Microsoft Intune is a cloud-based service that supports the management of desktop and mobile devices. At HKUST, our implementation focuses on Windows devices owned by the university. These desktops and notebooks are managed using enforcement policies for device compliance and security baselines.
With Microsoft Intune services, devices are configured to join the Microsoft cloud-based Azure AD and onboard to Microsoft Defender for Endpoint (MDE). The benefits include:
- Support for Windows logon using ITSO accounts (even when off-campus), with the benefits of single sign-on to most Microsoft services, as well as on-premises domain resources.
- Enablement of passwordless authentication via device PIN or biometric authentication (if equipped).
- Enforcement of Windows Security settings via Microsoft Defender for Endpoint and Windows Update is centrally configured, reducing the risk of tampering.
- The software versions of Windows and Office 365 are centrally managed, avoiding the risk of exposing security vulnerabilities after a version reaches end-of-life.
- Microsoft Defender for Endpoint leverages modern cybersecurity technologies (e.g., AI-based behavior detection, cloud-based sandbox verification) that are not available in traditional signature-based antivirus tools like F-Secure.
- Microsoft Intune allows a device to be located and wiped when it is lost or stolen.
All university-owned Windows 10/11 devices used for administrative purposes are expected to be managed under Microsoft Intune and protected by Microsoft Defender for Endpoint in order to meet the Minimum Security Standard as defined in our Cybersecurity policy.
Free
7x24
Enrollment
Enrollment is currently available for new or re-installed university-owned PCs / Notebooks. We also provide a procedure for enrolling existing non-domain-joined devices.
For on-premises domain-joined devices, ITSO recommends continuing to use them until the next replacement or re-installation.
Departments must assign their CSC (or another colleague) to take on the role of desktop support coordinator. He or she will work with the ITSO Intune administrative team on the following tasks:
- Assist department users in remediating insecure configurations if discovered (e.g., Windows Update has been paused).
- Work with ITSO on major upgrades (e.g., a Windows 10/11 version reaching end-of-life).
- Handle security alerts (e.g., a machine infected by malware).
Roles of users, departments and ITSO
- Users, department CSC and ITSO work jointly to protect the devices.
- Users, who are usually granted local administrator privilege on the device, will manage installation of applications.
- They should also follow security practices provided from time to time by ITSO (via their CSC), e.g., responding to security update prompts, upgrading the operating system and software to the latest versions, and not installing unsafe software.
- ITSO will define and mandate most security configurations on their devices by referencing enterprise-level security best practices suggested by Microsoft.
- By leveraging Intune and Microsoft Defender for Endpoint, ITSO will promptly detect security incidents and inform affected users for quick remediation.
Minimum Requirements
- The device to be enrolled must be running Windows 10 version 1703 or later.
Privacy
When you enroll a device, you give your organization permission to view certain pieces of information on your device, such as device model and hardware configuration. Your organization uses this information to help protect the corporate data on the device. Please refer to the HKUST Data Privacy Policy Statement for more information.
Generally speaking,
- ITSO will not examine the data stored on the PC.
- The system configurations of the PC and the installed software will be recorded for the purpose of providing endpoint management services.
- If a security incident occurs (such as malware infection, installation of unsafe software, or users clicking a malicious URL), ITSO will be alerted and may conduct an investigation by examining the security log files.
Setup Guides
- Set up newly acquired desktop and onboard Microsoft Intune
- Set up newly acquired notebook and onboard Microsoft Intune
- Re-install Windows 10/11 devices and onboard Microsoft Intune
- Onboard existing device to Microsoft Intune
- Onboard device to Microsoft Intune via third party
- Computer Setup for Faculty and Staff - Effective starting 4 Mar, 2024