TheLogic IT Solutions

Managed IT

Intune Device Management & Why Every Laptop Needs to Be Encrypted

Updated 22 April 2026

A laptop disappears. It could be a train, a coffee shop, a car boot, a burglary. It happens to somebody every week. The question the ICO will ask, and the question your own insurers, auditors, and clients will ask, is the same: was the data on it encrypted?

If the answer is yes, it's a nuisance. You report it internally, wipe it remotely, issue a replacement, and move on. If the answer is no, you're in breach-notification territory, and everything gets a lot harder.

This article covers the two sides of the coin that make that answer easy: Microsoft Intune for managing the fleet, and disk encryption on every device.

What Intune actually is

Intune is Microsoft's device management platform. It's the tool that says: "this laptop belongs to this business, these are the rules it must follow, and here's what we do if something goes wrong."

Practically, it lets you:

  • Enrol devices: Windows laptops, Macs, iPhones, iPads, Android phones
  • Push configuration: Wi-Fi profiles, VPN settings, security policies, certificates
  • Deploy apps: Office, Teams, line-of-business apps, over the air
  • Enforce compliance: the device must be encrypted, must have a PIN, must be running a supported OS, must have AV active. Paired with Conditional Access, non-compliant devices are blocked from M365
  • Remote wipe: when a device is lost or when someone leaves, wipe it cleanly
  • Report: who's running what, is it patched, is it encrypted, is the BitLocker key backed up

Without Intune, you're running devices the way people ran them in 2005: trusting staff to do the right thing and finding out what they didn't do three months after a breach. With it, policy is enforced by the device, visibility is immediate, and new starters are productive on day one with the right apps and settings pushed automatically.

Licensing, what you need

Intune is included in:

  • Microsoft 365 Business Premium (the sweet spot for most SMEs)
  • Microsoft 365 E3 / E5
  • Enterprise Mobility + Security E3 / E5
  • Microsoft Intune Plan 1 / Plan 2 (standalone)

It is not included in Business Basic or Business Standard. If you're on one of those, Intune is either an add-on or a reason to move up to Business Premium, which also bundles Defender for Business and Entra ID P1, both of which work hand-in-hand with Intune.

Core capabilities worth switching on from day one

1. Automatic enrolment

When a new laptop comes out of the box, it joins your tenant automatically through Windows Autopilot (or Apple Business Manager with Automated Device Enrolment for Macs and iPhones), provided the device's hardware hash or serial number was registered to your tenant beforehand, normally by the reseller at purchase. The user signs in with their M365 account, the device configures itself, apps install, policies apply. Zero hands-on time for your IT team.

2. Compliance policies

Define what "healthy" looks like:

  • Disk encryption enabled
  • Supported OS version
  • Screen lock required
  • Antivirus active and up to date
  • Device not jailbroken / rooted

A compliance policy on its own only labels a device compliant or not; it blocks nothing. Pair it with Conditional Access in Entra ID and only compliant devices can sign into Microsoft 365. If a laptop falls out of compliance, it loses access until it's fixed. Roll the Conditional Access policy out in report-only mode first and exclude a break-glass account, or a mistake in the compliance rules locks the whole firm out of email at once.
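The two halves described above, the compliance policy that defines "healthy" and the Conditional Access policy that enforces it, written out as an added example in Microsoft Graph PowerShell. This is not the article's own material and not a Microsoft-published script; the policy names, the 'Break Glass Accounts' group name, the minimum OS build and the function names are assumptions to adjust for your tenant. The point it makes is that the compliance policy only labels devices, the CA policy does the blocking, and the CA policy is therefore created in report-only mode first.

```powershell
# Added example, not from the article or from Microsoft: create a Windows "healthy device"
# compliance policy and a Conditional Access policy that requires it, via Microsoft Graph.
# Assumptions: the Microsoft.Graph module is installed, the signed-in admin holds the Intune
# and Conditional Access administrator roles, and a group named 'Break Glass Accounts'
# already exists (placeholder name, change it to yours).
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Groups

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All',
                        'Policy.ReadWrite.ConditionalAccess',
                        'Group.Read.All'

function New-BaselineWindowsCompliancePolicy {
    # Step 1: define "healthy". A device failing any rule is marked non-compliant at once
    # (gracePeriodHours = 0). The label itself blocks nothing; Conditional Access does that.
    $body = @{
        '@odata.type'            = '#microsoft.graph.windows10CompliancePolicy'
        displayName              = 'Windows - Baseline compliance'
        description              = 'BitLocker on, Secure Boot, supported OS, AV and firewall active, lock credential set'
        bitLockerEnabled         = $true
        secureBootEnabled        = $true
        storageRequireEncryption = $true
        passwordRequired         = $true
        passwordMinimumLength    = 6
        osMinimumVersion         = '10.0.19045'   # Windows 10 22H2 build; placeholder, raise it as you retire old builds
        antivirusRequired        = $true
        antiSpywareRequired      = $true
        rtpEnabled               = $true          # Defender real-time protection must be on
        activeFirewallRequired   = $true
        scheduledActionsForRule  = @(
            @{
                ruleName = 'PasswordRequired'      # Intune's generic rule name covering the whole policy
                scheduledActionConfigurations = @(
                    @{ actionType = 'block'; gracePeriodHours = 0; notificationTemplateId = '' }
                )
            }
        )
    }
    $policy = Invoke-MgGraphRequest -Method POST -Body $body `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies'

    # Assign to all devices so nothing sits unassigned and therefore unevaluated.
    $assign = @{ assignments = @(@{ target = @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } }) }
    Invoke-MgGraphRequest -Method POST -Body $assign `
        -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign"
    return $policy
}

function New-RequireCompliantDeviceCaPolicy {
    param([string]$BreakGlassGroupName = 'Break Glass Accounts')

    # Step 2: enforcement. All users, all Office 365 apps, compliant device required.
    # Starts in report-only so the sign-in log shows who *would* be blocked before anyone is;
    # flip 'state' to 'enabled' once the report is clean.
    $bg = Get-MgGroup -Filter "displayName eq '$BreakGlassGroupName'"
    if (-not $bg) { throw "Create the break-glass exclusion group first; never deploy CA without one." }

    $body = @{
        displayName   = 'CA - Require compliant device for Office 365'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeGroups = @($bg.Id) }
            applications   = @{ includeApplications = @('Office365') }
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
    }
    Invoke-MgGraphRequest -Method POST -Body $body `
        -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'
}

$compliance = New-BaselineWindowsCompliancePolicy
"Compliance policy '{0}' created ({1})" -f $compliance.displayName, $compliance.id
$ca = New-RequireCompliantDeviceCaPolicy
"CA policy '{0}' created in report-only mode ({1})" -f $ca.displayName, $ca.id
```

Run it once against a test tenant, watch the Entra sign-in log's report-only column for a few days, and only then switch the CA policy state to enabled. The break-glass exclusion is not optional: if the compliance policy is wrong, it is the only account that can still get in to fix it.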

3. Configuration profiles

One profile per platform, pushed to every matching device:

  • Wi-Fi with your office SSID pre-configured
  • VPN certificates
  • OneDrive known-folder-move (Desktop/Documents/Pictures auto-synced)
  • Edge/Chrome policies
  • Disable USB mass storage, force screen-lock timeouts

Set once, applied everywhere, and picked up by each device at its next check-in (within hours, not seconds) whenever you change them.

4. App deployment

Office, Teams, Defender, your line-of-business apps, packaged once and pushed out. Users never see an installer. Apps get updated centrally. When someone leaves, apps and data are wiped cleanly without touching personal files on a BYOD device.

5. Remote wipe and retire

Two flavours:

  • Wipe, factory reset, full erase, for lost / stolen devices
  • Retire, remove corporate data and apps but leave the user's personal profile intact (good for BYOD)

Both run with one click, and the command is carried out the moment the device next checks in. That "next" is the catch: a laptop a thief keeps offline never receives the wipe, which is why encryption, not remote wipe, is the control that actually protects the data.

Why encryption on every device isn't optional

Intune enforces it; you still need to understand why it matters.

The legal bit

Under UK GDPR, a personal data breach that is likely to result in a risk to individuals' rights and freedoms must be reported to the ICO within 72 hours of you becoming aware of it, and every breach, reportable or not, has to be recorded internally. The test for notifiability is that risk to individuals.

A stolen, unencrypted laptop containing personal data is almost always notifiable. A stolen encrypted laptop with a strong sign-in credential generally isn't, because the data is effectively inaccessible: the drive holds ciphertext and the thief has no key. That holds if the laptop was powered off or locked rather than left running and unlocked, and if the recovery key wasn't in the bag with it. Encryption is the single most important factor that moves a lost device from a reportable breach to an internal incident, and Intune's encryption report is the evidence you attach to that decision.

The ICO has been clear for years: loss of an unencrypted device containing personal data is considered a security failure in its own right. Multiple fines have been issued specifically for unencrypted laptops and USB drives.

The Cyber Essentials bit

Secure configuration is one of the five CE controls. It requires devices to have disk encryption enabled by default. No encryption = fail the audit. See our Cyber Essentials guide for the full picture.

The practical bit

  • A password won't stop a motivated thief. Take the disk out of the laptop, plug it into another computer, read everything.
  • Full-disk encryption (FDE) makes the disk unreadable without the key.
  • On Windows, that's BitLocker. On Mac, it's FileVault. On iOS and modern Android, it's on by default.
  • Both BitLocker and FileVault recovery keys can be escrowed to Intune / Entra ID, so your IT team has a recovery key when a user forgets their PIN, or when a firmware update or TPM change throws a healthy laptop into BitLocker recovery. No key escrow = you'll one day need to re-image a perfectly good laptop because nobody can unlock it. Check that escrow actually happened: a device encrypted before it was enrolled may never have uploaded its key.
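What "encrypted, key escrowed" looks like on the laptop itself, as an added example that is not from the article: a PowerShell check using Windows' built-in BitLocker module that reports the three things an auditor asks for (is the volume fully encrypted, is protection actually on, is there a recovery password to escrow) and then backs any recovery password up to Entra ID. It assumes an elevated prompt on a Windows Pro/Enterprise laptop joined to Entra ID; the two function names are mine.

```powershell
# Added example, not from the article: verify BitLocker state with evidence and escrow
# recovery passwords to Entra ID. Assumes an elevated prompt on an Entra-joined (or
# hybrid-joined) Windows Pro/Enterprise device; the BitLocker module ships with Windows.
Import-Module BitLocker

function Get-FdeReport {
    # One object per volume BitLocker knows about, with the fields that answer
    # "was the data encrypted?" rather than "is BitLocker turned on somewhere".
    foreach ($vol in Get-BitLockerVolume) {
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        [pscustomobject]@{
            Drive                = $vol.MountPoint
            VolumeType           = $vol.VolumeType          # OperatingSystem / Data
            VolumeStatus         = $vol.VolumeStatus        # FullyEncrypted / EncryptionInProgress / FullyDecrypted
            ProtectionOn         = ($vol.ProtectionStatus -eq 'On')   # Off = protectors suspended, key stored in clear
            EncryptionMethod     = $vol.EncryptionMethod    # XtsAes128 / XtsAes256 are current; Aes128 / Aes256 (CBC) are legacy
            PercentEncrypted     = $vol.EncryptionPercentage
            TpmProtector         = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -match '^Tpm')
            RecoveryProtectorIds = @($recovery.KeyProtectorId)
        }
    }
}

function Backup-RecoveryKeysToEntra {
    # Escrow every numeric recovery password to Entra ID, where admins can read it from the
    # device blade in Intune or Entra. Safe to re-run on a device that has already escrowed.
    foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
            'Escrowed {0} protector {1}' -f $vol.MountPoint, $kp.KeyProtectorId
        }
    }
}

$report = Get-FdeReport
$report | Format-Table -AutoSize

# The three states that turn a lost laptop back into a reportable breach:
foreach ($r in $report) {
    if ($r.VolumeStatus -ne 'FullyEncrypted') {
        Write-Warning "$($r.Drive) is $($r.VolumeStatus): data at rest on this volume is readable"
    }
    if (-not $r.ProtectionOn) {
        Write-Warning "$($r.Drive): protection is suspended (common after a firmware update), the key sits in clear on disk"
    }
    if ($r.RecoveryProtectorIds.Count -eq 0) {
        Write-Warning "$($r.Drive): no recovery password protector exists, so there is nothing to escrow"
    }
}

Backup-RecoveryKeysToEntra
```

The second warning is the one people miss: `manage-bde -protectors -disable` (which Windows Update sometimes leaves behind) keeps the volume "encrypted" while storing the volume key unprotected, so a compliance report that only checks VolumeStatus will say yes to the ICO's question when the honest answer is no.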

BYOD, the specific gotcha

Staff using personal laptops for work email is a common shortcut. A personal laptop without encryption holding synced work email is a legal problem. Either:

  • Encrypt the device (require FileVault / BitLocker via Intune compliance rules before allowing sign-in), or
  • Block access to email on unmanaged devices altogether (via Conditional Access)

Enrolling personal devices in Intune doesn't mean the business owns them, and for phones you often don't need to enrol at all: Mobile Application Management (MAM) app protection policies protect corporate data inside Outlook, Teams and the Office apps (a PIN on the app, no copy-paste into personal apps, selective wipe of just the work data) without managing the device. That's usually the right balance for personal phones. For a personal laptop, the realistic choices are the two above.

What good looks like

A properly-set-up Intune deployment for a 20-person firm typically means:

  • Every Windows laptop auto-enrols via Autopilot, BitLocker on, keys escrowed
  • Every Mac runs FileVault, keys escrowed
  • Every iPhone/iPad has a PIN, encryption on, can be remotely wiped
  • Conditional Access blocks any device that isn't compliant
  • Apps and policies push centrally; no IT person ever touches a new laptop after it ships
  • A clear joiner/mover/leaver flow, add a user → devices get apps → remove the user → devices wipe

From the staff side, they notice nothing except that new laptops "just work" and their apps are always up-to-date. From the business side, you can answer the "was the data encrypted?" question in one click, with proof.

How we deploy it

For clients we manage, this is one of the first things we set up. Typical runbook:

  1. Licence audit, confirm Business Premium (or equivalent) is in place
  2. Enrol existing devices (Autopilot / Apple Business Manager or manual for older kit)
  3. Push BitLocker / FileVault compliance with key escrow
  4. Configure compliance + Conditional Access for M365 sign-in
  5. Package and deploy standard apps
  6. Build the joiner/mover/leaver flow into our operational process

Rollout on a 20-person firm is typically a week of work, then it runs itself with monthly health checks.

Want a review of your current device estate, or help setting up Intune properly? Get in touch.