Endpoint security is not a count of laptops. It is a count of devices actually in scope

There is a laptop sitting somewhere in your business right now that you do not own, do not see, and do not control. It has your data on it. It has a session cookie that lets it open Outlook without asking for the password again. It has a half-finished CV download in its Downloads folder. And nobody at your IT provider has ever touched it. 

That laptop is the soft underbelly of every endpoint security spend you have ever made. 

The picture is not the fleet 

When owners think about endpoint security, they think about the laptops with the company sticker on them. The ones IT set up. The ones that show up in the asset list. The ones running the Defender policy you pay for, with the screen locks set to two minutes and the disk encryption enabled. 

That picture is fine. It is also not the whole picture. 

The whole picture includes the recruiter who answered three urgent emails from her partner’s MacBook last weekend because her own laptop was at the office. The contractor who logs into your shared inbox from a personal Windows machine he bought in 2019. The finance person who does month-end at the kitchen table on a family laptop because the work one is heavy and slow. The director who travels with a personal iPad because it is lighter. 

None of those devices are in your asset list. None of them are enrolled. None of them are running the Defender policy you pay for. Most of them are signed into your tenant. 

What the configured fleet does not see 

The thing worth holding in your head is the gap between the fleet you have configured and the devices that are quietly authenticated. 

A managed laptop has Defender tuned to a policy. It has attack surface reduction rules switched on. It pushes telemetry into the security stack so somebody can spot the unusual download or the script that ran at 2am. It is enrolled in compliance, so if the disk is not encrypted or the OS is two versions behind, it stops being trusted. It has a clean way to be wiped if it is lost. 

A personal laptop signed into your tenant has none of that. 

Whatever browser is on it. Whatever extensions are installed. Whatever else was happening on that device last Tuesday night. Whoever else in the household has used it. None of that is visible to you, and none of it is being controlled. 

The worry is not that the personal laptop is malicious. It usually is not. The worry is that it is the path of least resistance for somebody who is. 

How it usually goes wrong 

Picture the scenario most owners never quite see. 

The recruiter signs into Outlook on the family laptop on a Sunday evening. Closes the lid. The session sits in the browser cache. Two weeks later somebody else in the household downloads a tool that looked free, and that tool reads the browser session and quietly forwards it on. Nothing dramatic. No password typed. No alarm. 

Now somebody who is not the recruiter has a working session in your tenant. They do not need to know the password. They do not need the multi-factor code. They are already inside. 

What happens next is the part that costs money. They read a few weeks of email. They learn who pays whom and when. They set a quiet inbox rule. They wait for the right thread, then they reply inside it, with the bank account changed. 

You can audit the managed fleet for a year and find none of that, because the soft entry point was never on the managed fleet. 

The fix is not ‘ban personal devices’ 

The instinct is to say no personal devices. That instinct does not survive contact with a recruitment business that runs hot in the evenings, picks up calls on the move, and has remote contractors on three continents. The ‘no personal devices’ policy lasts about a fortnight before somebody needs to send a CV from their phone at half eight on a Thursday, and the rule quietly dies. 

The honest fix is two things. 

The first is enrolment. Any device that signs into your tenant is enrolled in Intune. Personal or company, does not matter. Enrolment does not mean the company owns the device. It means the device has to meet a baseline. Disk encryption on. OS patched. A real PIN. Defender running. If the baseline slips, access stops. If the device is lost, the company data on it can be wiped without touching the family photos. 

The second is Conditional Access. The tenant only lets a session continue if the device is compliant, the location makes sense, and the sign-in pattern looks normal. A personal laptop that has never been enrolled does not get a session, no matter who is typing. A laptop in a country nobody has been to gets challenged. A session being replayed from somewhere new gets cut off. 

Both of those ship with Microsoft 365 Business Premium, which most of the recruitment businesses we audit already pay for. The licence is not the issue. The configuration is. 

A check worth doing this quarter 

Three quiet questions are worth more than any new product. 

How many devices are signed into the tenant right now, and how many of those are enrolled? The number is usually a surprise the first time it is run. 

What is the policy when somebody needs to work from a device that is not theirs? Not the wishful policy on a wiki. The actual one the team uses when it is half nine on a Sunday. 

If the operations manager’s personal laptop got compromised tonight, what would you wipe, and who would do it? If the answer is ‘we would change the password and hope’, the laptop is not under management. 

A line worth holding 

Endpoint security is not a count of laptops. It is a count of devices actually in scope. Anything else is a tool spend looking at the wrong picture. 

Let’s talk

Complete this quick form, and we'll be in touch to schedule a call at a time that suits you.
Our diverse team brings the knowledge and perspectives to provide IT solutions that are reflective of and responsive to the unique needs of your business.

CONTACT US

+44 20 7947 0345 hello@avensystech.com
Office 7
35 – 37 Ludgate Hill
London
EC4M 7JN
© Copyright 2025 Avensystech
Sitemap Privacy Policy Cookie Policy