A missing laptop is rarely just a hardware problem. For a Microsoft 365 admin, it is an identity, data, and timing problem that should be treated as a critical component of your broader incident response plan.
If you wait for the user to look one more time, cached tokens, synced files, and saved browser sessions may still be live. A solid lost laptop response plan contains the account first, the device second, and the paperwork right alongside both.
The runbook below gives IT admins and security teams a practical response for Microsoft 365, Intune, Entra ID, OneDrive, SharePoint, and Exchange Online.
Your first job is to stop guessing, as performing an accurate risk assessment is critical to your response. “Lost” can mean left in a meeting room, sitting in a taxi, stolen from a boot, or powered off after a bag snatch. Each scenario dictates a different path forward.
Start with five facts from the user: last known location, last known time, whether the bag was taken by someone else, whether the laptop was locked, and whether the device is company-managed. Then, pull the device record in Intune and Entra ID. This is where your endpoint management strategy comes into play; check the device name, serial, join type, compliance state, last check-in time, and primary user.
This is also the moment to ask whether the laptop held regulated data, offline copies of client files, or local admin rights. A finance laptop with broad SharePoint sync has a different blast radius than a kiosk device.
A quick classification table keeps everyone aligned:
| Situation | What it usually means | Default first move |
|---|---|---|
| Misplaced and likely nearby | User may recover it soon, exposure still possible | Revoke sessions, review sign-ins, consider locate |
| Likely stolen | Human intent is unknown, exposure window is wider | Block sign-in, disable device, queue wipe |
| Offline and uncontactable | You can’t act on the endpoint yet | Contain the identity, queue device actions |
| Recovered after time away | Possible tampering or copied data | Keep controls in place until validation or rebuild |
Most teams move faster when they treat this as an incident, not a helpdesk ticket. For the physical and operational side, filing a police report is a standard requirement for insurance purposes and chain of custody documentation. A lost or stolen laptop response playbook is a useful cross-check for report numbers, chain of custody, and travel details.
Once you know which branch you are in, move to identity containment right away.
The account usually matters more than the laptop. A thief may never break BitLocker, yet a live browser session can still expose email, Teams, and SharePoint if you do nothing.
First, force sign-out from active web sessions. Next, revoke refresh tokens and active sessions in Entra ID so Outlook, Teams, OneDrive, and browser-based Microsoft 365 apps must re-authenticate. In older Office 365 language, this is the "log out everywhere" step of the response.
Then decide whether a password reset is enough, or whether you need to block the account. If the device was likely stolen, the user traveled with the laptop, or Entra shows suspicious sign-ins, perform a full password reset immediately and require the user to sign in again with multi-factor authentication. If you suspect the attacker may have the user’s password or session cookies, don’t stop there. Temporarily block sign-in until you finish the first pass of the investigation.
Review risky sign-ins and recent sign-in logs in Entra to prevent unauthorized access to your tenant resources. Look for new countries, unfamiliar ISPs, browser sessions after the reported loss time, or access attempts that bypass normal device compliance. If risk signals appear, treat the event as an identity incident as much as a device incident. Microsoft’s incident response overview is a good refresher on that mindset.
Exchange Online deserves extra attention because mailbox access often reveals the next compromise step. Check for new inbox rules, auto-forwarding, delegate changes, and suspicious OAuth app consent if your tenant allows it. A stolen session in email can outlast the user’s memory of what was open.
A queued wipe doesn’t protect an active session. Session revocation does.
If the user works with sensitive data, legal matters, or health records, tell them not to re-use old passwords on any other device. Meanwhile, keep the temporary containment in place until the device status is clear.
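The identity containment steps above (revoke sessions, reset the password, optionally block sign-in) as an added Microsoft Graph PowerShell example; this is not code from the original article. It assumes the Microsoft.Graph module is installed and the operator holds a role that can manage users; the UPN is a constructed placeholder.

```powershell
param(
    [Parameter(Mandatory)][string]$UserPrincipalName,   # constructed placeholder, e.g. jdoe@contoso.example
    [switch]$BlockSignIn                                # use when theft is likely or sign-ins look risky
)

# User.ReadWrite.All covers revokeSignInSessions and accountEnabled;
# password profile updates additionally need Directory.AccessAsUser.All (delegated).
Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.AccessAsUser.All" -NoWelcome
$user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName,AccountEnabled

# 1. Revoke refresh tokens and sign-in sessions. Outlook, Teams, OneDrive and
#    browser sessions on the missing laptop stop working at their next token refresh.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
"{0} sessions revoked for {1}" -f (Get-Date -Format o), $user.UserPrincipalName

# 2. Reset the password to a random temporary value and force a change at next
#    sign-in, which also pushes the user back through MFA.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes) + '!'
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}
# $tempPassword is left in the session for out-of-band delivery to the user; it is not printed.
"{0} password reset, change required at next sign-in" -f (Get-Date -Format o)

# 3. Optional hard block while the first pass of the investigation runs.
if ($BlockSignIn) {
    Update-MgUser -UserId $user.Id -AccountEnabled:$false
    "{0} sign-in blocked" -f (Get-Date -Format o)
}

# 4. Confirm the end state for the incident record.
Get-MgUser -UserId $user.Id -Property UserPrincipalName,AccountEnabled |
    Select-Object UserPrincipalName, AccountEnabled
```

Run it with `-BlockSignIn` for the "likely stolen" branch of the classification table and without it for the "misplaced and likely nearby" branch.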
When the account is contained, move to the endpoint. Open the device record in Microsoft Intune and confirm whether the laptop is still checking in. Then, decide between using location tracking, retiring the device, or initiating a remote wipe.

For current Microsoft guidance, keep the Intune device actions page handy. If policy and local law allow it, you can also locate a device in Intune. On supported Windows devices, Intune can show the last known location, and that location remains visible for 24 hours after the request. However, location tracking depends on the device being managed and able to report back.
In Entra ID, disable the device to block its device identity from authenticating. If your team still says Azure AD join, update the wording in the runbook to Entra ID join, but keep the action the same. Device disablement is a strong move for lost or stolen corporate laptops because it cuts off a trusted device path, even before the remote wipe command reaches the machine. BitLocker protects the data at rest; disabling the device identity adds a second layer by removing the device's trusted status for Conditional Access and token issuance.
Now choose the Intune action:
A remote lock is available on some platforms through Intune to help secure the session. Still, Windows admins shouldn’t wait for a lock-style action if the real need is to disable the device and perform a remote wipe. Intune’s Lost Mode documentation applies mainly to supervised Apple devices, not the usual Windows laptop case.
The device state changes what you can do:
| Device state | What you can do | Main caveat |
|---|---|---|
| Entra joined and Intune-managed | Disable, locate, retire, remote wipe | Device must come online to receive most actions |
| Hybrid joined and Intune-managed | Same core actions, plus review on-prem controls | Coordinate with AD, VPN, and certificate owners |
| Unmanaged or lightly managed | Revoke sessions, reset password, block sign-in, selective wipe | No full remote wipe if Intune never managed the device |
If the laptop is offline, queue the remote wipe anyway. Intune will deliver the action when the device reconnects. Meanwhile, keep identity controls in place and monitor for new sign-ins.
Don’t delete the device object too early. You may remove your best path to initiate a remote wipe, track its location, or prove what happened.
After a device is confirmed stolen and unrecoverable, finish the cleanup in order. Perform a remote wipe first, then remove the Windows Autopilot object if it exists, then delete the device from Entra ID and Intune when the record is no longer needed for action or evidence.
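The endpoint steps above (check the Intune record, disable the Entra device, queue a wipe and read back the action state) as an added Microsoft Graph PowerShell example; this is not code from the original article. It assumes the Microsoft.Graph module, Intune and Entra device admin permissions, and a constructed device name; the wipe is sent through the Graph `managedDevices/{id}/wipe` action.

```powershell
param(
    [Parameter(Mandatory)][string]$DeviceName   # constructed placeholder, e.g. LAPTOP-FIN-042
)

Connect-MgGraph -Scopes "Device.ReadWrite.All",
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementManagedDevices.PrivilegedOperations.All" -NoWelcome

# 1. Pull the Intune record to see whether the laptop is still checking in.
$managed = @(Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$DeviceName'")
if ($managed.Count -ne 1) {
    throw "Expected one Intune record for $DeviceName, found $($managed.Count); contain the identity and stop here."
}
$managed = $managed[0]
$managed | Select-Object DeviceName, SerialNumber, ComplianceState, LastSyncDateTime, UserPrincipalName

# 2. Disable the device identity in Entra ID so it can no longer satisfy
#    device-based Conditional Access, even before the wipe is delivered.
$entraDevice = Get-MgDevice -Filter "deviceId eq '$($managed.AzureAdDeviceId)'"
if ($entraDevice) {
    Update-MgDevice -DeviceId $entraDevice.Id -AccountEnabled:$false
    "{0} Entra device {1} disabled" -f (Get-Date -Format o), $entraDevice.DisplayName
}

# 3. Queue the wipe. Intune stores the command and delivers it at the next
#    check-in, so this works while the laptop is offline.
$wipeBody = @{ keepEnrollmentData = $false; keepUserData = $false }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($managed.Id)/wipe" `
    -Body $wipeBody
"{0} wipe queued for {1}" -f (Get-Date -Format o), $managed.DeviceName

# 4. Read back the action state: 'pending' means the endpoint is still out of reach.
#    Keep this device record until the state reaches 'done'; do not delete it yet.
(Get-MgDeviceManagementManagedDevice -ManagedDeviceId $managed.Id).DeviceActionResults |
    Select-Object ActionName, ActionState, StartDateTime, LastUpdatedDateTime
```

Step 4 is the same check the evidence section later calls reviewing Intune action status; rerun it on its own to see when the device acknowledges the wipe.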
A lost laptop often means one thing in practice: local copies of sensitive data may exist outside your control for a while. That risk sits mostly in OneDrive sync, SharePoint libraries, Teams files, Outlook cache, and browser sessions.
Start with recent activity. Review the user’s OneDrive and SharePoint file activity around the loss time. Look for unusual downloads, mass sync, new sharing links, or access from a new device profile. If the laptop had broad library sync, treat that as a bigger exposure even when the tenant itself looks clean.
Session revocation helps here because it forces Office clients and browsers to re-authenticate. Still, it doesn’t erase files already synced to disk. That is why wipe or selective wipe matters when the device is managed.
Exchange Online is the other priority. Mailbox compromise can expose clients, invoices, MFA prompts, password reset links, and confidential conversations. Review forwarding rules, inbox rules, delegate permissions, and recent sign-in history. Remove anything the user did not create.
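The mailbox checks described here and in the identity section (forwarding, inbox rules, delegates) as an added ExchangeOnlineManagement example; this is not code from the original article. It assumes the ExchangeOnlineManagement module and Exchange admin rights; the mailbox address is a constructed placeholder.

```powershell
param([Parameter(Mandatory)][string]$Mailbox)   # constructed placeholder, e.g. jdoe@contoso.example

Connect-ExchangeOnline -ShowBanner:$false

# 1. Mailbox-level forwarding, which lives outside inbox rules and is easy to miss.
$mbx = Get-Mailbox -Identity $Mailbox
if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
    Write-Warning ("Mailbox forwarding set: {0} {1} (DeliverToMailboxAndForward={2})" -f
        $mbx.ForwardingAddress, $mbx.ForwardingSmtpAddress, $mbx.DeliverToMailboxAndForward)
}

# 2. Inbox rules that forward, redirect or silently delete mail are the classic
#    persistence left by a stolen session. List them for the user to confirm.
$suspicious = Get-InboxRule -Mailbox $Mailbox | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
}
foreach ($rule in $suspicious) {
    $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
        Where-Object { $_ }
    [pscustomobject]@{
        Rule     = $rule.Name
        Enabled  = $rule.Enabled
        SendsTo  = $targets -join ';'
        Deletes  = $rule.DeleteMessage
        Identity = $rule.Identity
    }
}

# 3. Delegates: explicit entries beyond the mailbox owner deserve a second look.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { $_.User -notlike 'NT AUTHORITY\SELF' -and -not $_.IsInherited } |
    Select-Object User, AccessRights

# 4. Remove only what the user confirms they did not create, for example:
#    Remove-InboxRule -Mailbox $Mailbox -Identity $rule.Identity -Confirm:$false
#    Set-Mailbox -Identity $Mailbox -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
```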
For unmanaged devices or those containing PHI, app protection policies become the safety net. If the user accessed Microsoft 365 apps on a personal laptop or phone, use selective wipe to remove company data from managed app containers where supported. These proactive measures are critical for maintaining HIPAA compliance and meeting GDPR requirements for data protection. Without MAM or MDM, your control over this information drops fast.
This is where mature defaults pay off. Conditional Access, sensitivity labels, and limited offline sync do not stop every incident, but they reduce the amount of data sitting on a missing device. Many admins still think of this as Office 365 administration, yet the work spans identity, endpoint, and data controls across Microsoft 365.
Containment is only half the job. You also need enough evidence to decide whether this was a simple loss, a theft, or a broader compromise.
Start with Entra sign-in logs. Look at timestamps after the user reported the laptop missing. Check the application used, client type, IP address, country, Conditional Access result, and device details. If you see sign-ins that don’t match the user’s normal pattern, escalate the incident even if the laptop later turns up.
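The sign-in review above (and the earlier identity-section check for sign-ins after the loss time) as an added Microsoft Graph PowerShell example; this is not code from the original article. It assumes the Microsoft.Graph.Reports module, a licence that exposes sign-in logs through Graph, and constructed values for the user, loss time, missing device id and expected countries.

```powershell
param(
    [Parameter(Mandatory)][string]$UserPrincipalName,   # constructed placeholder
    [Parameter(Mandatory)][datetime]$LostAt,            # last time the user had the laptop
    [Parameter(Mandatory)][string]$LostDeviceId,        # Entra deviceId of the missing laptop
    [string[]]$ExpectedCountries = @('GB')              # constructed; the user's normal locations
)

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

# Only sign-ins after the reported loss matter for this question.
$since   = $LostAt.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter  = "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $since"
$signIns = Get-MgAuditLogSignIn -Filter $filter -All

$findings = foreach ($s in $signIns) {
    $reasons = @()
    # The missing laptop authenticating after the loss is the strongest signal.
    if ($s.DeviceDetail.DeviceId -eq $LostDeviceId) { $reasons += 'from missing device' }
    if (-not $s.DeviceDetail.DeviceId)              { $reasons += 'unregistered device' }
    if ($s.Location.CountryOrRegion -and $s.Location.CountryOrRegion -notin $ExpectedCountries) {
        $reasons += "unexpected country $($s.Location.CountryOrRegion)"
    }
    if ($s.ConditionalAccessStatus -eq 'notApplied') { $reasons += 'no Conditional Access policy applied' }
    if ($reasons) {
        [pscustomobject]@{
            Time    = $s.CreatedDateTime
            App     = $s.AppDisplayName
            Client  = $s.ClientAppUsed
            IP      = $s.IpAddress
            Country = $s.Location.CountryOrRegion
            Device  = $s.DeviceDetail.DisplayName
            Result  = if ($s.Status.ErrorCode -eq 0) { 'success' } else { "error $($s.Status.ErrorCode)" }
            Reason  = $reasons -join '; '
        }
    }
}

if ($findings) {
    $findings | Sort-Object Time | Format-Table -AutoSize
    Write-Warning "$(@($findings).Count) sign-in(s) after $LostAt need review; escalate even if the laptop turns up."
} else {
    "No flagged sign-ins after $LostAt for $UserPrincipalName."
}
```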
Then review Intune action status. Note when you sent disable, retire, or wipe commands, and whether the device acknowledged them. A queued action tells you the endpoint is still out of reach. A completed wipe gives you a stronger recovery position.
If you have Microsoft Defender for Endpoint or Microsoft XDR, correlate the device timeline with the identity logs. Last-seen time, local account activity, USB usage, malware alerts, and sensor health can all help. On a hybrid device, check whether the on-prem computer account, VPN certificate, or cached line-of-business credentials add extra risk.
Create a formal incident report while the details are fresh. Your record should include the user, asset tag, device name, serial number, join type, management state, loss timeline, actions taken, approvals, and any law enforcement reference. Share these findings with your cybersecurity incident response team to assess the impact. You should also note if regulated data was present, as these logs help determine if the situation warrants a data breach notification to stakeholders or regulators. If the laptop belongs to an executive, clinician, or project team with sensitive files, note that as well.
Don’t wipe away evidence you may need later. If you suspect insider activity, criminal theft with targeted intent, or legal exposure, coordinate with security leadership before using the most destructive action. Sometimes the right answer is to block access now, preserve logs, and then re-image or wipe once the evidence is captured.
Clear notes also help when the device comes back. Without them, recovery turns into guesswork.
The same runbook should branch cleanly by situation. That keeps your team from overreacting to a forgotten laptop, or underreacting to a theft.
If the user probably left it in the office, at home, or in a trusted site, keep the pace high but measured. Revoke sessions, review sign-ins, and use locate if your policy allows it. You may hold off on a full wipe for a short window if recovery is likely and the sign-in pattern stays normal.
Move faster when a bag was stolen, a car was broken into, or the user lost the device in public transit. In that case, block sign-in if risk is high, disable the Entra device, and queue a remote wipe to ensure data is protected before the device is potentially compromised. Always preserve the audit record until the wipe action completes. If the laptop stored sensitive customer or patient data, follow your incident-notification path early.
Offline does not mean safe. It only means Intune cannot reach the device yet. Queue the wipe, keep the user account contained, and watch for any sign that the device or the user sessions come back online. Locate may show only the last known position rather than the current one.
Do not hand the device back after a quick boot test. Validate who had it, where it was found, and whether the device was out of company control for long enough to matter. If the laptop was stolen, treat recovery as a potential tampering event. You must verify the integrity of the full-disk encryption to ensure no unauthorized access occurred before the device is re-issued to the user. A rebuild or Autopilot reset is often the safer path than trusting a device that disappeared for hours or days.
A recovered device should also trigger cleanup on the account side. Rotate the password if you have not already, confirm MFA status, review sign-ins since recovery, and check whether the earlier wipe or retire action changed the device state.
The best lost laptop response plan starts long before the laptop goes missing. If your team has to decide roles, permissions, and wipe criteria in the middle of the incident, you are already late. A well-rehearsed incident response plan is vital for business continuity, ensuring that security teams can act quickly and impacted users can return to their work with minimal disruption.
Start with baseline controls. Every corporate Windows laptop should auto-enrol in Intune, join Entra ID or hybrid join where needed, and escrow BitLocker recovery keys. Leveraging robust mobile device management is the best way to ensure your foundation is secure. Microsoft’s device enrollment guidance for Microsoft 365 remains the right place to check your current configuration.
Then keep the runbook short enough for a tired admin to use at 11 pm. When drafting your procedures, following the NIST cybersecurity framework can help you structure your response categories effectively:
Older runbooks often still say Azure or Office 365 in ways that hide where the control really lives. Clean that up now. The current path crosses Microsoft Entra ID, Intune, SharePoint, OneDrive, and Exchange Online, even if your users still call the whole stack Office 365.
It also helps to compare your internal process against an outside checklist, such as this small business lost laptop action plan. The language is broad, but the timing discipline is useful for any team.
Not necessarily. If the device is simply misplaced in the office, you may prefer to revoke sessions and monitor sign-in logs first. However, if theft is likely or the device contains highly regulated data, a remote wipe should be queued immediately to prevent unauthorized access.
A device wipe can take time to process if the laptop is offline, whereas revoking refresh tokens and active sessions in Entra ID immediately forces all Microsoft 365 applications to re-authenticate. This prevents an attacker from using a live, open browser session to access email or cloud documents regardless of the device’s physical status.
You should still initiate the desired Intune action, such as a remote wipe, and leave it as a queued command. The action will be delivered to the device the moment it establishes an internet connection, ensuring your security policy is enforced as soon as possible.
No, you should avoid deleting the device object too early. Keeping the record allows you to verify that the wipe command was successfully received, maintains a paper trail for incident reporting, and ensures you retain access to the device’s last known location and audit history.
A missing laptop becomes a significant problem when an identity remains active long after the hardware is gone. That is why a robust lost laptop response plan is essential for Microsoft 365 admins. By focusing on sessions, tokens, and sign-in controls before moving to Intune and device cleanup, you effectively close the window for unauthorized access.
When your team can classify the incident quickly, revoke access within minutes, queue the appropriate device action, and verify the activity logs, you drastically reduce the risk of a breach. These measures ensure that sensitive data remains protected, even when the physical hardware is out of your reach.
Review your security runbook before the next travel day, not after the next laptop disappears.