Endpoint Hygiene Baseline (Quick Checks)
A vendor-neutral checklist to reduce risk and downtime from laptops/desktops and admin access - designed for NZ small businesses.
How to use this
- Run the 30-minute baseline once (or whenever you onboard a new device).
- Repeat the 15-minute monthly rhythm to prevent drift.
- Use the tracking table to keep evidence (not assumptions).
Tip: You don’t need perfect. You need a repeatable baseline and evidence it’s working.
30-minute endpoint baseline (quick checks)
- Patch status: Confirm OS and key apps are updating and not “weeks behind”. Capture evidence (report or screenshot).
- Disk encryption: Ensure company laptops/desktops use full-disk encryption (so loss/theft isn’t a data incident).
- Admin rights: Identify who has local admin and why. Remove by default; keep an exceptions list with expiry dates.
- MFA + sign-in hygiene: Require MFA for business systems and protect admin accounts separately.
- Security tools reporting: Verify protections are active and reporting (installed ≠ working).
- Device inventory: Know what devices exist, who uses them, and what OS/version they run.
Monthly rhythm (15 minutes)
- Review patch compliance % and the “top offenders” (devices behind by 30+ days).
- Review the admin exceptions list: remove or renew with a time limit.
- Confirm encryption coverage remains 100% for company devices.
- Spot recurring endpoint incidents (slow boot, crashes, malware alerts) and treat them as problems to eliminate.
What good looks like (owner-friendly metrics)
| Metric | Target | Notes |
| --- | --- | --- |
| Patch compliance | ≥ 95% within 14-30 days | Track OS + key apps; measure exceptions. |
| Encryption coverage | 100% company devices | Critical for lost/stolen laptops. |
| Local admin users | As low as possible | Document and time-limit any exceptions. |
| Time-to-revoke access | Minutes | For stolen devices or staff departures. |
Tracking table (copy/paste)
Use this table to track devices and evidence. Keep it simple.
| Device | User | OS | Patched (Y/N) | Encrypted (Y/N) | Local admin (Y/N) | Notes / exceptions (expiry) |
| --- | --- | --- | --- | --- | --- | --- |
| Example-LAP-01 | A. Person | Windows/macOS | | | | |
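The monthly review can be computed straight from this table. The script below is an added example, not part of the original checklist: it parses rows in the table's pipe layout and reports patch compliance, encryption coverage, devices 30+ days behind, and local admin entries with no valid exception. It assumes two conventions the table does not define: an extra "Last patched" column, and exception expiry written as `expiry YYYY-MM-DD` in the notes.

```python
import re
from datetime import date

# Constructed sample in the page's tracking-table layout. Assumptions (not in
# the original): a "Last patched" column and ISO dates written after "expiry".
SAMPLE = """\
| Device | User | OS | Patched (Y/N) | Last patched | Encrypted (Y/N) | Local admin (Y/N) | Notes / exceptions (expiry) |
| Example-LAP-01 | A. Person | Windows | Y | 2025-05-20 | Y | N | |
| Example-LAP-02 | B. Person | macOS | N | 2025-04-01 | Y | Y | legacy app, expiry 2025-05-15 |
| Example-DSK-03 | C. Person | Windows | Y | 2025-05-28 | N | Y | no expiry recorded |
| Example-LAP-04 | D. Person | Windows | Y | 2025-05-25 | Y | Y | installer role, expiry 2025-07-31 |
"""

def parse_table(text):
    """Turn pipe-delimited rows into dicts keyed by the header row."""
    rows = [[c.strip() for c in line.strip().strip("|").split("|")]
            for line in text.splitlines() if line.strip().startswith("|")]
    rows = [r for r in rows if not all(set(c) <= set("-:") for c in r)]  # skip |---| rows
    return [dict(zip(rows[0], r)) for r in rows[1:]] if rows else []

def review(devices, today, max_age_days=30):
    """Compute the monthly-review figures; a blank cell counts as a failure."""
    if not devices:
        raise ValueError("no device rows to review")
    yes = lambda d, col: d.get(col, "").upper() == "Y"
    stale, bad_admin = [], []
    for d in devices:
        try:
            age = (today - date.fromisoformat(d.get("Last patched", ""))).days
        except ValueError:
            age = None  # no patch evidence recorded: flag it rather than assume
        if age is None or age >= max_age_days:
            stale.append((d["Device"], age))
        if yes(d, "Local admin (Y/N)"):
            m = re.search(r"expiry\s+(\d{4}-\d{2}-\d{2})",
                          d.get("Notes / exceptions (expiry)", ""))
            # Local admin with no dated exception, or a lapsed one, needs action.
            if not m or date.fromisoformat(m.group(1)) < today:
                bad_admin.append(d["Device"])
    n = len(devices)
    return {
        "patch_compliance_pct": 100 * sum(yes(d, "Patched (Y/N)") for d in devices) / n,
        "encryption_coverage_pct": 100 * sum(yes(d, "Encrypted (Y/N)") for d in devices) / n,
        "top_offenders": sorted(stale, key=lambda s: (s[1] is not None, -(s[1] or 0))),
        "unencrypted": [d["Device"] for d in devices if not yes(d, "Encrypted (Y/N)")],
        "admin_without_valid_exception": bad_admin,
    }

if __name__ == "__main__":
    for key, value in review(parse_table(SAMPLE), today=date(2025, 6, 1)).items():
        print(f"{key}: {value}")
```

Devices with no recorded patch date sort to the top of `top_offenders` with an age of `None`, so missing evidence is surfaced instead of being counted as compliant.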
Common gotchas
- “Auto update is on” but devices are off at night - updates never apply.
- Everyone has admin because a legacy app requires it - fix with exceptions + workarounds, not blanket admin.
- Tools installed but not monitored - no one sees failures until an incident occurs.
Note: This document is general operational guidance and does not replace legal advice. It helps you establish a practical baseline and reduce common privacy risks.
hello@virtusgroup.biz
virtusgroup.co.nz
0800 847 887 (VIRTUS)