2025 · Healthcare

Policy parity across cloud and on-prem, under ISO 27001.

Stack
Autopilot · Intune · Active Directory consolidation · Group Policy · Conditional Access · LAPS · BitLocker · ISO 27001

Healthcare endpoint modernization at this scale isn't a volume problem — it's a parity problem. Establishing policy parity between cloud-managed and on-premises-managed devices means every Conditional Access decision, every encryption setting, every compliance check has to behave the same way regardless of which management plane the device is registered against. Across 22,000 endpoints, ten business units, and a regulatory floor of ISO 27001, that work was the engagement.

Group Policy consolidation, then unified Intune

The starting state was group-policy sprawl across multiple Active Directory domains — the kind of accumulation that happens organically in healthcare environments built through acquisition and decade-old IT decisions. Consolidating that GPO landscape into a unified Intune configuration meant remediating 2,000+ legacy policy conflicts and security misconfigurations along the way, mapping each one to its ISO 27001 control reference, and making sure the consolidation didn't break the workflows that had grown around the original policy posture. The audit trail produced by this work is the artifact compliance teams use long after the engagement closes.
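The consolidation step above turns on two mechanical questions: where do linked GPOs define the same setting with different values, and which of the resulting values fall below the security baseline the Intune profile must enforce? The script below is an added example, not tooling from this engagement: the three GPO exports are constructed, the precedence model (lowest link order applied last, therefore winning) covers GPOs linked to one target OU, and the setting-to-ISO 27001 control mapping is an assumption used to show how each finding can carry its control reference into the audit trail.

```python
"""Find GPO setting conflicts and baseline misconfigurations before
folding the GPOs into one Intune configuration profile.

Added example. The GPO exports, the baseline thresholds and the
ISO 27001 control mapping below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample of three GPOs linked to the same OU, as they might be
# summarised from a Get-GPOReport export. A lower link_order is applied
# later and therefore wins when two GPOs set the same value.
GPO_EXPORTS = [
    {"name": "Default Domain Policy", "source": "corp.example", "link_order": 3,
     "settings": {"BitLocker/OSDrive/EncryptionMethod": "AES128",
                  "Security/MinimumPasswordLength": "8",
                  "LAPS/PasswordAgeDays": "60"}},
    {"name": "Clinical-Workstations", "source": "corp.example", "link_order": 1,
     "settings": {"BitLocker/OSDrive/EncryptionMethod": "XtsAes256",
                  "LAPS/PasswordAgeDays": "30",
                  "Security/MinimumPasswordLength": "14"}},
    {"name": "Legacy-Acquired-Hospital", "source": "legacy.example", "link_order": 2,
     "settings": {"BitLocker/OSDrive/EncryptionMethod": "Disabled",
                  "Security/MinimumPasswordLength": "8",
                  "Screensaver/LockTimeoutSeconds": "900"}},
]

# Assumed mapping from setting path prefix to an ISO 27001:2022 Annex A
# control; anything unmapped is filed under configuration management.
CONTROL_MAP = {
    "BitLocker/": "A.8.24 Use of cryptography",
    "LAPS/": "A.8.2 Privileged access rights",
    "Security/MinimumPasswordLength": "A.8.5 Secure authentication",
    "Screensaver/": "A.8.1 User endpoint devices",
}
DEFAULT_CONTROL = "A.8.9 Configuration management"

# Constructed minimum baseline the consolidated Intune profile must meet.
BASELINE_CHECKS: Dict[str, Callable[[str], bool]] = {
    "BitLocker/OSDrive/EncryptionMethod": lambda v: v == "XtsAes256",
    "Security/MinimumPasswordLength": lambda v: int(v) >= 14,
    "LAPS/PasswordAgeDays": lambda v: int(v) <= 30,
}


@dataclass
class Conflict:
    setting: str
    values: Dict[str, str]   # GPO name -> value it sets
    effective_value: str     # value that wins under current precedence
    effective_from: str      # GPO supplying the winning value
    control: str             # ISO 27001 control reference (assumed mapping)


def control_for(setting: str) -> str:
    """Return the assumed ISO 27001 control reference for a setting path."""
    for prefix, control in CONTROL_MAP.items():
        if setting.startswith(prefix):
            return control
    return DEFAULT_CONTROL


def effective_baseline(gpos) -> Dict[str, str]:
    """Resolve every setting to the value the lowest link order supplies."""
    resolved: Dict[str, str] = {}
    for gpo in sorted(gpos, key=lambda g: g["link_order"], reverse=True):
        resolved.update(gpo["settings"])   # later-applied GPO overwrites
    return resolved


def find_conflicts(gpos) -> List[Conflict]:
    """Settings defined by more than one GPO with differing values."""
    by_setting: Dict[str, Dict[str, str]] = defaultdict(dict)
    for gpo in gpos:
        for setting, value in gpo["settings"].items():
            by_setting[setting][gpo["name"]] = value
    order = {g["name"]: g["link_order"] for g in gpos}
    conflicts = []
    for setting, values in sorted(by_setting.items()):
        if len(set(values.values())) > 1:
            winner = min(values, key=order.__getitem__)
            conflicts.append(Conflict(setting, dict(values), values[winner],
                                      winner, control_for(setting)))
    return conflicts


def find_misconfigurations(gpos) -> List[tuple]:
    """(gpo, setting, value, control) tuples that fail the baseline."""
    findings = []
    for gpo in gpos:
        for setting, value in gpo["settings"].items():
            check = BASELINE_CHECKS.get(setting)
            if check is not None and not check(value):
                findings.append((gpo["name"], setting, value, control_for(setting)))
    return findings


if __name__ == "__main__":
    for c in find_conflicts(GPO_EXPORTS):
        print(f"CONFLICT {c.setting} {c.values} -> {c.effective_value} "
              f"(from {c.effective_from}) [{c.control}]")
    for f in find_misconfigurations(GPO_EXPORTS):
        print("MISCONFIG", *f)
```

Run against real exports, the conflict list is the remediation backlog and the misconfiguration list is the set of settings the Intune profile must override regardless of which GPO currently wins; both carry a control reference so the audit trail is produced as a by-product of the consolidation rather than reconstructed afterwards.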

Autopilot and Zero Touch provisioning

Windows Autopilot was the adoption strategy across device classes — clinical kiosks, knowledge workers, BYOD scenarios — with hybrid and cloud-first deployment models per profile. Zero Touch provisioning compressed OS deployment time materially against the prior baseline. In healthcare environments, that's not just an efficiency story — it's a clinician-time story. Every hour a workstation is being imaged is an hour that workstation isn't on a clinical floor.

Role-based device management

Encryption, LAPS, and Conditional Access framed the role-based device management posture. Each role — clinical, administrative, BYOD — got the security baseline appropriate to it, rather than applying the most restrictive baseline uniformly. That's how compliance posture stays both achievable for the organization and audit-defensible to the regulator: per-role specificity, documented mapping to ISO 27001 controls, and Conditional Access policies that enforce automatically rather than by exception.
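To make the per-role idea concrete, the following added example models how a role-specific baseline can be evaluated against a device's reported state, so that a BYOD phone is held to MFA and app protection while a clinical workstation is held to compliance, BitLocker and LAPS rotation age. This is illustration code, not the engagement's policies and not how Microsoft Entra evaluates Conditional Access; the role names, requirement names, thresholds and device records are all constructed.

```python
"""Role-based access decision modelled on the posture described above.

Added example: the baselines, the 30-day LAPS rotation threshold and the
device records are constructed assumptions, not the engagement's policy.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional


@dataclass
class DeviceState:
    """Signals a management plane would report for one device/session."""
    device_id: str
    role: str
    intune_compliant: bool = False
    bitlocker_on: bool = False
    laps_last_rotation: Optional[date] = None   # None for unmanaged devices
    mfa_satisfied: bool = False
    app_protection_policy: bool = False


LAPS_MAX_AGE = timedelta(days=30)   # assumed rotation threshold

# Requirement name -> predicate over (device, today).
REQUIREMENTS: Dict[str, Callable[[DeviceState, date], bool]] = {
    "compliant_device": lambda d, _t: d.intune_compliant,
    "bitlocker": lambda d, _t: d.bitlocker_on,
    "laps_rotated": lambda d, t: (d.laps_last_rotation is not None
                                  and t - d.laps_last_rotation <= LAPS_MAX_AGE),
    "mfa": lambda d, _t: d.mfa_satisfied,
    "app_protection": lambda d, _t: d.app_protection_policy,
}

# Per-role baselines: each role gets what it needs, not the union of all.
ROLE_BASELINES: Dict[str, List[str]] = {
    "clinical": ["compliant_device", "bitlocker", "laps_rotated"],
    "administrative": ["compliant_device", "bitlocker", "laps_rotated", "mfa"],
    "byod": ["mfa", "app_protection"],
}


@dataclass
class Decision:
    grant: bool
    role: str
    unmet: List[str] = field(default_factory=list)


def evaluate(device: DeviceState, today: date) -> Decision:
    """Grant only when every requirement in the device's role baseline holds.

    A role with no baseline is blocked outright: an unmapped device should
    fail closed rather than inherit the least restrictive policy.
    """
    baseline = ROLE_BASELINES.get(device.role)
    if baseline is None:
        return Decision(False, device.role, ["unknown_role"])
    unmet = [name for name in baseline if not REQUIREMENTS[name](device, today)]
    return Decision(not unmet, device.role, unmet)


# Constructed sample devices.
TODAY = date(2025, 6, 1)
SAMPLE_DEVICES = [
    DeviceState("kiosk-01", "clinical", intune_compliant=True, bitlocker_on=True,
                laps_last_rotation=date(2025, 5, 20)),
    DeviceState("admin-07", "administrative", intune_compliant=True,
                bitlocker_on=True, laps_last_rotation=date(2025, 5, 25)),
    DeviceState("phone-42", "byod", mfa_satisfied=True, app_protection_policy=True),
    DeviceState("kiosk-02", "clinical", intune_compliant=True, bitlocker_on=True,
                laps_last_rotation=date(2025, 3, 1)),
    DeviceState("lab-99", "research"),
]


def evaluate_all(devices, today=TODAY) -> Dict[str, Decision]:
    return {d.device_id: evaluate(d, today) for d in devices}


if __name__ == "__main__":
    for dev_id, decision in evaluate_all(SAMPLE_DEVICES).items():
        verdict = "GRANT" if decision.grant else "BLOCK"
        print(f"{dev_id:9} {decision.role:15} {verdict} {decision.unmet}")
```

The unmet list is what makes the outcome audit-defensible: every block names the specific requirement, and therefore the specific control, that the device failed, which is the evidence an assessor asks for when checking that enforcement is automatic rather than by exception.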

Durable capability transfer

The team that runs the environment after the engagement is the team that was mentored through it. Modern identity practices, the consolidated Intune posture, the Autopilot rollout playbook — all of it transferred to the existing infrastructure team during the migration, not as a post-engagement handoff. That's deliberate. The strongest sign of a successful modernization is that the consultant isn't required to maintain it.

Categories
Healthcare · Modern endpoint · Compliance · BYOD