Microsoft Intune is a cloud-based service supporting management of desktop and mobile devices. At HKUST, our implementation will first focus on Windows 10 devices. Desktops will be managed centrally, with an emphasis on security enhancement.
Under Intune, devices are configured to join Microsoft's cloud-based Azure AD for central management. Benefits include:
- Support for Windows logon using ITSC accounts, with the benefit of single sign-on to most Microsoft services
- Windows security configurations (e.g. firewall settings, anti-virus) and Windows security updates are managed centrally, reducing the risk of tampering
- Software versions of the Windows 10 OS and O365 are managed centrally, avoiding the risk of security vulnerabilities after the software reaches End-of-Life
These devices will be co-managed by ITSC and users. While ITSC will ensure that critical security settings are properly configured, users, usually with local administrative privilege, will manage application installation.
In addition, devices will be configured to be protected by the powerful Microsoft Advanced Threat Protection (ATP).
ATP leverages modern cybersecurity technologies (e.g. AI-based behaviour detection, cloud-based sandbox verification) which are not available in traditional signature-based anti-virus tools like F-Secure.
- significant improvement in malware detection
- better protection against attacks via malware embedded in document files
- SmartScreen for Microsoft Edge browser to protect against access to malicious web sites
- ransomware protection for user document folders
- alerts on any insecure software installed by users
- alerts to administrators on malware infection so that problems can be contained quickly
All university-owned Windows 10 devices used for administrative purposes are expected to be managed under Intune and protected by ATP in order to meet the Minimum Security standard for desktop.
The Intune service is provided to users on a departmental basis.
Please contact the Cybersecurity Coordinator of your department for enrollment.
Enroll on a departmental basis. Please contact your department Cyber Security Coordinator (CSC).
Participating departments must assign their CSC (or another colleague) to take up the role of desktop support coordinator. He/She will work with the ITSC Intune administrative team on the following:
- produce an inventory of their department's PCs and work with ITSC on the enrollment
- assist their department's users to remediate insecure configurations if discovered (e.g. Windows Update has been paused)
- work with ITSC on major upgrades (e.g. Windows 10 version reaching EOL)
- handle security alerts (e.g. machine infected by malware)
- The device to be enrolled must be running Windows 10 version 1703 or later.
- If your device is not AD domain joined, please contact us to arrange a different enrollment procedure.
Reviewing security status of your software
Tips on Enabling Automatic Updates for popular Applications
More Tips on securing Windows 10
- Avoid using default administrator privilege accounts
- Securing campus desktop computers which have Remote Desktop (RDP) turned on
Technical Details of Azure AD join