Device management by Microsoft Endpoint Manager (Intune)

Microsoft Intune is a cloud-based service supporting management of desktop and mobile devices. At HKUST, our implementation will first focus on Windows 10 devices. Desktops will be managed centrally, with emphasis on security enhancement.


Under Intune, devices are configured to join the Microsoft cloud-based Azure AD for central management. Benefits include:

  • Support for Windows logon using ITSC accounts, with the benefit of single sign-on to most Microsoft services
  • Windows security configurations (e.g. firewall settings, anti-virus) and Windows security updates are managed centrally, reducing the risk of tampering
  • Software versions of the Windows 10 OS and O365 are managed centrally, avoiding the risk of security vulnerabilities after reaching End-of-Life

These devices will be co-managed by ITSC and users. While ITSC will ensure that critical security settings are properly configured, users, usually with local administrative privileges, will manage application installation.

In addition, devices will be configured to be protected by the powerful Microsoft Advanced Threat Protection (ATP).

ATP leverages modern cybersecurity technologies (e.g. AI-based behaviour detection, cloud-based sandbox verification) which are not available in traditional signature-based anti-virus tools like F-Secure.


  • significant improvement in malware detection
  • better protection against attacks via malware embedded in document files
  • SmartScreen for the Microsoft Edge browser to protect against access to malicious web sites
  • ransomware protection for user document folders
  • alerts on any insecure software installed by users
  • alerts to administrators on malware infection so that problems can be contained quickly

All university-owned Windows 10 devices used for administrative purposes are expected to be managed under Intune and protected by ATP in order to meet the Minimum Security standard for desktop.

Intune service is provided to users on departmental basis.

Please contact the Cybersecurity Coordinator of your department for enrollment.

Available To
Staff (enrolled on departmental basis via CSC)
Service Fee


Service Hours



Enroll on departmental basis. Please contact your department Cyber Security Coordinator (CSC).

Participating departments must assign either their CSC or another colleague to take up the role of desktop support coordinator. He/She will work with the ITSC Intune administrative team on the following:

  • produce an inventory of their department's PCs and work with ITSC on the enrollment
  • assist their department's users in remediating insecure configurations if discovered (e.g. Windows Update has been paused)
  • work with ITSC on major upgrades (e.g. a Windows 10 version reaching EOL)
  • handle security alerts (e.g. a machine infected by malware)

Minimum Requirements

  • The device to be enrolled must be running Windows 10 version 1703 or later.
  • If your device is not AD domain joined, please contact us to arrange a different enrollment procedure.

Reviewing security status of your software

Tips on Enabling Automatic Updates for popular Applications

More Tips on securing Windows 10

Technical Details of Azure AD join

  • available soon


Your organization cannot see your personal information when you enroll a device with Microsoft Intune. When you enroll a device, you give your organization permission to view certain pieces of information on your device, such as device model and hardware configuration. Your organization uses this information to help protect the corporate data on the device. Please refer to the HKUST data privacy policy statement.