Ex-corporate laptops, ThinkPads, EliteBooks, and Latitudes, offer serious value on the used market. The catch: a business machine that was never properly decommissioned can be completely locked to you, no matter how little you paid for it.
This guide explains the four types of management locks that show up on used laptops, why they exist, how to spot them before you pay, and what buying through a verified marketplace does (and doesn’t) protect you from.
Quick Answer
The locks to know: BIOS/supervisor password, MDM enrollment, Computrace/Absolute persistence, and (on Macs) Activation Lock or EFI lock. All of them can make a laptop useless to anyone other than the original corporate IT department. The safest move is buying from a seller who has proof the device is fully deregistered and decommissioned.
The Locks That Can Brick a Used Laptop
There are four distinct lock types that appear on ex-corporate hardware. They are independent: a laptop can have one, several, or all of them active at the same time.
BIOS/Supervisor Password
The BIOS (Basic Input/Output System, or UEFI on modern machines) is the firmware that runs before the operating system loads. A supervisor password or BIOS password set by an IT department can prevent you from changing boot order, reinstalling the OS, or even accessing boot settings at all.
Unlike a Windows login password, a BIOS password cannot be reset by reinstalling the operating system. On most consumer laptops, it can be cleared by removing the CMOS battery or shorting certain board contacts. On business-class machines, particularly ThinkPads, EliteBooks, and certain Dell Latitudes, the password is stored in a separate security chip. Resetting it typically requires a manufacturer service call, a specialized unlocking tool, or a fee paid to certain repair shops with OEM access.
If a used laptop boots and immediately drops into a password-protected BIOS before loading any OS, you are dealing with a BIOS lock.
MDM Enrollment (Mobile Device Management)
MDM enrollment is how corporate IT manages large fleets of laptops remotely: pushing software, enforcing policies, wiping devices, and monitoring activity. Windows uses platforms like Microsoft Intune, Jamf (more common on Mac), or VMware Workspace ONE. Apple has its own MDM framework baked into macOS.
When a corporate laptop is decommissioned, IT is supposed to unenroll it from the MDM platform before transferring or selling it. When that step is skipped, the MDM enrollment persists. The new owner may be able to use the laptop initially, but the device can receive a remote wipe command at any time, and some MDM profiles block the user from installing software, changing settings, or even connecting to certain networks.
MDM enrollment is not always immediately visible. A laptop can appear fully functional for days or weeks before the MDM agent reaches out to its management server and enforces restrictions.
Computrace / Absolute Persistence
Computrace, now called Absolute (or Absolute Device Security), is a firmware-embedded tracking and remote-management agent that HP, Lenovo, Dell, and several other manufacturers pre-install at the BIOS level on business-class machines.
Unlike regular software, Absolute’s agent is embedded in the UEFI firmware itself. Reinstalling Windows or wiping the drive does not remove it. If a corporate IT department activated Absolute on the device and never deactivated it on the company’s account, the agent will re-establish contact with Absolute’s servers the first time the laptop connects to the internet. At that point, the registered owner can issue a remote lock or wipe.
Check the BIOS settings on any ex-business HP, Lenovo, or Dell: look for a setting labeled “Computrace,” “Absolute Persistence,” or “Device Theft Protection.” If it shows as “Activated,” the agent is live. “Disabled” means it was never activated. “Deactivated” means it was activated and then permanently turned off by the authorized account holder, which is the clean state you want.
EFI Lock (Mac, older Intel)
On Intel Macs, a firmware password (sometimes called an EFI lock) prevents booting from any device other than the designated startup disk and blocks access to recovery mode. It is separate from macOS Activation Lock.
Like the BIOS supervisor password on Windows machines, an Intel Mac firmware password cannot be removed without Apple intervention. It requires the Mac’s original proof of purchase and a visit to an Apple Store or Authorized Service Provider. This is uncommon on consumer machines, but it does appear on ex-corporate Intel MacBooks.
Used Laptops: The Complete Guide to Buying and Selling (2026)
Why Ex-Corporate Laptops Carry These Locks
Business laptops get locked down by design. IT departments are responsible for hundreds or thousands of devices, and management software is the only practical way to enforce security policies, deploy updates, and remotely wipe machines if they are lost or stolen.
The problem for used buyers is what happens at end-of-life. When a company refreshes its hardware, it sells or donates old machines in bulk, often through asset disposal brokers or liquidation auctions. The decommissioning process, removing MDM enrollment, disabling Absolute, clearing BIOS passwords, varies in quality. Some IT departments are thorough. Others are not, and the machines go out the door still fully enrolled.
The machines most likely to carry these locks are the same ones used buyers most want: Lenovo ThinkPad T and X series, HP EliteBook and ProBook, and Dell Latitude and Precision. These are durable, well-built, and priced well on the used market precisely because they were originally sold to enterprise buyers.
Used ThinkPad Buyer’s Guide: T, X, E & P Series Explained
Decoding HP Laptops: Pavilion vs. Envy vs. EliteBook vs. ProBook vs. Spectre vs. Omen
How to Check a Laptop Is Deregistered Before Buying
These are the checks to run, or ask about, before completing any used laptop purchase from a private seller or unverified source.
1. Boot into the BIOS/UEFI settings.
On most laptops, press F2, F10, Del, or Esc during startup (the exact key varies by manufacturer). If the BIOS is password-protected and you do not have that password, stop. Do not buy the device unless the seller can provide and remove it before the transaction.
2. Check Computrace/Absolute status.
While in the BIOS, navigate to the Security section and look for a “Computrace,” “Absolute,” or “Persistence” setting. “Deactivated” is good. “Activated” is a red flag. “Disabled” simply means it was never turned on. If you see “Activated” without confirmation from the seller that the company account has been closed, the risk is real.
3. Boot the OS and check for MDM enrollment.
On Windows: go to Settings > Accounts > Access Work or School. If the device shows a connected work or school account it does not belong to you, or if there is a “Connected to [company name] MDM” entry, the device is enrolled. On Windows 11, also check Settings > System > About and look for “Managed by.”
On macOS: go to System Settings > General > Device Management (or System Preferences > Profiles on older versions). Any profile listed there that you did not install is an MDM profile. A clean device should show no profiles, or only profiles you added yourself.
4. Ask the seller for documentation.
A legitimate decommission will often come with paperwork: an asset disposal certificate, a screenshot of the MDM console showing the device has been unenrolled, or confirmation that the Absolute account has been deactivated. If a seller cannot provide anything and the price is unusually low, that is the tradeoff you are accepting.
5. Check if the device was enrolled in a domain.
On Windows, look for “Work or School” account connections under Settings > Accounts, or check whether the device joined an Active Directory domain. On a clean consumer reinstall, neither will be present.
| Check | Where to find it | Red flag |
|---|---|---|
| BIOS password | BIOS startup (F2/Del/Esc) | Prompted for password you don’t have |
| Computrace/Absolute | BIOS > Security section | “Activated” status |
| MDM enrollment (Windows) | Settings > Accounts > Work or School | Any enrollment you didn’t set up |
| MDM enrollment (macOS) | System Settings > General > Device Management | Any non-personal profile present |
| EFI/firmware password (Mac) | Recovery mode (Cmd+R at boot) | Prompted for password at recovery |
Mac-Specific: Activation Lock and EFI Lock
Apple’s Activation Lock for Mac requires either Apple Silicon (M1 and later) or the Apple T2 Security Chip, which means it covers T2-equipped Intel Macs from roughly 2018 onward as well as every Apple Silicon model. It mirrors the feature that has existed on iPhones for years. If the seller did not sign out of their Apple Account before selling, the Mac is locked to their account. A new owner cannot activate it.
There is no longer a public Apple web tool that reports Activation Lock status from a serial number (Apple retired it, and checkcoverage.apple.com only shows warranty and AppleCare coverage, not lock status). The reliable check is during first-time setup: a machine with an active Activation Lock will stop at the Apple ID sign-in step and will not complete activation. Buy only after the seller has fully signed out of their Apple ID and turned off Find My, or after you have confirmed the Mac activates cleanly.
For Intel Macs, the EFI firmware password described above is a separate concern from Activation Lock. On a T2-equipped Intel Mac, Activation Lock cannot be bypassed by reinstalling macOS: the activation prompt returns after the reinstall, and only the original owner (or Apple, with proof of purchase) can clear it. Older Intel Macs without the T2 chip do not support Activation Lock at all. A firmware password blocking Recovery Mode is yet another, separate problem that requires Apple service.
Used MacBook Buyer’s Guide: Air vs. Pro, M1–M5 (2026)
The Swappa listing process for MacBooks requires sellers to confirm the device is out of Activation Lock before listing. If you buy a Mac on Swappa and it is locked in a way that wasn’t disclosed, you are entitled to a refund.
Chromebook Enterprise Enrollment
Chromebooks used in schools and businesses are often managed through Google Admin via enterprise or education enrollment. An enrolled Chromebook shows a managed banner on the sign-in screen and restricts what the user can do, including preventing sign-in with a personal Google account.
Checking is simple: power on the Chromebook. If you see a message reading “This device is managed by [organization]” or a banner at the bottom of the login screen, it is enterprise-enrolled.
Removing enterprise enrollment requires access to the original Google Admin console. It cannot be bypassed by a Powerwash (factory reset). If a seller cannot confirm the enrollment has been removed, do not buy the device.
Used Chromebook Buyer’s Guide: What to Know Before You Buy
Buying Verified Used Laptops Safely
The most reliable way to avoid these problems entirely is buying from a source that has already done the verification work.
Swappa’s used laptop listings go through a staff review process before going live. Listings must represent devices that are ready to activate, free from activation locks, and as described. Sellers are required to ensure devices are fully signed out and deregistered before listing.
If a device you buy through Swappa is not as described, including any undisclosed management lock, you are entitled to a refund. The 24/7 human support team (around 20-minute response time) handles disputes directly.
That said, Swappa is not the place to sell a laptop that is still enrolled in MDM or locked to a corporate Absolute account. Those devices need to go back to whoever can decommission them properly. If you are a seller preparing a laptop for sale, remove every management layer before listing.
How to Sell a Used Laptop for the Most Money
Fees on Swappa are a flat 3% buyer fee plus a 3% seller fee. Listing is free. Payment processing (PayPal or Stripe for select sellers) and state sales tax are added at checkout. Overall, that is lower than what auction-site fees typically run.
Frequently Asked Questions
Can a BIOS password be removed without the original password?
On consumer laptops, yes, often by clearing the CMOS battery. On business-class machines (ThinkPad, EliteBook, Latitude), the password is stored in a dedicated security chip and typically requires manufacturer tools or a certified repair shop with OEM access. There is no universal workaround, and some machines will require proof of purchase.
What happens if I connect an MDM-enrolled laptop to the internet?
The MDM agent on the device will check in with its management server. Depending on how the corporate IT policy is configured, it may enforce restrictions, push new settings, or issue a remote wipe. This can happen minutes after the first internet connection, or it may take longer if the server reaches out on a scheduled cycle.
Is Computrace/Absolute dangerous to buy?
Not inherently, but it is a risk. “Disabled” (never activated) is safe. “Deactivated” (activated and then permanently turned off by the account holder) is safe. “Activated” means the agent is live and the registered corporate owner could theoretically lock or wipe the device. If you see “Activated” and cannot confirm the account has been formally closed, pass on the device.
How do I check for Activation Lock on a used Mac?
There is no public Apple tool that reports Activation Lock status from a serial number. The reliable check is the setup process itself: an Activation-Locked Mac will stop at the Apple Account sign-in step and display a message that it is linked to another account. Confirm the seller has signed out of their Apple Account or watch the Mac activate cleanly before you pay.
Are all ex-corporate laptops risky?
No. Many are properly decommissioned and are excellent value buys. The risk is concentrated in machines sold through bulk liquidators or informal channels where the decommissioning step may have been skipped. Buying from a verified marketplace or a seller who can show documentation of deregistration significantly reduces the risk.
What is the difference between MDM enrollment and a domain join?
They are related but different. A domain join connects a Windows machine to a corporate Active Directory network for authentication. MDM enrollment connects the device to a management platform for remote policy enforcement. A machine can have one, both, or neither. Leaving a corporate domain typically requires a simple setting change; leaving MDM enrollment requires action from the IT administrator or MDM platform.
The Short Version
Ex-corporate laptops are some of the best value on the used market, but only when they have been properly decommissioned. A BIOS lock, active MDM enrollment, live Computrace agent, or uncleared Activation Lock can make a laptop permanently unusable without manufacturer intervention.
Before buying any used business laptop, boot into the BIOS, check the OS for MDM profiles, and look up the serial number if it is a Mac. If a seller cannot answer basic questions about the device’s management status, that is useful information about the transaction.
Shop verified used laptops on Swappa, where listings are staff-reviewed and every device must be ready to activate before going live.
