Healthcare & Nonprofit
Automating Device Management with Intune
Building a zero-touch provisioning pipeline for a 45-location healthcare nonprofit — from fully manual to Autopilot at scale

At a Glance
- Client: Easterseals New Jersey — a large nonprofit providing services to persons with disabilities across 45 locations in New Jersey, with 775 endpoints in a HIPAA-regulated environment working toward HITRUST certification.
- Problem: A growing organization running entirely on on-premises Active Directory with no device management pipeline — where every workstation was provisioned by hand, every user was a local administrator, and the IT team's time was consumed by manual configuration work that should have been automatic.
- Services: Windows Autopilot and Intune design and deployment · security baseline development · PowerShell scripting and remediation · application deployment pipeline · vendor and reseller coordination (CDW) · Wi-Fi credential deployment · iterative development with internal IT team
- Platforms: Microsoft Intune · Windows Autopilot · Microsoft Entra ID · Microsoft Defender · LAPS · CDW
- Outcome: A complete zero-touch provisioning pipeline for new devices and an automated re-enrollment path for existing ones — across 45 locations, 60+ Wi-Fi networks, and dozens of deployed applications — with an IT team that spends significantly less time manually configuring workstations.
The Organization
A statewide nonprofit with a small IT team and a large footprint
Easterseals New Jersey provides a wide range of services to people with disabilities across the state — therapy, employment, early intervention, residential programs, and more. They operate out of 45 locations, support roughly 775 endpoints, and handle protected health information across multiple clinical systems. Their IT team is small relative to the footprint they cover, which makes every hour spent on manual provisioning an hour not spent on something more valuable.
Their environment at the start of the engagement was built on on-premises Active Directory, with no modern device management pipeline. Windows workstations were domain-joined by hand, configured by hand, and deployed by hand. There was no LAPS — every local admin account used the same credentials. Security baselines were applied inconsistently, if at all. Everyone was a local administrator on their own machine.
For a healthcare organization working toward HITRUST certification and handling HIPAA-regulated data, the gap between their current posture and where they needed to be was significant.
The Challenge
Scale, complexity, and a live environment
This was not a greenfield deployment. Easterseals NJ was operating a full clinical and administrative environment — line-of-business applications serving every department, remote access for dozens of locations, and multiple EHR systems. The work had to happen around the organization’s operations, not instead of them.
The scale added its own complexity. Forty-five locations meant 60-plus distinct Wi-Fi networks, each with its own SSID and credentials, all of which needed to be pushed to endpoints automatically. Application requirements spanned a wide range — from standard productivity tools to specialty clinical software used at the point of care. Each one was a custom package to build, test, deploy, and maintain.
And the device estate itself was split: new machines going forward could be enrolled automatically, but roughly 275 existing domain-joined PCs also needed a path into the new system without requiring someone to physically touch each one.
The Approach
Iterative, in partnership with the internal team
The engagement was structured as a series of weekly working sessions with Easterseals NJ’s IT team — not a one-time deployment, but a collaborative development process. Policies were built, tested on a small group of devices, refined, and expanded incrementally. Each week added capability; each cycle caught issues before they reached the broader fleet.
That cadence mattered. A policy conflict in BitLocker configuration, a hostname rename script that ran faster than a remote support tool could sync its device name, a screensaver setting that needed a registry workaround — these are the kinds of issues that only surface in a real environment with real machines. Working iteratively meant they were resolved with a handful of test devices, not with the full fleet.
The internal IT team was a genuine partner throughout. They knew the environment, the applications, the edge cases. The work was built with them, not handed off to them.
The Build
What was built
The Autopilot pipeline runs in two directions. New Windows devices purchased through CDW are automatically registered in Autopilot at the time of purchase — zero-touch enrollment, out of the box. For existing machines, a PowerShell script ingests the hardware hash and registers the device in Autopilot, so it can be factory reset and re-enrolled through the same automated flow. The IT team can now wipe and redeploy a workstation without manually configuring anything.
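The hash-ingestion step described above, shown as an added example rather than the script actually used in this engagement: it reads the Autopilot hardware hash from the local machine through the MDM WMI bridge and appends it to a CSV in the column layout the Intune admin center's Autopilot device import accepts. The `$OutputPath` parameter name and the output location are assumptions for this example; the WMI namespace, class and filter are the same ones Microsoft's published Get-WindowsAutopilotInfo script queries.

```powershell
# Added example (not Easterseals NJ's or the engagement's own script).
# Collects the Windows Autopilot hardware hash and appends it to an import CSV with the
# header "Device Serial Number,Windows Product ID,Hardware Hash".
# Must run elevated: the root/cimv2/mdm/dmmap namespace is only readable as administrator.
# $OutputPath is an assumed parameter name for this example.
[CmdletBinding()]
param(
    [string]$OutputPath = "$env:SystemDrive\Temp\AutopilotHWID.csv"
)

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated PowerShell session."
}

# Serial number as reported by the BIOS; Autopilot keys the registration on this value.
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()

# The hardware hash is exposed by the DevDetail CSP through the MDM WMI bridge.
$cimParams = @{
    Namespace   = 'root/cimv2/mdm/dmmap'
    ClassName   = 'MDM_DevDetail_Ext01'
    Filter      = "InstanceID='Ext' AND ParentID='./DevDetail'"
    ErrorAction = 'Stop'
}
$hash = (Get-CimInstance @cimParams).DeviceHardwareData
if ([string]::IsNullOrWhiteSpace($hash)) {
    throw "Hardware hash is empty; the MDM bridge was probably queried without elevation."
}

# Windows Product ID is optional in the import format and is left blank here.
$row = [PSCustomObject]@{
    'Device Serial Number' = $serial
    'Windows Product ID'   = ''
    'Hardware Hash'        = $hash
}

$dir = Split-Path -Parent $OutputPath
if (-not (Test-Path -Path $dir)) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
}

# The import parser does not accept quoted fields, so strip the quotes ConvertTo-Csv adds.
# Write the header only when the file is new, so many machines can append to one shared CSV.
$lines = $row | ConvertTo-Csv -NoTypeInformation | ForEach-Object { $_ -replace '"', '' }
if (Test-Path -Path $OutputPath) {
    $lines = $lines | Select-Object -Skip 1
}
$lines | Out-File -FilePath $OutputPath -Append -Encoding ascii

Write-Host "Captured hash for serial $serial in $OutputPath"
```

The resulting CSV is uploaded under Devices > Windows > Windows enrollment > Devices in the Intune admin center. Where Graph access is available from the machine, Microsoft's Get-WindowsAutopilotInfo script from the PowerShell Gallery (`Install-Script -Name Get-WindowsAutopilotInfo`, then `Get-WindowsAutopilotInfo -Online`) registers the same hash directly without the CSV round trip. Once the device shows as an Autopilot device, a reset from Intune drops it back into the same zero-touch flow as new hardware.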
A full security baseline was deployed across the fleet: LAPS for automated local admin password rotation, BitLocker encryption with recovery keys escrowed in Intune, strong MFA enforced via Microsoft Authenticator, Microsoft Defender replacing the legacy endpoint protection, URL blocking configured in Defender for restricted domains, and a full transition of local administrator rights away from end users.
An application pipeline delivers dozens of packages to every enrolled device — productivity software, clinical tools, remote support, browsers, and printer configurations — all deployed and maintained through Intune without manual installation.
Configuration policies complete the picture: Wi-Fi credentials pushed to all 60-plus SSID locations using dynamic group targeting, power and sleep settings standardized across the fleet, screensaver and lock screen enforced with Easterseals NJ branding, interactive logon message deployed with policy acknowledgment language, and every device renamed automatically to its serial number on enrollment.
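The serial-number rename is one of the configuration steps above, and the earlier section notes the timing problem it exposed (the rename outrunning a remote support agent's device-name sync). The following is an added example, not the rename script used in this engagement, written as an Intune PowerShell script running as SYSTEM on an Entra-joined device. It makes the BIOS serial a legal 15-character host name, refuses OEM placeholder serials, and defers the restart instead of forcing it so that other enrollment-time agents finish registering first. The `$RestartDelaySeconds` parameter and the placeholder list are assumptions for this example.

```powershell
# Added example (not Easterseals NJ's own rename script).
# Renames the device to its BIOS serial number on enrollment.
# Designed for an Intune PowerShell script running in the SYSTEM context on an Entra-joined device.
# $RestartDelaySeconds is an assumed parameter name for this example.
[CmdletBinding()]
param(
    [int]$RestartDelaySeconds = 600
)

function ConvertTo-HostName {
    param([Parameter(Mandatory)][string]$Serial)
    # Keep only characters allowed in a NetBIOS/DNS host label and cap the result at 15 characters.
    $clean = ($Serial -replace '[^A-Za-z0-9-]', '').TrimStart('-').ToUpperInvariant()
    if ($clean.Length -gt 15) { $clean = $clean.Substring(0, 15) }
    if ([string]::IsNullOrEmpty($clean)) { throw "Serial '$Serial' contains no usable characters." }
    return $clean
}

$serial  = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
$current = $env:COMPUTERNAME

# Some OEM firmware ships a placeholder instead of a real serial (constructed list of common ones);
# exit nonzero so Intune records the script as failed rather than renaming to something meaningless.
$placeholders = @('Default string', 'To Be Filled By O.E.M.', 'System Serial Number', 'None', '0')
if ([string]::IsNullOrWhiteSpace($serial) -or ($placeholders -icontains $serial.Trim())) {
    Write-Warning "BIOS serial is missing or a placeholder ('$serial'); leaving name as $current."
    exit 1
}

$target = ConvertTo-HostName -Serial $serial.Trim()

if ($current -ieq $target) {
    Write-Host "Device already named $target; nothing to do."
    exit 0
}

# Rename without -Restart: the new name takes effect only after a reboot, which is scheduled below
# so that agents still completing their own enrollment see a consistent name until then.
Rename-Computer -NewName $target -Force -ErrorAction Stop
Write-Host "Renamed $current to $target; restart scheduled in $RestartDelaySeconds seconds."

& shutdown.exe /r /t $RestartDelaySeconds /c "Applying device name $target"
exit 0
```

For Entra-joined Autopilot devices the deployment profile's "Apply device name template" with the `%SERIAL%` macro produces the same naming without a script; a script is the better fit when the serial needs sanitizing or when, as happened here, the restart has to be held back until other agents have synced.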
A staged Windows 11 upgrade pipeline was coordinated alongside the Autopilot work — upgrade rings rolled out incrementally, with user communications and IT team training to minimize disruption.
Outcomes
What we delivered
- Full Windows Autopilot enrollment pipeline — zero-touch for new devices, hash-ingestion re-enrollment for roughly 275 existing domain-joined PCs
- CDW vendor coordination for automatic Autopilot registration on all new hardware purchases
- Intune security baseline: LAPS, BitLocker with escrowed recovery keys, Microsoft Defender, strong MFA, local admin removal
- Dozens of application packages deployed and maintained via Intune without manual installation
- Wi-Fi credential deployment across 60+ locations using dynamic group targeting
- Windows 11 upgrade pipeline with staged rollout rings
- Iterative development in weekly partnership with the internal IT team