How to Set Up a New Windows Laptop for a Small Business Employee

Jeremy Phillips · February 4, 2026 · 7 min read · intermediate

Setting up a new Windows laptop for a business employee involves joining it to your company's identity system, installing required software, configuring security settings, and verifying everything works before handing it over. Following a consistent process every time ensures that every device in your office meets the same security and configuration baseline, which is important for both protection and compliance.

This guide walks through the full setup process step by step. If you are setting up more than a few machines, see the section at the end on automating this with Microsoft Autopilot.

What You Will Need Before Starting

Gather the following before you begin:

  • The laptop, powered on and connected to the internet. A wired Ethernet connection is preferred for faster downloads during setup, but Wi-Fi works fine.
  • The employee's Microsoft 365 credentials (email address and temporary password). If the account has not been created yet, set it up in the Microsoft 365 admin center first.
  • A list of business applications the employee needs for their role (line-of-business software, CRM, accounting tools, etc.).
  • Admin credentials for the device or your management platform.
  • Your company's Wi-Fi network name and password.

Step 1: Complete Windows Out-of-Box Setup (OOBE)

When you power on a brand-new laptop for the first time, Windows walks you through the Out-of-Box Experience. Select your region, keyboard layout, and connect to the internet.

If your company uses Entra ID (formerly Azure AD): When Windows asks how you want to set up the device, select "Set up for work or school." Enter the employee's work email address and password. This joins the laptop to your company's Entra ID tenant, which connects it to your organization's identity system, security policies, and management tools. This is the recommended path for any business using Microsoft 365 Business Premium.

If you are not using Entra ID: Select "Set up for personal use" and create a local administrator account with a strong temporary password. After setup is complete, create a separate standard (non-admin) user account for the employee's daily use. Employees should not use an administrator account for everyday work. Administrator accounts can install software and change system settings, which means malware running under an admin account has full access to the machine. A standard account limits the damage that malware or accidental changes can cause.

Step 2: Run All Windows Updates

Immediately after the initial setup, go to Settings > Windows Update and click Check for updates. Install all available updates. When prompted to restart, do so, then go back to Windows Update and check again. Some updates are sequential, meaning the second batch only appears after the first batch is installed and the machine has restarted.

Continue this cycle until the Windows Update screen shows "You're up to date" with no pending restarts. On a brand-new laptop, this process can take 30 to 60 minutes. Factor this time into your setup schedule. It is tempting to skip this step and hand the laptop over, but an unpatched machine is vulnerable from the moment it connects to the network.

Step 3: Configure Security Settings

With the laptop updated, configure the core security settings.

Verify Windows Security (Defender) is active. Go to Settings > Privacy & security > Windows Security and click Open Windows Security. Check that Virus & threat protection shows a green checkmark and that definitions are up to date. Microsoft Defender for Business, included with Microsoft 365 Business Premium, provides stronger protection than the basic consumer version of Defender, including attack surface reduction rules, web filtering, and centralized alerting.

Athencia layers Huntress Managed EDR on top of Defender for Business for all client devices. Huntress provides 24/7 monitoring by a human security operations center (SOC) that investigates suspicious activity, confirms real threats, and initiates response actions. If your company uses Huntress, install the Huntress agent now. Your IT provider will supply the installer and the organization key needed during installation.

Enable BitLocker drive encryption. Go to Settings > Privacy & security > Device encryption and turn it on. If the full BitLocker settings are available (on Pro or Enterprise editions), open Control Panel > System and Security > BitLocker Drive Encryption and click Turn on BitLocker. Select XTS-AES 256-bit encryption.

When prompted to back up the recovery key, save it to Entra ID if the device is joined to your tenant. This stores the recovery key centrally where administrators can access it. If the device is not joined to Entra ID, save the recovery key to a USB drive and store it in a secure location separate from the laptop.

Verify Windows Firewall is on. Go to Windows Security > Firewall & network protection. All three network profiles (Domain, Private, and Public) should show the firewall as on. This is enabled by default, but it is worth confirming.

Step 4: Install Microsoft 365 Apps

Open a web browser and navigate to office.com. Sign in with the employee's Microsoft 365 credentials. Click Install Office (or Install apps in the top right corner) to download the Microsoft 365 desktop application installer. Run the installer. This installs Word, Excel, PowerPoint, Outlook, Teams, and OneNote.

After installation completes, open Outlook and sign in with the employee's work email. Outlook will automatically configure the email account. Verify that email sends and receives by sending a test message.

Open Teams and sign in. Verify the employee can see their team channels and contacts.

Open OneDrive from the system tray (bottom-right corner of the taskbar, look for the cloud icon) and sign in with the employee's work credentials. OneDrive will begin syncing any shared folders or libraries that are configured for the employee. If your company stores files in SharePoint document libraries, set up the sync for those libraries as well by navigating to the SharePoint site in a browser, clicking Sync, and confirming in the OneDrive app.

Step 5: Install Business Applications

Install the company-specific applications the employee needs for their role. This varies by business but typically includes:

  • Line-of-business applications: CRM, practice management, accounting software (QuickBooks, Sage), EHR systems, or industry-specific tools.
  • 1Password: If your company uses 1Password as its password manager, install it now. Download it from 1password.com, install the desktop app and the browser extension, and have the employee sign in to the company vault. Setting up the password manager early in the onboarding process means the employee has secure access to all their account credentials from day one.
  • VPN client: If the employee needs remote access to on-premises resources, install the VPN client and configure the connection.
  • Printers: Connect to networked printers. Go to Settings > Bluetooth & devices > Printers & scanners > Add device and add the office printers by name or IP address.

If your devices are managed with Microsoft Intune, many of these applications can be deployed automatically. Intune supports pushing Microsoft 365 apps, line-of-business applications, and Win32 apps to enrolled devices without manual installation. Check your Intune app deployment policies to see which applications are already configured for automatic deployment.

Step 6: Apply Company Policies

If the device is enrolled in Microsoft Intune, company policies apply automatically after enrollment. Intune pushes configuration profiles that control security settings, update policies, compliance requirements, and more. You can verify that policies are applying by going to Settings > Accounts > Access work or school, clicking on the connected account, and selecting Info. This shows the sync status and any policies applied to the device.

If you are managing devices manually without Intune, configure the following settings by hand:

  • Screen lock timeout: Go to Settings > System > Power > Screen and sleep. Set the screen to turn off after 5 to 10 minutes of inactivity. Also require a password on wake by going to Settings > Accounts > Sign-in options and setting "Require sign-in" to "When PC wakes from sleep."
  • Disable USB autorun: Search for "AutoPlay" in Settings and turn off "Use AutoPlay for all media and devices." This prevents malware from executing automatically when a USB drive is inserted.
  • Configure Windows Update: Go to Settings > Windows Update > Advanced options and set active hours to match business hours so restarts only happen outside of work time.
  • Set the default browser if your company has a standard (Edge is the default on Windows 11 and integrates well with Microsoft 365).
  • Configure power settings appropriate for the employee's role. For desk workers, set the laptop to "Best performance." For employees who travel frequently, "Balanced" preserves battery life.
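The manual settings above can be scripted so every non-Intune laptop gets the same values. The following is an added example, not part of the original guide. It assumes a 10-minute screen timeout and 08:00 to 18:00 business hours, and it uses the machine-wide Group Policy registry values for AutoPlay and active hours rather than the per-user Settings toggles described in the list.

```powershell
#Requires -RunAsAdministrator
# Added example: applies the manual Step 6 settings from an elevated PowerShell session.
# Assumed values (not from the guide): 10-minute timeout, active hours 08:00-18:00.

# Hypothetical helper: create the key if needed, then write a DWORD value.
function Set-PolicyValue([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Screen lock timeout: turn the display off after 10 minutes on AC and on battery.
powercfg /change monitor-timeout-ac 10
powercfg /change monitor-timeout-dc 10

# Require sign-in when the PC wakes (CONSOLELOCK = 1), then re-apply the current plan.
powercfg /setacvalueindex SCHEME_CURRENT SUB_NONE CONSOLELOCK 1
powercfg /setdcvalueindex SCHEME_CURRENT SUB_NONE CONSOLELOCK 1
powercfg /setactive SCHEME_CURRENT

# AutoPlay/AutoRun off for all drive types, for every user of the machine.
# 0xFF is the "All drives" setting of the "Turn off AutoPlay" policy.
$explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-PolicyValue $explorer 'NoDriveTypeAutoRun' 0xFF
Set-PolicyValue $explorer 'NoAutorun' 1

# Windows Update active hours: no automatic restarts between 08:00 and 18:00.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
Set-PolicyValue $wu 'SetActiveHours' 1
Set-PolicyValue $wu 'ActiveHoursStart' 8
Set-PolicyValue $wu 'ActiveHoursEnd' 18

# Read the values back so the technician can record what was applied.
Get-ItemProperty -Path $explorer | Select-Object NoDriveTypeAutoRun, NoAutorun
Get-ItemProperty -Path $wu | Select-Object SetActiveHours, ActiveHoursStart, ActiveHoursEnd
```

Because these are policy values, the matching controls in Settings may show as managed by the organization afterward.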

Step 7: Verify and Hand Off

Before handing the laptop to the employee, do a final verification pass.

Restart the laptop one more time. After it boots, sign in with the employee's account and confirm the following:

  • Email: Open Outlook, send a test email, and verify it is received.
  • Teams: Start a test call. Verify the microphone picks up audio and the camera shows video.
  • Files: Open OneDrive and verify shared files and folders are visible and syncing.
  • Printers: Print a test page to each printer the employee needs.
  • Applications: Open each business application and confirm it launches and connects to any required servers or databases.
  • Security: Open Windows Security and confirm Defender and any additional endpoint protection (Huntress) show green/active status. Verify BitLocker is on.
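The security settings configured in Step 3 and re-checked in the Security item above can also be confirmed from an elevated PowerShell session, which gives a record you can keep with the device's setup notes. This is an added example, not part of the original guide. The one-day definition age threshold is an assumption, and the script does not check the Huntress agent.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of the Step 3 security baseline on the local machine.
# The signature-age threshold (<= 1 day) is an assumption, not a value from the guide.

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# Microsoft Defender: engine enabled, real-time protection on, definitions current.
$mp = Get-MpComputerStatus
Add-Check 'Defender antivirus enabled' $mp.AntivirusEnabled "AMServiceEnabled=$($mp.AMServiceEnabled)"
Add-Check 'Defender real-time protection' $mp.RealTimeProtectionEnabled "RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)"
Add-Check 'Defender definitions current' ($mp.AntivirusSignatureAge -le 1) "Signature age: $($mp.AntivirusSignatureAge) day(s)"

# BitLocker on the OS volume: protection on, expected cipher, recovery password exists.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
Add-Check 'BitLocker protection on' ($os.ProtectionStatus -eq 'On') "VolumeStatus=$($os.VolumeStatus)"
Add-Check 'BitLocker cipher is XTS-AES 256' ($os.EncryptionMethod -eq 'XtsAes256') "EncryptionMethod=$($os.EncryptionMethod)"
$hasRecovery = @($os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').Count -gt 0
Add-Check 'Recovery password protector present' $hasRecovery 'Confirm the key is saved to Entra ID or stored offline'

# Windows Firewall: all three profiles must be enabled.
foreach ($p in Get-NetFirewallProfile -Name Domain, Private, Public) {
    Add-Check "Firewall profile: $($p.Name)" ([string]$p.Enabled -eq 'True') "Enabled=$($p.Enabled)"
}

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) {
    Write-Warning 'Security baseline not met. Fix the failed checks before handing off the laptop.'
}
```

If the cipher check reports `XtsAes128`, the volume was encrypted with the Windows default. The encryption method is fixed when encryption starts, so changing it means decrypting the drive and encrypting it again.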

Walk the employee through the basics: how to lock the screen (Windows + L), where to find their key applications, how to connect to Wi-Fi at home or on the road, and who to contact for IT help.

Automating Setup with Microsoft Autopilot

If your office is setting up more than a few laptops, doing this process manually for each one is time-consuming. Microsoft Autopilot, included with Microsoft 365 Business Premium, eliminates most of the manual work.

With Autopilot, you register the new laptop's hardware ID with your Microsoft 365 tenant before the employee ever touches it. When the employee powers on the laptop for the first time and signs in with their work email, Autopilot takes over. It joins the device to Entra ID, enrolls it in Intune, applies all company policies, installs assigned applications, and configures security settings, all automatically. The employee ends up with a fully configured, compliant device without anyone from IT needing to touch the machine.

This means new laptops can be shipped directly from the vendor or retailer to the employee's home or desk. The employee opens the box, powers it on, signs in, and everything configures itself. Athencia sets up Autopilot as part of its managed IT stack so that every new device deployment is consistent and secure.

Setup Checklist Summary

  • Windows OOBE complete and joined to Entra ID (or local account created)
  • All Windows updates installed
  • BitLocker enabled and recovery key backed up to Entra ID
  • Endpoint protection installed and active (Defender for Business + Huntress)
  • Microsoft 365 apps installed and configured (Outlook, Teams, OneDrive)
  • Business applications installed
  • 1Password installed and signed in
  • Printers connected
  • Company policies applied (via Intune or manually)
  • All functionality verified
  • Employee walked through basics

Need Help?

Setting up laptops consistently is one of the most important things you can do for your business's security posture. If you want to streamline the process with Autopilot, or if you need help configuring Intune policies for your devices, contact Athencia. We will make sure every device that enters your organization is set up right from the start.
