Work Device Compliance Pilot

To protect data integrity and safeguard security when accessing University data and systems, it is very important to ensure that the computer you are using is not infected with malware (malicious software) or compromised in any other way. Malware can infect your PC without your knowledge: it might install itself from an email message, when you connect to the Internet, or when you install certain apps using a USB flash drive, CD, DVD, or other removable media. Some malware can also be programmed to run at unexpected times, not only when it's installed.

NOTE: As of June 30, 2021, devices deemed as non-compliant (i.e. not fully protected and free from malware) will not be allowed access to selected University systems that store sensitive data.

In order for your work computer to be deemed as compliant, it must meet all of these requirements:

  • Windows 10 version must be 20H2 with latest security patches installed.
  • Windows Security real-time protection must be enabled.
  • Microsoft Defender anti-malware must be enabled and up-to-date.
  • Microsoft Defender anti-spyware must be enabled.
  • Windows Firewall must be enabled.

Windows Version

For the device to be deemed as compliant:

  • Monthly Windows quality updates have to be installed within four weeks from the day they were released by Microsoft.
  • Semi-annual feature updates have to be installed within two months from the day they were released by Microsoft.

To check the version of Windows 10 on your computer:

  1. Click the Start menu button and type winver then press Enter
  2. Make a note of the second line that should look like this: Version 20H2 (OS Build 19042.868) or Version 20H2 (OS Build 19042.870)

IT Services currently supports Windows 10 version 20H2 with February 2021 security patches installed. Older versions are no longer supported. To update Windows to the latest supported version, go to Windows Settings:

  1. Click on Start menu (Windows logo)
  2. Click on the gear icon (Windows Settings)
  3. Click Update & Security
  4. Click Check for Updates

Microsoft Defender Antivirus

Windows 10 includes the Windows Security module, which provides the latest antivirus protection. You no longer need to install and run any third-party antivirus software, such as Sophos, on your work computers running Windows 10. Your device will be actively protected from the moment you start Windows 10, as long as the Windows Security features listed below are enabled and functioning properly. Windows Security continually scans for malware (malicious software), viruses, and security threats. In addition to this real-time protection, updates are downloaded automatically to help keep your device safe and protect it from threats.

Starting with Windows 10 version 2004, Windows Defender Antivirus (which is one of the components of Windows Security) has been renamed to Microsoft Defender Antivirus.

When you install some 3rd party antivirus (AV) programs, they may automatically turn off Microsoft Defender Antivirus. In this case you may not be able to turn on Microsoft Defender Antivirus again until the 3rd party AV program has been disabled (turned off) or completely uninstalled. If you have a 3rd party AV program installed and disable Microsoft Defender Antivirus, this will also disable periodic scanning. 

NOTE: As of March 31, 2021, faculty and staff are no longer licensed to use the Sophos Endpoint Security & Control suite of apps. If you still have Sophos software installed on your work computer, you should uninstall it as soon as possible.

Real-Time Protection

In Windows 10, you can turn off Microsoft Defender Antivirus real-time protection, but it will only be temporary unless disabled. Windows will automatically turn real-time protection back on if it's off for a while. Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities. These activities include events such as processes making unusual changes to existing files, modifying or creating automatic startup registry keys and startup locations (also known as auto-start extensibility points, or ASEPs), and other changes to the file system or file structure.

To check your real-time protection settings:

  1. Click on the Start menu button then Settings (gear icon)
  2. Click on Update & Security
  3. Click on Windows Security
  4. Click on Virus and threat protection


Microsoft Defender Anti-malware and Anti-spyware

The Antimalware Service Executable process is Microsoft Defender’s background service, and it always remains running in the background. It’s responsible for checking files for malware when you access them, performing background system scans to check for dangerous software, installing antivirus definition updates, and anything else a security application like Microsoft Defender needs to do.

Windows Firewall

On your work computer, Microsoft Defender Firewall must be on to protect your computer from unauthorized access. To check if your Microsoft Defender Firewall is on or off:

  1. Click on the Start menu button then Settings (gear icon)
  2. Click on Update & Security
  3. Click on Windows Security
  4. Click on Firewall and network protection

For more information, please see Turn Microsoft Defender Firewall on or off
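
The compliance requirements listed at the top of this page can also be checked in one pass from a PowerShell prompt. The script below is an added example, not part of the original article and not an IT Services tool; it only reads settings. The 7-day definition-age threshold and the mapping of each requirement to a Get-MpComputerStatus property are assumptions.

```powershell
# Added example: read-only check of the compliance requirements listed above.
# Assumption: "up-to-date" is taken to mean definitions no older than
# $MaxSignatureAgeDays; the page does not give a threshold.
param([int]$MaxSignatureAgeDays = 7)

$checks = [ordered]@{}

# Windows version, in the same form winver shows it,
# e.g. "Version 20H2 (OS Build 19042.868)". The build number is reported
# for comparison only; patch timeliness cannot be judged offline.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$winver = "Version $($cv.DisplayVersion) (OS Build $($cv.CurrentBuild).$($cv.UBR))"
$checks['Windows 10 version is 20H2'] = ($cv.DisplayVersion -eq '20H2')

# Defender status. Get-MpComputerStatus fails when the Defender service is
# unavailable (for example, turned off by a third-party AV product), so an
# error is treated as "not enabled" instead of stopping the script.
try   { $mp = Get-MpComputerStatus -ErrorAction Stop }
catch { $mp = $null }
$checks['Real-time protection enabled'] = [bool]($mp -and $mp.RealTimeProtectionEnabled)
$checks['Anti-malware enabled']         = [bool]($mp -and $mp.AMServiceEnabled -and $mp.AntivirusEnabled)
$checks['Anti-malware up-to-date']      = [bool]($mp -and $mp.AntivirusSignatureAge -le $MaxSignatureAgeDays)
$checks['Anti-spyware enabled']         = [bool]($mp -and $mp.AntispywareEnabled)

# Firewall: every profile (Domain, Private, Public) must be on.
# ActiveStore returns the effective settings, including Group Policy.
$fw  = @(Get-NetFirewallProfile -PolicyStore ActiveStore -ErrorAction SilentlyContinue)
$off = @($fw | Where-Object { $_.Enabled -ne 'True' })
$checks['Firewall enabled (all profiles)'] = ($fw.Count -gt 0 -and $off.Count -eq 0)

# Report each requirement and return a non-zero exit code if any failed.
Write-Output $winver
$checks.GetEnumerator() | ForEach-Object {
    '{0,-34} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'NOT COMPLIANT' })
}
$failed = @($checks.Values | Where-Object { -not $_ })
if ($failed.Count) { exit 1 }
```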



Article ID: 118303
Wed 10/14/20 11:02 AM
Mon 4/5/21 2:07 PM
