Microsoft Intune and Workstation Security KB

Introduction

Microsoft Intune keeps managed devices secure and up to date while protecting ISU's data. Data protection includes monitoring for events involving sensitive ISU data and securing workstations and devices against attackers and other compromised systems.

Security Details

Intune supports managed devices that run Android, iOS/iPadOS, macOS, and Windows 10/11.

Device and Data Protection

Intune manages the device configuration policies, user profiles, settings and features that devices use in ISU's organization. It also configures devices for Microsoft Defender for Endpoint and controls software and operating system updates.

Following are a few of the security settings and tasks Intune manages through device policy: 

  • Device encryption – Manage BitLocker on Windows 10 devices, and FileVault on macOS. 
  • Authentication methods – Configure how ISU's devices authenticate to ISU's resources, email, and applications. 
  • Software updates – Manage how and when devices get software updates. 
  • Security Baselines – Deploy security baselines to establish a core security posture on ISU's Windows 10/11 devices. Security baselines are pre-configured groups of 'best practice' Windows settings. 

DLP protection policies are rules that ensure an organization's data remains safe or contained in a managed app. ISU policies are configured to monitor and alert on the following data types in email and print: 

  • Social Security Numbers 
  • Credit Card Numbers 
  • Student ID Information (FERPA data) 
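The following is an added example, not ISU's DLP policy or Microsoft's built-in classifiers: a small PowerShell content classifier of the kind a DLP rule applies to email and print jobs, run over constructed sample lines. The Social Security Number and credit card detectors pair a pattern with a validity check (SSA issuance rules and the Luhn checksum) so that a placeholder such as 000-12-3456 or a random 16-digit order number is not flagged; the Student ID format used here (the literal text "Student ID" followed by nine digits) is a hypothetical assumption, not ISU's real format.

```powershell
# Added example (not ISU's policy or Microsoft's classifier). Sample lines are constructed.

function Test-LuhnChecksum {
    # Returns $true when the digit string passes the Luhn checksum used by payment card numbers.
    param([Parameter(Mandatory)][string]$Digits)
    $sum = 0
    $double = $false
    # Walk from the rightmost digit; double every second digit, subtracting 9 when the result exceeds 9.
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int]::Parse($Digits.Substring($i, 1))
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return ($sum % 10) -eq 0
}

function Test-SsnFormat {
    # $Ssn is 'AAA-GG-SSSS'. SSA never issues area 000, 666 or 900-999, group 00, or serial 0000.
    param([Parameter(Mandatory)][string]$Ssn)
    $area, $group, $serial = $Ssn -split '-'
    if ($area -eq '000' -or $area -eq '666' -or [int]$area -ge 900) { return $false }
    if ($group -eq '00' -or $serial -eq '0000') { return $false }
    return $true
}

function Find-SensitiveData {
    # Scans each line for the three data types and returns one object per validated match.
    param([Parameter(Mandatory)][string[]]$Lines)
    $patterns = @{
        'Social Security Number' = '\b\d{3}-\d{2}-\d{4}\b'
        'Credit Card Number'     = '\b(?:\d[ -]?){15}\d\b'          # 16 digits, optional space/dash separators
        'Student ID'             = '(?i)\bstudent id[:# ]*\d{9}\b'   # hypothetical format, not ISU's real one
    }
    $hits = foreach ($line in $Lines) {
        foreach ($type in $patterns.Keys) {
            foreach ($m in [regex]::Matches($line, $patterns[$type])) {
                $value = $m.Value
                # Validators cut false positives: a 16-digit string that fails Luhn is almost
                # certainly not a card number, and an impossible SSN area is not an SSN.
                $valid = switch ($type) {
                    'Social Security Number' { Test-SsnFormat $value }
                    'Credit Card Number'     { Test-LuhnChecksum ($value -replace '[ -]', '') }
                    default                  { $true }
                }
                if ($valid) {
                    [pscustomobject]@{ Type = $type; Match = $value; Line = $line }
                }
            }
        }
    }
    return $hits
}

# Constructed sample input: two true positives per type and two decoys that should not be flagged.
$sample = @(
    'Please process the refund to card 4111 1111 1111 1111.',      # passes Luhn -> flagged
    'Order ref 1234 5678 9012 3456 shipped.',                      # 16 digits, fails Luhn -> not flagged
    'Applicant SSN 219-09-9999 attached.',                         # plausible SSN -> flagged
    'Sample form shows SSN 000-12-3456 (placeholder).',            # area 000 -> not flagged
    'Student ID: 123456789 FERPA record requested.'                # hypothetical student ID -> flagged
)
Find-SensitiveData -Lines $sample | Format-Table Type, Match -AutoSize
```

The validators are what separate a usable DLP rule from a noisy one: matching on digit shape alone would alert on every order number and every sample form, and the people who triage those alerts stop reading them.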

Managed by Intune: 

  • BitLocker key rotation (Windows only) 
  • Disable Activation Lock (iOS only) 
  • Windows Defender Full or Quick scan (Windows 10/11 only) 
  • Remote lock (of stolen or lost devices) 
  • Retire (which removes ISU's data from the device while leaving personal data intact) 
  • Use endpoint security policies, like Antivirus, Endpoint detection and response, and Firewall rules. 
  • Apply security baselines. 
  • Manage Windows Updates. 
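As an added example (not part of the ISU KB, and not Intune's or Microsoft's own code), the following PowerShell script audits a Windows 10/11 workstation locally for the controls named in the two lists above: BitLocker state, Defender Antivirus real-time protection, signature and quick-scan age, the Defender for Endpoint sensor service, and the age of the last installed update. It relies on the built-in Get-BitLockerVolume, Get-MpComputerStatus, Get-Service and Get-HotFix cmdlets and must run elevated; the day thresholds are assumed values for illustration, not ISU policy.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the ISU KB, Intune or Microsoft): read-only local audit of the
# controls Intune is described as managing. Thresholds below are assumptions, not ISU policy.

function Get-WorkstationSecurityAudit {
    param(
        [int]$MaxSignatureAgeDays = 3,    # assumed threshold
        [int]$MaxQuickScanAgeDays = 7,    # assumed threshold
        [int]$MaxPatchAgeDays     = 30    # assumed threshold
    )

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Control, $Value, [bool]$Pass) {
        $findings.Add([pscustomobject]@{ Control = $Control; Value = $Value; Pass = $Pass })
    }

    # Device encryption: the OS volume and fixed data volumes should be fully encrypted with
    # protection on. A suspended protector reports VolumeStatus FullyEncrypted but ProtectionStatus Off.
    foreach ($vol in Get-BitLockerVolume) {
        $label = "BitLocker $($vol.MountPoint) ($($vol.VolumeType))"
        $state = "$($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
        $ok    = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On')
        Add-Finding $label $state $ok
    }

    # Antivirus policy: real-time protection on, tamper protection on, signatures current, quick scan recent.
    # QuickScanAge reports 4294967295 when no quick scan has ever completed, so it fails the threshold
    # instead of passing silently.
    $mp = Get-MpComputerStatus
    Add-Finding 'Defender real-time protection'  $mp.RealTimeProtectionEnabled ([bool]$mp.RealTimeProtectionEnabled)
    Add-Finding 'Defender tamper protection'     $mp.IsTamperProtected         ([bool]$mp.IsTamperProtected)
    Add-Finding 'Defender signature age (days)'  $mp.AntivirusSignatureAge     ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays)
    Add-Finding 'Defender quick scan age (days)' $mp.QuickScanAge              ($mp.QuickScanAge -le $MaxQuickScanAgeDays)

    # Endpoint detection and response: the Defender for Endpoint sensor runs as the 'Sense' service
    # once a device is onboarded. Absent or stopped means the device sends no EDR telemetry.
    $sense      = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $senseState = if ($sense) { "$($sense.Status)" } else { 'not installed' }
    $senseOk    = ($null -ne $sense) -and ($sense.Status -eq 'Running')
    Add-Finding 'Defender for Endpoint sensor (Sense)' $senseState $senseOk

    # Windows Updates: the most recent installed update should fall inside the patch window.
    $latest   = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $patchAge = if ($latest) { ((Get-Date) - $latest.InstalledOn).Days } else { [int]::MaxValue }
    Add-Finding 'Days since last Windows update' $patchAge ($patchAge -le $MaxPatchAgeDays)

    return $findings
}

# Usage: failed controls sort first so the gaps stand out.
Get-WorkstationSecurityAudit | Sort-Object Pass | Format-Table Control, Value, Pass -AutoSize
```

A script like this complements the Intune compliance view rather than replacing it: the console shows what policy was assigned, while the local audit shows whether the setting actually took effect on the device in front of you.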

Microsoft Defender for Endpoint 

Security tasks – With security tasks, Intune uses Microsoft Defender for Endpoint's threat and vulnerability management capabilities. How it works: 

  • ISU's Defender for Endpoint team identifies at-risk devices and creates the security tasks for Intune in the Defender for Endpoint security center. 
  • Those tasks show up in Intune with mitigation advice that Intune admins can use to mitigate the risk. 
  • When a task is resolved in Intune, that status passes back to the Defender for Endpoint security center where the results of the mitigation can be evaluated. 

Endpoint security policies – The following Intune endpoint security policies integrate with Microsoft Defender for Endpoint: 

  • Antivirus policy – Manage the settings for Microsoft Defender Antivirus and the Windows Security experience on supported devices, like Windows 10 and macOS. 
  • Endpoint detection and response policy – Configure endpoint detection and response (EDR) for monitoring, alerting on, and responding to workstation virus and security-related events. 

Conditional Access

Conditional Access is an Azure Active Directory (Azure AD) capability that works with Intune to help protect devices.

These policies integrate for the following: 

  • Device compliance policies can require a device be marked as compliant before that device can be used to access ISU's resources. The Conditional Access policies specify the apps or services you want to protect, the conditions under which the apps or services can be accessed, and the users the policy applies to. 
  • App protection policies can add a security layer that ensures only client apps that support Intune app protection policies can access ISU's online resources, like Exchange or other Microsoft 365 services. 
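The two integrations above can be expressed as a single Conditional Access policy. The following is an added example, not ISU's policy and not Microsoft documentation: it builds the policy object in the Microsoft Graph schema with PowerShell and creates it through the Microsoft Graph PowerShell SDK (Connect-MgGraph and New-MgIdentityConditionalAccessPolicy). The pilot group identifier is a placeholder; the policy starts in report-only mode so that sign-in logs show who would have been blocked before it is enforced.

```powershell
# Added example (not ISU's policy or Microsoft's own code). Requires the Microsoft Graph
# PowerShell SDK and the Policy.ReadWrite.ConditionalAccess permission to create the policy.

function New-CompliantDevicePolicy {
    # Returns a Conditional Access policy body that grants access to Microsoft 365 services only
    # from an Intune-compliant device OR from a client app under Intune app protection.
    param(
        [Parameter(Mandatory)][string]$PilotGroupId,   # placeholder: object id of the pilot group
        [string]$DisplayName = 'Require compliant device or protected app (pilot)'
    )
    $policy = @{
        displayName = $DisplayName
        # Report-only first: evaluate against real sign-ins without blocking anyone,
        # then change to 'enabled' once the sign-in log shows no unexpected failures.
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = @{ includeGroups = @($PilotGroupId) }
            applications   = @{ includeApplications = @('Office365') }   # Graph alias for the Microsoft 365 service set
            clientAppTypes = @('all')
        }
        grantControls = @{
            # OR: an Intune-compliant device satisfies the policy, and so does an app that applies
            # Intune app protection on a device Intune does not manage. AND would require both.
            operator        = 'OR'
            builtInControls = @('compliantDevice', 'compliantApplication')
        }
    }
    return $policy
}

# Usage: review the body, then create it under a pilot group before widening scope.
$body = New-CompliantDevicePolicy -PilotGroupId '<pilot-group-object-id>'
$body | ConvertTo-Json -Depth 5
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'
New-MgIdentityConditionalAccessPolicy -BodyParameter $body
```

The grant operator is the detail to check before enforcing: with OR, a personal phone running Outlook under an app protection policy keeps working; with AND, it would be blocked until it is also enrolled and compliant, which is usually not the intended outcome for personally owned devices.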

Additional Information

For issues related to the Intune and/or Defender products, please submit a Software - Report an Issue ticket.

If you have a security event, such as a malware infection or a compromised username and password, please submit a Security - Report an Incident ticket.