Device security standard

6 min read | Updated February 2026

What every work laptop should have, and why each control matters.

Every device that connects to your business data represents a potential entry point for attackers. A laptop with outdated software, no encryption, and local admin rights is not just a minor risk. It is an open door. The controls in this checklist define what “good” looks like for work laptops and PCs, covering the essentials that every device should meet and the recommended additions that significantly strengthen your security posture.

This is not about achieving perfection. It is about establishing a clear, consistent baseline that reduces your exposure to the most common threats. Most breaches do not involve sophisticated zero-day exploits. They exploit basic gaps: unpatched software, missing encryption, excessive user privileges. Getting these fundamentals right eliminates the majority of risk before you spend a penny on advanced tooling.

Use this standard as a practical reference. Walk through each item against your current fleet. Where you find gaps, prioritise them based on the risk each one carries. Some items, like enabling disk encryption, can be rolled out in an afternoon. Others, like removing local admin rights, may require more planning. All of them are achievable for businesses of any size.

Essential requirements

These eight controls form the non-negotiable baseline for any device that accesses business data. They address the most common attack vectors and the most frequent causes of data loss. If a device in your fleet fails any of these checks, it should be treated as a priority remediation item. None of these controls require expensive software or specialist skills to implement.

Supported operating system

Every device in your fleet should run a currently supported operating system. For PCs that now means Windows 11: Windows 10 reached end of support in October 2025 and only receives patches under Microsoft's paid Extended Security Updates programme. For Macs it means a version of macOS that still receives security updates, which in practice is the current release and the two major versions before it. Anything older (Windows 7, Windows 8.1, Windows 10 without ESU, or an end-of-life macOS) is a liability. Unsupported systems no longer receive security updates, which means known vulnerabilities remain permanently open. Attackers know this and actively scan for these devices.

Automatic updates enabled

Operating system updates should install automatically without relying on users to approve or schedule them. On Windows, this means Windows Update is configured to download and install updates automatically, with a restart deadline so that an installed update is not left waiting weeks for a reboot. On macOS, Software Update should be set to install macOS updates and security responses automatically. Manual patching creates gaps because it relies on human action that is easily forgotten or deferred. Verify the outcome, not just the setting: a device whose last successful update installed more than a month ago is not patched, whatever its configuration says.

Disk encryption enabled

Full disk encryption ensures that if a device is lost or stolen, the data on it remains inaccessible without the correct credentials. On Windows, this means BitLocker is turned on for the operating system drive, with the recovery key escrowed in Entra ID or Active Directory; without escrow, a forgotten PIN or a firmware update that changes the TPM measurements turns an encrypted laptop into an unrecoverable one. On Mac, FileVault should be enabled, again with the recovery key escrowed. Without encryption, anyone who physically possesses the device can extract files, emails, cached credentials, and browser data simply by removing the drive or booting from a USB stick. This is a baseline control, not an advanced one.

Anti-malware active

Every device needs active anti-malware protection with real-time scanning enabled. On Windows, Microsoft Defender provides capable built-in protection when properly configured; if you install a third-party product instead, Defender switches itself to passive mode, so check that the replacement is the product actually registered and running. Whatever solution you choose, it must be running, updated, and scanning files as they are accessed, not just on a weekly schedule. Disabled or outdated anti-malware offers the same protection as no anti-malware at all.

Firewall enabled

The built-in operating system firewall should be turned on for all network profiles: domain, private, and public. This applies to both Windows Defender Firewall and the macOS application firewall. A device-level firewall provides a layer of defence that operates independently of your network perimeter. When a laptop leaves the office and connects to a hotel or coffee shop network, the host firewall is often the only protection between the device and the internet.

Screen lock configured

Devices should lock automatically after no more than five minutes of inactivity, requiring a password, PIN, or biometric to unlock. This prevents opportunistic access when a device is left unattended at a desk, in a meeting room, or in a public space. Five minutes is the maximum. Shorter is better. Users should also be trained to lock their screen manually with Windows+L or Cmd+Ctrl+Q whenever they step away.

Local admin rights removed

Standard users should not have local administrator access for their daily work. Admin rights allow users to install software, change system settings, and disable security controls. They also mean that any malware that runs in the user's context inherits those elevated privileges. Removing admin rights is one of the single most effective controls you can implement, and it costs nothing. Use a separate admin account for the rare occasions when elevated access is genuinely needed. Check membership of the local Administrators group directly rather than the account type shown in Settings, because admin rights are often granted through group membership and survive account changes.

Cloud backup configured

Key user folders, including Documents, Desktop, and Pictures, should be backed up to a cloud service such as OneDrive for Business using Known Folder Move. This protects against data loss from hardware failure, theft, accidental deletion, and ransomware. The backup should run continuously in the background without requiring user intervention. Bear in mind that a sync client copies ransomware-encrypted files to the cloud just as faithfully as good ones; what makes the data recoverable is OneDrive's version history and Files Restore, so confirm retention is long enough and that users cannot unlink or pause the client. If a laptop is destroyed tomorrow, every important file on it should be recoverable within minutes from the cloud.
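The eight essentials above are the checks an engineer runs on a sample device before a fleet-wide rollout. The script below is an added example, not code from the original page: it reads the state of each control on a Windows laptop and reports pass or fail against the thresholds in this checklist. It assumes an elevated PowerShell 5.1 or later session on Windows 10/11 with the built-in BitLocker, Defender, NetSecurity and LocalAccounts modules, the standard Windows Update COM object, and the standard registry locations; the 30-day patch window and one-day signature age are this example's own thresholds, not figures from the page.

```powershell
# Added example: audit one Windows device against the eight essential controls.
# Run elevated on the device being assessed. Exit code 1 if any control fails.
#Requires -RunAsAdministrator

function New-Result([string]$Control, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail }
}

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null rather than throwing when the key or value is absent
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-DeviceBaseline {
    # 1. Supported OS: Windows 11 is build 22000 or later. Windows 10 reached
    #    end of support in October 2025, so it fails unless covered by ESU.
    $os = Get-CimInstance Win32_OperatingSystem
    New-Result 'Supported operating system' ([int]$os.BuildNumber -ge 22000) "$($os.Caption) build $($os.BuildNumber)"

    # 2. Automatic updates: policy must not disable AU, the agent must be
    #    enabled, and a successful install must have happened in the last 30 days.
    $noAuto = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' 'NoAutoUpdate'
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    $lastOk = $au.Results.LastInstallationSuccessDate
    $recent = $lastOk -and ((Get-Date) - [datetime]$lastOk).TotalDays -le 30
    New-Result 'Automatic updates enabled' (($noAuto -ne 1) -and $au.ServiceEnabled -and $recent) "NotificationLevel=$($au.Settings.NotificationLevel); last success $lastOk"

    # 3. Disk encryption: OS volume fully encrypted with protectors switched on.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
    New-Result 'Disk encryption enabled' ($bl.VolumeStatus -eq 'FullyEncrypted' -and $bl.ProtectionStatus -eq 'On') "$($bl.VolumeStatus), protection $($bl.ProtectionStatus)"

    # 4. Anti-malware: Defender (or a registered replacement) enabled with
    #    real-time protection and signatures no more than a day old.
    $mp = Get-MpComputerStatus
    New-Result 'Anti-malware active' ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and $mp.AntivirusSignatureAge -le 1) "Signatures $($mp.AntivirusSignatureAge) day(s) old; AMRunningMode=$($mp.AMRunningMode)"

    # 5. Firewall: every profile on, not only the one currently in use.
    $off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | Select-Object -ExpandProperty Name
    New-Result 'Firewall enabled' (-not $off) ("Disabled profiles: " + $(if ($off) { $off -join ', ' } else { 'none' }))

    # 6. Screen lock within five minutes (300 s). The machine-wide inactivity
    #    limit is the reliable signal; the HKCU screen saver values describe the
    #    account running this script, which is the admin, not the standard user.
    $inactivity = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
    $ssTimeout  = Get-RegValue 'HKCU:\Control Panel\Desktop' 'ScreenSaveTimeOut'
    $ssSecure   = Get-RegValue 'HKCU:\Control Panel\Desktop' 'ScreenSaverIsSecure'
    $lockOk = ($inactivity -and [int]$inactivity -le 300) -or ($ssSecure -eq '1' -and $ssTimeout -and [int]$ssTimeout -le 300)
    New-Result 'Screen lock configured' $lockOk "InactivityTimeoutSecs=$inactivity; ScreenSaveTimeOut=$ssTimeout secure=$ssSecure"

    # 7. Local admin rights: only the built-in Administrator (RID 500) and
    #    group-based entries should remain; any other user account fails.
    $members = Get-LocalGroupMember -Group 'Administrators'
    $extra = $members | Where-Object { $_.ObjectClass -eq 'User' -and $_.SID.Value -notlike '*-500' }
    New-Result 'Local admin rights removed' (-not $extra) ("Extra admin users: " + $(if ($extra) { $extra.Name -join ', ' } else { 'none' }))

    # 8. Cloud backup: with OneDrive Known Folder Move, the Documents known
    #    folder resolves to a path inside the OneDrive sync root.
    $docs = [Environment]::GetFolderPath('MyDocuments')
    New-Result 'Cloud backup configured' ($docs -like '*OneDrive*') "Documents = $docs"
}

$results = Test-DeviceBaseline
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```

Run it under the administrative account on a handful of devices before trusting any console view: the known-folder check in step 8 looks at the profile running the script, so for a true picture of a standard user's Documents folder run that check as that user. On Entra-joined devices, group-based admin entries appear as SIDs and are deliberately not flagged by step 7; if you expect no admin groups at all, tighten that filter.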

“Most breaches start at the endpoint. A single unpatched laptop with local admin rights can give an attacker everything they need to compromise your entire network. The controls on this checklist exist because they work.”

70% of successful breaches involve an endpoint device as the initial entry point.

5 minutes is the maximum screen lock timeout recommended for unattended business devices.

94% of malware is delivered via email and executed on an endpoint with excess privileges.

Recommended additions

Once the essentials are in place, these additional controls take your device security from adequate to robust. They provide centralised visibility, advanced threat detection, and tighter control over what can run on your devices. For businesses handling sensitive data, operating in regulated industries, or preparing for Cyber Essentials Plus certification, these are not optional extras. They are the next logical step.

Enrolled in device management (Intune)

Centrally managed devices through Microsoft Intune or an equivalent MDM platform give you visibility and control at scale. You can enforce security policies, push configuration changes, deploy software, and verify compliance across every device in the fleet from a single console. Without device management, you are relying on each device being individually configured correctly and staying that way over time. That approach does not scale and it does not hold up under audit.

EDR solution deployed

Endpoint Detection and Response goes beyond traditional antivirus by monitoring device behaviour, detecting suspicious activity, and providing investigation and response capabilities. Microsoft Defender for Business or an equivalent EDR platform gives you the ability to detect threats that signature-based antivirus misses entirely, including fileless attacks, living-off-the-land techniques, and lateral movement. It also provides the forensic data you need after an incident.

USB storage restricted

Policies should be in place to control or prevent the use of USB storage devices. Unrestricted USB access creates two risks: data exfiltration, where sensitive files can be copied to a personal drive and walked out of the building, and malware introduction, where an infected USB device can compromise a machine the moment it is plugged in. Device control policies through Intune or Group Policy allow you to block, audit, or restrict USB access based on your risk appetite.

Application control configured

Application control restricts which software can execute on a device. Rather than trying to identify and block every piece of malware, application control takes the opposite approach: only approved software is allowed to run. Everything else is blocked by default. This dramatically reduces the attack surface and prevents users from inadvertently running malicious executables, even if they download them. Windows AppLocker or App Control for Business (formerly Windows Defender Application Control) provide this capability. Roll it out in audit mode first and review what would have been blocked; a rule set that goes straight to enforcement breaks line-of-business software on day one.
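As an added example of the allow-by-default-location approach described above (not code from the original page), the script below writes a minimal AppLocker executable policy, tests a downloaded file against it, applies it in audit-only mode, and then pulls the "would have been blocked" events that tell you what rules are still missing. It assumes an elevated session on a Windows edition that enforces AppLocker (Enterprise or Education), that the Downloads path and the rule GUIDs are illustrative placeholders, and that the FilePath field is read from the event's UserData block as on current Windows builds.

```powershell
# Added example: AppLocker executable policy in audit mode for a managed laptop.
#Requires -RunAsAdministrator

$policyPath = Join-Path $env:TEMP 'applocker-exe-audit.xml'

# Allow-list by location: Program Files and the Windows folder for everyone,
# anything for local Administrators. User-writable folders under %WINDIR%
# (Temp, Tasks) are excepted so a standard user cannot drop an exe there and
# satisfy the rule. Anything not matched by a rule is denied by default.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="2c1a3e46-4d1c-4b9b-9f0a-5e0f4c0b2a01" Name="Program Files"
        Description="Installed software" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="2c1a3e46-4d1c-4b9b-9f0a-5e0f4c0b2a02" Name="Windows folder"
        Description="OS binaries, minus user-writable subfolders" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="2c1a3e46-4d1c-4b9b-9f0a-5e0f4c0b2a03" Name="Administrators"
        Description="Local admins may run anything" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: what would the policy do to a file a user just downloaded?
# (illustrative path). PolicyDecision is Allowed, Denied or DeniedByDefault.
$sample = Join-Path $env:USERPROFILE 'Downloads\installer.exe'
if (Test-Path $sample) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $sample -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# Apply locally in audit mode. The Application Identity service must be
# running or AppLocker evaluates nothing at all.
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath

# After a period of normal use, event 8003 lists every executable that would
# have been blocked. Review the list, extend the rules, then change
# EnforcementMode to "Enabled" in the XML and re-apply.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{ Time = $_.TimeCreated; User = $data.TargetUser; File = $data.FilePath }
    } |
    Sort-Object File -Unique
```

Publisher rules (signed-by-vendor) are the better long-term shape for the Program Files rule, because a path rule trusts whatever lands in that folder; the path form is used here only to keep the example short and the audit phase simple. In a fleet, the same XML is deployed through Intune or Group Policy rather than with Set-AppLockerPolicy on each device.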

“Removing local admin rights from standard users is the single most impactful security change most businesses can make. It costs nothing, takes a day to implement, and eliminates an entire category of attack.”

Implementing the standard across your fleet

The best approach is to start with an audit of your current devices against this checklist. You need to know your starting point before you can plan remediation. For businesses with more than a handful of devices, doing this manually is impractical. A device management platform like Microsoft Intune can assess compliance automatically and report which devices meet the standard and which do not.

Prioritise the highest-impact items first. Disk encryption and removing local admin rights typically deliver the most significant risk reduction for the least effort. Automatic updates and anti-malware configuration can often be enforced through Group Policy or Intune compliance policies in a single afternoon. Cloud backup through OneDrive Known Folder Move is another quick win that protects against hardware failure and ransomware simultaneously.

For the recommended additions, consider your regulatory obligations and the sensitivity of the data your devices access. Businesses working towards Cyber Essentials Plus will find that the assessor tests a sample of devices directly against the essentials above (patch levels, malware protection, firewall, user privileges), and that device management is what makes producing consistent evidence across a fleet practical. Those in regulated sectors such as financial services, legal, or healthcare should treat the additions as essential rather than optional. Whatever your starting point, getting every device to this standard is achievable, and the security improvement is measurable.

Need help standardising device security?

We implement these controls across business device fleets every week. Whether you need a full audit of your current estate, help deploying Intune and compliance policies, or a managed service that keeps every device aligned to this standard on an ongoing basis, we can help.

If you are not sure where your devices stand today, a short call is the fastest way to find out. We will walk through your current setup, identify the gaps, and give you a clear plan for getting every device to the standard with minimal disruption to your team.