Auto-accept EULA, uninstall older Office versions
Excludes Skype for Business, InfoPath, SharePoint Designer, Groove
Default file format: Open Document

Windows Update for Business

Devices › Windows › Update rings

Auto install & reboot, no end-user pause
Quality updates: 3-day defer, 2-day deadline
Feature updates: 60-day defer, 7-day deadline, 7-day rollback window
Drivers managed by Windows Update

Windows LAPS

Devices › Configuration › IOC - Windows LAPS

Local admin password rotated every 30 days
Escrowed to Entra ID (retrievable by Cloud Device Admin)
14-character complex passwords (upper + lower + digits + specials)
Reset + log off after authentication (24h max)
Closes the static-shared-local-admin SOC 2 finding

Defender ASR Rules (14, audit mode)

Devices › Configuration › IOC - ASR Rules (Audit)

14 ASR rules covering credential theft, Office macro abuse, JS/VB drop, USB threats, ransomware, exploited drivers
Deployed in audit mode — Defender logs activity without blocking
Promote rules to block individually after 30 days of clean audit data
Aligned with CIS Microsoft 365 §8 Endpoint Protection

Defender Firewall (3 profiles)

Devices › Configuration › IOC - Firewall Profile

Domain, Private, and Public profiles all enabled
Default-deny inbound traffic across all three profiles
Default-allow outbound
Pairs with the compliance policy that requires the firewall be active

Stage 2 — Optional one-click activation

"Activate everything immediately"

A single opt-in checkbox on the deploy page. Off by default. Flip it on and the deployment also wires up these tenant-wide settings before redeeming the order.

Profile assignment

All 7 configuration policies → All Devices
Compliance policy → All Devices
Windows Update rings → All Devices
M365 Apps → All Licensed Users (intent: required)
Conditional Access MFA → All Users except deploying admin

Tenant-wide auto-enroll

Entra ID MDM mobility policy → All Users (devices auto-enroll on work-account sign-in)
Dynamic Entra group "IOC - Windows Devices (Dynamic)" containing every Windows device
AutoPilot deployment profile assigned to that group → any Windows device that enrolls auto-converts to AutoPilot

Auto-assign requires Entra ID Premium P1 (bundled with M365 Business Premium and all M365 Enterprise SKUs).

Stage 3 — Hardware vendor handoff

Future hardware, pre-registered

After deployment, your confirmation page links to a guided handoff for every major OEM. Set up each vendor once and every future order ships pre-registered with AutoPilot.

Walkthroughs included for

Dell — TechDirect, named rep, reseller channel
HP — TechPulse / HP Connect, named rep, reseller channel
Lenovo — Customer ID + rep, reseller, Lenovo Cloud Deploy
Reseller-first option (CDW, Insight, SHI, Connection)
Microsoft Surface (CSP-channel guidance)

Each vendor has multiple paths (self-service, account rep, reseller, troubleshooting) so you can route around portal changes and account quirks.

Saveable, vendor-agnostic

Tenant ID and primary domain pre-filled with copy-buttons
Universal handoff packet — copy-paste email that works for any vendor
Print to PDF for offline reference
Bookmark-friendly URL with your tenant info baked in

Vendor calls rarely happen the same day. The page is designed to be revisited.

Things to know

Profiles deploy unassigned by default

Designed so you can review every policy before applying it. Auto-assign is one explicit checkbox away.

Built for cloud-only Windows fleets

Entra-joined / cloud-only environments. Hybrid Azure AD join and non-Windows platforms are out of scope.

Retry-safe redemption

Your order is only marked redeemed after a fully-successful deploy. Failures don't burn the order.

Complete-build guarantee

You always end up with the full environment. If our automated deploy doesn't land every configuration, we'll manually build out the rest ourselves at no extra cost.

Need every detail for an audit?

This brochure is the customer-friendly view. For a full compliance reference with every setting, framework mapping (CIS / NIST CSF / SOC 2), and verification procedures, open the Audit Reference Document.

A complete inventory of what gets deployed.