§ reference document · v1.4

Baselines — Deployment Reference

A complete, audit-ready inventory of everything created in your tenant when you deploy Baselines.

Document title: Baselines Deployment Reference
Document version: 2.0 — November 2025
Vendor: The Galway Group, LLC
Product: Baselines — one-time Intune Jumpstart for small teams
Audience: Tenant administrators, security officers, internal auditors, MSP partners
Scope: All artifacts created in the customer's Microsoft 365 / Entra ID / Intune tenant by the deployment
Purpose: Inventory and reference for compliance reviews, change-management records, and security audits
Support: hello@galway.group · baselines.cloud

1. Executive Summary

Baselines deploys a complete Microsoft Intune endpoint-management baseline to a customer's tenant in under 5 minutes. The deployment is performed entirely through delegated Microsoft Graph API calls authenticated as an admin from the customer's tenant; no Galway Group account, agent, or persistent connection is created. After the deployment completes, The Galway Group has no continued access to the tenant.

This document inventories every object created or modified by the deployment and is intended to support compliance reviews, audit evidence collection, and internal change-management processes. Each section identifies the artifact by its display name and Microsoft Graph resource type, lists the configured properties, names the location in the Intune / Entra admin centers, and (where applicable) maps the controls implemented to the CIS Microsoft 365 Benchmark and NIST Cybersecurity Framework subcategories.

Default deployment posture: All Intune profiles and policies are deployed unassigned by default so the customer can review and pilot before enforcement. An optional opt-in toggle on the deploy page assigns every applicable policy to All Users / All Devices and enables MDM auto-enrollment tenant-wide; the affected sections are flagged below.

2. Required Licensing & Administrative Roles

Tenant licensing

The deployment requires an active Microsoft Intune service plan in the tenant. Intune is bundled in the following Microsoft SKUs:

SKU | Includes Intune | Includes Entra ID Premium P1 (required for dynamic group, opt-in only)
Microsoft 365 Business Premium | Yes | Yes
Microsoft 365 E3 / E5 | Yes | Yes
Microsoft 365 F1 / F3 | Yes | Yes
Enterprise Mobility + Security E3 / E5 | Yes | Yes
Microsoft Intune (Standalone) | Yes | No (must be added)

Administrative role required to deploy

The signed-in account performing the deployment must hold one of the following Entra ID directory roles:

  • Global Administrator, or
  • Intune Administrator AND Application Administrator AND Cloud Application Administrator (combined)

The optional auto-assign features additionally require Privileged Role Administrator or Global Administrator to grant admin consent on the importer app's permissions and modify the tenant-level mobility policy.

3. OAuth Scopes Requested by the Deploy

The Galway Group's Baselines multi-tenant Azure AD application requests the following delegated Microsoft Graph permissions during sign-in. Each scope is listed with its purpose so reviewers can confirm the deployment uses the minimum permissions required for its function.

Scope | Type | Purpose
User.Read | Delegated | Read the signed-in user's profile (used for self-exclusion in Conditional Access and tenant identification)
Application.ReadWrite.All | Delegated | Create the AutoPilot importer Azure AD app registration and its client secret
AppRoleAssignment.ReadWrite.All | Delegated | Programmatically grant admin consent to the importer app (replaces a second OAuth round-trip)
DeviceManagementConfiguration.ReadWrite.All | Delegated | Create Settings Catalog configuration policies
DeviceManagementServiceConfig.ReadWrite.All | Delegated | Create Windows Update for Business and AutoPilot deployment profiles
DeviceManagementServiceConfig.Read.All | Delegated | Read existing Intune service configurations to detect and skip duplicates on retry
DeviceManagementApps.ReadWrite.All | Delegated | Create the Microsoft 365 Apps deployment
DeviceManagementScripts.ReadWrite.All | Delegated | Create the AutoPilot hash importer PowerShell script
Policy.ReadWrite.ConditionalAccess | Delegated | Create the Require MFA Conditional Access policy
Policy.Read.All | Delegated | Read existing Conditional Access policies to detect and skip duplicates
Policy.ReadWrite.MobilityManagement | Delegated | Set Entra ID's MDM mobility scope to All Users (opt-in only)
Group.ReadWrite.All | Delegated | Create the dynamic Windows-devices group for AutoPilot auto-assignment (opt-in only)
ManagedTenants.Read.All | Delegated | Multi-tenant context lookup

Token lifecycle: The access token is held in the customer's browser session for the duration of the deployment (typically under 5 minutes) and is discarded immediately after. The Galway Group's server never persists Microsoft access tokens.

4. Deployment Inventory (Quick Reference)

The following objects are created or modified in the customer's tenant. Names below are the literal display names used in Intune / Entra so an auditor can search for and verify each artifact.

# | Display name | Microsoft Graph resource type | Location in admin center
1 | Intune One-Click Importer | application | Entra ID › App registrations
2 | IOC - AutoPilot Importer | deviceManagementScript | Intune › Devices › Scripts and remediations
3 | IOC Standard AutoPilot | azureADWindowsAutopilotDeploymentProfile | Intune › Devices › Windows › Windows enrollment › Deployment profiles
4 | IOC - Edge | configurationPolicy (Settings Catalog) | Intune › Devices › Configuration
5 | IOC - Defender | configurationPolicy (Settings Catalog) | Intune › Devices › Configuration
6 | IOC - BitLocker Encryption | configurationPolicy (Settings Catalog) | Intune › Devices › Configuration
7 | IOC - Dock Settings | configurationPolicy (Settings Catalog) | Intune › Devices › Configuration
8 | IOC - OneDrive | configurationPolicy (Settings Catalog) | Intune › Devices › Configuration
9 | IOC - Windows Bloat Removal | configurationPolicy (Settings Catalog) | Intune › Devices › Configuration
10 | IOC - Forced Passwords | configurationPolicy (Settings Catalog) | Intune › Devices › Configuration
11 | IOC - Windows Compliance | windows10CompliancePolicy | Intune › Devices › Compliance
12 | IOC - Standard Update Rings | windowsUpdateForBusinessConfiguration | Intune › Devices › Windows › Update rings
13 | IOC - Microsoft 365 Apps | officeSuiteApp | Intune › Apps › Windows
14 | IOC - Require MFA | conditionalAccessPolicy | Entra ID › Protection › Conditional Access › Policies
15 | IOC - Windows LAPS | configurationPolicy (Settings Catalog) | Intune › Devices › Configuration
16 | IOC - ASR Rules (Audit) | configurationPolicy (Settings Catalog) | Intune › Devices › Configuration
17 | IOC - Firewall Profile | configurationPolicy (Settings Catalog) | Intune › Devices › Configuration
18 | IOC - Windows Devices (Dynamic) | group (dynamic, security) | Entra ID › Groups

Row 18 is created only if the customer enables the optional auto-assign toggle.

5. Azure AD Application — Intune One-Click Importer

Entra ID › App registrations › Intune One-Click Importer

An Azure AD application registration is created in the customer's tenant to provide the credentials the AutoPilot hash-importer script uses to authenticate to Microsoft Graph. This app is owned by the customer's tenant and is independent of The Galway Group's multi-tenant deploy app.

Property | Value
Display name | Intune One-Click Importer
Sign-in audience | Single tenant (customer's tenant only)
Redirect URI | https://baselines.cloud/portal/success
Required API permissions | Microsoft Graph: DeviceManagementServiceConfig.ReadWrite.All (Application); DeviceManagementManagedDevices.ReadWrite.All (Application)
Client secret | One client secret generated at deployment time. The secret value is embedded in the AutoPilot hash importer script (next section) and never transmitted off-tenant.
Admin consent | Granted programmatically during deploy via /servicePrincipals/{id}/appRoleAssignments

Auditor note: The required permissions are scoped to Intune service configuration and managed device data only. The app cannot read user mailboxes, files, calendars, or directory data. The client secret is generated by Microsoft Graph at app creation time; the deployment never sees a Galway-supplied secret.
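An added audit script for the app registration above (not part of the Baselines deploy or product code): it reads the registration by its display name, checks the sign-in audience and redirect URI, lists client secrets with their expiry, and compares the admin-consented Microsoft Graph application permissions against the two listed. It assumes the Microsoft.Graph PowerShell SDK and a reviewer role that can read applications (Application.Read.All); the Microsoft Graph resource appId is the well-known value.

```powershell
# Added example, not Baselines code. Audits the "Intune One-Click Importer" registration
# against Section 5. Assumes Microsoft.Graph SDK and Application.Read.All.
$AppDisplayName      = 'Intune One-Click Importer'
$ExpectedRedirectUri = 'https://baselines.cloud/portal/success'
$ExpectedPermissions = @(
    'DeviceManagementServiceConfig.ReadWrite.All',
    'DeviceManagementManagedDevices.ReadWrite.All'
)
$GraphResourceAppId  = '00000003-0000-0000-c000-000000000000'   # well-known Microsoft Graph appId

Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

# 1. Locate the registration by its literal display name (retries may leave duplicates).
$apps = @(Get-MgApplication -Filter "displayName eq '$AppDisplayName'")
if ($apps.Count -eq 0) { throw "App registration '$AppDisplayName' not found." }
if ($apps.Count -gt 1) { Write-Warning "$($apps.Count) registrations named '$AppDisplayName'; auditing the first." }
$app = $apps[0]

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding ($Check, $Value, $Pass) {
    $findings.Add([pscustomobject]@{ Check = $Check; Value = $Value; Pass = $Pass })
}

# 2. Single-tenant audience and the documented redirect URI.
Add-Finding 'Sign-in audience' $app.SignInAudience ($app.SignInAudience -eq 'AzureADMyOrg')
Add-Finding 'Redirect URIs' ($app.Web.RedirectUris -join ', ') ($app.Web.RedirectUris -contains $ExpectedRedirectUri)

# 3. Client secrets: one expected; expiry matters because the importer script depends on it.
Add-Finding 'Client secret count' $app.PasswordCredentials.Count ($app.PasswordCredentials.Count -eq 1)
foreach ($cred in $app.PasswordCredentials) {
    Add-Finding "Secret '$($cred.DisplayName)' expires" $cred.EndDateTime ($cred.EndDateTime -gt (Get-Date))
}

# 4. Resolve consented application permissions: appRoleAssignments on the app's service
#    principal reference Graph appRole IDs, which are mapped back to names via Graph's SP.
$sp      = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphResourceAppId'"
$roleNames = @{}
foreach ($role in $graphSp.AppRoles) { $roleNames[[string]$role.Id] = $role.Value }

$granted = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { $roleNames[[string]$_.AppRoleId] })

# 5. Anything beyond the two documented permissions is a least-privilege finding.
$extra   = @($granted | Where-Object { $_ -notin $ExpectedPermissions })
$missing = @($ExpectedPermissions | Where-Object { $_ -notin $granted })
Add-Finding 'Granted application permissions' ($granted -join ', ') ($extra.Count -eq 0 -and $missing.Count -eq 0)
if ($extra.Count)   { Write-Warning "Unexpected permissions granted: $($extra -join ', ')" }
if ($missing.Count) { Write-Warning "Documented permissions not granted: $($missing -join ', ')" }

$findings | Format-Table -AutoSize
```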

6. PowerShell Script — IOC AutoPilot Importer

Intune › Devices › Scripts and remediations › Platform scripts

Property | Value
Display name | IOC - AutoPilot Importer
Script source | The community-maintained Get-WindowsAutoPilotInfo.ps1 from the PowerShell Gallery, invoked with the importer app's tenantId / appId / appSecret to register the running device's hash with the tenant's AutoPilot service.
Run as | system (LocalSystem)
Signature check | Disabled (the script is dynamically generated per tenant)
File name | Import.ps1
Executes | Once per device on Intune enrollment
Network endpoints contacted | graph.microsoft.com, login.microsoftonline.com, www.powershellgallery.com

Data flow: The script reads the device's hardware hash (a Microsoft-defined identifier built from chassis serial, MAC, and TPM data) and POSTs it to graph.microsoft.com using the importer app's credentials. No data is sent to The Galway Group. The hash itself is the same identifier Microsoft would request if the device were registered manually via the Intune admin center.

7. Windows AutoPilot Deployment Profile

Intune › Devices › Windows › Windows enrollment › Deployment profiles

Property | Configured value
Display name | IOC Standard AutoPilot
Deployment mode | User-driven (single user)
Join type | Microsoft Entra ID joined
User account type | Administrator
Device name template | AUTO-%SERIAL%
Pre-provisioning (white-glove) allowed | Yes
Hardware hash extraction | Enabled — devices in the assigned group auto-register as AutoPilot devices on next check-in
OOBE settings | Skip EULA · Hide privacy settings · Hide change account options · Skip keyboard selection
Locale | OS default

8. Configuration Profiles (Settings Catalog)

Intune › Devices › Configuration

Seven Windows-platform Settings Catalog configuration policies, all using MDM technology, are described in this section; the Windows LAPS, ASR Rules and Firewall Profile policies are also Settings Catalog policies but are covered in sections 13, 14 and 15. Each policy is purpose-scoped so individual settings can be toggled or reverted without affecting unrelated controls.

IOC - BitLocker Encryption

Controls: CIS L1 1.1 · NIST PR.DS-1 · SOC 2 CC6.1

Enforces BitLocker on the operating system drive with cloud-backed recovery keys.

  • Encryption method: XTS-AES 256-bit (OS drive, fixed drives, removable drives)
  • Recovery key escrow: Microsoft Entra ID (BitLocker recovery keys auto-uploaded to the device's Entra object)
  • Pre-boot authentication: TPM with PIN / password fallback as available
  • Allow standard users to enable: enabled (silent enablement)

IOC - Defender

Controls: CIS L1 8.x · NIST DE.CM-4 / PR.PT-1

Enables and enforces Microsoft Defender Antivirus best-practice settings so the user does not see Defender warnings or have the option to disable protection.

  • SmartScreen for Windows Explorer: Enabled, action: Warn
  • Archive scanning, behavior monitoring, cloud-delivered protection: Enabled
  • Removable drive scanning during full scan: Enabled
  • Email scanning, IOAV (downloaded files), real-time monitoring: Enabled
  • Network protection & reputation-based protection: Enabled (Block)
  • Tamper protection: Enabled

IOC - Edge

Controls: CIS L1 (Edge profile)

Configures Microsoft Edge for managed-browser experience and skips first-run prompts.

  • Browser sign-in: Force sign-in with Entra ID account
  • Force profile sync: Enabled
  • Hide first-run experience: Enabled (per-device and per-user)
  • Non-removable profile: Enabled (signed-in profile cannot be removed)
  • Managed favorites: pre-loaded with a "Quick Links" folder containing a TGG support link

IOC - Forced Passwords

Controls: CIS L1 1.1.1 · NIST PR.AC-1

Enforces complex local password requirements on enrolled devices (independent of Entra ID password policy, which governs cloud accounts).

  • Require complexity (alphanumeric + special character)
  • Minimum length, history, and maximum age aligned with CIS Microsoft 365 Foundations Benchmark Level 1

IOC - OneDrive

Controls: CIS L1 (OneDrive) · NIST PR.IP-4

Configures OneDrive Known Folder Move and silent sign-in so user data is automatically backed up to the customer's tenant.

  • Silent account configuration: Enabled
  • Known Folder Move (Desktop, Documents, Pictures): Enabled with silent redirection
  • Files On-Demand: Enabled

IOC - Windows Bloat Removal

Removes pre-installed consumer applications (Candy Crush, third-party games, ad placements) and disables consumer-experience cloud content.

  • Disable consumer features (Cloud Content)
  • Disable Windows Spotlight on lock screen
  • Pre-installed bloatware uninstall list applied at OOBE

IOC - Dock Settings

Power-management profile aligned with docking-station use: device stays active when lid is closed and connected to a dock; sleeps when undocked.

  • Lid close action (plugged in): Do nothing
  • Lid close action (battery): Sleep

9. Device Compliance Policy

Intune › Devices › Compliance

Setting | Configured value | Compliance impact
Display name | IOC - Windows Compliance
Platform | windows10 (Windows 10/11)
BitLocker enabled | Required | Drive must be BitLocker-protected
Storage encryption | Required | Disk-level encryption must be active
Active firewall | Required | Windows Firewall (or third-party equivalent) must be on
TPM | Required | Device must report a usable TPM 2.0 module
Antivirus | Required | An AV solution must be present and active
Anti-spyware | Required | Anti-spyware / anti-malware must be enabled
Defender enabled | Required | Microsoft Defender Antivirus must be enabled (if no third-party AV)
Password required type | Device default | Inherit from Windows password policy
Action — non-compliant (immediate) | Block | Device immediately marked non-compliant; loses access to CA-protected resources
Action — non-compliant (after 1080 hours = 45 days) | Retire | Device is auto-retired from Intune after 45 days non-compliant

10. Windows Update for Business

Intune › Devices › Windows › Update rings

Setting | Configured value
Display name | IOC - Standard Update Rings
Microsoft Update service allowed | Yes (drivers and OS updates from Microsoft Update)
Automatic update mode | Auto install and reboot without end-user control
Quality update deferral | 3 days
Quality update deadline | 2 days (with 4-day grace period)
Feature update deferral | 60 days
Feature update deadline | 7 days
Feature update rollback window | 7 days
Drivers excluded | No (drivers managed by Windows Update)
Allow Windows 11 upgrade | No (manual control)
User pause access | Disabled
User Windows Update scan access | Enabled (visibility only)

Audit framing: CIS Microsoft 365 Foundations Benchmark §1.5 and NIST CSF subcategory PR.IP-12 require timely application of vendor security updates. The combined 3-day quality-update deferral plus 2-day deadline ensures critical updates apply within ~5 days of Microsoft release.

11. M365 Apps Deployment

Intune › Apps › Windows

Setting | Configured value
Display name | IOC - Microsoft 365 Apps
Office Suite type | officeSuiteApp (Click-to-Run)
Architecture | x64
Update channel | Current Channel
Default file format | OfficeOpenDocumentFormat
Auto-accept EULA | Yes
Uninstall older versions of Office | Yes
Shared computer activation | No
Excluded apps | Skype for Business · InfoPath · SharePoint Designer · Groove (OneDrive for Business old client)
Product | o365ProPlusRetail (M365 Apps for Enterprise)

12. Conditional Access Policy

Entra ID › Protection › Conditional Access › Policies

Setting | Configured value
Display name | IOC - Require MFA
State | Enabled
Assignment — Users (default) | None (policy is enabled but not enforcing until reviewed)
Assignment — Users (auto-assign opt-in) | All Users, excluding the deploying admin's user object ID
Assignment — Cloud apps | All cloud apps
Assignment — Conditions | Client app types: All
Grant control | Require multi-factor authentication (single-factor AND mfa)

Lockout-prevention safeguard: When the auto-assign toggle is on, the deploying admin is added to excludeUsers automatically so a misconfigured MFA registration cannot lock them out of their own tenant. Reviewers may want to add additional break-glass / emergency-access accounts to the exclude list before the policy is broadened in production.
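An added script for the break-glass step just described (not part of the Baselines deploy or product code): it resolves the "IOC - Require MFA" policy by display name, merges the supplied emergency-access accounts into the existing excludeUsers list (so the deploying admin's self-exclusion is preserved), and PATCHes the complete conditions object back. It assumes the Microsoft.Graph PowerShell SDK and a role that can edit Conditional Access policies; the two break-glass UPNs are placeholders.

```powershell
# Added example, not Baselines code. Appends break-glass accounts to the excludeUsers list
# of the Section 12 policy. Assumes Microsoft.Graph SDK; the UPNs below are placeholders.
$PolicyName     = 'IOC - Require MFA'
$BreakGlassUpns = @('breakglass1@contoso.example', 'breakglass2@contoso.example')   # placeholders

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All' -NoWelcome
$base = 'https://graph.microsoft.com/v1.0'

# Strip null-valued keys (recursively) so the object read from Graph can be sent back as-is.
function Remove-NullKeys ([hashtable]$Table) {
    foreach ($k in @($Table.Keys)) {
        if ($null -eq $Table[$k])            { $Table.Remove($k) }
        elseif ($Table[$k] -is [hashtable]) { Remove-NullKeys $Table[$k] }
    }
}

# 1. Resolve the policy by its literal display name; refuse to guess if it is ambiguous.
$found = @((Invoke-MgGraphRequest -Method GET `
    -Uri "$base/identity/conditionalAccess/policies?`$filter=displayName eq '$PolicyName'").value)
if ($found.Count -ne 1) { throw "Expected exactly one policy named '$PolicyName', found $($found.Count)." }
$policy = $found[0]

# 2. excludeUsers holds user object IDs, not names, so resolve each UPN first.
$ids = @(foreach ($upn in $BreakGlassUpns) {
    (Invoke-MgGraphRequest -Method GET -Uri "$base/users/${upn}?`$select=id").id
})

# 3. Merge with the current exclusions instead of replacing them.
$current = @($policy.conditions.users.excludeUsers)
$merged  = @($current + $ids | Select-Object -Unique)
if ($merged.Count -eq $current.Count) { Write-Host 'All break-glass accounts are already excluded.'; return }

# 4. Send the whole conditions object back, not a fragment, so no other condition is dropped.
$conditions = $policy.conditions
$conditions.users.excludeUsers = $merged
Remove-NullKeys $conditions
Invoke-MgGraphRequest -Method PATCH -Uri "$base/identity/conditionalAccess/policies/$($policy.id)" `
    -Body @{ conditions = $conditions } -ContentType 'application/json'

# 5. Read back the effective exclusion list for the change record.
(Invoke-MgGraphRequest -Method GET -Uri "$base/identity/conditionalAccess/policies/$($policy.id)").conditions.users.excludeUsers
```

Re-run the read-back step after any later edit in the portal, since the admin center can rewrite the exclusion list without warning.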

13. Windows LAPS (Local Administrator Password Solution)

Intune › Devices › Configuration › IOC - Windows LAPS

Native Windows LAPS rotates the local administrator password on a configurable schedule and escrows the new password to Entra ID, where retrieval is gated by Entra role-based access. This removes the all-too-common SOC 2 finding of static, shared local admin passwords across a fleet. It requires Windows 10 22H2 or Windows 11.

Setting | Configured value | Why
Backup directory | Entra ID | Passwords escrowed to Entra; visible to Entra admins via the Devices blade
Password age (days) | 30 | SOC 2-friendly rotation cadence
Password length | 14 characters | Common SOC 2 / NIST minimum for privileged credentials
Password complexity | Upper + lower + digits + specials | Highest available complexity tier
Post-authentication actions | Reset password and log off (after 24h) | Limits credential blast radius if a session is captured

Auditor view: the rotated password for any device is retrievable in Entra ID › Devices › All devices › {device} › Local administrator password recovery. Read access requires the Cloud Device Administrator Entra role or higher; reads are logged in the Entra audit log under the Recover device local administrator password activity.

14. Defender Attack Surface Reduction (ASR) Rules

Intune › Devices › Configuration › IOC - ASR Rules (Audit)

Fourteen Defender ASR rules are deployed in Audit mode. Audit mode generates Defender events without enforcing the block, allowing the customer to review activity and any false positives in their environment for roughly 30 days before promoting individual rules to Block mode.

# | Rule | Mode
1 | Block executable content from email client and webmail | Audit
2 | Block all Office applications from creating child processes | Audit
3 | Block credential stealing from the Windows local security authority subsystem (lsass.exe) | Audit
4 | Block untrusted and unsigned processes that run from USB | Audit
5 | Block JavaScript or VBScript from launching downloaded executable content | Audit
6 | Block execution of potentially obfuscated scripts | Audit
7 | Block Adobe Reader from creating child processes | Audit
8 | Block Office communication application from creating child processes | Audit
9 | Block persistence through WMI event subscription | Audit
10 | Block Win32 API calls from Office macros | Audit
11 | Block Office applications from creating executable content | Audit
12 | Block Office applications from injecting code into other processes | Audit
13 | Use advanced protection against ransomware | Audit
14 | Block abuse of exploited vulnerable signed drivers | Audit

The ruleset aligns with the CIS Microsoft 365 Benchmark §8 Endpoint Protection controls and Microsoft's published Defender ASR baseline. After the audit window, individual rules can be promoted to Block by editing the policy in Intune (toggle the rule from Audit to Block) — no redeploy required.

On-device verification: run Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions on a managed device. Action codes: 0 Off, 1 Block, 2 Audit, 6 Warn. Audit-mode events are surfaced in the Defender for Endpoint timeline and exportable from security.microsoft.com › Reports › Devices › Attack surface reduction.
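An added on-device check that builds on the Get-MpPreference command above (not part of the Baselines deploy or product code): it pairs each configured rule ID with its action, decodes the action codes listed above, flags rules that are Off or missing against the 14 expected, surfaces any ASR-only exclusions, and pulls the last week of audit-mode (event ID 1122) and block (event ID 1121) events from the local Defender operational log so the review window produces evidence. It assumes it is run in an elevated PowerShell session on a managed Windows device; the expected rule count is taken from Section 14.

```powershell
# Added example, not Baselines code. Reports local ASR posture against Section 14.
# Assumes an elevated session on a managed Windows device with Defender Antivirus.
$ExpectedRuleCount = 14
$ActionNames = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }   # codes as listed in Section 14

$pref = Get-MpPreference
$ids  = @($pref.AttackSurfaceReductionRules_Ids)
$acts = @($pref.AttackSurfaceReductionRules_Actions)

# Ids and Actions are parallel arrays; zip them into one row per rule.
$rules = @(for ($i = 0; $i -lt $ids.Count; $i++) {
    $code = [int]$acts[$i]
    [pscustomobject]@{
        RuleId = $ids[$i]
        Code   = $code
        Action = if ($ActionNames.ContainsKey($code)) { $ActionNames[$code] } else { "Unknown($code)" }
    }
})
$rules | Sort-Object Action, RuleId | Format-Table -AutoSize

# Posture summary: the Section 14 baseline expects every rule present and in Audit.
$rules | Group-Object Action | ForEach-Object { '{0,-8} {1}' -f $_.Name, $_.Count }
if ($rules.Count -lt $ExpectedRuleCount) {
    Write-Warning "Only $($rules.Count) of $ExpectedRuleCount expected rules are configured; check policy assignment and last sync."
}
$off = @($rules | Where-Object Action -eq 'Off')
if ($off.Count) { Write-Warning "$($off.Count) rule(s) are Off and produce neither audit events nor blocks." }
$blocking = @($rules | Where-Object Action -eq 'Block')
if ($blocking.Count) { Write-Host "$($blocking.Count) rule(s) already promoted to Block." }

# Exclusions carve paths out of every rule and should be reviewed and justified.
if ($pref.AttackSurfaceReductionOnlyExclusions) {
    Write-Warning "ASR-only exclusions present:`n$($pref.AttackSurfaceReductionOnlyExclusions -join "`n")"
}

# Evidence for the review window: 1122 = rule fired in Audit, 1121 = rule fired in Block.
$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue)
"{0} ASR event(s) in the last 7 days" -f $events.Count
$events | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Mode    = if ($_.Id -eq 1122) { 'Audit' } else { 'Block' }
        Summary = ($_.Message -split "`n")[0]
    }
} | Format-Table -AutoSize
```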

15. Microsoft Defender Firewall Profile

Intune › Devices › Configuration › IOC - Firewall Profile

Configures all three Windows Defender Firewall profiles (Domain, Private, Public) with default-deny inbound and allow outbound. This policy pairs with the IOC - Windows Compliance policy in §9, which requires the firewall to be active for a device to be marked compliant: §9 checks the state, and this section is what configures it.

Profile | Setting | Configured value
Domain | Firewall enabled | True
Domain | Default inbound action | Block
Domain | Default outbound action | Allow
Private | Firewall enabled | True
Private | Default inbound action | Block
Private | Default outbound action | Allow
Public | Firewall enabled | True
Public | Default inbound action | Block
Public | Default outbound action | Allow

Inbound exceptions must be created intentionally via additional firewall rules. The default-deny posture aligns with CIS Microsoft 365 Benchmark §9 Network Configuration controls.

16. Optional Auto-Assign Behavior

The deploy page presents an opt-in toggle labeled "Activate everything immediately," which defaults to off. When enabled, the following actions occur during the deployment in addition to the standard inventory above. Each is logged as a discrete step in the live deploy progress feed and is attempted only with the auto-assign opt-in.

Action | Endpoint | Effect
Assign 10 configuration policies (Edge, Defender, BitLocker, Dock, OneDrive, Bloat, Forced Passwords, Windows LAPS, ASR Rules, Firewall Profile) to All Devices | POST /configurationPolicies/{id}/assign | Each policy enforces on every Windows device on next check-in
Assign Update Rings to All Devices | POST /deviceConfigurations/{id}/assign | Windows Update for Business policy applies tenant-wide
Assign Compliance Policy to All Devices | POST /deviceCompliancePolicies/{id}/assign | Devices evaluate against the compliance baseline; Conditional Access can use compliance state
Assign M365 Apps as required for All Licensed Users | POST /mobileApps/{id}/assign | M365 Apps install silently on assigned users' devices
Patch CA policy: All Users excluding deploying admin | PATCH /conditionalAccess/policies/{id} | MFA enforced for all users; admin self-excluded for lockout safety
Create dynamic group "IOC - Windows Devices (Dynamic)" | POST /groups | Dynamic security group with rule (device.deviceOSType -eq "Windows"). Auto-membership requires Entra ID Premium P1.
Assign AutoPilot deployment profile to the dynamic group | POST /windowsAutopilotDeploymentProfiles/{id}/assignments | Combined with hardware-hash extraction, every Windows device that enrolls is auto-converted to an AutoPilot device
Patch Entra ID MDM mobility policy: All | PATCH /policies/mobileDeviceManagementPolicies/{id} | MDM auto-enrollment turned on tenant-wide. Any user signing into Windows with a work account auto-enrolls their device in Intune.

Auditor note: All auto-assign operations are explicit, surfaced on the deploy page with a yellow warning panel, and require the operator to check a separate consent box. None of these effects occur on a default deployment.

17. Compliance Framework Mapping

The following mappings position each control implemented by the deployment against the most commonly-cited compliance frameworks. The mapping is informational; it is not a substitute for a formal compliance audit. Customers operating under regulated frameworks (HIPAA, PCI-DSS, FedRAMP) should validate these controls against their specific control framework.

Control area | CIS M365 Benchmark | NIST CSF 1.1 | SOC 2 Common Criteria
BitLocker / disk encryption | 1.1, 1.4 | PR.DS-1, PR.DS-5 | CC6.1, CC6.7
Microsoft Defender Antivirus + SmartScreen | 8.x | DE.CM-4, PR.PT-1 | CC6.6, CC7.1
Device compliance policy (BitLocker, TPM, AV, firewall) | 1.1, 1.4, 1.5 | PR.DS-1, PR.PT-1 | CC6.1, CC6.6, CC7.1
Conditional Access — Require MFA | 1.1.1 | PR.AC-1, PR.AC-7 | CC6.1, CC6.6
Windows Update for Business (timely patching) | 1.5 | PR.IP-12, ID.RA-1 | CC7.1, CC8.1
OneDrive Known Folder Move (data backup) | none | PR.IP-4 | A1.2
AutoPilot + MDM auto-enrollment (managed device baseline) | none | PR.AC-3, ID.AM-1 | CC6.1
Forced complex passwords (local) | 1.1 | PR.AC-1 | CC6.1
Edge managed-browser sign-in | none | PR.AC-1, PR.AC-7 | CC6.1
Windows LAPS — local admin password rotation + Entra escrow | 5.2 (privileged credential rotation) | PR.AC-1, PR.AC-4 | CC6.1, CC6.3
Defender Attack Surface Reduction (14 rules in audit) | 8.x | DE.CM-4, PR.PT-1, PR.IP-1 | CC7.1, CC7.2
Microsoft Defender Firewall (3 profiles, default-deny inbound) | 9.x | PR.AC-5, PR.PT-4 | CC6.6, CC6.7

18. Out of Scope (What's Not Deployed)

The following items are intentionally not included in Baselines. Organizations requiring these controls should layer them in separately or engage The Galway Group's vCTO partner program for tailored configuration.

  • Non-Windows platforms. macOS, iOS / iPadOS, Android, and Linux device profiles are not deployed. The compliance policy is Windows-only.
  • Microsoft Defender for Endpoint (MDE) onboarding. The Defender Antivirus configuration assumes the built-in Defender stack. Customers with Defender for Endpoint Plan 1/2 should run their own Endpoint security › Endpoint detection and response (EDR) onboarding.
  • Custom application packaging. Only Microsoft 365 Apps for Enterprise is deployed. Win32 LOB apps, third-party apps, and Microsoft Store apps are not.
  • Sign-in risk / user risk Conditional Access policies. The included CA policy is a single Require MFA control. Risk-based CA requires Entra ID Premium P2 and is not configured.
  • Hybrid Azure AD join. The deployment assumes cloud-only / Entra-joined devices. Hybrid Azure AD join scenarios are not configured.
  • Compliance attestation reporting. Intune-side compliance state is configured; integration with external GRC platforms (e.g., Vanta, Drata) is not.
  • Network segmentation / VPN / Always On VPN. Network configuration profiles are not included.
  • BitLocker recovery key rotation. Initial key escrow is configured; ongoing rotation policy must be configured separately if required.

19. Verification Procedures

An auditor or change-control reviewer can confirm each artifact is in place using the steps below. Each verification should be performed signed in to the customer's tenant as a Global Administrator or with the appropriate read-only role.

Artifact | How to verify
App registration (IOC Importer) | Entra ID › App registrations › All applications. Filter by "Intune One-Click Importer." Confirm one client secret with description "Default" exists. Under API permissions, confirm two Application permissions are granted with admin consent.
AutoPilot importer script | Intune › Devices › Scripts and remediations › Platform scripts. Open "IOC - AutoPilot Importer." Confirm runs as system, no signature check.
AutoPilot deployment profile | Intune › Devices › Windows › Windows enrollment › Deployment profiles. Open "IOC Standard AutoPilot." Confirm deployment mode, name template, and OOBE settings match Section 7.
Configuration policies (×7) | Intune › Devices › Configuration. Filter by name "IOC -". Confirm seven policies are listed with platform Windows 10/11.
Compliance policy | Intune › Devices › Compliance. Open "IOC - Windows Compliance." Verify settings match Section 9. Verify Actions for noncompliance: 0-hour Block, 1080-hour Retire.
Update rings | Intune › Devices › Windows › Update rings. Open "IOC - Standard Update Rings." Verify deferral and deadline values match Section 10.
M365 Apps | Intune › Apps › Windows. Open "IOC - Microsoft 365 Apps." Confirm Office Suite type, channel, architecture.
Conditional Access policy | Entra ID › Protection › Conditional Access › Policies. Open "IOC - Require MFA." Confirm grant control = Require MFA, state = enabled, user assignment per tenant choice.
Dynamic group (auto-assign only) | Entra ID › Groups. Filter by "IOC - Windows Devices (Dynamic)." Confirm membership type = Dynamic Device, processing state = On, rule = (device.deviceOSType -eq "Windows").
MDM auto-enrollment scope (auto-assign only) | Entra ID › Mobility (MDM and MAM) › Microsoft Intune. Confirm MDM user scope = All.
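An added Graph-based version of the opt-in checks in the table above (not part of the Baselines deploy or product code): it reads the dynamic group's rule and processing state, the Intune MDM user scope, and the assignment targets of every Settings Catalog policy whose name starts with "IOC -", and produces a pass/fail list whose expectations depend on whether the operator selected auto-assign. It assumes the Microsoft.Graph PowerShell SDK, read-only scopes, and that Settings Catalog policies are read from the beta endpoint; Get-GraphCollection and Add-Finding are helpers defined here.

```powershell
# Added example, not Baselines code. Verifies the Section 16 opt-in state via Microsoft Graph.
# Assumes Microsoft.Graph SDK; configurationPolicies is read from the beta endpoint.
$AutoAssignOptedIn = $true   # set to match what the operator selected on the deploy page

Connect-MgGraph -Scopes 'Group.Read.All', 'Policy.Read.All', 'DeviceManagementConfiguration.Read.All' -NoWelcome

# Follow @odata.nextLink so large tenants are not truncated at the first page.
function Get-GraphCollection ($Uri) {
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $page.value
        $Uri = $page.'@odata.nextLink'
    }
}
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding ($Check, $Value, $Pass) {
    $findings.Add([pscustomobject]@{ Check = $Check; Value = $Value; Pass = $Pass })
}

# 1. Dynamic device group: exists only with the opt-in; rule and processing state must match Section 16.
$grp = @(Get-GraphCollection "https://graph.microsoft.com/v1.0/groups?`$filter=displayName eq 'IOC - Windows Devices (Dynamic)'")
if ($grp.Count -eq 0) {
    Add-Finding 'Dynamic group present' 'no' (-not $AutoAssignOptedIn)
} else {
    $g = $grp[0]
    Add-Finding 'Dynamic group rule'  $g.membershipRule ($g.membershipRule -eq '(device.deviceOSType -eq "Windows")')
    Add-Finding 'Dynamic group state' $g.membershipRuleProcessingState ($g.membershipRuleProcessingState -eq 'On')
}

# 2. MDM user scope for Intune: 'all' is expected only after the opt-in PATCH; otherwise informational.
$mdm = @(Get-GraphCollection 'https://graph.microsoft.com/v1.0/policies/mobileDeviceManagementPolicies' |
    Where-Object { $_.displayName -eq 'Microsoft Intune' })
foreach ($p in $mdm) {
    $pass = if ($AutoAssignOptedIn) { $p.appliesTo -eq 'all' } else { $true }
    Add-Finding 'MDM user scope (Microsoft Intune)' $p.appliesTo $pass
}

# 3. Settings Catalog policies named "IOC -": listed, and targeted at All Devices only with the opt-in.
$beta = 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies'
$cfg  = @(Get-GraphCollection $beta | Where-Object { $_.name -like 'IOC -*' })
Add-Finding 'IOC configuration policies found' $cfg.Count ($cfg.Count -gt 0)
foreach ($c in $cfg) {
    $targets = @(Get-GraphCollection "$beta/$($c.id)/assignments" |
        ForEach-Object { $_.target.'@odata.type' -replace '^#microsoft\.graph\.', '' })
    $allDevices = $targets -contains 'allDevicesAssignmentTarget'
    $shown = if ($targets.Count) { $targets -join ', ' } else { 'unassigned' }
    Add-Finding "Assignment: $($c.name)" $shown ($allDevices -eq $AutoAssignOptedIn)
}

$findings | Format-Table -AutoSize
```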

20. Operational Notes & Recovery

BitLocker recovery

BitLocker recovery keys are escrowed to Entra ID. Recovery key access for a specific device is at Entra ID › Devices › All devices › [device] › BitLocker keys. Customers can also use the aka.ms/bitlocker end-user self-service portal where the relevant Entra ID role is assigned.

Removing the deployment

Each artifact in this document is an independent Intune / Entra object and can be deleted via the admin center or Microsoft Graph. The deployment does not maintain any cross-references. Specifically: deleting the IOC Importer app registration revokes the AutoPilot importer script's authentication; deleting the configuration policies stops their associated settings being enforced on next device check-in.

Retry safety

The deployment is idempotent. Re-running it for a tenant that already has IOC profiles will: (a) recreate the IOC Importer app registration with a new client secret; (b) leave existing IOC-named profiles in place untouched; (c) re-apply assignments only when the auto-assign opt-in is selected.

Order redemption

The Stripe purchase order is only marked redeemed in The Galway Group's billing system after a fully-successful deployment. A deployment that fails mid-rollout leaves the order replayable until success.

21. Glossary

AutoPilot
Microsoft service for zero-touch Windows provisioning. Devices ship to end users from the OEM and self-configure on first boot.
Conditional Access (CA)
Entra ID policy framework that evaluates sign-in attempts against conditions and requires controls (MFA, compliance, etc.) before granting access to cloud resources.
Device hash
The Windows AutoPilot hardware identifier — a Microsoft-defined string built from chassis serial, network MAC, and TPM data. Used to register a specific device with the AutoPilot service.
Dynamic group
An Entra ID group whose membership is automatically maintained based on a rule expression. Requires Entra ID Premium P1 for processing.
MDM auto-enrollment
Entra ID feature that automatically enrolls a Windows device into a configured MDM service (in this case, Intune) when a user joins their work account on the device.
Settings Catalog
Modern Intune configuration model where individual policy settings are selected from a Microsoft-maintained catalog. Replaces legacy device configuration profiles for many scenarios.

Document v2.0 · November 2025 · The Galway Group, LLC · hello@galway.group
