A domiciliary care agency with over 200 care workers delivering home care across 12 regions in England. Staff used tablets and laptops to access electronic care records, scheduling systems, and communication tools while visiting clients in their own homes. The agency relied on traditional on-premises Active Directory for device management, which had never been fit for a mobile workforce.
Service: Managed IT
Sector: Domiciliary care
The agency's device management was built around on-premises Active Directory. That meant group policies only applied when devices were connected to the office network - which domiciliary care workers rarely were. The vast majority of the workforce operated entirely in the community, visiting clients in their homes, meaning their devices had limited IT visibility and no security enforcement once they left the office.
Every new device required manual setup by IT before it could be issued. Deploying a tablet to a new care worker in a remote region meant shipping pre-configured devices or arranging manual setup visits that could delay someone's start by days. For an agency already struggling with recruitment timelines in a competitive care market, this was a bottleneck that directly impacted care delivery.
There was no way to enforce security policies on devices handling sensitive care data - medication records, visit notes, safeguarding concerns - while those devices were in clients' homes. Local admin accounts were managed inconsistently, with shared passwords that hadn't been changed in years. If a device was lost or stolen during a home visit, there was no remote wipe capability and no way to know what data was at risk.
Microsoft 365 Business Premium licensing included Intune, but it had never been configured. The organisation was paying for device management capabilities it wasn't using.
We designed and executed a migration from on-premises Active Directory to Microsoft Intune with Windows Autopilot for zero-touch provisioning.
The first step was building the configuration profiles. We created a complete set of Intune policies covering antivirus, BitLocker encryption, attack surface reduction rules, firewall configuration, and security baselines - all essential for devices that spend their working life outside the office, accessing care records in clients' homes.
Windows Autopilot was configured so new devices ship directly from the supplier to care workers in any region. On first boot, the device connects to the internet, authenticates against Entra ID, and enrols in Intune with all security policies applied automatically. A care worker in Cornwall receives exactly the same secured, configured device as one in Newcastle - without IT touching it. For an agency that onboards new care workers regularly, this removed days of delay from the process.
We deployed Microsoft LAPS for unique, automatically rotated local admin passwords on every device. The shared passwords that had represented a significant risk - particularly on devices carried into clients' homes - were retired completely.
Dynamic security groups in Entra ID assign policies based on job role and region, so care coordinators receive different application sets than frontline care workers. The rollout was managed region by region, with clear step-by-step documentation written for non-technical care coordinators who would be supporting their teams through the change.
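The three moving parts described above (Autopilot registration at the supplier, dynamic groups that route policy by role and region, and ongoing fleet visibility) can be expressed in a short PowerShell workflow. This is an added illustration, not the agency's or the MSP's own scripts, and it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in admin holds the Group.ReadWrite.All and DeviceManagementManagedDevices.Read.All permissions, and that Autopilot deployment profiles and the Intune security policies are already assigned to the device groups. The group tag, region, job title and group names are constructed values.

```powershell
# Added example, not the agency's or the MSP's own scripts. Assumes the Microsoft.Graph
# PowerShell SDK, an admin with Group.ReadWrite.All and DeviceManagementManagedDevices.Read.All,
# and Autopilot profiles already assigned to the device groups in Intune.
# Group tag, region name, job title and group names below are constructed.

# --- 1. Supplier/engineer side: capture the hardware hash before the device ships ---------
# Get-WindowsAutopilotInfo is Microsoft's published script from the PowerShell Gallery.
# The group tag is stored with the Autopilot registration and is what the dynamic group keys on.
Install-Script -Name Get-WindowsAutopilotInfo -Force
Get-WindowsAutopilotInfo -GroupTag 'CareWorker-Cornwall' -OutputFile .\AutopilotHWID.csv
# AutopilotHWID.csv is then imported under Devices > Windows > Windows enrollment > Devices
# in the Intune admin centre (or run the script with -Online to upload after signing in).

# --- 2. Admin side: dynamic groups so policy follows role and region automatically --------
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'DeviceManagementManagedDevices.Read.All'

# Device group: Autopilot records the group tag as the device's OrderID physical ID, so this
# rule picks up every device registered with that tag, wherever it is shipped, with no manual
# group membership edits.
$deviceGroup = New-MgGroup -DisplayName 'Devices - Care Workers - Cornwall' `
    -MailEnabled:$false -MailNickname 'dev-careworkers-cornwall' -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule '(device.devicePhysicalIds -any (_ -eq "[OrderID]:CareWorker-Cornwall"))' `
    -MembershipRuleProcessingState 'On'

# User group: coordinators receive a different application set than frontline care workers.
# Membership follows the jobTitle attribute, so a role change in Entra ID re-targets apps and
# policies without anyone editing members by hand.
$coordinatorGroup = New-MgGroup -DisplayName 'Users - Care Coordinators' `
    -MailEnabled:$false -MailNickname 'usr-care-coordinators' -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule '(user.jobTitle -eq "Care Coordinator") and (user.accountEnabled -eq true)' `
    -MembershipRuleProcessingState 'On'

# --- 3. Ongoing check: which managed devices are NOT yet meeting the baseline ---------------
# The devices that matter if one goes missing in a client's home are those that are not
# encrypted, are non-compliant, or have not checked in recently; list those, not the healthy
# majority. Remote wipe and LAPS rotation both depend on the device checking in, so a stale
# LastSyncDateTime is the first thing to chase.
$stale = (Get-Date).AddDays(-7)
Get-MgDeviceManagementManagedDevice -All |
    Where-Object {
        -not $_.IsEncrypted -or
        $_.ComplianceState -ne 'compliant' -or
        $_.LastSyncDateTime -lt $stale
    } |
    Select-Object DeviceName, UserPrincipalName, ComplianceState, IsEncrypted, LastSyncDateTime |
    Sort-Object LastSyncDateTime |
    Format-Table -AutoSize
```

Step 1 runs once per device at the supplier or imaging bench; steps 2 and 3 run from an admin workstation. The report in step 3 is the practical check behind the "consistent encryption on every device" claim: a device that has not synced for a week will not receive a wipe command or a rotated LAPS password until it next connects, so those rows are the ones a coordinator should be asked about.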
Every device across all 12 regions is now managed through Intune with consistent security policies, whether staff are in clients' homes, the office, or travelling between visits. IT has full visibility of the fleet from a single dashboard - something the agency had never had before.
New device provisioning went from a manual, multi-step process requiring an engineer to a fully automated experience that takes minutes. A care worker in any region receives a device that configures itself on first boot, with all care applications, security policies, and network settings applied automatically.
Local admin security has been transformed, with unique, rotating passwords replacing shared credentials. Sensitive care data is protected by consistent encryption and security policies on every device, regardless of location. If a device is lost or stolen during a home visit, it can be remotely wiped within minutes.
The entire migration was achieved using existing Business Premium licensing with no additional software cost. The organisation went from having no visibility of its mobile fleet to complete, centralised management of every device.
Every device managed across 12 regions
Windows Autopilot for zero-touch provisioning
LAPS for automated local admin passwords
Full security baseline: BitLocker, ASR rules, Defender, firewall
No additional licensing cost (existing Business Premium licences)