Management responsibility

The user may choose the device to fit their personal requirements, and may purchase and even own it, but they may not expect to have to maintain its configuration and security management. Some users may want or need local admin rights to customize the device to their requirements, while others may expect their IT support to remotely manage and configure the device on their behalf. Understanding and agreeing on who is responsible for the management of the device is key to ensuring that the appropriate level of security is applied.

These considerations then define the appropriate level of trust for each device. For example, if the user has local administrative rights to the device, they can modify the configuration, install software, and generally increase the risk profile. A user logging in to this device would therefore have a lower level of trust than one logging in to a device that is enrolled and managed by company policies and has the user's local admin rights removed.

You can either install a company image of Windows 10 Enterprise on the BYOD device or upgrade the device without reinstalling. To support an upgrade to Windows 10 Enterprise, the device must have Windows 10 Professional installed. If the OS is not domain joined and activated via Active Directory (AD), the user can upgrade their own machine to Enterprise edition by entering the relevant licensing key (MAK). The recommended option, however, is enrollment in an MDM solution, which will initiate the upgrade for them. Alternatively, they can run a provisioning package that you have created and sent to them on a USB key.
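
The following PowerShell sketch is an added example, not part of the original text. It gathers the facts discussed above from a Windows 10 device (edition, domain join, whether the logged-on user is a local administrator) and reports the upgrade path and a trust label. The function name Get-ByodPosture, the -MdmEnrolled parameter and the 'Higher'/'Lower' labels are assumptions made for illustration.

```powershell
# Added example: posture facts that drive the trust and upgrade decisions above.
# Get-ByodPosture and its trust labels are hypothetical, not a Microsoft scheme.
function Get-ByodPosture {
    [CmdletBinding()]
    param(
        # Assumption: enrollment state is supplied by the caller, taken from
        # the MDM console rather than inferred from local state.
        [Parameter(Mandatory)] [bool] $MdmEnrolled
    )

    # EditionID is, for example, 'Core' (Home), 'Professional' or 'Enterprise'.
    $key     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $edition = (Get-ItemProperty -Path $key).EditionID
    $domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    # Direct membership of the built-in Administrators group (S-1-5-32-544).
    # Membership through a nested group is not detected by this check.
    $me = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    try {
        $admins     = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
        $localAdmin = $admins.SID.Value -contains $me
    } catch {
        $localAdmin = $null   # could not be read: treated as unknown below
    }

    # An in-place upgrade to Enterprise requires Professional as the base.
    $upgrade = switch -Wildcard ($edition) {
        'Enterprise*'  { 'Already Enterprise' }
        'Professional' { 'Eligible for in-place upgrade to Enterprise' }
        default        { 'Not eligible: Windows 10 Professional required first' }
    }

    # Higher trust only when the device is managed AND admin rights are removed.
    # Unknown admin state ($null) falls through to 'Lower'.
    $trust = if ($MdmEnrolled -and $localAdmin -eq $false) { 'Higher' } else { 'Lower' }

    [pscustomobject]@{
        Edition          = $edition
        DomainJoined     = $domainJoined
        UserIsLocalAdmin = $localAdmin
        MdmEnrolled      = $MdmEnrolled
        UpgradePath      = $upgrade
        TrustLevel       = $trust
    }
}

Get-ByodPosture -MdmEnrolled $false | Format-List
```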