Lost/Stolen Device Response Playbook
Step-by-step response guide for lost or stolen company devices (laptops, phones, tablets)
5 Phases
Phase 1: Detect
Confirm Device Loss
Verify the device is lost or stolen and assess risk
- Verify with employee — confirm device is not simply misplaced
- Determine last known location and time of loss
- Identify device type, model, and asset tag
- Assess data sensitivity — what data and accounts were accessible on the device
Check Device Security Status
Determine existing protections on the device
- Confirm whether full-disk encryption was enabled (BitLocker/FileVault)
- Check MDM enrollment status and last check-in time
- Verify device had a strong lock screen PIN/password
- Review whether sensitive files were stored locally vs. cloud-only
Artifacts
Device inventory record
MDM enrollment status report
Phase 2: Contain
Remote Lock and Wipe
Use MDM or device management to secure or erase the device remotely
- Initiate MDM remote lock immediately
- Trigger remote wipe if device contained sensitive or regulated data
- Disable device certificates and VPN access profiles
- Revoke OAuth tokens and app-specific passwords associated with the device
Artifacts
MDM remote lock/wipe confirmation
VPN access revocation log
Disable Network Access
Prevent the device from accessing corporate resources
- Remove device from Azure AD / Entra ID registered devices
- Block device MAC address on corporate Wi-Fi
- Revoke any saved VPN credentials for the device
- Disable Conditional Access trust for the device
Phase 3: Eradicate
Reset User Credentials
Ensure no credentials cached on the device remain valid
- Force password reset for the user across all corporate accounts
- Rotate any API keys or tokens that were stored on the device
- Revoke all cached authentication sessions and refresh tokens
- Review and revoke any saved Wi-Fi and VPN credentials
Audit Account Activity
Check for unauthorized use of credentials from the device
- Review sign-in logs for suspicious activity since the time of loss
- Check for unusual file access or downloads in cloud services
- Verify no mailbox rules or forwarding changes were made
- Review MFA registrations for any unauthorized additions
Artifacts
Sign-in activity report
Cloud access audit log
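Worked example for the Audit Account Activity step above (added here, not part of the original playbook): a small triage script that takes exported sign-in and directory-audit records and flags the three things the checklist asks for: activity from the lost device after the loss time, successful sign-ins from an IP the user has never used, and MFA-registration or mailbox-rule changes made after the loss. The records, field names and action names are constructed to resemble an Entra ID export; they are assumptions, not a real log schema.

```python
# Constructed sample data and field names; adapt the record shape to your own export.
from datetime import datetime, timezone

LOSS_TIME = datetime(2024, 5, 6, 18, 30, tzinfo=timezone.utc)  # last time the device was in hand
LOST_DEVICE_ID = "dev-4f2a"          # constructed device/asset identifier of the lost laptop
KNOWN_IPS = {"203.0.113.10"}         # constructed: IPs the user normally signs in from

SIGN_INS = [  # constructed sign-in records for the affected user
    {"ts": "2024-05-06T17:55:00Z", "device_id": "dev-4f2a", "ip": "203.0.113.10", "result": "success"},
    {"ts": "2024-05-06T19:10:00Z", "device_id": "dev-4f2a", "ip": "198.51.100.7", "result": "success"},
    {"ts": "2024-05-06T19:12:00Z", "device_id": "dev-9c01", "ip": "203.0.113.10", "result": "success"},
    {"ts": "2024-05-06T20:00:00Z", "device_id": "dev-4f2a", "ip": "198.51.100.7", "result": "failure"},
]
AUDIT_EVENTS = [  # constructed directory/mailbox audit records; action names are assumed
    {"ts": "2024-05-06T19:15:00Z", "action": "Add authentication method", "ip": "198.51.100.7"},
    {"ts": "2024-05-05T09:00:00Z", "action": "Set-InboxRule", "ip": "203.0.113.10"},
]
# Changes an unauthorized holder of cached credentials would make to keep access.
PERSISTENCE_ACTIONS = {"Add authentication method", "Set-InboxRule", "New-InboxRule", "Set-Mailbox"}


def _ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def suspicious_sign_ins(sign_ins, loss_time, device_id, known_ips):
    """Return sign-ins needing follow-up, each annotated with the reasons it was flagged."""
    flagged = []
    for rec in sign_ins:
        reasons = []
        if rec["device_id"] == device_id and _ts(rec["ts"]) >= loss_time:
            reasons.append("lost device active after loss time")
        if rec["result"] == "success" and rec["ip"] not in known_ips:
            reasons.append("success from unfamiliar IP")
        if reasons:
            flagged.append({**rec, "reasons": reasons})
    return flagged


def persistence_changes(audit_events, loss_time):
    """Return MFA-registration or mailbox-rule changes recorded after the loss time."""
    return [e for e in audit_events
            if e["action"] in PERSISTENCE_ACTIONS and _ts(e["ts"]) >= loss_time]


if __name__ == "__main__":
    for rec in suspicious_sign_ins(SIGN_INS, LOSS_TIME, LOST_DEVICE_ID, KNOWN_IPS):
        print("SIGN-IN", rec["ts"], rec["device_id"], rec["ip"], "|", "; ".join(rec["reasons"]))
    for ev in persistence_changes(AUDIT_EVENTS, LOSS_TIME):
        print("AUDIT  ", ev["ts"], ev["action"], ev["ip"])
```

The failed sign-in at 20:00 is still flagged because it comes from the lost device after the loss time; failures from the device are evidence of attempted use even when no access was gained.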
Phase 4: Recover
Assess Data Exposure
Determine what data may have been compromised
- Inventory all data that was stored locally on the device
- Check cloud sync logs for unusual activity around the time of loss
- Verify backup integrity for any data that was only on the device
- Determine if breach notification obligations apply
Artifacts
Data exposure assessment
Cloud sync activity log
Issue Replacement Device
Provision a new device with hardened configuration
- Issue replacement device from inventory
- Apply hardened security configuration and enforce encryption
- Enroll in MDM with up-to-date compliance policies
- Restore user data from verified clean backups
Phase 5: Post-Incident
Lessons Learned
Document findings and improve device security policies
- Document complete timeline of events from loss to resolution
- Review MDM policy effectiveness — were remote wipe/lock successful?
- Update device encryption and security requirements if gaps found
- Conduct awareness training on physical device security for staff
Artifacts
Post-incident report
Updated device security policy
Policy Improvements
Strengthen preventative controls
- Review and update acceptable use policy for mobile devices
- Evaluate need for stronger endpoint DLP controls
- Consider enabling automatic lock and wipe after failed login attempts
- Assess whether sensitive data should be restricted from local storage