To protect data integrity and safeguard security when accessing university IT infrastructure, it is very important to ensure that the device you are using is not infected with malware (malicious software) or compromised in any other way. Malware can infect your device without your knowledge: it might install itself from an e-mail message, when you connect to the Internet, or when you install certain apps using a USB flash drive, CD, DVD, or other removable media. Some malware can also be programmed to run at unexpected times, not only when it's installed.
Compliance and Conditional Access Policy
To protect university IT infrastructure from cybersecurity threats, any device running Windows OS that is used to access university systems, apps and data is subject to a set of minimum requirements and must be administered by Intune so that its compliance with these minimum requirements can be continuously evaluated. Devices deemed noncompliant (i.e. not meeting these requirements, hence not fully protected and free from malware) will not be allowed access to university systems that store sensitive data once the conditional access policy goes into effect in Q4 of 2023.
The same set of minimum requirements is applied to both "corporate" or university-owned devices (i.e. devices purchased with university funds or grants) and personal devices (i.e. devices purchased with personal funds and used to access university systems, apps and data), referred to as BYOD devices (Bring Your Own Device). However, Intune administers personal devices differently than corporate devices. To protect your privacy, Intune manages only university apps and data on registered personal devices. It has no visibility into your personal apps and data on that device.
In order for your computer running Windows OS to be deemed as compliant, it must meet all of these requirements:
- Must be enrolled in Intune Mobile Device Management (MDM) (more details)
- Windows 10 version must be 21H2 or 22H2 with latest security patches installed (more details).
- Windows 11 version must be 23H2 or 22H2 with latest security patches installed (more details).
- Windows Security real-time protection must be enabled (more details).
- Microsoft Defender anti-malware must be enabled and up-to-date (more details).
- Microsoft Defender anti-spyware must be enabled (more details).
- Windows Firewall must be enabled (more details).
To check if your device is compliant or update its compliance status, launch the Company Portal app installed on your university device or go to https://portal.manage.microsoft.com on any device and:
- Click on the three lines icon next to "University of Windsor" to open the navigation bar (web version of Company Portal only)

- Click on Devices icon on the navigation bar on the left
- Click on the device of interest
- Click on Check Access button
This will force a check-in with the Intune service, and refresh its device compliance policies and status.
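The Check Access button asks Intune to re-evaluate the device. As an added example (not part of the university's instructions or tooling), the PowerShell script below reads the same settings locally so you can see which requirement is likely to fail before checking in. The minimum build numbers are the ones quoted in the Windows Version and Updates section of this page, the 7-day signature age limit is an assumed value, and the `Add-Check` helper is a hypothetical name.

```powershell
# Added example: read-only local pre-check of the requirements listed on this page.
# It changes nothing and does not replace the Intune evaluation.
$MaxSignatureAgeDays = 7   # assumption: the page only says "up-to-date"
# Builds and minimum update revisions quoted on this page; any other build
# is flagged so it can be compared manually against the winver guidance.
$MinUbr = @{ '19044' = 3448; '19045' = 3448; '22621' = 2283 }

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check($Name, $Pass, $Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = $Detail })
}

# Windows version/build: the same values winver displays.
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [string]$cv.CurrentBuild
$ubr   = [int]$cv.UBR
$known = $MinUbr.ContainsKey($build)
$note  = if ($known) { '' } else { ' - build not listed on this page, review manually' }
Add-Check 'Windows build' ($known -and $ubr -ge $MinUbr[$build]) `
    "$($cv.DisplayVersion) (OS Build $build.$ubr)$note"

# Microsoft Defender: real-time protection, anti-malware, anti-spyware, signatures.
# On corporate devices Cortex XDR takes over real-time protection, so Defender
# may report a passive running mode there.
$mp = Get-MpComputerStatus
Add-Check 'Real-time protection'  $mp.RealTimeProtectionEnabled "mode: $($mp.AMRunningMode)"
Add-Check 'Defender anti-malware' ($mp.AMServiceEnabled -and $mp.AntivirusEnabled) ''
Add-Check 'Defender anti-spyware' $mp.AntispywareEnabled ''
Add-Check 'Signatures up to date' ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays) `
    "age: $($mp.AntivirusSignatureAge) day(s)"

# Windows Firewall: Domain, Private and Public profiles must all be on.
foreach ($p in Get-NetFirewallProfile) {
    Add-Check "Firewall ($($p.Name))" ([string]$p.Enabled -eq 'True') ''
}

# Azure AD join (corporate) or registration (personal device).
$dsreg  = dsregcmd /status | Out-String
$joined = ($dsreg -match 'AzureAdJoined\s*:\s*YES') -or ($dsreg -match 'WorkplaceJoined\s*:\s*YES')
Add-Check 'AAD joined/registered' $joined 'confirm Intune enrollment in Company Portal'

$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Pass }).Count
Write-Host "$failed check(s) need attention."
```

Run it in a Windows PowerShell window on the device itself. A failed row points to the matching section of this page for the fix.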
Device Enrollment
While both corporate and personal BYOD devices must be managed by Intune, the enrollment process is different for them.
Corporate Devices
In order to get unrestricted access to University of Windsor software, systems and data, your work device has to be joined to Azure Active Directory (AAD) and enrolled in the Intune Mobile Device Management (MDM) platform. To enroll your device, follow these instructions:
Personal Devices
In order to get unrestricted access to University of Windsor software, systems and data, your BYOD device has to be registered in Azure Active Directory (AAD) and enrolled in the Intune Mobile Device Management (MDM) platform. To register/enroll your device, follow these instructions:
Windows Version and Updates
For the device to be deemed as compliant:
- Monthly Windows quality updates (security patches) generally have to be installed within four weeks from the day they were released by Microsoft.
- Semi-annual feature updates have to be installed within two months from the day they were released by Microsoft.
To check version/build of Windows 10/11 on your computer:
- Click the Start menu button and type winver then press Enter
- Make a note of the second line that should look like this:
- On Windows 10: Version 21H2 (OS Build 19044.3448) or Version 21H2 (OS Build 19045.3448) - these include the Sept 12 security update
NOTE: It's OK if your last number is higher than 3448
- On Windows 11: Version 23H2 (OS Build xxxxx.2283) or Version 22H2 (OS Build 22621.2283) - these include the Sept 12 security update
NOTE: It's OK if your last number is higher than 2134
To update your Windows to the latest supported version, go to Windows settings:
- Click on Start menu (Windows logo)
- Click on the gear icon (Windows Settings)
- Click Update & Security
- Click Check for Updates
- Install missing updates
- Reboot your computer
If the Windows Update feature tells you that there are no updates available for your computer even though your version/build is not at the level listed above, you can update to the latest version/build of Windows 10/11 by following these steps:
- Launch a web browser and navigate to this site:
- Click on Update Now
- Your browser will attempt to download Windows Update Assistant app. Open/run this file, or save it in your Downloads folder and then open it once it is downloaded.
- When asked Do you want to allow this app to make changes to your device? click on Yes.
- Follow instructions on the screen.
Virus and Threat Protection
Windows 10 includes the Windows Security module, which provides settings for virus, malware and spyware protection.
Corporate Devices
Cortex XDR must be installed on every university device. When installed, it takes over the real-time protection function from Microsoft Defender Antivirus.

Personal Devices
On personal devices, adequate threat protection is provided by Microsoft Defender Antivirus on your personal computer and Cortex on your work computers running Windows 10. Your device will be actively protected from the moment you start Windows 10/11, as long as the Windows Security features listed below are enabled and functioning properly. Windows Security continually scans for malware (malicious software), viruses, and security threats. In addition to this real-time protection, updates are downloaded automatically to help keep your device safe and protect it from threats.
Starting with Windows 10 version 2004, Windows Defender Antivirus (which is one of the components of Windows Security) has been renamed to Microsoft Defender Antivirus.
When you install some 3rd party antivirus (AV) programs, they may automatically turn off Microsoft Defender Antivirus. In this case you may not be able to turn on Microsoft Defender Antivirus again until the 3rd party AV program has been disabled (turned off) or completely uninstalled. If you have a 3rd party AV program installed and disable Microsoft Defender Antivirus, this will also disable periodic scanning.
NOTE: As of March 31, 2021, faculty and staff are no longer licensed to use Sophos Endpoint Security & Control suite of apps. If you still have Sophos software installed on your work computer, you should un-install it as soon as possible.
Real-Time Protection
In Windows 10/11, you can turn off Microsoft Defender Antivirus real-time protection, but it will only be temporary unless disabled. Windows will automatically turn real-time protection back on if it's off for a while. Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities. These activities include events, such as processes making unusual changes to existing files, modifying or creating automatic startup registry keys and startup locations (also known as auto-start extensibility points, or ASEPs), and other changes to the file system or file structure. To check your real-time protection settings:
- Click on the Start menu button then Settings (gear icon)
- Click on Update & Security
- Click on Windows Security
- Click on Virus and threat protection

Microsoft Defender Anti-malware and Anti-spyware
The Antimalware Service Executable process is Microsoft Defender’s background service, and it always remains running in the background. It’s responsible for checking files for malware when you access them, performing background system scans to check for dangerous software, installing antivirus definition updates, and anything else a security application like Microsoft Defender needs to do.

Windows Firewall
On your work computer, Microsoft Defender Firewall must be on to protect your computer from unauthorized access. To check if your computer's Microsoft Defender Firewall is on or off:
- Click on the Start menu button then Settings (gear icon)
- Click on Update & Security
- Click on Windows Security
- Click on Firewall and network protection. You should see Firewall is on message next to Domain network, Private Network, and Public network.

- If any of the three networks displays a Firewall is off message, click on the Turn on button to turn it back on, or click on the Restore settings button to restore firewall settings to the recommended values.

For more information, please see Turn Microsoft Defender Firewall on or off