Device management by Microsoft Intune

Microsoft Intune is a cloud-based service that supports the management of desktop and mobile devices. At HKUST, our implementation focuses on Windows devices owned by the university. These desktops and notebooks are managed using enforcement policies for device compliance and security baselines.

Available To

Staff

Service Fee

Free

Service Hours

7x24

Benefit

  • Intune ensures your device meets HKUST's security standard by implementing security policies such as patch management.
  • By enforcing the installation of Microsoft Defender for Endpoint (MDE), which uses AI-based behavioural threat detection, Intune keeps your device well protected and continuously monitored for potential breaches.
  • Intune protects your sensitive information. If you lose your device, your data remains safe and secure due to the ability to perform a remote wipe.
  • With the enablement of Windows Hello for Business (WHfB) and registration of passwordless authentication, you will experience a seamless single sign-on login on your Windows desktop and across supported web applications.

Enrollment

Enrollment is currently available for new Windows desktops or notebooks purchased through bulk PC tender, which will be enrolled in Intune before being passed to the users. This also applies to re-installed university-owned desktops and notebooks. We provide a procedure for existing non-domain-joined devices to enroll.

For on-premises domain-joined devices, ITSO will approach you individually by email regarding the enrollment steps.

Departments must assign their CSC (or another colleague) to take on the role of desktop support coordinator. This person will work with the ITSO Intune administrative team on the following tasks:

  • Assist department users in remediating insecure configurations if discovered (e.g., if Windows Update has been paused).
  • Collaborate with ITSO on major upgrades (e.g., a Windows 10/11 version reaching end-of-life).
  • Handle security alerts (e.g., if a machine is infected by malware).

Roles of users, departments and ITSO

  • Users, department CSC and ITSO work jointly to protect the devices.

  • Users, who are usually granted local administrator privilege on the device, will manage installation of applications.

  • Users should also follow the security practices provided from time to time by ITSO (via their CSC), e.g., responding to security update prompts, upgrading the operating system and software to the latest versions, and not installing unsafe software.

  • ITSO will define and mandate most security configurations on the devices by referencing enterprise-level security best practices suggested by Microsoft.

  • By leveraging Intune and Microsoft Defender for Endpoint, ITSO will promptly detect security incidents and inform affected users for quick remediation.

Minimum Requirements

  • The device to be enrolled must be running Windows 10 version 1703 or later.

Privacy

When you enroll a device, you give your organization permission to view certain pieces of information on your device, such as device model and hardware configuration. Your organization uses this information to help protect the corporate data on the device. Please refer to the HKUST Data Privacy Policy Statement for more information.

Generally speaking:

  • ITSO will not examine the data stored on the PC.
  • The system configurations of the PC and the installed software will be recorded for the purpose of providing endpoint management services.
  • If a security incident occurs (such as malware infection, installation of unsafe software, or users clicking a malicious URL), ITSO will be alerted and may conduct an investigation by examining the security log files.

Support

General Enquiries cchelp@ust.hk
Suggestions & Complaints cclisten@ust.hk
Serviceline +852-2358-6200