
Free PDF · Endpoint Management

Endpoint Hardening Checklist

A secure-baseline configuration checklist to push through your UEM/MDM across Windows, macOS, and mobile — covering encryption, local admin, firewall, screen lock, EDR, and attack-surface reduction.

  • Disk Encryption & Data Protection
  • Identity & Local Admin
  • Network & Firewall
  • EDR & Attack-Surface Reduction


What it is

An Endpoint Hardening Checklist is a secure-baseline configuration list you push through your UEM or MDM to lock down every managed device against the most common attack paths. This checklist spans Windows, macOS, and mobile, grouping controls into the areas that actually move the needle: encryption and device protection, local admin and identity, network and firewall, malware defense and attack-surface reduction, and compliance enforcement with remote actions. Each line is a concrete, enforceable setting, not a vague aspiration, so you can work down the list and confirm every device in the fleet is configured to the same defensible standard.

The checklist is grounded in real hardening controls. On encryption it calls for full-disk encryption enforced by policy, BitLocker on Windows and FileVault on macOS, with recovery keys escrowed to the MDM and confirmed retrievable. On identity it removes persistent local admin rights, replacing them with just-in-time or LAPS-style elevation, and ties device sign-in to MFA and conditional access. On malware defense it expects EDR or antivirus deployed, healthy, and reporting into device compliance, alongside attack-surface-reduction rules that block Office macros and untrusted scripts. The throughline is that a control only counts when it is enforced and monitored, not merely recommended.

Its most important principle, stated plainly in the checklist itself, is that a hardening baseline is only as good as its enforcement. Every control should auto-remediate on drift, and device compliance should gate conditional access, because a setting a user can quietly turn off is not a control. The checklist is therefore as much about how you enforce as what you enforce, and it pairs naturally with a baseline configuration profile you can score and an asset inventory you can audit against.

What it's used for

Teams use an endpoint hardening checklist to turn a sprawling, easy-to-forget set of security settings into a systematic baseline they can deploy and verify across the whole fleet. The checklist supports several concrete jobs:

  • Enforcing full-disk encryption fleet-wide (BitLocker on Windows, FileVault on macOS), with recovery keys escrowed to the MDM and confirmed retrievable, plus removable-media and USB controls that match your data-protection rules.
  • Eliminating standing local admin rights, granting elevation just-in-time or through a LAPS-style rotated-password workflow, and disabling or renaming the built-in administrator and guest accounts.
  • Locking down the network posture: host firewall on with default-deny inbound, certificate-based Wi-Fi authentication, secure or filtered DNS, and file and printer sharing disabled on untrusted networks.
  • Standing up malware defense that holds: EDR healthy and reporting into compliance, attack-surface-reduction and exploit protection enabled, and application control or allowlisting that limits execution to approved software.
  • Enforcing screen lock with a short idle timeout and password-on-wake, strong passcode complexity, and lockout after repeated failed attempts, so a walk-up or stolen device is not an open door.
  • Wiring compliance to access: policies evaluate encryption, OS version, jailbreak or root state, EDR health, and password posture, and non-compliant devices automatically lose access to corporate apps and data.
  • Validating the response path: telemetry forwarded to the SIEM, and the lost-or-stolen actions (remote lock, lost mode, selective or full wipe) tested rather than assumed to work.
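The "wiring compliance to access" item above (and the conditional-access answer in the FAQ) describes a decision that is easy to state and easy to get subtly wrong: which posture signals are evaluated, what counts as an unhealthy EDR, whether a stale recovery-key escrow fails the device, and which failures get a grace window. The following is an added example written for this page, not code from the checklist or from any MDM vendor. The posture field names, thresholds, platform minimums and the fleet records are assumptions standing in for what a UEM/MDM and EDR would actually report.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy values for this example; in production they live in the MDM compliance policy.
MIN_OS = {"windows": (10, 0, 19045), "macos": (14, 0, 0), "ios": (17, 0, 0), "android": (13, 0, 0)}
FDE_NAME = {"windows": "bitlocker", "macos": "filevault", "ios": "data-protection", "android": "file-based"}
MIN_PASSCODE_LEN = {"windows": 12, "macos": 12, "ios": 6, "android": 6}
ESCROW_PLATFORMS = {"windows", "macos"}                   # platforms where a recovery key is escrowed
EDR_MAX_SILENCE = timedelta(hours=24)                     # an EDR silent longer than this is unhealthy
GRACE = {"os_version_below_minimum": timedelta(days=7)}  # only a missing update gets a grace window


@dataclass
class Posture:
    """One device's posture as the UEM/MDM and EDR would report it (field names are assumptions)."""
    device_id: str
    platform: str
    os_version: str
    encryption: Optional[str]        # FDE in effect on the boot volume, or None when off
    current_key_id: Optional[str]    # identifier of the recovery key/protector now on the disk
    escrowed_key_id: Optional[str]   # identifier of the recovery key the MDM has on file
    jailbroken: bool
    edr_installed: bool
    edr_last_seen: Optional[datetime]
    passcode_len: int
    lockout_enabled: bool
    failing_since: Optional[datetime] = None  # when the MDM first recorded this device non-compliant


def parse_version(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))


def evaluate(p: Posture, now: datetime) -> list:
    """Return the failing controls for one device; an empty list means compliant."""
    failures = []
    if parse_version(p.os_version) < MIN_OS[p.platform]:
        failures.append("os_version_below_minimum")
    if p.encryption != FDE_NAME[p.platform]:
        failures.append("disk_encryption_off")
    elif p.platform in ESCROW_PLATFORMS and (
            p.escrowed_key_id is None or p.escrowed_key_id != p.current_key_id):
        # Encrypted, but the key on file would not unlock this disk: escrow is missing or stale.
        # Recovery keys rotate after use, so a once-valid escrow can silently go stale.
        failures.append("recovery_key_not_escrowed")
    if p.jailbroken:
        failures.append("jailbroken_or_rooted")
    if (not p.edr_installed or p.edr_last_seen is None
            or now - p.edr_last_seen > EDR_MAX_SILENCE):
        failures.append("edr_unhealthy")
    if p.passcode_len < MIN_PASSCODE_LEN[p.platform] or not p.lockout_enabled:
        failures.append("weak_passcode_posture")
    return failures


def access_decision(p: Posture, now: datetime) -> tuple:
    """Conditional-access verdict: 'allow', 'warn' (every failure inside its grace window) or 'block'."""
    failures = evaluate(p, now)
    if not failures:
        return "allow", failures
    since = p.failing_since or now
    in_grace = all(f in GRACE and now - since <= GRACE[f] for f in failures)
    return ("warn" if in_grace else "block"), failures


def gate_fleet(fleet, now):
    """Map device id -> (verdict, failing controls) for a whole fleet snapshot."""
    return {p.device_id: access_decision(p, now) for p in fleet}


NOW = datetime(2026, 6, 1, 12, 0, tzinfo=timezone.utc)
HEALTHY = NOW - timedelta(hours=2)

# Constructed fleet snapshot for the example; none of these are real devices.
FLEET = [
    Posture("win-01", "windows", "10.0.26100", "bitlocker", "kp-7a1", "kp-7a1", False, True, HEALTHY, 14, True),
    # FileVault on, but the MDM still holds the key from before the last recovery: stale escrow.
    Posture("mac-02", "macos", "15.3.1", "filevault", "prk-new", "prk-old", False, True, HEALTHY, 14, True),
    Posture("ios-03", "ios", "18.2", "data-protection", None, None, True, True, HEALTHY, 6, True),
    # EDR agent installed but silent for three days.
    Posture("win-04", "windows", "10.0.26100", "bitlocker", "kp-9c2", "kp-9c2", False, True,
            NOW - timedelta(days=3), 14, True),
    # One build behind the minimum, two days into a seven-day patch grace window.
    Posture("win-05", "windows", "10.0.19044", "bitlocker", "kp-1d4", "kp-1d4", False, True, HEALTHY, 14, True,
            failing_since=NOW - timedelta(days=2)),
]

if __name__ == "__main__":
    for dev, (verdict, why) in gate_fleet(FLEET, NOW).items():
        print(f"{dev:8} {verdict:5} {', '.join(why) or '-'}")
```

Two design points carry over to a real compliance policy. Only the missing-update control gets a grace window, because a device without encryption, with a rooted OS or with a silent EDR agent is an immediate block, not a ticket. And escrow is checked by key identifier rather than by "a key exists", which is what catches the macOS device whose recovery key rotated after use while the MDM kept the old one.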

Who uses it

Hardening is a shared responsibility between the people who define the baseline, the people who push it, and the people who answer for it. The checklist gives each group a clear set of controls to own:

Security Engineers / SecOps: They define which controls belong in the baseline, set the attack-surface-reduction rules, and confirm EDR health feeds device compliance state correctly.
Endpoint / MDM Administrators: They translate the checklist into Intune, Jamf, Kandji, or Workspace ONE configuration profiles and ensure each control actually deploys and auto-remediates on drift.
IT Managers / CISO: They sign off the baseline as the organization's standard and rely on conditional access to make non-compliance automatically block corporate access.
Compliance / Audit teams: They map the checklist to frameworks like CIS Benchmarks and use the enforced, monitored controls as evidence the baseline is operating, not just written down.
Help Desk: They handle escalations from elevation requests and recovery-key retrievals, so a documented just-in-time admin workflow and escrowed keys keep support fast and secure.
IT teams onboarding new hardware: They use the checklist as the configuration acceptance test before a device is handed to a user, so nothing ships out below baseline.

Context & good to know

Endpoint hardening exists because the endpoint is where most breaches actually start. Phishing lands on a laptop, a malicious macro runs in someone's Office document, a stolen device walks out of a coffee shop. The network perimeter has dissolved into thousands of individual devices on home Wi-Fi and cellular, so the device itself has become the perimeter. A hardening baseline is the practical acknowledgment of this: instead of trusting the network, you make each endpoint defensible on its own, with encryption, EDR, least privilege, and a locked-down configuration that holds even when the device is off-network.

The single idea that separates effective hardening from security theater is enforcement with drift remediation. It is easy to publish a configuration profile and assume the fleet is hardened; it is much harder to ensure that profile stays applied as users tinker, software changes settings, and new devices enroll. This is why the checklist insists that controls auto-remediate on drift and that compliance is wired to conditional access. A device whose firewall a user disabled, or whose EDR silently fell unhealthy, should automatically lose access to corporate data until it is back in compliance, not coast along unnoticed until an incident exposes it.

In the wider endpoint-management picture, the hardening checklist is the action list and a scored baseline profile is its measurement counterpart. UEM and MDM platforms (Intune, Jamf, Kandji, ManageEngine) give you the levers; the checklist tells you which levers to pull, and the baseline profile tells you how far reality has drifted from where you set them. Together with an asset inventory that proves coverage and an EDR that supplies the live compliance signal, hardening becomes a closed loop: define the baseline, push it, measure drift, auto-remediate, and gate access on the result.
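The drift-remediation loop described in the two paragraphs above (and again in the FAQ on auto-remediation) has a shape worth seeing in code: compare observed state with the baseline, re-apply what drifted, re-check, and notice when the same setting keeps coming back, because a control that is re-applied every check-in and undone every check-in is being fought by a user or a program and needs a human, not another retry. This is an added example written for this page, not an MDM's enforcement engine. The baseline keys, the observed device state, the tampering routine and the `agent_apply` stand-in for the management agent are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple

# Assumed baseline for this example; keys are modelled on common UEM settings, not any vendor's schema.
BASELINE: Dict[str, Any] = {
    "firewall.enabled": True,
    "firewall.default_inbound": "block",
    "screenlock.idle_seconds": 300,
    "screenlock.password_on_wake": True,
    "edr.realtime_protection": True,
    "asr.office_child_process": "block",
    "localadmin.standing_members": [],     # nobody holds persistent local admin
    "usb.mass_storage": "read_only",
}
AT_MOST = {"screenlock.idle_seconds"}          # a stricter (smaller) observed value is not drift
SUBSET_OF = {"localadmin.standing_members"}    # fewer members than allowed is not drift
REPEAT_THRESHOLD = 3   # a setting remediated this often is being undone by something: escalate


def value_ok(key: str, observed: Any, desired: Any) -> bool:
    if key in AT_MOST:
        return observed is not None and observed <= desired
    if key in SUBSET_OF:
        return set(observed or []) <= set(desired)
    return observed == desired


def find_drift(observed: Dict[str, Any], baseline: Dict[str, Any] = BASELINE) -> Dict[str, Tuple[Any, Any]]:
    """Map each drifted setting to (observed, desired); a setting the device does not report is drift too."""
    return {k: (observed.get(k), v) for k, v in baseline.items()
            if k not in observed or not value_ok(k, observed[k], v)}


@dataclass
class Device:
    device_id: str
    state: Dict[str, Any]
    remediations: Dict[str, int] = field(default_factory=dict)  # how often each setting was re-applied
    escalated: List[str] = field(default_factory=list)          # settings that keep drifting


def agent_apply(device: Device, key: str, desired: Any) -> None:
    """Stand-in for the management agent re-applying one profile value (assumed, not a real agent)."""
    device.state[key] = desired


def remediate(device: Device, apply: Callable[[Device, str, Any], None] = agent_apply) -> Dict[str, List[str]]:
    """One enforcement pass: detect drift, re-apply, re-check, and flag settings that keep coming back."""
    drift = find_drift(device.state)
    for key, (_, desired) in drift.items():
        apply(device, key, desired)
        device.remediations[key] = device.remediations.get(key, 0) + 1
        if device.remediations[key] >= REPEAT_THRESHOLD and key not in device.escalated:
            device.escalated.append(key)
    # Residual drift means the agent could not enforce the value; that is a compliance failure, not a retry.
    return {"drifted": sorted(drift), "residual": sorted(find_drift(device.state)),
            "escalated": list(device.escalated)}


def run_cycles(device: Device, cycles: int, tamper: Callable[[Device], None] = None) -> List[Dict]:
    """Simulate repeated check-ins; `tamper` models a user or program undoing a setting between passes."""
    reports = []
    for _ in range(cycles):
        if tamper:
            tamper(device)
        reports.append(remediate(device))
    return reports


def disable_firewall(device: Device) -> None:
    """Constructed tampering: something switches the host firewall off before every check-in."""
    device.state["firewall.enabled"] = False


# Constructed state of a freshly enrolled laptop; not a real device.
OBSERVED = {
    "firewall.enabled": False,
    "firewall.default_inbound": "allow",
    "screenlock.idle_seconds": 900,
    "screenlock.password_on_wake": True,
    "edr.realtime_protection": True,
    "asr.office_child_process": "audit",
    "localadmin.standing_members": ["jdoe"],
    "usb.mass_storage": "read_only",
}

if __name__ == "__main__":
    laptop = Device("win-01", dict(OBSERVED))
    for n, report in enumerate(run_cycles(laptop, 3, disable_firewall), start=1):
        print(f"pass {n}: drifted={report['drifted']} residual={report['residual']} escalated={report['escalated']}")
```

The first pass corrects five settings; every later pass corrects only the firewall, which the tampering routine keeps switching off, and on the third repeat the setting is escalated. Two details matter in practice: a setting the device does not report at all is treated as drift rather than as "unknown, so fine", and "residual" drift after a pass (a value the agent could not set) is surfaced as a compliance failure for the access gate instead of being retried silently forever.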


Built on verified data, not vendor spin

Every Spotsaas resource draws on the Spotsaas Score — a blend of verified review ratings, review volume, and feature depth across 13 endpoint management software tools. Refreshed regularly; data as of June 2026.

FAQ


What is endpoint hardening?

Endpoint hardening is the practice of configuring devices to a secure baseline that removes unnecessary risk, by enforcing encryption, removing standing admin rights, enabling the firewall and EDR, applying attack-surface-reduction rules, and locking down access. The goal is to make each device defensible on its own, so a compromise of one endpoint does not become an easy path into the wider environment.

What should be on an endpoint hardening checklist?

A solid checklist covers five areas: encryption and device protection (BitLocker/FileVault with escrowed keys, screen lock, USB controls), local admin and identity (no standing admin, MFA, conditional access), network and firewall (default-deny inbound, secure DNS, certificate Wi-Fi), malware defense and attack-surface reduction (healthy EDR, blocked macros, application control), and compliance enforcement (policies that evaluate posture and revoke access on non-compliance, plus tested remote-wipe actions).

What is the difference between BitLocker and FileVault?

Both are the full-disk encryption technologies built into their respective operating systems: BitLocker on Windows and FileVault on macOS. A hardening baseline enforces whichever is native to the platform via MDM policy, verifies it is actually on rather than merely available, and escrows the recovery key to the management system so an admin can retrieve it if a user is locked out. The choice between them is dictated by the OS, not a preference. Two practical caveats: full BitLocker policy needs Windows Pro, Enterprise, or Education and a TPM for transparent unlock (Windows Home offers only the simpler device encryption), so check SKU and TPM presence in inventory before assuming a policy took effect; and on both platforms, read the "encrypted" state back from the device rather than inferring it from the profile having been pushed.

Why escrow encryption recovery keys to the MDM?

If full-disk encryption is enforced but the recovery key is not centrally stored, a forgotten password, a failed OS upgrade, or a hardware change can permanently lock the data and the user out of the device. Escrowing keys to the MDM, and confirming admins can actually retrieve them, means encryption protects against theft without becoming a self-inflicted lockout risk. Keys also change over time: FileVault personal recovery keys are typically rotated after they are used, and BitLocker recovery passwords can be rotated on demand or after use, so escrow has to be re-verified after every recovery, not just at enrollment. Untested escrow is a control that fails exactly when you need it.

Should users have local administrator rights?

No, not persistently. Standing local admin rights let malware run with full privileges and let users disable security controls. The hardening baseline removes persistent admin and replaces it with just-in-time elevation or a LAPS-style workflow with rotated passwords, so elevation is granted, logged, and time-bound rather than always on. This single change blunts a large share of common attack techniques.

What is attack-surface reduction?

Attack-surface reduction (ASR) is a set of rules that block common malware delivery and execution techniques before they run, for example blocking Office applications from spawning child processes, blocking Office from creating executable content or calling Win32 APIs from macros, and blocking obfuscated or downloaded scripts. Combined with application control or allowlisting, and with the separate Office control that blocks macros in files downloaded from the internet, it shrinks the set of actions an attacker can take on a hardened endpoint even if they get initial code execution. Roll rules out in audit mode first and review what they would have blocked, because ASR rules regularly collide with line-of-business add-ins and installers, and a rule that gets switched off after breaking something protects nobody.

How does hardening relate to conditional access?

Conditional access is what gives a hardening baseline teeth. Compliance policies evaluate each device's encryption, OS version, jailbreak or root state, EDR health, and password posture; conditional access then blocks any non-compliant device from reaching corporate apps and data. Without this link, a user who turns off a control simply keeps working insecurely. With it, falling out of baseline automatically cuts access until the device is remediated.

Why does the checklist emphasize auto-remediation on drift?

Because a baseline that is pushed once but not maintained decays. Users change settings, software alters configurations, and new devices enroll in inconsistent states. Auto-remediation re-applies the correct configuration whenever a device drifts, so the fleet stays at baseline continuously rather than slowly degrading until an audit or incident reveals the gaps. A setting a user can quietly turn off and leave off is not really a control.

How do I test lost or stolen device response?

Run the actions before you need them: trigger a remote lock on a test device, enable lost mode, and perform a selective wipe (work data only) and a full wipe, confirming that each command is acknowledged and completes and that the wiped device no longer holds corporate data or a valid session. Remember that MDM commands are queued until the device checks in, so test with the device offline and then online, and check how the console reports a command that is still pending. Many teams assume these actions work until an actual loss reveals a misconfigured policy or an expired push certificate. Testing turns the response from a hope into a verified capability.

Does endpoint hardening apply to mobile devices too?

Yes. The checklist spans Windows, macOS, and mobile, because phones and tablets access the same corporate data. For mobile that means enforcing device encryption (default on modern iOS and Android), passcode complexity, jailbreak and root detection, app-level PINs separate from device unlock, and the same conditional-access gate so only compliant mobile devices reach corporate resources.
