Secure managed and unmanaged devices

An important part of your security strategy is protecting the devices your employees use to access company data. Such devices include computers, tablets, and phones. Your organization's IT or security team, along with device users, can take steps to protect data and managed or unmanaged devices.

  • Managed devices are typically company-owned devices that are usually set up and configured by your company's IT or security team.
  • Unmanaged devices, also referred to as bring-your-own devices, or BYOD, tend to be personally owned devices that employees set up and use. Unmanaged devices can be onboarded and protected just like managed devices. Or, if you prefer, users can take steps to protect their BYOD devices themselves.

To protect managed devices, your organization's IT or security team can:

  • Use Windows Autopilot to get a user's Windows device ready for first use. With Autopilot you can install business critical apps, apply policies, and enable features like BitLocker before the device is given to a user. You can also use Autopilot to reset reset, repurpose, and recover Windows devices. To learn more, see Windows Autopilot.
  • Upgrade Windows devices from previous versions of Windows to Windows 10 Pro or Windows 11 Pro. Before onboarding, Windows client devices should be running Windows 10 Pro or Enterprise, or Windows 11 Pro or Enterprise. If your organization has Windows devices running Windows 7 Pro, Windows 8 Pro, or Windows 8.1 Pro, your Microsoft 365 Business Premium subscription entitles you to upgrade those devices at no additional cost. To learn more, see Upgrade Windows devices to Windows 10 or 11 Pro.
  • Onboard devices and protect them with mobile threat defense capabilities. Microsoft Defender for Business is included with Microsoft 365 Business Premium. It includes advanced protection from ransomware, malware, phishing, and other threats. If you prefer to use Microsoft Intune instead, you can use Intune to enroll and manage devices. To learn more, see Onboard devices to Microsoft Defender for Business.
  • View and monitor device health in the Microsoft 365 Defender portal ( You can view details, such as health state and exposure level for all onboarded devices. You can also take actions, such as running an antivirus scan or starting an automated investigation on a device that has detected threats or vulnerabilities. To learn more, see Monitor onboarded devices and Review detected threats.

For their part in protecting managed devices, users can:

  • Use the Microsoft Authenticator app to sign in. The Microsoft Authenticator app works with all accounts that use multi-factor authentication (MFA). To learn more, see Download and install the Microsoft Authenticator app.
  • Join their devices to your organization's network. Users can follow a process to register their device, set up MFA, and complete the sign-in process using their account. To learn more, see Join your work device to your work or school network.
  • Make sure antivirus/antimalware software is installed and up to date on all devices. Once devices are onboarded, antivirus, antimalware, and other threat protection capabilities are configured for those devices. Users are prompted to install updates as they come in. To learn more, see See Keep your PC up to date.

To learn more about protecting managed devices, see Set up and secure managed devices.

Next steps