New Device Setup Checklist

A new laptop out of the box is not a secure laptop. Manufacturers ship devices with defaults that prioritize convenience over security — guest accounts enabled, no encryption, outdated firmware, and no endpoint protection. This checklist walks you through every step to harden a Windows PC before an employee ever logs in.

1. Before You Power On

• Record the serial number and asset tag the device in your inventory Keep a spreadsheet or use your RMM/PSA — you'll need this for warranty and offboarding.
• Confirm you have the Windows product key if needed (usually tied to the device BIOS) Check the bottom label or use a key-retrieval tool during setup.

2. Windows Setup & Updates

• Complete initial Windows setup — use a local account, not a personal Microsoft account Business devices should join Azure AD (Entra ID) or domain, not a personal MS account.
• Run Windows Update fully — reboot until no updates remain New devices can have 6–12 months of queued patches. This step takes the most time.
• Update device firmware/BIOS if manufacturer updates are available Dell, HP, and Lenovo all have companion apps that handle this automatically.

3. Accounts & Access

• Join the device to Azure AD (Entra ID) or your on-prem domain Settings → Accounts → Access work or school → Connect.
• Disable or rename the local Administrator account Attackers target the default "Administrator" account name. Rename or disable it.
• Confirm the employee account does NOT have local admin rights Standard user accounts can't install software — that's a good thing.

4. Encryption & Security

• Enable BitLocker on the C: drive — save the recovery key to Azure AD or a secure location If this laptop is lost or stolen, BitLocker is the only thing protecting your data.
• Confirm Windows Defender (or your third-party AV) is active and current Check Security Center — all four shields should be green.
• Enable Windows Firewall for all three profiles (Domain, Private, Public) It should be on by default — verify it wasn't disabled during setup.

5. Final & Hand-Off

• Install required business software (Microsoft 365 Apps, browser, line-of-business tools) Sign in to office.com and download Microsoft 365 Apps, or push via Intune.