Solution Atlas
EverydayUser storyConsultative playbook

Hybrid working has made contractor laptops a security and cost headache

After the move to hybrid working, IT supports a messy mix of company laptops, personal devices, and contractor machines. Sign-in policies are inconsistent, configurations drift over time, and there's a known risk that leavers walk out with data they shouldn't have.

Trigger
Hybrid working sprawl; Internal Audit has flagged the leaver risk.
Good outcome
Contractors get a cloud PC instead of a physical laptop they keep. Company laptops are managed centrally with consistent policies, and when someone leaves their access goes off the same day.
Discovery — signals and questions

Signals validating this story

  • ·Endpoint estate is a mix of corporate, BYOD, and contractor laptops
  • ·Image drift visible in helpdesk tickets
  • ·Conditional Access enabled but not enforced for unmanaged devices
  • ·Offboarding leakage flagged by Internal Audit
  • ·Helpdesk ticket trend rising despite stable headcount

Discovery questions

  1. 1.What does your endpoint estate look like by class — corporate, BYOD, contractor?

    WhySizes the problem. Often the contractor pool is the biggest single risk slice.

  2. 2.What is your Intune coverage today — full, partial, none?

    WhyEstablishes the management baseline. Most customers have partial.

    Listen for: “corp only” · “mixed” · “pilot stage”

  3. 3.How long does contractor onboarding take, and how is offboarding handled?

    WhySurfaces the cost of the sprawl in real terms.

  4. 4.What is your Conditional Access posture for unmanaged devices?

    WhyTests whether identity is enforcing device compliance or just MFA.

  5. 5.Have you considered Windows 365 / AVD for contractors or non-engineering staff?

    WhyCloud PC is the right answer for many contractor scenarios; surfaces appetite.

  6. 6.What is the helpdesk ticket trend for endpoint-related issues?

    WhyQuantifies the cost of the status quo.

Baseline architectureTarget architecture
Baseline architecture

Mixed endpoint estate with inconsistent management. Intune partial coverage. Conditional Access enabled but not enforced tenant-wide. Contractor onboarding manual and slow. No standardised contractor desktop pattern. Defender for Endpoint partial.

Typical concerns

  • ·Unmanaged devices accessing corporate data
  • ·Slow contractor onboarding hurting productivity
  • ·Offboarding leakage — devices not returned, accounts not disabled
  • ·Image drift causing helpdesk load
  • ·No defensible answer to "what is on our endpoint estate?"

Capability gaps

  • ·Intune tenant-wide for managed devices
  • ·Windows 365 for contractors and BYOD
  • ·Conditional Access with device-compliance enforcement
  • ·Joiner-mover-leaver integration
  • ·Defender for Endpoint posture tenant-wide
Target architecture

Intune manages all corporate-owned devices with policy enforcement. Windows 365 Cloud PC provisioned per contractor or BYOD user with auto-deprovision on offboarding. Conditional Access enforces device compliance for tenant access. Joiner-mover-leaver process integrated with Entra ID so onboarding takes minutes and offboarding is automatic. Defender for Endpoint posture tenant-wide.

Key capabilities

  • Centrally-managed corporate endpoints
  • Cloud PC for contractors and BYOD
  • Device-compliance enforced Conditional Access
  • Automated joiner-mover-leaver
  • Tenant-wide endpoint security posture
Architecture decisions
  1. 1.Contractor pattern — Windows 365 Cloud PC vs traditional contractor laptops

    Windows 365 Cloud PC

    Fits whenHigh contractor turnover; no need for offline work; consistent application stack.

    Trade-offsPer-user monthly cost; requires reliable connectivity.

    Traditional laptops

    Fits whenOffline work mandatory; latency-sensitive workflows; existing logistics in place.

    Trade-offsImage drift; provisioning logistics; offboarding leakage.

    Default recommendationWindows 365 for contractors with >3-month engagements; traditional laptops only where offline work is mandatory.

  2. 2.Intune scope — corporate-owned only vs all devices including BYOD

    Corporate-owned only

    Fits whenStrong BYOD privacy stance; willing to gate BYOD via Conditional Access only.

    Trade-offsUnmanaged devices remain a risk surface.

    All devices (including BYOD via Intune MAM)

    Fits whenStronger BYOD posture; app-level control without device enrolment.

    Trade-offsUser-experience friction; privacy concerns to manage.

    Default recommendationCorporate-owned for full enrolment; BYOD via Intune App Protection Policies (MAM) — gates corporate apps without enrolling personal devices.

  3. 3.Conditional Access stance — block unmanaged vs degraded access

    Block unmanaged

    Fits whenHigh-sensitivity data; auditor requires it.

    Trade-offsUser experience friction; emergency-access path needed.

    Degraded access (read-only or sensitive-data-restricted)

    Fits whenBalance productivity and security; phased rollout.

    Trade-offsPolicy complexity rises.

    Default recommendationDegraded access for the first 6 months; tighten to block based on risk findings.

Low-risk trial — proof of value

30-day Windows 365 pilot for 25 contractors + Intune tightening

~4 weeks

Windows 365 Cloud PC provisioned for 25 contractors. Intune policies tightened for the corporate estate. Conditional Access enforces device compliance for one business-priority application set. Joiner-mover-leaver workflow validated end-to-end against the pilot cohort.

Success criteria

  • 25 contractors onboarded to Cloud PC within 5 working days
  • Average onboarding time below 4 hours per contractor
  • Offboarding tested: account + Cloud PC + access removed within 1 hour
  • Conditional Access enforcement live for the pilot application set

InvestmentWindows 365 ~€32/user/month at the trial tier. Intune covered by M365 E3 already in estate. Contractor headcount for the trial unchanged.

Proof metrics

  • ·Contractor onboarding time reduced by 80%+
  • ·Offboarding leakage eliminated (account + device removed within SLA)
  • ·Helpdesk endpoint tickets trending down
  • ·Conditional Access compliance score above 90%

Recommended cards

The SKUs and capabilities most likely to be part of the solution, with the editorial rationale for each in the context of this story. Add the ones that fit your situation.

Back to Workplace infrastructure