Endpoint checklist from an engineer
An experienced engineer shared an endpoint security checklist distilled from 18 years of practice; it favours low‑maintenance controls—BitLocker with TPM+PIN, ASR rules, LAPS, Credential Guard, USB blocking via Intune, and firmware passwords—for large fleets. The list frames pragmatic, proven controls suitable for multi‑campus deployment with limited staff. (x.com)
Microsoft Intune supports centralized BitLocker deployment and can silently enable full-disk encryption for Windows 10/11 devices while escrowing recovery keys to Microsoft Entra (Azure AD) via the BitLocker CSP. (learn.microsoft.com)

Windows Local Administrator Password Solution (Windows LAPS) now stores and rotates unique local‑admin passwords for Azure AD‑joined devices and is manageable from Microsoft Entra/Intune; Microsoft published the Azure‑AD LAPS preview on April 21, 2023. (learn.microsoft.com)

Microsoft Defender’s Attack Surface Reduction (ASR) rules are deployable from Intune’s Endpoint Security ASR policy and are designed to block common ransomware and credential‑theft techniques, but they require Defender to be the primary antivirus on enrolled Windows endpoints. (learn.microsoft.com)

Credential Guard runs inside Virtualization‑Based Security (VBS) to isolate NTLM hashes and Kerberos tickets, and CISA lists VBS, Secure Boot and modern Windows builds (for example Windows 11 22H2) as prerequisites that can affect application compatibility.

Microsoft Intune’s settings catalog and Device Control policies let administrators block or allow specific USB device classes at scale, and Defender for Endpoint device‑control rules provide an alternate enforcement and auditing path for removable media. (learn.microsoft.com)

Apple’s support documentation states that Intel‑based Macs can have a firmware password to prevent booting from external media, while Apple introduced Recovery Lock / recovery‑partition protections for Apple Silicon after Big Sur 11.5, and vendor MDMs (such as Jamf) added APIs to set recovery locks. (support.apple.com)

Windows Autopilot supports self‑deploying and zero‑touch provisioning that lets districts import hardware hashes, auto‑enroll devices into Intune, and apply BitLocker, ASR and LAPS policies during OOBE to minimize per‑device hands‑on work. (learn.microsoft.com)
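As an added example (not from the checklist or any of the cited Microsoft pages), a read-only PowerShell audit that checks whether four of the controls above are actually in effect on a single Windows endpoint. The ASR rule GUIDs are Microsoft's published rule identifiers; the LAPS registry path is assumed to be where Intune-delivered policy lands.

```powershell
# Added example, not from the checklist or Microsoft: local read-only audit of four
# controls named above. Run in an elevated PowerShell on a Windows 10/11 host.
function Test-EndpointBaseline {
    $findings = @()

    # 1. BitLocker: OS volume protection is on and a TPM+PIN protector exists
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $tpmPin = $os.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'TpmPin' }
    if ($os.ProtectionStatus -ne 'On' -or -not $tpmPin) {
        $findings += "BitLocker: OS volume lacks active TPM+PIN protection (status $($os.ProtectionStatus))"
    }

    # 2. ASR: two credential-theft rules expected in Block mode.
    #    Action values: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn (blank = rule not configured).
    $expectedRules = @{
        '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
        '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
    }
    $mp = Get-MpPreference
    $ids = @($mp.AttackSurfaceReductionRules_Ids)
    $actions = @($mp.AttackSurfaceReductionRules_Actions)
    $configured = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) { $configured[$ids[$i].ToLower()] = [int]$actions[$i] }
    foreach ($id in $expectedRules.Keys) {
        if ($configured[$id] -ne 1) {
            $findings += "ASR: '$($expectedRules[$id])' not in Block mode (action $($configured[$id]))"
        }
    }

    # 3. Credential Guard: Win32_DeviceGuard lists running services; 1 = Credential Guard
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    if ($dg.SecurityServicesRunning -notcontains 1) {
        $findings += 'Credential Guard: not running (check VBS, Secure Boot and Windows build)'
    }

    # 4. Windows LAPS: assumed CSP policy key; BackupDirectory 1 = Entra, 2 = AD, 0 = disabled
    $laps = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' -ErrorAction SilentlyContinue
    if (-not $laps -or $laps.BackupDirectory -notin @(1, 2)) {
        $findings += 'LAPS: no backup directory configured, so the local admin password is not escrowed'
    }

    return $findings
}

$result = Test-EndpointBaseline
if ($result.Count -eq 0) { 'All four audited controls are in effect' } else { $result }
```

Each finding names the control and the observed state, so the output can be fed to a fleet inventory or a Defender for Endpoint custom detection rather than read one host at a time.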