Solution Atlas

Hybrid working means contractor laptops are a security and cost headache

After the shift to hybrid working, the IT team is supporting an unmanageable mix of corporate laptops, BYOD, and contractor machines. Conditional Access is partial, image drift is rife, and offboarding leakage is a known risk.

Trigger
Hybrid working sprawl; offboarding leakage flagged by Internal Audit.
Good outcome
Windows 365 baseline for contractors, Intune for managed devices, Conditional Access tenant-wide.
Diagnostic discovery

Signals this story fits

Observable cues that confirm the conversation belongs here.

  • Endpoint estate is a mix of corporate, BYOD, and contractor laptops
  • Image drift visible in helpdesk tickets
  • Conditional Access enabled but not enforced for unmanaged devices
  • Offboarding leakage flagged by Internal Audit
  • Helpdesk ticket trend rising despite stable headcount

Questions to ask

Open-ended, SPIN-style — each one has a reason it matters.

  1. What does your endpoint estate look like by class — corporate, BYOD, contractor?

     Why: Sizes the problem. Often the contractor pool is the biggest single risk slice.

  2. What is your Intune coverage today — full, partial, none?

     Why: Establishes the management baseline. Most customers have partial.

     Listen for: “corp only” · “mixed” · “pilot stage”

  3. How long does contractor onboarding take, and how is offboarding handled?

     Why: Surfaces the cost of the sprawl in real terms.

  4. What is your Conditional Access posture for unmanaged devices?

     Why: Tests whether identity is enforcing device compliance or just MFA.

  5. Have you considered Windows 365 / AVD for contractors or non-engineering staff?

     Why: Cloud PC is the right answer for many contractor scenarios; surfaces appetite.

  6. What is the helpdesk ticket trend for endpoint-related issues?

     Why: Quantifies the cost of the status quo.

Baseline → target architecture

TOGAF-style gap framing — what we typically see today, and what the proposed end state looks like. The gap between them is the engagement.

Baseline architecture

Mixed endpoint estate with inconsistent management. Intune partial coverage. Conditional Access enabled but not enforced tenant-wide. Contractor onboarding manual and slow. No standardised contractor desktop pattern. Defender for Endpoint partial.

Typical concerns

  • Unmanaged devices accessing corporate data
  • Slow contractor onboarding hurting productivity
  • Offboarding leakage — devices not returned, accounts not disabled
  • Image drift causing helpdesk load
  • No defensible answer to "what is on our endpoint estate?"

Capability gaps

  • Intune tenant-wide for managed devices
  • Windows 365 for contractors and BYOD
  • Conditional Access with device-compliance enforcement
  • Joiner-mover-leaver integration
  • Defender for Endpoint posture tenant-wide

Target architecture

Intune manages all corporate-owned devices with policy enforcement. Windows 365 Cloud PC provisioned per contractor or BYOD user with auto-deprovision on offboarding. Conditional Access enforces device compliance for tenant access. Joiner-mover-leaver process integrated with Entra ID so onboarding takes minutes and offboarding is automatic. Defender for Endpoint posture tenant-wide.

Key capabilities

  • Centrally-managed corporate endpoints
  • Cloud PC for contractors and BYOD
  • Device-compliance enforced Conditional Access
  • Automated joiner-mover-leaver
  • Tenant-wide endpoint security posture

Enabling SKUs

Resolved in the ‘Recommended cards’ section below.

Architecture decisions

Each decision is offered as explicit options with trade-offs — Hohpe's “selling options” principle. A safe default is noted where one exists.

  1. Decision 1. Contractor pattern — Windows 365 Cloud PC vs traditional contractor laptops

     Windows 365 Cloud PC

     When it fits: High contractor turnover; no need for offline work; consistent application stack.

     Trade-offs: Per-user monthly cost; requires reliable connectivity.

     Traditional laptops

     When it fits: Offline work mandatory; latency-sensitive workflows; existing logistics in place.

     Trade-offs: Image drift; provisioning logistics; offboarding leakage.

     Default recommendation: Windows 365 for contractors with >3-month engagements; traditional laptops only where offline work is mandatory.

  2. Decision 2. Intune scope — corporate-owned only vs all devices including BYOD

     Corporate-owned only

     When it fits: Strong BYOD privacy stance; willing to gate BYOD via Conditional Access only.

     Trade-offs: Unmanaged devices remain a risk surface.

     All devices (including BYOD via Intune MAM)

     When it fits: Stronger BYOD posture; app-level control without device enrolment.

     Trade-offs: User-experience friction; privacy concerns to manage.

     Default recommendation: Corporate-owned for full enrolment; BYOD via Intune App Protection Policies (MAM) — gates corporate apps without enrolling personal devices.

  3. Decision 3. Conditional Access stance — block unmanaged vs degraded access

     Block unmanaged

     When it fits: High-sensitivity data; auditor requires it.

     Trade-offs: User-experience friction; an emergency-access (break-glass) path must be excluded from the policy before it is enforced, or an enrolment outage locks administrators out too.

     Degraded access (read-only or sensitive-data-restricted)

     When it fits: Balance productivity and security; phased rollout.

     Trade-offs: Policy complexity rises; the restricted mode only works for applications that support app-enforced restrictions (SharePoint Online and Exchange Online), so other apps in scope still need a decision.

     Default recommendation: Degraded access for the first 6 months; tighten to block based on risk findings. Run each new policy in report-only mode first and review the sign-in logs before switching it to enforced.
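The two stances in Decision 3 as a Microsoft Graph PowerShell script (Microsoft.Graph.Identity.SignIns module). This is an added example, not code from the original playbook or from Microsoft; the application IDs and group IDs are placeholders you replace with your tenant's pilot application set, pilot user group, and break-glass group. "Block" requires an Intune-compliant device, so unmanaged devices are denied; "Degraded" scopes the policy to devices that are not compliant and turns on the app-enforced-restrictions session control, which SharePoint Online and Exchange Online honour by serving a limited, browser-only experience. Both policies are created in report-only mode so the impact can be read from the sign-in logs before anyone is locked out.

```powershell
# Added example (not from the original page): Conditional Access policies for the
# pilot application set, in either Decision 3 stance. Microsoft Graph PowerShell SDK.
# All IDs below are placeholders (assumed), not identifiers from the page.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$pilotAppIds       = @("<pilot-app-id-1>", "<pilot-app-id-2>")  # assumed: app IDs of the pilot set
$pilotUsersGroupId = "<pilot-users-group-id>"                     # assumed: Entra group of pilot users
$breakGlassGroupId = "<break-glass-group-id>"                     # assumed: emergency-access accounts

function New-PilotDevicePolicy {
    param(
        [Parameter(Mandatory)] [ValidateSet("Block", "Degraded")] [string] $Stance,
        [switch] $Enforce   # default is report-only so the impact can be reviewed first
    )

    $state = if ($Enforce) { "enabled" } else { "enabledForReportingButNotEnforced" }

    $conditions = @{
        users = @{
            includeGroups = @($pilotUsersGroupId)
            excludeGroups = @($breakGlassGroupId)   # never gate the emergency-access path
        }
        applications   = @{ includeApplications = $pilotAppIds }
        clientAppTypes = @("all")
    }

    $policy = @{
        displayName = "PILOT - $Stance unmanaged devices for priority apps"
        state       = $state
        conditions  = $conditions
    }

    if ($Stance -eq "Block") {
        # Grant only to Intune-compliant devices: anything unmanaged is denied.
        $policy.grantControls = @{
            operator        = "OR"
            builtInControls = @("compliantDevice")
        }
    }
    else {
        # Degraded: apply only to devices that are NOT compliant (device filter in exclude
        # mode drops compliant ones) and let the app enforce its limited mode. SharePoint
        # Online / Exchange Online must have their unmanaged-device restriction configured.
        $conditions.devices = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.isCompliant -eq True'
            }
        }
        $policy.sessionControls = @{
            applicationEnforcedRestrictions = @{ isEnabled = $true }
        }
    }

    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}

# Phase 1 (the playbook's first 6 months): degraded access, report-only first.
$degraded = New-PilotDevicePolicy -Stance Degraded
# ...review the sign-in logs filtered on this policy, then switch it to enforced:
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $degraded.Id `
    -BodyParameter @{ state = "enabled" }

# Phase 2: stage the block policy in report-only; enable it once risk findings justify it.
$block = New-PilotDevicePolicy -Stance Block
```

The break-glass exclusion is the part practitioners most often omit: a "require compliant device" policy with no excluded emergency accounts turns an Intune or compliance-service outage into a tenant-wide lockout, which is why it sits in the function rather than being left to the operator.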

Low-risk trial — proof of value

30-day Windows 365 pilot for 25 contractors + Intune tightening

4 weeks

Windows 365 Cloud PC provisioned for 25 contractors. Intune policies tightened for the corporate estate. Conditional Access enforces device compliance for one business-priority application set. Joiner-mover-leaver workflow validated end-to-end against the pilot cohort.

Success criteria

  • 25 contractors onboarded to Cloud PC within 5 working days
  • Average onboarding time below 4 hours per contractor
  • Offboarding tested: account + Cloud PC + access removed within 1 hour
  • Conditional Access enforcement live for the pilot application set

Investment: Windows 365 ~€32/user/month at the trial tier. Intune covered by M365 E3 already in estate. Contractor headcount for the trial unchanged.
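The offboarding success criterion (account, Cloud PC and access removed within one hour) is the part of the joiner-mover-leaver flow most worth scripting, because a manual version of it is exactly where the leakage Internal Audit flagged comes from. The runbook below is an added example, not code from the original playbook or from Microsoft; it uses the Microsoft Graph PowerShell SDK and assumes group-based licensing for Windows 365 (a licence group ID) plus one or more contractor access groups, all placeholders. It disables the account, revokes refresh tokens (disabling alone leaves issued tokens valid until they expire), strips group membership, retires any Intune-managed device still assigned to the user, and reports elapsed time against the one-hour SLA.

```powershell
# Added example (not from the original page): contractor offboarding runbook covering
# the three removals the trial measures (account, Cloud PC, access) with SLA timing.
# Microsoft Graph PowerShell SDK. Group IDs are placeholders (assumed).

Connect-MgGraph -Scopes "User.ReadWrite.All", "User.RevokeSessions.All", `
    "GroupMember.ReadWrite.All", "DeviceManagementManagedDevices.Read.All", `
    "DeviceManagementManagedDevices.PrivilegedOperations.All"

$w365LicenseGroupId     = "<windows365-license-group-id>"        # assumed: group-based licensing
$contractorAccessGroups = @("<contractor-app-access-group-id>")  # assumed: groups granting app access

function Invoke-ContractorOffboarding {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)

    $clock = [System.Diagnostics.Stopwatch]::StartNew()
    $user  = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, AccountEnabled

    # 1. Account: block sign-in, then invalidate refresh tokens so live sessions cannot
    #    silently renew. Without the revoke, access tokens keep working until expiry.
    Update-MgUser -UserId $user.Id -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

    # 2. Access and Cloud PC: remove the user from every contractor access group and from
    #    the Windows 365 licence group. Losing the licence is what deprovisions the Cloud PC;
    #    the service holds it in a grace period first, which an admin can end early in the
    #    Intune admin center if immediate removal is required.
    $groupsRemoved = 0
    foreach ($gid in ($contractorAccessGroups + $w365LicenseGroupId)) {
        try {
            Remove-MgGroupMemberByRef -GroupId $gid -DirectoryObjectId $user.Id -ErrorAction Stop
            $groupsRemoved++
        }
        catch {
            Write-Warning "Group $gid : not a member or removal failed ($($_.Exception.Message))"
        }
    }

    # 3. Devices: retire (remove company data from) any Intune-managed device still assigned,
    #    which covers a contractor who was also issued a managed laptop.
    $devices = @(Get-MgDeviceManagementManagedDevice `
        -Filter "userPrincipalName eq '$($user.UserPrincipalName)'")
    foreach ($d in $devices) {
        Invoke-MgRetireDeviceManagementManagedDevice -ManagedDeviceId $d.Id
    }

    $clock.Stop()
    [pscustomobject]@{
        User            = $user.UserPrincipalName
        AccountDisabled = $true
        SessionsRevoked = $true
        GroupsRemoved   = $groupsRemoved
        DevicesRetired  = $devices.Count
        ElapsedMinutes  = [math]::Round($clock.Elapsed.TotalMinutes, 1)
        WithinSla       = $clock.Elapsed.TotalMinutes -lt 60
    }
}

# Usage against a pilot-cohort account (placeholder UPN):
Invoke-ContractorOffboarding -UserPrincipalName "contractor@example.com"
```

Run it from the HR-triggered leaver event rather than by hand, and keep the returned object as the audit record for the "within SLA" proof metric; the Cloud PC's own deprovision time is the one step the script cannot time, so note the grace-period setting your tenant uses when you report against the one-hour criterion.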

Proof metrics

  • Contractor onboarding time reduced by 80%+
  • Offboarding leakage eliminated (account + device removed within SLA)
  • Helpdesk endpoint tickets trending down
  • Above 90% of pilot-cohort sign-ins to the pilot application set satisfy the device-compliance grant control (from the Conditional Access sign-in reports)

Recommended cards

The SKUs and capabilities most likely to be part of the solution, with the editorial rationale for each in the context of this story.