Onboarding Engineer Deployment Runbook
The engineer’s end-to-end sequence to take a signed customer from kickoff to verified-deployed. This is Stage 3 of the order→go-live lifecycle. Target: live in 14 days (the public promise).
Before you start — prerequisites
- ✅ Signed order (deal Closed Won) + Client ID CS-#### minted.
- ✅ Completed Deployment Questionnaire (lifecycle Stage 2): tenant details, Global Admin access path, endpoint inventory, user/mailbox list, domains + DNS access, platform (M365 / Workspace).
- ✅ Tier (Syncro MSP Plan).
- ✅ Huntress keys for this org (HUNT_A-KEY, HUNT_O-KEY).
Deployment sequence — all tiers
Order matters: identity + endpoint first, then data, then email.
1. Syncro org + RMM agent
- Complete the Syncro new-customer setup (org, custom fields incl. CS Client ID, email-to-ticket, recurring deliverable tickets).
- Deploy the Syncro RMM agent to all endpoints from the inventory.
- Apply the per-tier policy set (patch/monitoring/automation) — ⬜ pending offerings review; until then apply the interim baseline.
2. Managed EDR — Huntress (C-08; 24/7 SOC)
- Deploy the Huntress agent across endpoints using HUNT_A-KEY / HUNT_O-KEY (push via the Syncro RMM script, or installer for unmanaged devices).
- Confirm every endpoint reports into the Huntress org; 24/7 SOC monitoring active. (Defense+: MDR / threat hunting on.)
3. MFA enforcement — identity (C-04)
- M365: Conditional Access enforcing MFA tenant-wide, phishing-resistant for admins, no exceptions. (Workspace: enforce 2SV.)
- Coordinate staff enrollment comms (customer dependency — set a cutover date).
- ➜ verify per V-1.
4. Immutable cloud backup (C-12)
- Configure immutable backup for M365 (mailboxes, SharePoint, OneDrive) or the Workspace equivalent.
- Confirm the first backup succeeds.
- ➜ verify incl. a restore test per V-3.
5. Email threat protection + DNS (C-06)
- Enable email threat protection (anti-phishing / BEC).
- Set/confirm SPF, DKIM, DMARC — provide the records; apply only on customer approval (no production DNS changes without per-record approval).
- ➜ verify per V-2.
Tier additions
Defense (everything above, plus)
- Security awareness training (Proofpoint SAT) — enroll users; monthly modules + simulated phishing.
- Email encryption, DLP, archiving configured.
- 1-hour Customer Notification SLA active (contractual; confirm escalation path).
Sentinel (Defense, plus — M365 required)
- Managed SIEM — connect log sources (endpoint, identity, email, cloud) to 24/7 correlation.
- SaaS Security Posture Management (Microsoft Defender for Cloud Apps).
Verification → go-live handoff (Stage 4 → 5)
- Run Control-Verification SOPs V-1..V-3 and capture the evidence artifact for each control (sets the posture chips + seeds the compliance evidence appendix).
- Produce the deployment summary; walk the customer through it (Stage 4 sign-off).
- Schedule the recurring deliverable tickets (cadence & triggers).
- Record the go-live date in Syncro + HubSpot; hand off to the AM + ongoing managed service (Stage 5).
Timeline (14-day target)
Front-load identity + endpoint (week 1). The DNS changes (gated on customer approval) and staff MFA enrollment are the usual long poles — kick those off on day 1.
To confirm (operator)
- RMM policy-set templates (offerings review).
- Exact Huntress deployment method (Syncro script vs. manual installer).
- Backup vendor + Sentinel SIEM connectors.