Secure managed and unmanaged devices

An important part of your security strategy is protecting the devices your employees use to access company data. Such devices include computers, tablets, and phones. Your organization's IT or security team, together with device users, can take steps to protect company data on both managed and unmanaged devices.

  • Managed devices are typically company-owned devices that are usually set up and configured by your company's IT or security team.
  • Unmanaged devices, also referred to as bring-your-own devices, or BYOD, tend to be personally owned devices that employees set up and use. Unmanaged devices can be onboarded and protected just like managed devices. Or, if you prefer, users can take steps to protect their BYOD devices themselves.

To protect managed devices, your organization's IT or security team can:

  • Use Windows Autopilot to get a user's Windows device ready for first use. With Autopilot you can install business-critical apps, apply policies, and enable features like BitLocker before the device is given to a user. You can also use Autopilot to reset, repurpose, and recover Windows devices. To learn more, see Windows Autopilot.
  • Upgrade Windows devices from previous versions of Windows to Windows 10 Pro or Windows 11 Pro. Before onboarding, Windows client devices should be running Windows 10 Pro or Enterprise, or Windows 11 Pro or Enterprise. If your organization has Windows devices running Windows 7 Pro, Windows 8 Pro, or Windows 8.1 Pro, your Microsoft 365 Business Premium subscription entitles you to upgrade those devices at no additional cost. To learn more, see Upgrade Windows devices to Windows 10 or 11 Pro.
  • Onboard devices and protect them with mobile threat defense capabilities. Microsoft Defender for Business is included with Microsoft 365 Business Premium. It includes advanced protection from ransomware, malware, phishing, and other threats. If you prefer to use Microsoft Intune instead, you can use Intune to enroll and manage devices. To learn more, see Onboard devices to Microsoft Defender for Business.
  • View and monitor device health in the Microsoft Defender portal (https://security.microsoft.com). You can view details, such as health state and exposure level, for all onboarded devices. You can also take actions, such as running an antivirus scan or starting an automated investigation on a device where threats or vulnerabilities have been detected. To learn more, see Monitor onboarded devices and Review detected threats.

For their part in protecting managed devices, users can:

  • Use the Microsoft Authenticator app to sign in. The Microsoft Authenticator app works with all accounts that use multi-factor authentication (MFA). To learn more, see Download and install the Microsoft Authenticator app.
  • Join their devices to your organization's network. Users can follow a process to register their device, set up MFA, and complete the sign-in process using their account. To learn more, see Join your work device to your work or school network.
  • Make sure antivirus/antimalware software is installed and up to date on all devices. Once devices are onboarded, antivirus, antimalware, and other threat protection capabilities are configured for those devices. Users are prompted to install updates as they come in. To learn more, see Keep your PC up to date.
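The two lists above describe what the device should look like once the IT team and the user have done their parts: a supported Windows edition, BitLocker enabled, antivirus running with current signatures, and the device onboarded to Defender. The following PowerShell script is an added example, not part of the Microsoft 365 Business Premium documentation, that a help desk or a user can run locally to confirm those conditions on one Windows device. It uses the built-in BitLocker and Defender cmdlets and the Defender for Endpoint sensor's OnboardingState registry value; the three-day signature-age threshold is an arbitrary assumption for illustration, not a Microsoft-defined limit. Run it from an elevated PowerShell prompt on Windows 10 or 11.

```powershell
# Added example (not from the Microsoft 365 Business Premium documentation):
# a local device posture check for the conditions described in the guidance above.
# Requires an elevated prompt on Windows 10/11 with the BitLocker and Defender modules.

function Get-DevicePostureReport {
    [CmdletBinding()]
    param(
        # Signatures older than this many days are flagged.
        # The value 3 is an assumption for this example, not a Microsoft recommendation.
        [int]$MaxSignatureAgeDays = 3
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Edition check: onboarding expects Windows 10/11 Pro or Enterprise.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $editionOk = ($os.Caption -match 'Windows (10|11)') -and ($os.Caption -match 'Pro|Enterprise')
    if (-not $editionOk) {
        $findings.Add("Edition '$($os.Caption)' is not Windows 10/11 Pro or Enterprise")
    }

    # 2. BitLocker must report protection On for the system drive.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $bitlockerOn = ($null -ne $bl) -and ($bl.ProtectionStatus -eq 'On')
    if (-not $bitlockerOn) {
        $findings.Add("BitLocker protection is not On for $env:SystemDrive")
    }

    # 3. Microsoft Defender Antivirus: engine enabled, real-time protection on, signatures fresh.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $avOk = ($null -ne $mp) -and $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled
    if (-not $avOk) {
        $findings.Add("Defender Antivirus or real-time protection is disabled")
    }
    if ($mp -and ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays)) {
        $findings.Add("AV signatures are $($mp.AntivirusSignatureAge) days old (last updated $($mp.AntivirusSignatureLastUpdated))")
    }

    # 4. Defender for Business/Endpoint sensor: the 'Sense' service is running and
    #    the sensor reports OnboardingState = 1 (onboarded) under its Status key.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboardingState = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
    $onboarded = ($null -ne $sense) -and ($sense.Status -eq 'Running') -and ($onboardingState -eq 1)
    if (-not $onboarded) {
        $findings.Add("Device does not appear to be onboarded to Defender (Sense service: $($sense.Status); OnboardingState: $onboardingState)")
    }

    # One object per device, so results can be exported or collected centrally.
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Edition          = $os.Caption
        EditionOk        = $editionOk
        BitLockerOn      = $bitlockerOn
        AntivirusOk      = $avOk
        SignatureAgeDays = if ($mp) { $mp.AntivirusSignatureAge } else { $null }
        DefenderOnboard  = $onboarded
        Compliant        = ($findings.Count -eq 0)
        Findings         = $findings
    }
}

# Usage: show the report and surface each gap as a warning (suitable for a login script).
$report = Get-DevicePostureReport
$report | Format-List
if (-not $report.Compliant) {
    $report.Findings | ForEach-Object { Write-Warning $_ }
}
```

Each check maps to one item in the lists above, so a failed finding tells the user or help desk which step to revisit (enable BitLocker, update Defender, or re-run onboarding). Because the function returns an object rather than only printing, the same script can be run across many devices and the results collected, although for fleet-wide visibility the Defender portal described earlier remains the authoritative view.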

To learn more about protecting managed devices, see Set up and secure managed devices.

Next steps