Secure, compliant devices - by default.

Keep endpoints configured to defined baselines, with proactive checks that catch drift, failures and misconfigurations early.

Microsoft Intune & Autopilot Managed Service

Modern device management only works when it’s maintained. Microsoft Endpoint Manager (Intune) gives you control of devices, users, configuration, conditional access and apps – but it needs consistent checks and upkeep to stay reliable and secure.

Wanstor’s Microsoft Intune & Autopilot Managed Service establishes clear, repeatable procedures for how we manage and troubleshoot your Intune and Autopilot estate on a scheduled cadence, backed by the right tools, reporting, expertise, and engineering resource.

Outcome: a healthier endpoint estate, fewer deployment issues, stronger compliance, and device security that stays aligned with best practice over time.

Service overview

If your organisation relies on Intune and Autopilot to provision, configure and secure devices, this service helps you keep day-to-day operations stable and reduce risk caused by drift, failed deployments, or outdated baselines.

What’s included

Application maintenance

We keep Autopilot and Company Portal apps current by reviewing and updating versions, confirming “Evergreen” updates work, manually refreshing anything Evergreen can’t cover, removing obsolete apps from future installs (without uninstalling existing ones), and resolving Intune deployment errors where possible.

 

Configuration deployment errors

Configuration failures often come from policy conflicts or settings not reaching targeted devices/users. We review configuration deployments to detect and remediate deployment errors so your intended policies remain enforced.

 

Enrolment failure monitoring & remediation

Where devices fail to enrol (e.g., via Group Policy or Autopilot) or don’t register correctly with Azure AD/MDM, we review both Autopilot and Intune enrolment to identify failures and remediate.

 

Device compliance policy review

Compliance policies need maintaining as Microsoft best practices evolve. We ensure policies include supported operating systems, and review non‑compliant devices to recommend steps to restore compliance within the review window.

 

Security baselines management

Security baselines contain recommended Windows settings and are updated by Microsoft typically every 6–12 months. We review new baseline releases, assess impact, propose de-risking steps where needed, raise appropriate change control, and then update and track application across devices in scope.

Conditional Access compliance (device health signal)

If you use device health as a signal for Azure AD Conditional Access, we review device compliance against those policies, take proactive steps to bring non-compliant devices back into compliance, and review best-practice/report-only policies with recommendations to enforce improvements.

 

Baseline policy recommendations

We update baseline policy recommendations for Intune and Autopilot, produce a report highlighting configuration differences from your deployed baseline, and raise change control where needed to apply new recommendations.

 

Security group review (dynamic & assigned)

We review the dynamic and static groups used as policy boundaries for Intune and Autopilot, and recommend changes to keep them aligned to company requirements.

 

Deployment scripts review

Deployment scripts can become “set and forget”. We review scripts every month to ensure they’re still relevant, identify any updates needed, and retire scripts made obsolete by product releases – helping keep your deployment process current.

 

Endpoint Analytics insights & recommendations

Endpoint analytics highlights policy or hardware issues that slow devices, enabling proactive fixes before they become service desk tickets. We report regularly with recommendations to maintain device health – such as battery indicators, reboot schedules for devices online over 7 days, and abnormal boot/login times.

Onboarding & prerequisites

To enable an effective managed service, the following prerequisites must be met:
  • Existing solutions are reviewed and critical/high recommendations are resolved before onboarding or scheduled during onboarding
  • Full documentation of the existing solution is available (customer documentation used as a reference to support the solution)
  • All maintenance tasks in the service description are initially completed during onboarding
  • A full review of identity roles and privileges is completed (including security administrators, compliance administrators and Intune administrators)
  • If Wanstor implemented the solution, these prerequisites should already be met

Outcomes & benefits

What’s excluded:

Updating application packages in Autopilot builds or Company Portal does not update apps on devices where those apps are already installed. To keep already-installed apps up to date, a separate patching service is required (which Wanstor can provide separately).

Assumptions & dependencies

Assumption: You have and maintain appropriate Microsoft 365 licensing that entitles users and devices registered in Intune to use the product.

Dependency (Endpoint Analytics): Requires Microsoft 365 E3 or E5 (or equivalent device licence) and devices must be Azure AD joined or hybrid Azure AD joined.

How we work

  • Baseline & onboarding: confirm prerequisites, complete initial maintenance tasks, and validate roles/privileges and documentation.
  • Monthly service review: complete the set of operational checks across apps, enrolment, policy compliance, baselines, Conditional Access, groups, scripts, and Endpoint Analytics insights.
  • Change control & improvements: where updates (e.g., new baselines/recommendations) require changes, we raise appropriate change control and track rollout across devices in scope.

FAQs

Does this keep my existing devices patched?

Not by itself. App package updates for Autopilot/Company Portal do not update apps already installed on devices; a separate patching service is required for that.

How often are security baselines updated?

Microsoft updates baselines on a regular cadence (typically every 6–12 months). Wanstor reviews and manages baseline updates as they’re released, including impact review and change control.

Do we need Endpoint Analytics?

Endpoint Analytics checks require M365 E3/E5 (or equivalent device licence) and Azure AD joined or hybrid Azure AD joined devices.

Want to reduce endpoint risk and keep device compliance on track?

Book an Intune & Autopilot service review and we’ll outline what’s needed to stabilise and maintain your endpoint estate.