
Setup · 5 min read

Setting up a new laptop properly from day one

The first hour with a new laptop sets the tone for the next four years. Do it once, do it right.

A new laptop out of the box is not ready for business use. It needs setup, hardening and enrolling into your management and security systems before the user logs in for real work. Skipping steps here creates support debt that lasts for years.

Here's the checklist I use when setting up a device for a client.

Before the user touches it

1. Create or sign in with the correct business account

Don't let the user set it up with a personal Microsoft account or Apple ID. Use a managed business account from day one. On Windows, this means joining Microsoft Entra ID (formerly Azure AD). On Mac, use Apple Business Manager and a managed Apple ID.

2. Enrol into mobile device management (MDM)

Microsoft Intune, Jamf or Mosyle, depending on your stack. MDM enforces policies automatically: encryption, screen lock, password rules, software updates, and remote wipe if the device is lost or stolen. Enrol before the user installs anything.

3. Enable full-disk encryption

BitLocker on Windows, FileVault on Mac. This should be policy-enforced through MDM, not a manual checkbox. Store the recovery key in your management platform, not in a spreadsheet.

4. Remove bloatware and unnecessary software

Consumer laptops ship with trialware, games and manufacturer utilities most businesses don't need. Remove them before handover to keep the machine clean and reduce the attack surface.

5. Install the essentials

  • A modern browser (Edge or Chrome, kept up to date).
  • The password manager.
  • Endpoint protection if you use it beyond built-in Windows Defender or macOS protections.
  • VPN client if remote working is part of the role.
  • Video conferencing tools (Teams, Zoom, Google Meet).
  • Office suite or workspace platform (Microsoft 365 or Google Workspace).

6. Configure backup

OneDrive or Google Drive should sync the key folders (Documents, Desktop, Pictures) automatically. For anything local that doesn't sync, ensure it's covered by your backup policy.
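Steps 1 to 3 can be verified on the device itself before handover. The script below is an added example, not part of the original checklist; it covers Windows only, must run in an elevated PowerShell session, and assumes Intune is the MDM (the function names and the provider ID default are this example's own choices).

```powershell
# Pre-handover check for steps 1-3 on Windows (added example; run elevated).

function Test-EntraJoined {
    # dsregcmd prints lines such as "AzureAdJoined : YES"
    $status = dsregcmd /status
    [bool]($status -match '^\s*AzureAdJoined\s*:\s*YES')
}

function Test-MdmEnrolled {
    # Assumption: Intune is the MDM; its enrolments carry this ProviderID.
    param([string]$ProviderId = 'MS DM Server')
    $keys = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue
    foreach ($k in $keys) {
        if ($k.GetValue('ProviderID') -eq $ProviderId) { return $true }
    }
    return $false
}

function Get-DiskEncryptionState {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    [pscustomobject]@{
        ProtectionOn     = ("$($vol.ProtectionStatus)" -eq 'On')
        FullyEncrypted   = ("$($vol.VolumeStatus)" -eq 'FullyEncrypted')
        # A recovery password existing locally does not prove it was escrowed;
        # confirm the key is visible in the management platform as well.
        RecoveryPassword = ($types -contains 'RecoveryPassword')
    }
}

$disk = Get-DiskEncryptionState
$report = [ordered]@{
    'Step 1: joined to Entra ID'          = Test-EntraJoined
    'Step 2: enrolled in MDM'             = Test-MdmEnrolled
    'Step 3: BitLocker protection on'     = $disk.ProtectionOn
    'Step 3: system drive fully encrypted' = $disk.FullyEncrypted
    'Step 3: recovery password protector' = $disk.RecoveryPassword
}

foreach ($item in $report.GetEnumerator()) {
    $result = if ($item.Value) { 'PASS' } else { 'FAIL' }
    '{0,-40} {1}' -f $item.Key, $result
}

# Non-zero exit code lets a provisioning script stop the handover on any failure.
if (@($report.Values) -contains $false) { exit 1 }
```

A FAIL on "fully encrypted" straight after enrolment often just means encryption is still in progress; rerun the check before handing the device over.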

On first handover

7. Set up the docking station, monitor and peripherals

A laptop on its own is not a workstation. Give the user a proper desk setup: external monitor, keyboard, mouse, headset and a laptop stand or riser. Demonstrate how to dock and undock cleanly.

8. Walk through MFA enrolment

Set up the authenticator app on their phone, register the device as trusted, and test a login. Make sure they have a recovery method configured.

9. Show them the password manager

Create their vault, show them how to save and autofill passwords, and how to share credentials securely with colleagues. This ten-minute session saves dozens of support requests later.

10. Document the device

Serial number, asset tag, user, date issued, warranty end date, MDM enrolment status. Update your asset register. The first time someone leaves, or a device needs warranty repair, you'll be glad you did.

If you'd like me to handle device setup and enrolment for your team, get in touch.
