Microsoft Intune is a cloud-based service for managing desktop and mobile devices. At HKUST, our implementation will first focus on Windows devices. Desktops and notebooks will be managed with an emphasis on security enhancement.
Under Intune, devices are configured to join the Microsoft cloud-based Azure AD. Benefits include:
- Support for Windows logon using ITSC accounts (even when off-campus), with the benefit of single sign-on to most Microsoft services
- Windows Security configurations (e.g. firewall settings, anti-virus) and Windows Update are configured centrally, reducing the risk of their being tampered with
- Software versions of Windows 10/11 and Office 365 are managed centrally, avoiding the risk of unpatched security vulnerabilities after a version reaches end-of-life
In addition, devices will be protected by the powerful Microsoft Endpoint Advanced Threat Protection (ATP).
- ATP leverages modern cybersecurity technologies (e.g. AI-based behaviour detection, cloud-based sandbox verification) which are not available in traditional signature-based anti-virus tools like F-Secure. Our pilot rollout in some departments has shown that ATP prevents many attacks that F-Secure cannot detect.
All university-owned Windows 10/11 devices used for administrative purposes are expected to be managed under Intune and protected by ATP in order to meet the Minimum Security Standard defined in our Cybersecurity Policy.
- The Intune service is provided to users on a departmental basis.
- To enroll, please contact the Cybersecurity Coordinator (CSC) of your department.
Participating departments must assign their CSC (or another colleague) to take up the role of desktop support coordinator. He/she will work with the ITSC Intune administration team on the following:
- Produce an inventory of their department's PCs and work with ITSC on their enrollment
- Assist their department's users in remediating insecure configurations when discovered (e.g. Windows Update has been paused)
- Work with ITSC on major upgrades (e.g. a Windows 10/11 version reaching end-of-life)
- Handle security alerts (e.g. a machine infected by malware)
Roles of users and ITSC
Users, department CSCs and ITSC work jointly to protect the devices.
Users, who are usually granted local administrator privilege on the device, manage the installation of applications.
They should also follow the security practices issued from time to time by ITSC (via their CSC), e.g. responding to security update prompts, upgrading the OS and software to the latest versions, and not installing unsafe software.
ITSC defines and mandates most security configurations on these devices, following the enterprise-level security best practices recommended by Microsoft.
By leveraging Intune and ATP, ITSC will detect security incidents promptly and inform affected users for quick remediation.
- The device to be enrolled must be running Windows 10 version 1703 or later and be AD domain joined.
- If your device is not AD domain joined, or you have a new device, please refer to the procedure for joining cloud Azure AD only below.
- ITSC will not examine the data stored on the PC.
- The system configuration of the PC and the software installed are recorded for the purpose of providing the Intune service.
- If a security incident happens (e.g. malware infection, unsafe software being installed, a user clicking a malicious URL), ITSC will be alerted and may investigate by examining the security log files.
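The enrollment prerequisites above (Windows 10 version 1703 or later, AD domain joined) and the coordinator's task of spotting a paused Windows Update can be checked on the PC before enrollment. The following PowerShell script is an added example, not an ITSC tool: it assumes that Windows 10 version 1703 corresponds to OS build 15063, and that the current pause state of Windows Update is recorded in the `PauseUpdatesExpiryTime` value under the `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings` registry key. Run it in an elevated PowerShell session on the device.

```powershell
# Added example (not ITSC's script): pre-enrollment readiness check for a
# Windows 10/11 PC, intended for the department desktop support coordinator.
# Assumptions: Windows 10 1703 = OS build 15063; Windows Update pause state is
# stored under the UX\Settings registry key below.

$minBuild = 15063   # Windows 10 version 1703 (assumed build number)

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$build = [int]$os.BuildNumber

# dsregcmd reports both on-premises AD join and Azure AD join state.
$dsreg = dsregcmd /status
$azureAdJoined = ($dsreg | Select-String '^\s*AzureAdJoined\s*:\s*YES').Count -gt 0
$domainJoined  = ($dsreg | Select-String '^\s*DomainJoined\s*:\s*YES').Count -gt 0

# Windows Update pause: an expiry time in the future means updates are paused now.
$wuKey = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
$pauseExpiry = (Get-ItemProperty -Path $wuKey -Name PauseUpdatesExpiryTime `
    -ErrorAction SilentlyContinue).PauseUpdatesExpiryTime
$updatesPaused = $false
if ($pauseExpiry) {
    $updatesPaused = ([datetime]$pauseExpiry) -gt (Get-Date)
}

# Microsoft Defender real-time protection status (cmdlet is absent if Defender is not installed).
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
$rtpEnabled = if ($mp) { $mp.RealTimeProtectionEnabled } else { $null }

$report = [pscustomobject]@{
    ComputerName        = $cs.Name
    OSVersion           = $os.Caption
    Build               = $build
    MeetsMinimumBuild   = ($build -ge $minBuild)
    DomainJoined        = ($domainJoined -or $cs.PartOfDomain)
    AzureAdJoined       = $azureAdJoined
    WindowsUpdatePaused = $updatesPaused
    DefenderRealTime    = $rtpEnabled
}

$report | Format-List

# Summarise what needs to be fixed before the device is enrolled.
if (-not $report.MeetsMinimumBuild) {
    Write-Warning "Upgrade required: build $build is older than Windows 10 1703 (build $minBuild)."
}
if (-not $report.DomainJoined) {
    Write-Warning "Device is not AD domain joined: use the Azure AD-only join procedure."
}
if ($report.WindowsUpdatePaused) {
    Write-Warning "Windows Update is paused until $pauseExpiry; resume updates."
}
if ($rtpEnabled -eq $false) {
    Write-Warning "Defender real-time protection is off."
}
```

For the departmental inventory, the `$report` object can be piped to `Export-Csv -Append` from each PC so that the coordinator collects one row per device before handing the list to ITSC.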
- For devices joining cloud Azure AD only
- More tips on securing Windows 10/11
- Reviewing the security status of your software
- Tips on enabling automatic updates for popular applications
Procedure for devices joining cloud Azure AD only (not hybrid join)
- Guide for setting up new device to join Azure AD (AAD) with Intune management
More tips on securing Windows 10/11
- Avoid using default administrator privilege accounts
- Securing campus desktop computers which have Remote Desktop (RDP) turned on