Every laptop a managed surface.
The endpoint is where almost every attack eventually lands — a phishing click, a malicious download, a USB stick, a compromised browser plugin. The platform-level answer is Intune-managed devices with Defender for Endpoint policy, AppLocker or Defender ASR rules constraining what can run, BitLocker on every disk, and the operating system patched within days of release rather than weeks. Most of this is already inside your M365 Business Premium licence; the gap is usually configuration and operating cadence, not licensing.
Unmanaged personal devices accessing tenant data with no compliance enforcement. Endpoint protection running but not in “tamper-protected” mode — ransomware disables it as a first step. Patches deferred for weeks because reboots interrupt work. Encrypted-at-rest assumed but never verified. Stolen or lost laptops with company data on the disk and no remote-wipe capability.
Intune device enrolment for every device touching tenant data — staff laptops, contractor machines, BYOD where allowed. Defender for Endpoint Plan 2 deployed with EDR, automated investigation, and tamper protection on. AppLocker policies (or Defender ASR rules) constraining what executables can run. BitLocker enforced, with recovery keys escrowed to Entra ID. Patching automated to fixed windows with rollback procedures documented.
Endpoint compliance reports run weekly — any device out of compliance is flagged and remediated. Defender XDR correlates endpoint signals with email and identity events. Lost-device workflow is documented and tested: remote wipe, identity revoke, audit log capture, restore from clean image. Annual endpoint-baseline review against ACSC Essential Eight targets.
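The controls above are easy to assume and rarely verified from the device itself. As an added example (not whedo.it's tooling, and not Intune's built-in compliance engine), the PowerShell script below checks a single Windows endpoint against that baseline using only built-in cmdlets: Entra join and MDM enrolment, Defender real-time and tamper protection, AppLocker or ASR rules actually enforcing, BitLocker state on the OS volume, and the age of the most recent hotfix. The 14-day patch threshold and the `dsregcmd /status` line patterns are assumptions; whether the recovery key has been escrowed to Entra ID cannot be confirmed from the device and must be checked on the tenant side.

```powershell
#Requires -RunAsAdministrator
# Added example: local endpoint self-check against the baseline in the text.
# Assumed threshold: patches no older than $MaxPatchAgeDays days.
param([int]$MaxPatchAgeDays = 14)

$results = New-Object System.Collections.Generic.List[object]
function Add-Check {
    param([string]$Name, [bool]$Pass, [string]$Detail)
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. Management: Entra joined and MDM-enrolled (line patterns assumed from dsregcmd output)
$dsreg  = dsregcmd /status
$joined = @($dsreg -match 'AzureAdJoined\s*:\s*YES').Count -gt 0
$mdm    = @($dsreg -match 'MdmUrl\s*:\s*https').Count -gt 0
Add-Check 'Entra joined and MDM enrolled' ($joined -and $mdm) "AzureAdJoined=$joined MdmUrl=$mdm"

# 2. Defender: real-time protection on and tamper protection on
$mp = Get-MpComputerStatus
Add-Check 'Defender real-time protection' $mp.RealTimeProtectionEnabled "Mode=$($mp.AMRunningMode)"
Add-Check 'Defender tamper protection'    $mp.IsTamperProtected        "IsTamperProtected=$($mp.IsTamperProtected)"

# 3. Execution control: AppLocker collections in Enforce mode, or ASR rules in Block mode (action 1)
$alXml   = [xml](Get-AppLockerPolicy -Effective -Xml)
$alRules = @($alXml.SelectNodes("//RuleCollection[@EnforcementMode='Enabled']/*")).Count
$pref     = Get-MpPreference
$asrBlock = 0
if ($pref.AttackSurfaceReductionRules_Ids) {
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        if ($pref.AttackSurfaceReductionRules_Actions[$i] -eq 1) { $asrBlock++ }
    }
}
Add-Check 'AppLocker or ASR enforcement' (($alRules -gt 0) -or ($asrBlock -gt 0)) `
    "AppLockerEnforcedRules=$alRules AsrBlockRules=$asrBlock"

# 4. BitLocker: OS volume fully encrypted, protection on, recovery password protector present
$blv = Get-BitLockerVolume -MountPoint $env:SystemDrive
$hasRecovery = @($blv.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }).Count -gt 0
Add-Check 'BitLocker on OS volume' ($blv.VolumeStatus -eq 'FullyEncrypted' -and $blv.ProtectionStatus -eq 'On') `
    "Status=$($blv.VolumeStatus) Protection=$($blv.ProtectionStatus)"
Add-Check 'BitLocker recovery password protector' $hasRecovery 'Escrow to Entra ID must be confirmed in Intune/Entra'

# 5. Patch cadence: most recent hotfix installed within the threshold (proxy for OS patching only)
$latest = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
$age = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { [int]::MaxValue }
Add-Check "Patched within $MaxPatchAgeDays days" ($age -le $MaxPatchAgeDays) "LatestHotfix=$($latest.HotFixID) AgeDays=$age"

$results | Format-Table -AutoSize
# Non-zero exit on any failure, so the script can double as a detection script in a scheduled job
if (@($results | Where-Object { -not $_.Pass }).Count -gt 0) { exit 1 }
```

Run it from an elevated PowerShell session; it prints one row per control with a Pass column and exits 1 if anything fails. The hotfix check is deliberately a coarse proxy (it sees OS updates, not third-party application patching), which is why the text pairs it with the weekly compliance report from the tenant side rather than relying on the device alone.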
Each of the six topics covers a layer of the security stack. They work together — phishing defence assumes good identity, identity assumes endpoint compliance, endpoint compliance assumes the tenant is locked down properly.
30 minutes, your environment, no deck. Warren walks the endpoint lockdown surface with you and tells you what it would take to lock it down properly. No follow-up unless you ask.
No deck, no pitch — walk your environment with a senior Australian practitioner. Confidential by default.
I built this business because I wanted to do managed services properly — for a small number of clients, at a senior level, with the same person on the end of the phone every time. The work is too important and the stakes are too high for anything less.
Behind the formal qualifications: a Cyber Security degree from the University of the Sunshine Coast, currently working on my Master’s, plus a continuous stack of Microsoft, Acronis and Nerdio certifications — the ones that have to be renewed because the threats don’t stay still.
Behind the certifications: thirty years of doing the work. I cut my teeth in consulting, then went to Cisco on the team building the original iPhone — Cisco’s VoIP handset, the trademark Apple later acquired in the 2007 settlement. At TPG in 1999 I sold frame-relay networks when frame-relay was the cutting edge of business connectivity. I built and sold a Sydney-based MSP called Online IT before relocating to Perth.
Three decades of watching what’s actually changed and what hasn’t. The technology has changed almost beyond recognition. The principles haven’t. Identity first. Backup that has actually been tested. A senior practitioner who knows your environment. Calm in an incident. Honest answers when the answer is “no.”
That’s whedo.it. That’s the brief. That’s why long-tenure clients don’t leave.
— Warren Ephron, Director