Sequentur Blog
How to securely set up a new remote employee’s laptop
Hiring a remote employee is exciting until you realize the laptop is shipping to their apartment in another state on Monday, and you are responsible for making sure it shows up configured, secure, and ready to work. There is no IT closet to walk over to, no quick desk visit to help them log in, and no chance to notice they never enabled disk encryption.
A remote employee’s laptop is a company asset sitting outside your network, on a residential connection you do not control, used by someone you have probably never met in person. The setup process has to account for all of that. This guide walks through a complete onboarding checklist for remote hardware – the steps, the tools, and the order they should happen in.
The goal of a remote laptop setup
Before getting into the steps, it helps to be clear on what you are actually trying to achieve. A secure remote setup has four outcomes:
- The device is encrypted, patched, and has an endpoint security agent running before it is used.
- The employee can access only the applications and data they need, and their identity is protected by MFA.
- The device is enrolled in a management system so you can push updates, enforce policies, and wipe it remotely if something goes wrong.
- There is a paper trail showing the employee received the device, acknowledged the acceptable use policy, and knows who to contact for support.
Every step below serves one of those outcomes. If a step does not, skip it.
Before the laptop ships
The most secure setup starts before the device leaves your hands or your vendor’s warehouse. Do as much configuration as possible while you still have physical access, or use a zero-touch provisioning tool so the device configures itself the first time it connects to the internet.
Decide on the hardware and operating system
Standardize on a short list of approved hardware. Two or three Windows laptop models and optionally one MacBook model are enough for most small businesses. Standardization makes patching, driver management, and support dramatically easier than letting every employee pick their own device.
Windows 11 Pro (not Home) is the practical minimum for business use – Home edition does not support domain join, BitLocker management via Intune, or group policy. For Mac, the latest two major macOS versions are generally safe.
Build or verify the base image
If you are imaging devices in-house, have a standard image that includes:
- The approved operating system with all current updates applied
- Browser of choice, productivity apps, and any required line-of-business software
- Endpoint security agent (Defender for Business, a third-party EDR, or whatever your MSP uses)
- Removal of bloatware and trial software that shipped from the OEM
If you order laptops from a reseller, most can pre-install a standard image for you. This is worth the small upfront fee because it means the device arrives at the employee’s door already close to ready.
Use Windows Autopilot or Apple Business Manager for zero-touch setup
For Windows devices, Microsoft Intune combined with Windows Autopilot lets you ship a brand-new laptop directly from the reseller to the employee, and the first time they sign in with their work account, the device automatically enrolls in Intune, applies all your policies, installs required apps, and sets itself up as a managed device. The employee never sees the Windows out-of-box experience for personal accounts.
For Macs, Apple Business Manager combined with Intune (or Jamf) does the same thing. You purchase the Mac through an authorized Apple reseller that supports Apple Business Manager, the serial number is added to your tenant automatically, and the device enrolls on first boot.
Zero-touch provisioning is the single biggest improvement you can make to remote onboarding. It removes the two highest-risk parts of manual setup: the employee configuring things themselves, and the gap between “device arrives” and “device is managed.”
Provision the Microsoft 365 account first
Before the laptop arrives, the employee needs a work identity. Create the Microsoft 365 account, assign the appropriate license, and configure the basics.
Create the account and assign a license
In the Microsoft 365 admin center, create the user with their work email address. For most remote workers, Business Premium is the right license because it includes Intune, Defender for Business, conditional access, and Azure AD Premium P1 – all of which matter for a secure remote setup.
Do not copy permissions and group memberships from another employee’s account without reviewing what those memberships grant. Every time someone copies a long-tenured employee’s permissions, the new hire ends up with access to data they should not have.
Enroll in MFA before the employee’s first sign-in
MFA enrollment must happen as part of the first sign-in, not as a “we will set this up later” task. If you leave it optional, some people will skip it, and MFA is the single most important control you have against credential theft.
Configure a Conditional Access policy that requires MFA for all users, and require the Microsoft Authenticator app (or a FIDO2 security key) rather than SMS codes. SMS-based MFA is better than nothing, but it is vulnerable to SIM-swap attacks.
Configure conditional access for the new account
Conditional access policies are how you enforce “only from compliant devices” and “only from approved locations.” At minimum, new remote employees should be covered by policies that:
- Require MFA for all cloud apps
- Block sign-ins from countries where your business does not operate
- Block legacy authentication protocols (POP, IMAP, basic auth)
- Require a compliant, Intune-managed device for accessing sensitive apps after the device is enrolled
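As an added example (not from the original article), the following Microsoft Graph PowerShell script creates these four policies in report-only mode. It assumes the Microsoft.Graph.Identity.SignIns module is installed, that the signed-in admin can consent to Policy.ReadWrite.ConditionalAccess, and that the break-glass group ID, the sensitive app IDs and the country list are placeholders you replace.

```powershell
# Added example, not from the original article. Creates the four baseline Conditional Access
# policies above in report-only mode with the Microsoft Graph PowerShell SDK.
# Placeholders (replace before running): the break-glass group ID, the sensitive app IDs,
# and the country list in the named location.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"   # emergency-access accounts stay excluded
$sensitiveAppIds   = @("<SENSITIVE-APP-ID-1>")          # apps that require a compliant device
$allUsers = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
$allApps  = @{ includeApplications = @("All") }
$modern   = @("browser", "mobileAppsAndDesktopClients")

# Named location for the countries you operate in; CA002 blocks everything outside it.
$allowed = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Allowed countries"
    countriesAndRegions               = @("US")       # placeholder list
    includeUnknownCountriesAndRegions = $false
}

$policies = @(
    @{ displayName   = "CA001 - Require MFA for all cloud apps"
       conditions    = @{ users = $allUsers; applications = $allApps; clientAppTypes = $modern }
       grantControls = @{ operator = "OR"; builtInControls = @("mfa") } },
    @{ displayName   = "CA002 - Block sign-ins from countries we do not operate in"
       conditions    = @{ users = $allUsers; applications = $allApps; clientAppTypes = @("all")
                          locations = @{ includeLocations = @("All"); excludeLocations = @($allowed.Id) } }
       grantControls = @{ operator = "OR"; builtInControls = @("block") } },
    @{ displayName   = "CA003 - Block legacy authentication"
       # exchangeActiveSync + other = POP, IMAP, SMTP AUTH and similar basic-auth clients
       conditions    = @{ users = $allUsers; applications = $allApps; clientAppTypes = @("exchangeActiveSync", "other") }
       grantControls = @{ operator = "OR"; builtInControls = @("block") } },
    @{ displayName   = "CA004 - Require compliant device for sensitive apps"
       conditions    = @{ users = $allUsers; applications = @{ includeApplications = $sensitiveAppIds }
                          clientAppTypes = $modern }
       grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") } }
)

foreach ($p in $policies) {
    # Report-only first: review the sign-in log impact for a week, then switch the state to "enabled".
    $p.state = "enabledForReportingButNotEnforced"
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host ("{0} -> {1} [{2}]" -f $created.DisplayName, $created.Id, $created.State)
}
```

Leave the policies in report-only until the sign-in logs show the break-glass accounts are excluded and no business-critical legacy client is still in use.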
The configuration checklist for the device itself
Whether you are imaging the device yourself or relying on zero-touch provisioning, these are the controls that must be in place before the employee starts working.
Disk encryption
BitLocker on Windows, FileVault on Mac. Non-negotiable. If a remote employee’s laptop is lost or stolen and it is not encrypted, the data on that drive is accessible to whoever finds it, and you are looking at a potential data breach notification.
In Intune, create a disk encryption policy that requires BitLocker with the recovery key escrowed to Azure AD. Escrowing the key is critical – if the employee ever gets locked out or the device has a hardware issue, you need to be able to recover the drive without relying on them having written the key down.
Verify encryption is actually active after enrollment. It is surprisingly common for a compliance policy to say “BitLocker required” while the device itself reports encryption is not enabled because of a hardware prerequisite issue or a silent policy conflict.
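One way to do that verification on the device itself, as an added example that is not from the original article: the script below uses the built-in BitLocker PowerShell module to check protection status, key protectors and the recovery-key backup event, and can re-run the Azure AD escrow if no successful backup is recorded. It assumes an elevated prompt on a Windows device already joined to the tenant.

```powershell
# Added example, not from the original article. Run elevated on the enrolled device to confirm
# BitLocker is actually protecting the OS drive and that the recovery password was escrowed,
# instead of trusting the compliance policy's "BitLocker required" checkbox.
function Test-BitLockerBaseline {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [switch]$Escrow   # re-run the Azure AD backup if no successful backup event exists
    )
    $vol      = Get-BitLockerVolume -MountPoint $MountPoint
    $findings = [System.Collections.Generic.List[string]]::new()

    # The classic silent failure: FullyEncrypted but ProtectionStatus Off (protectors suspended),
    # which means the volume key is stored in the clear and the drive is readable.
    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("Protection is $($vol.ProtectionStatus) while volume is $($vol.VolumeStatus)")
    }
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("Volume is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)")
    }

    # Expect a TPM-based protector (Tpm, TpmPin, ...) and a RecoveryPassword protector to escrow.
    $tpm      = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $tpm)      { $findings.Add("No TPM key protector; a hardware prerequisite may be missing") }
    if (-not $recovery) { $findings.Add("No RecoveryPassword protector, so there is nothing to escrow") }

    # Event 845 in the BitLocker Management log records a successful recovery-key backup to
    # the directory; event 846 records a failure.
    $log    = 'Microsoft-Windows-BitLocker/BitLocker Management'
    $backed = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 845 } -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $backed -and $recovery -and $Escrow) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery[0].KeyProtectorId
        $backed = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 845 } -MaxEvents 1 -ErrorAction SilentlyContinue
    }
    if (-not $backed) { $findings.Add("No successful recovery-key backup event (845) found") }

    [pscustomobject]@{
        MountPoint = $MountPoint
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings -join '; '
    }
}

Test-BitLockerBaseline -Escrow | Format-List
```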
Endpoint security agent
Every remote device needs an EDR or next-generation antivirus agent running. Defender for Business (included in Business Premium) is a reasonable default for most small businesses. If you work with a managed IT provider, they will usually deploy their own EDR stack with 24/7 monitoring.
The agent should be installed by policy, not by the employee. If you rely on the employee to install it, at least some devices will miss it – they will click past the prompt, reboot before it finishes, or assume “IT will handle it later.”
Screen lock and password policy
Configure an Intune compliance policy that enforces:
- A password or PIN to log in
- Minimum password length (8+ characters, 14+ is better)
- Automatic screen lock after 10-15 minutes of inactivity
- No shared accounts – each employee has their own login on their own device
Remote workers are more likely than office workers to leave a device unattended in a home that other people have access to. The screen lock matters.
Operating system patches
Configure Windows Update for Business (via Intune) or macOS update policies to apply patches automatically. For remote devices, “automatic with a user-deferrable reboot” is the right setting – you want the patches to install, but forcing a reboot during a client call will cost you goodwill.
Set a maximum deferral period so users cannot indefinitely postpone updates. Seven days is a reasonable ceiling.
Firewall and basic hardening
The device firewall should be on. Disable SMBv1, disable LLMNR and NetBIOS over TCP/IP if not needed, and turn off unnecessary Windows features (XPS viewer, Windows Media Player, legacy components you will never use). Most of these are off by default in Windows 11, but verify in your base image.
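An added example, not from the original article, that audits exactly these items on a Windows 11 device so the result can be compared against the base image; it uses only built-in NetSecurity, DISM and CIM cmdlets and treats XPS Viewer and Windows Media Player as Windows capabilities, which is how Windows 11 packages them.

```powershell
# Added example, not from the original article. Audits the hardening items above on a
# Windows 11 device, one row per check, so a device can be compared against the base image.
# Run elevated; pass -Remediate to apply the fixes rather than only report.
function Test-BaselineHardening {
    param([switch]$Remediate)
    $rows = [System.Collections.Generic.List[object]]::new()
    $add  = { param($name, $pass) $rows.Add([pscustomobject]@{ Check = $name; Pass = [bool]$pass }) }

    # 1. Host firewall enabled on the Domain, Private and Public profiles.
    foreach ($p in Get-NetFirewallProfile) {
        if ($Remediate -and -not $p.Enabled) { Set-NetFirewallProfile -Name $p.Name -Enabled True }
        & $add "Firewall ($($p.Name))" (Get-NetFirewallProfile -Name $p.Name).Enabled
    }

    # 2. SMBv1 optional feature not enabled.
    if ($Remediate) { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
    $smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    & $add "SMBv1 disabled" ($smb1.State -ne 'Enabled')

    # 3. LLMNR off: EnableMulticast = 0 under the DNS client policy key.
    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    if ($Remediate) {
        New-Item -Path $llmnrKey -Force | Out-Null
        Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
    }
    $llmnr = Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue
    & $add "LLMNR disabled" ($llmnr.EnableMulticast -eq 0)

    # 4. NetBIOS over TCP/IP disabled on IP-enabled adapters (TcpipNetbiosOptions 2 = disabled).
    foreach ($nic in Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE") {
        if ($Remediate -and $nic.TcpipNetbiosOptions -ne 2) {
            Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
            $nic = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "Index = $($nic.Index)"
        }
        & $add "NetBIOS off ($($nic.Description))" ($nic.TcpipNetbiosOptions -eq 2)
    }

    # 5. Legacy components named in the text (XPS Viewer, Windows Media Player) are capabilities
    #    on Windows 11 and should be NotPresent.
    foreach ($cap in Get-WindowsCapability -Online | Where-Object { $_.Name -like 'XPS.Viewer*' -or $_.Name -like 'Media.WindowsMediaPlayer*' }) {
        if ($Remediate -and $cap.State -eq 'Installed') { Remove-WindowsCapability -Online -Name $cap.Name | Out-Null }
        & $add "Removed ($($cap.Name))" ((Get-WindowsCapability -Online -Name $cap.Name).State -ne 'Installed')
    }
    $rows
}

Test-BaselineHardening | Format-Table -AutoSize
```

Disabling SMBv1 only takes full effect after a reboot, so a device remediated moments ago may still report it as enabled until it restarts.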
Network access: VPN or zero trust
Remote workers need access to internal resources – file shares, line-of-business applications, internal tools. How they get that access defines a significant part of your security posture.
Traditional VPN
A VPN gives the remote device a tunnel into your office network, and once connected, the device behaves as if it were on the LAN. This is the traditional approach and still fine for simple environments. The downsides: the device has broad network access once connected (so a compromised device has broad network access too), the VPN server is a single point of failure, and VPN performance suffers as the team grows.
If you use a VPN, deploy the client via Intune so the configuration is consistent across devices, and require MFA for VPN sign-in – not just username and password.
Zero trust network access
Zero trust access takes a different approach. Instead of granting network-level access, the employee connects to specific applications through an identity-based proxy that verifies the user’s identity, the device’s compliance status, and the context of the request for every connection. A compromised device does not get broad network access – it gets access only to the specific apps the employee is authorized to use, only when the device is in a compliant state.
For most SMBs standing up remote work programs today, zero trust is the better direction. It is more aligned with how cloud-first businesses actually operate, and it removes the “device on the VPN is trusted” assumption that has led to a lot of breaches. For a deeper comparison of the two models, see our VPN vs zero trust network access guide.
Split tunneling
Whether you use VPN or ZTNA, configure split tunneling correctly. Only traffic destined for internal resources should go through the tunnel – Microsoft 365, Zoom, web browsing, and other cloud services should go directly over the employee’s internet connection. Forcing all traffic through a central tunnel hurts performance and provides no real security benefit for cloud services.
Intune enrollment and device management
Enrolling the device in Intune is what turns it from “a company laptop someone bought” into “a managed asset you can actually control.” Without enrollment, everything above is best-effort – you cannot verify the device is actually compliant, cannot push new policies, and cannot wipe the device remotely if something happens.
If you are using Autopilot or Apple Business Manager, enrollment is automatic on first sign-in. If you are doing manual setup, the employee (or an IT admin with remote access) needs to enroll the device before they start using it.
After enrollment, verify in the Intune admin center that the device appears as managed, shows as compliant against your policies, and is receiving updates. Build this verification step into your checklist – an unverified “probably compliant” device is how fleet drift starts.
Acceptable use policy and documentation
The paperwork side of onboarding matters more than most people assume, especially for remote employees. If something goes wrong later – a lost device, a policy violation, a termination – the documentation is what protects the business.
The acceptable use policy
Before the employee starts using the device, they should acknowledge your acceptable use and remote work IT policy. At minimum, this document should cover:
- The device is company property (if it is) and must be returned on termination
- Only approved software may be installed
- No personal data that the employee would not want the company to see should be stored on the device
- The company reserves the right to monitor, audit, and remotely wipe the device
- Physical security expectations (do not leave the device unattended in public, lock the screen, use a privacy screen in shared spaces)
- Reporting obligations if the device is lost, stolen, or compromised
The policy should be signed electronically and stored in the employee’s HR file. Reference the policy in the offer letter as well.
The device assignment record
Record the device serial number, hostname, model, and assignment date against the employee’s name. This sounds obvious, but plenty of small businesses cannot tell you which laptop is with which employee six months in, and that gap creates real problems during remote offboarding.
A welcome guide
Give the employee a short document (one or two pages) covering the essentials: how to sign in, how MFA works, who to contact for help, and what to do if they think something is wrong with the device. A good welcome guide reduces helpdesk tickets in the first two weeks and sets expectations about what IT support looks like in a remote environment.
Common remote setup mistakes
A few patterns come up repeatedly when remote onboarding goes wrong:
- Setting up the device once and never checking it again. Devices drift. Policies change. An employee turns off something they should not have turned off. Without ongoing endpoint management, a device that was compliant on day one may not be compliant on day ninety. Intune compliance reporting, checked weekly, catches this.
- Giving the employee local administrator rights by default. Remote employees should not be local admins on their company laptop. When they need to install something, an approved self-service mechanism (Company Portal in Intune) handles most cases, and the exceptions can go through IT.
- Skipping MFA enrollment because “we will set it up on their first day.” The first day is exactly when credential theft is most likely to succeed, because the employee is in setup mode and will click through prompts without scrutiny. MFA must be in place before the first sign-in.
- Not setting up remote wipe in advance. If you wait until the device is lost to figure out how to wipe it, you have already lost. Test the remote wipe function on a test device during setup so you know it works.
- Shipping the laptop without tracking it. Require signature on delivery and record the tracking number. A laptop going missing in transit is a real thing that happens.
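The post-enrollment verification from the Intune section and the weekly compliance check above can come from the same device pull. As an added example (not from the original article), the script below uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.DeviceManagement module) to confirm a new laptop shows up managed and compliant, and to report devices that have gone non-compliant, unencrypted, or silent; the serial number and the seven-day staleness window are placeholders.

```powershell
# Added example, not from the original article. One pull of the Intune device list via the
# Microsoft Graph PowerShell SDK serves two checks from this guide: confirming a new laptop
# shows up managed and compliant after enrollment, and the weekly drift report that catches
# devices which have gone non-compliant, unencrypted, or silent. The serial is a placeholder.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"

$devices = Get-MgDeviceManagementManagedDevice -All -Property `
    "deviceName,userPrincipalName,serialNumber,complianceState,isEncrypted,lastSyncDateTime,managementAgent,osVersion"

function Test-NewDeviceEnrolled {
    param([string]$SerialNumber, [object[]]$Fleet)
    $d = $Fleet | Where-Object SerialNumber -eq $SerialNumber
    if (-not $d) { return "Serial $SerialNumber not found in Intune: device is NOT enrolled" }
    [pscustomobject]@{
        Device = $d.DeviceName; User = $d.UserPrincipalName; Agent = $d.ManagementAgent
        Compliant = ($d.ComplianceState -eq 'compliant'); Encrypted = $d.IsEncrypted
        LastSync = $d.LastSyncDateTime
    }
}

function Get-FleetDriftReport {
    param([object[]]$Fleet, [int]$StaleDays = 7)
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($d in $Fleet) {
        $issues = @()
        # Anything other than 'compliant' (noncompliant, inGracePeriod, error, unknown) needs a look.
        if ($d.ComplianceState -ne 'compliant') { $issues += "compliance=$($d.ComplianceState)" }
        if (-not $d.IsEncrypted)                 { $issues += "disk not encrypted" }
        if (-not $d.LastSyncDateTime -or $d.LastSyncDateTime -lt $cutoff) {
            $issues += "no check-in since $($d.LastSyncDateTime)"
        }
        if ($issues) {
            [pscustomobject]@{ Device = $d.DeviceName; User = $d.UserPrincipalName
                               Serial = $d.SerialNumber; OS = $d.OSVersion; Issues = ($issues -join '; ') }
        }
    }
}

Test-NewDeviceEnrolled -SerialNumber "<NEW-LAPTOP-SERIAL>" -Fleet $devices | Format-List
Get-FleetDriftReport -Fleet $devices | Sort-Object User | Format-Table -AutoSize
```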
How Sequentur handles remote laptop onboarding
For clients on a managed IT plan with remote workers, we handle the end-to-end onboarding process: laptop procurement through our reseller relationships, zero-touch provisioning via Autopilot or Apple Business Manager, Intune enrollment and policy application, Microsoft 365 account creation with conditional access policies, MFA enrollment, and shipping coordination so the device arrives at the employee’s door configured and ready.
What an SMB gets from working with a managed provider on remote onboarding is consistency – every new hire goes through the same process, every device arrives in the same configured state, and every policy change is applied across the fleet without anyone having to remember to do it. For a business hiring remotely a few times a year, the process is manageable in-house. For a business hiring continuously or scaling up a distributed team, the gap between ad-hoc onboarding and a defined program usually becomes apparent around the tenth or fifteenth hire.
If you are standing up a remote work program and want to make sure the foundation is right, our managed IT support for remote and hybrid teams covers this end-to-end. Schedule a call and we will walk through your specific setup.