Use Microsoft Teams securely on shared computers

When possible, enterprises should take a Zero Trust approach to client devices, using device management capabilities, device health checks and policy enforcement, device-level encryption, and other security features.

Zero trust picture showing verify explicitly, least privilege, and assume breach -- the core zero trust principles -- in blue circles.

Administrators can create very secure conditions by insisting on verification and least privilege, and by assuming compromise -- standards that lead to actions that minimize risk to both users and data.

Tip

For a deeper examination of Zero Trust principles, see these videos.

Tips for using Microsoft Teams securely from a shared computer

Recognizing that a Zero Trust approach may not be possible or practical in all scenarios, it is still important for security administrators to follow guidance for using Teams from a shared computer or unmanaged device as best they can.

Plans should be developed to adhere to guidelines as promptly as possible.

  1. Make use of Operating System platform security capabilities.
    1. Ensure that the operating system is configured to install automatic updates from the Operating System provider (for Microsoft systems, this can be accomplished via Windows Update).
    2. Ensure that any device encryption capabilities, such as BitLocker, are enabled and that the key used to access the device is secured. Note that most modern Windows 10 devices support BitLocker.
    3. Use anti-virus capabilities such as those offered by Windows Defender on your devices.
    4. Use of separate user accounts for each user of the system is highly recommended.
    5. Do not grant, or use, administrator privileges for non-administrative functions (such as browsing the web, running Teams, et cetera).

If the above guidance cannot be met, we recommend making use of additional browser security best practices:

  1. Leverage browser security capabilities.

    1. Use private browsing sessions to minimize data and history that persists to disk. For example, use InPrivate browsing in Microsoft Edge, Incognito browsing in Google Chrome, or the private browsing capabilities of your specific browser.
    2. Changing the system behavior to engage private browsing by default is recommended.
  2. Browse to and use the Teams web app (sometimes called the web client), not the downloadable Teams client.

  3. When you are done using the shared system, you must:

    1. Sign out of Teams.
    2. Close all browser tabs and windows.
    3. Sign out of the device.
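
The device-side items in both lists above can be checked with a read-only audit script. This is an added example, not part of the original guidance; it assumes an elevated Windows PowerShell session on Windows 10 with the built-in BitLocker, Defender, and LocalAccounts modules, and the report labels are this example's own.

```powershell
# Added example: read-only audit of a shared Windows PC against the checklist above.
# Assumption: run elevated (Get-BitLockerVolume requires it). Nothing is changed.

function Get-PolicyValue($Path, $Name) {
    # Returns $null when the policy key or value is absent.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$report = [ordered]@{}

# Automatic updates: the NoAutoUpdate policy value 1 turns them off.
# An absent value only means no policy disables them.
$au = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' 'NoAutoUpdate'
$report['Automatic updates not disabled by policy'] = ($au -ne 1)

# Device encryption: the OS volume should report BitLocker protection On.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$report['BitLocker protecting OS volume'] = ($null -ne $os -and $os.ProtectionStatus -eq 'On')

# Anti-virus: Microsoft Defender engine and real-time protection enabled.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
$report['Defender real-time protection on'] =
    ($null -ne $mp -and $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)

# Separate accounts: list enabled local users so a single shared login stands out.
$users = Get-LocalUser | Where-Object Enabled
$report['Enabled local accounts'] = ($users.Name -join ', ')

# Least privilege: members of the built-in Administrators group.
# The well-known SID is used so the check also works on localized systems.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
$report['Local Administrators members'] = ($admins.Name -join ', ')

# Private browsing by default: policy value 2 forces InPrivate / Incognito.
$edge   = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' 'InPrivateModeAvailability'
$chrome = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Google\Chrome' 'IncognitoModeAvailability'
$report['Edge InPrivate forced by policy']    = ($edge -eq 2)
$report['Chrome Incognito forced by policy']  = ($chrome -eq 2)

$report.GetEnumerator() | Format-Table -AutoSize Name, Value
```

The two account lists are for manual review: everyday users of the shared PC should each have their own entry in the first list and should not appear in the second.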

The items above are not a comprehensive list of best practices or security controls covering all cases, and there may be extra actions that can be taken in your environment (for instance, security administrators may choose to use Safe Links and Safe Attachments for Teams if you have Office 365 ATP Plan 1 or 2). However, these steps are a starting point for building guidance for using Teams from shared devices.

More Information

BitLocker in Configuration Manager

BitLocker for Windows 10 in Intune

Endpoint security in Intune

Enable Microsoft Defender Antivirus in your Windows Security and run scans

Microsoft Defender security center article

Teams web client/teams web app

Security and Microsoft Teams