IT Asset Management Checklist

Hardware Inventory and Tagging

    Export the current device list from the RMM (NinjaOne, Datto RMM, ConnectWise Automate) and the MDM (Intune, JAMF). Reconcile both — devices in MDM but not RMM are typically Macs missing the agent; devices in RMM but not MDM usually mean unenrolled endpoints that bypass conditional access.

    Compare RMM agent counts against the CMDB or asset register (ServiceNow, Snipe-IT, IT Glue, Hudu). Note any device on the network without an agent — the most common gap is a long-lived test VM, a kiosk, or a contractor laptop someone forgot to enroll.

    Untagged hardware shows up at every refresh and every audit. Print barcode labels with the asset register's ID, attach to chassis, and update the register with serial number, MAC, and assigned user.

    Cost-center mapping drives chargebacks and depreciation allocation. Pull the latest org chart from HRIS so transferred employees aren't still tagged to their old department.

    Spot-check serial numbers in the Dell ProSupport, HPE Support, Lenovo Premier, or AppleCare portals. Out-of-warranty production hardware feeds the refresh list in section 3.

Software and License Reconciliation

    Use Lansweeper, ManageEngine AssetExplorer, or Snow Software to enumerate installed packages across the fleet. Capture publisher, version, and install count for downstream entitlement matching.

    Match installs against purchase records and the Microsoft VLSC, Adobe Admin Console, or Autodesk Account portal. Over-deployment is the source of six-figure true-up bills during a Microsoft SAM engagement or Oracle audit.

    Pull last-active dates from the M365 admin center and Adobe Admin Console. Reclaim seats inactive for 60+ days; downgrade E5 users who only use mail and Teams to E3 or Business Premium.

    Flag installs not in the approved software catalog — typically remote-access tools (TeamViewer personal, AnyDesk), VPN clients, or AI assistants installed before policy caught up. Microsoft Defender for Cloud Apps and Netskope can corroborate the discovery scan.

    File a P3 ticket per finding to the security or service-desk queue with the device, user, and detected package. For high-risk installs (RMM tools the user installed personally, crypto miners), escalate to P2 and isolate the endpoint via EDR.

    Pull the renewal calendar from the asset register and create PSA tickets at 90/60/30-day intervals. Backup software and endpoint security lapses cause the loudest outages — prioritize those over productivity SaaS.

Lifecycle and Procurement

    Filter the asset register for devices with purchase dates older than the refresh policy (typically 4 years for laptops, 5 for desktops, 6 for servers). Cross-reference with out-of-warranty status and any TPM 2.0 / Windows 11 eligibility blockers.

    Submit POs to the standard hardware vendors (CDW, Insight, Connection, SHI) referencing the approved standard SKU. Lead times for business laptops are 2–6 weeks; order before the user's old device fails, not after.

    Register hardware hashes in Intune Autopilot or Apple ADE/JAMF before shipping to the user. Zero-touch enrollment avoids the imaging-bench bottleneck and ensures BitLocker/FileVault keys escrow correctly on first boot.

    Run a Purge-level wipe (cryptographic erase for SED, ATA Secure Erase for NVMe, or physical destruction for damaged media). Generic format-and-reinstall is Clear-level and not sufficient for devices that held PHI, PCI, or CUI.

    Attach the certificate of destruction from the ITAD vendor (e.g., SEAM, ERI, Iron Mountain) to the asset record and mark status as Disposed. Without the certificate, finance can't write off the asset and auditors flag the gap on SOC 2.

Compliance and Security Controls

    Run the Intune encryption report and the JAMF FileVault smart group. Any device showing Not Started or recovery key not escrowed is an audit finding — and a real risk if the device is lost before the next quarterly review.

    Reconcile the EDR console (CrowdStrike Falcon, SentinelOne, Defender for Endpoint) against the device list from section 1. Devices missing the agent are usually offline-too-long machines or recently reimaged endpoints where the GPO didn't redeploy.
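
    The RMM/MDM reconciliation from section 1 and the EDR reconciliation above can run as one pass over three CSV exports keyed on serial number. This is an added example, not part of the original checklist; the column names and sample rows are constructed, and real exports differ per product.

```python
import csv
import io

# Constructed sample exports; real RMM/MDM/EDR column names differ per product.
RMM_CSV = """hostname,serial
LT-001,c02xk1aa
LT-002,5CG1234BBB
VM-TEST,VMW-0001
"""
MDM_CSV = """device_name,serial_number
LT-001,C02XK1AA
MAC-007,C02ZZ9CC
LT-002, 5cg1234bbb
"""
EDR_CSV = """host,serial
LT-001,C02XK1AA
MAC-007,C02ZZ9CC
"""

def load_serials(text, column):
    """Map normalized serial -> row so case/whitespace drift between tools
    does not show up as a false coverage gap."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        serial = (row.get(column) or "").strip().upper()
        if serial:
            rows[serial] = row
    return rows

def reconcile(rmm, mdm, edr):
    """Classify coverage gaps by serial number across the three exports."""
    known = set(rmm) | set(mdm)
    return {
        "mdm_only_missing_rmm_agent": sorted(set(mdm) - set(rmm)),
        "rmm_only_not_enrolled_in_mdm": sorted(set(rmm) - set(mdm)),
        "missing_edr_agent": sorted(known - set(edr)),
        "edr_only_unknown_to_inventory": sorted(set(edr) - known),
    }

if __name__ == "__main__":
    gaps = reconcile(load_serials(RMM_CSV, "serial"),
                     load_serials(MDM_CSV, "serial_number"),
                     load_serials(EDR_CSV, "serial"))
    for finding, serials in gaps.items():
        print(f"{finding}: {serials}")
```

    Serial number is used as the join key because hostnames are renamed on reimage; virtual machines and kiosks without a usable serial need a second key such as MAC address.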

    List every service account in AD/Entra and tag each with owner, purpose, last password rotation, and privilege level. Domain Admin service accounts older than the rotation policy are the textbook pass-the-hash blast radius — vault them in CyberArk or Delinea before next quarter.
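
    One way to turn the tagged service-account list into findings, as an added example that is not part of the original checklist. The 365-day rotation policy, the field names, and the inventory rows are assumptions constructed for illustration.

```python
from datetime import date

ROTATION_DAYS = 365  # assumed rotation policy; substitute your own
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}

# Constructed inventory rows; in practice these come from an AD/Entra export.
ACCOUNTS = [
    {"name": "svc-backup", "owner": "infra-team", "purpose": "backup agent",
     "pwd_last_set": date(2022, 1, 1), "groups": ["Domain Admins"]},
    {"name": "svc-print", "owner": "", "purpose": "print spooler",
     "pwd_last_set": date(2024, 10, 1), "groups": []},
    {"name": "svc-sql", "owner": "dba-team", "purpose": "SQL agent jobs",
     "pwd_last_set": date(2024, 6, 1), "groups": []},
]

def audit_service_accounts(accounts, today):
    """Return findings for untagged or stale accounts, privileged-and-stale first."""
    findings = []
    for acct in accounts:
        age_days = (today - acct["pwd_last_set"]).days
        privileged = bool(PRIVILEGED_GROUPS & set(acct["groups"]))
        stale = age_days > ROTATION_DAYS
        issues = [f"missing {field}" for field in ("owner", "purpose")
                  if not acct.get(field)]
        if stale:
            issues.append(f"password is {age_days} days old")
        if issues:
            findings.append({
                "name": acct["name"],
                "priority": "high" if (privileged and stale) else "normal",
                "issues": issues,
            })
    # False sorts before True, so high-priority findings come first.
    return sorted(findings, key=lambda f: (f["priority"] != "high", f["name"]))

if __name__ == "__main__":
    for finding in audit_service_accounts(ACCOUNTS, today=date(2025, 1, 1)):
        print(finding["priority"], finding["name"], "; ".join(finding["issues"]))
```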

    Pull the patch compliance dashboard from Intune, WSUS, or Automox. Anything below the SLA threshold (commonly 95% within 14 days for critical CVEs) gets a remediation ticket; document any approved exceptions with a CVSS justification.

    Export screenshots and CSVs for the access review, change management log, and backup success report. Drop them into the GRC platform (Vanta, Drata, Secureframe) tagged to the relevant CC controls. The auditor's first request next cycle will be exactly these artifacts dated this quarter.

    For each failing control, create a tracked remediation ticket with owner, target date, and the specific evidence required to close it. Failing controls left open across two quarterly cycles become qualified opinions in the SOC 2 report.

Financial Tracking and QBR Reporting

    Push retired and newly acquired assets to NetSuite, QuickBooks, or Sage. Hardware is typically 3-year MACRS; software CapEx follows the contract term. Reconcile the asset register's net book value against the GL.

    Roll up purchase price, support contract, software licensing, helpdesk hours, and average lifespan to a per-device TCO. The number that matters at the QBR is dollars per user per year, not capital outlay.

    Variance over 10% needs a written explanation. Most overruns trace to unbudgeted hires, emergency hardware replacements, or SaaS auto-renewals that escaped the renewal queue in section 2.

    Look for overlapping SaaS (two project tools, three diagram tools), unused M365 add-ons, and on-prem services that could move to a per-user cloud model. Pair each finding with an estimated annual savings figure for the QBR deck.

    The vCIO or IT director walks finance and the executive team through inventory accuracy, license posture, refresh forecast, compliance status, and TCO trend. End with the procurement and budget asks for the next quarter so funding decisions happen in the room.
