What Was Happening
A national charity was working towards Cyber Essentials Plus — the UK government-backed security certification that involves a hands-on assessment by an external auditor, not just a self-assessment questionnaire. To pass, an organisation has to show that its devices are genuinely secured: disk encryption switched on, operating systems and key software kept up to date, and consistent configuration across the fleet. The charity brought us in, alongside its wider IT partners, to get its laptop estate into shape and to produce the evidence the assessor would require — and to a tight deadline.
The fleet ran to more than a hundred laptops, used by staff working in different locations rather than all under one roof. That kind of distributed estate is exactly where security gaps appear without anyone noticing: a device here that was never encrypted, a laptop there that has not been online to collect updates in weeks.
Our Diagnosis
The work began with establishing the true state of the fleet rather than assuming it. Using the charity’s Microsoft Intune device management, we reviewed which laptops were properly enrolled and managed, which had BitLocker disk encryption actually enabled — as opposed to merely supported by the hardware — and which were behind on operating-system and software updates. Cyber Essentials Plus is specific about these points, and unencrypted devices and missing security patches are two of the most common reasons organisations fail an assessment.
That review surfaced the gaps. A number of devices were either not encrypted or were not correctly reporting their encryption status back to Intune, and patch levels were inconsistent across the estate. We planned the remediation around two constraints: the audit deadline, and the fact that the laptops were in active daily use by staff who could not be pulled off their work while we made changes.
How We Fixed It
We used Microsoft Intune to enforce BitLocker disk encryption across the laptop fleet, so that data on a lost or stolen device is protected, and configured the policies so each device reported its encryption state back for evidence. For updates, we brought the operating system and software current and kept them that way through our remote monitoring and management (RMM) platform and Intune update policies, so the fleet stays patched rather than drifting again the moment the audit is over.
Because everything was driven centrally, the rollout reached the whole distributed fleet without us needing to physically collect every laptop. We were careful with the update and reboot policies, too — aggressive deadlines can interrupt someone in the middle of a meeting, and security that frustrates people quickly gets worked around, so the timing had to be sensible.
Throughout, we gathered the evidence the assessment needed — encryption status across devices, patch and update compliance, and configuration records — and packaged it so the charity could hand it straight to the auditors.
The Result
The charity moved from an inconsistent, partly unencrypted fleet to one where disk encryption and update compliance are enforced centrally and documented. We supplied the assessor with the evidence to show the controls were genuinely in place rather than simply claimed. Just as importantly, the encryption and patching are now maintained on an ongoing basis rather than being a one-off scramble before a deadline — which is the difference between passing an audit once and actually staying secure between audits.
Why This Happens
Distributed laptop fleets drift out of compliance quietly. A device issued two years ago may have BitLocker available but never actually switched on. A laptop that is rarely connected falls behind on patches. A machine reimaged in a hurry never gets enrolled into management properly. None of this is visible day to day — it only surfaces when an auditor, or an attacker, goes looking.
Cyber Essentials Plus exists precisely because self-declared security and real security are so often different things. The two controls that catch most organisations out are, in principle, the simplest: full-disk encryption on every device, and keeping operating systems and software patched. Doing that across a whole fleet — and being able to prove it on demand — needs central device management rather than visiting each laptop by hand.
Getting a Fleet Ready for Cyber Essentials Plus
- Encrypt every device and confirm it is actually reporting as encrypted. “Supported” is not the same as “enabled”.
- Manage patching centrally so the whole fleet stays current, instead of relying on individual users to run updates.
- Enrol every device in your management platform — an unmanaged laptop is an invisible gap in your security.
- Keep evidence as you go, such as encryption and patch-status reports, so an audit is an export rather than a fire drill.
- Tune update and reboot policies so security does not interrupt people mid-meeting; compliance that frustrates staff gets bypassed.
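An added example, not part of the original write-up or the tooling used on the project: a triage pass over a device report that applies the checklist above, keeping "not encrypted" separate from "not reporting" and flagging devices that have gone quiet. The CSV layout, column names, device names and build numbers are constructed for illustration and are not Intune's export schema.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample report; column names and values are assumptions for this example.
SAMPLE_EXPORT = """\
device,enrolled,encryption_capable,encryption_state,last_checkin,os_build
LT-001,yes,yes,encrypted,2024-05-28,1000.250
LT-002,yes,yes,not_encrypted,2024-05-27,1000.250
LT-003,yes,yes,,2024-05-29,1000.250
LT-004,yes,yes,encrypted,2024-04-02,1000.180
LT-005,no,yes,,,
LT-006,yes,yes,encrypted,2024-05-29,1000.180
"""

def _build(version):
    return tuple(int(part) for part in version.split("."))

def triage(export_text, today, min_build, stale_days=14):
    """Return {device: [findings]} for every device that needs attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enrolled"] != "yes":
            # Unmanaged device: there is no trustworthy data about it at all.
            findings[row["device"]] = ["not enrolled"]
            continue
        issues = []
        # encryption_capable is deliberately ignored: supported is not enabled.
        state = row["encryption_state"]
        if state == "":
            issues.append("encryption state not reported")
        elif state != "encrypted":
            issues.append("not encrypted")
        # A device that has not checked in cannot have collected updates or policy.
        if not row["last_checkin"]:
            issues.append("never checked in")
        elif today - date.fromisoformat(row["last_checkin"]) > timedelta(days=stale_days):
            issues.append("stale check-in")
        if not row["os_build"] or _build(row["os_build"]) < _build(min_build):
            issues.append("behind on updates")
        if issues:
            findings[row["device"]] = issues
    return findings

if __name__ == "__main__":
    for device, issues in triage(SAMPLE_EXPORT, date(2024, 5, 30), "1000.250").items():
        print(f"{device}: {', '.join(issues)}")
```

Devices absent from the result passed every check, so the same output doubles as a dated evidence record when saved alongside the source report.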
Cybersecurity Help for Businesses and Charities in London
We help businesses and charities across London secure their device fleets — disk encryption, patch management, Microsoft Intune configuration, and the evidence needed for Cyber Essentials and Cyber Essentials Plus. If you have an assessment coming up, or you simply want to know the real state of your laptops rather than assume it, we can audit the fleet and put the controls in place centrally rather than device by device. Call us or use the contact form to talk it through.