Device Compliance - Windows

Summary

In order for your work computer to be deemed compliant, it must meet a number of requirements. Starting in Q4 of 2023, non-compliant devices will not be able to access some University resources and systems.

Body

Device compliance is one of the current security requirements for conditional access at the University of Windsor. 

For your computer running Windows to be deemed compliant, it must meet all of these requirements:

  • Windows 11 must be at version 24H2, 23H2 or 22H2 with the latest security patches installed (more details).

OR

  • Windows 10 must be at version 22H2 with the latest security patches installed (more details).

PLUS

  • Secure boot and code integrity check enabled (more details).
  • TPM 2.0 present (more details).
  • Windows Security real-time protection must be enabled (more details).
  • Microsoft Defender anti-malware must be enabled and up-to-date (more details).
  • Microsoft Defender anti-spyware must be enabled (more details).
  • Windows Firewall must be enabled (more details).
  • Device must be used at least once every 30 days (more details).
  • Device must be protected by a password that meets the same complexity requirements as a UWin Account password.

To check whether your device is compliant, or to refresh its compliance status, launch the Company Portal app installed on your university device or go to https://portal.manage.microsoft.com on any device, and:

  • Click on the menu (three lines) next to "University of Windsor" to open the navigation bar (web version of Company Portal only)

  • Click Devices on the navigation bar on the left
  • Click on the device of interest
  • Click Check Access

This forces a check-in with the Intune cloud service, which re-evaluates the device against its compliance policies and refreshes the compliance status shown.


Windows Version and Updates

For the device to be deemed compliant:

  • Monthly Windows quality updates (security patches) generally have to be installed within four weeks from the day they were released by Microsoft.
  • Semi-annual feature updates have to be installed within two months from the day they were released by Microsoft.

To check version/build of Windows 10/11 on your computer:

  1. Click the Start menu, type winver and press Enter
  2. Make a note of the second line, which should look like this:
    • On Windows 11: Version 24H2 (OS Build 26100.2033) or Version 23H2 (OS Build 22631.4317) or Version 22H2 (OS Build 22621.4317) - these builds include the October 8, 2024 security update
      NOTE: It's OK if your last number (the part after the dot) is higher than the one listed
    • On Windows 10: Version 22H2 (OS Build 19045.5011) - this build includes the October 8, 2024 security update
      NOTE: It's OK if your last number is higher than 5011
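The same version/build check, scripted, as an added example that is not part of the original article and not Intune's own evaluation logic. It reads the values winver displays from the registry and compares the revision (the number after the dot) against the minimum builds listed above; the table of minimums is copied from this article and is an assumption that must be kept in step with each month's required update. A higher revision than the one listed passes, exactly as the notes above say.

```powershell
# Added example, not from the original article. Minimum builds for the
# October 8, 2024 update, copied from the list above (assumption: update monthly).
$MinimumBuild = @{
    '26100' = 2033   # Windows 11 24H2
    '22631' = 4317   # Windows 11 23H2
    '22621' = 4317   # Windows 11 22H2
    '19045' = 5011   # Windows 10 22H2
}

function Get-WindowsBuildInfo {
    # Same values winver shows, read from the registry so they can be scripted.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        # CurrentMajorVersionNumber is 10 on both Windows 10 and Windows 11;
        # the build number (22000 and above) is what identifies Windows 11.
        Product        = if ([int]$cv.CurrentBuild -ge 22000) { 'Windows 11' } else { 'Windows 10' }
        DisplayVersion = $cv.DisplayVersion      # e.g. 22H2
        Build          = $cv.CurrentBuild        # e.g. 19045 (string)
        Revision       = [int]$cv.UBR            # e.g. 5011 (the number after the dot)
    }
}

function Test-WindowsBuildCompliance {
    param(
        [Parameter(Mandatory)] $Info,
        [hashtable] $Minimum = $MinimumBuild
    )
    $full = "$($Info.Product) $($Info.DisplayVersion) build $($Info.Build).$($Info.Revision)"

    # A build not in the table is an unlisted/unsupported release (e.g. 21H2):
    # a feature update is needed, not just a monthly patch.
    if (-not $Minimum.ContainsKey($Info.Build)) {
        return [pscustomobject]@{
            Compliant = $false
            Reason    = "$full is not a supported version; install a feature update"
        }
    }

    # A higher revision than the listed one is fine: it means a later cumulative update.
    $required = $Minimum[$Info.Build]
    if ($Info.Revision -ge $required) {
        $ok = $true;  $reason = "$full meets minimum $($Info.Build).$required"
    } else {
        $ok = $false; $reason = "$full is below minimum $($Info.Build).$required; install the latest cumulative update"
    }
    [pscustomobject]@{ Compliant = $ok; Reason = $reason }
}

$info = Get-WindowsBuildInfo
$info
Test-WindowsBuildCompliance -Info $info
```

Run it in a normal (non-elevated) PowerShell window; the registry keys it reads are world-readable. A device that passes this check can still be non-compliant for another reason, so use Check Access in Company Portal for the authoritative result.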

To update Windows to the latest supported version, go to Windows Settings:

  1. Click Start menu (Windows logo)
  2. Click the gear icon (Windows Settings)
  3. Click Update & Security (on Windows 11, click Windows Update instead)
  4. Click Check for Updates
  5. Install missing updates
  6. Reboot your computer

If Windows Update reports that no updates are available even though your version/build is below the required level, you can update to the latest version/build of Windows 10/11 with these steps:

  1. Launch a web browser and navigate to this site:
  2. Click Update Now
  3. Your browser will download the Windows Update Assistant app. Run it when prompted, or save it to your Downloads folder and open it once the download completes.
  4. When asked Do you want to allow this app to make changes to your device? Click Yes.
  5. Follow the instructions on the screen.

Secure Boot / Code Integrity

Code Integrity is a feature that validates the integrity of drivers and system files each time they are loaded into memory. The Intune compliance policy requires code integrity so that unsigned drivers or system files being loaded into the kernel are detected. Note that Code Integrity requires Secure Boot to be turned on on the device. With code integrity enabled, Windows detects if an unsigned driver or system file is being loaded into the kernel, and if a system file has been changed by malicious software or by a user account with administrator privileges.

With Secure Boot enabled, the system is forced to boot into a factory-trusted state. The core components used to boot the machine must carry valid cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies each signature before it lets that component run. If any boot file has been tampered with, its signature no longer verifies and the system doesn't boot.

TPM 2.0

A TPM (Trusted Platform Module) is a hardware component that improves the security of your PC. It is used by services like BitLocker drive encryption, Windows Hello and others to securely create and store cryptographic keys, and to confirm that the operating system and firmware on your device are what they're supposed to be and haven't been tampered with. TPMs have been around for over 20 years, and version 2.0 is now standard in new PCs. Windows 11 cannot be installed unless your computer has TPM 2.0. Intune checks the TPM version for compliance. Note that this condition is not enforced on computers running Windows 10.

Virus and Threat Protection

Windows 10 and Windows 11 include the Windows Security app, which provides the virus, malware and spyware protection settings.

University (Corporate) Devices

Cortex XDR must be installed on every university device. Once installed, it takes over the real-time protection function from Microsoft Defender Antivirus.


Personal Devices

On personal devices, Microsoft Defender Antivirus provides adequate threat protection. Your device is actively protected from the moment Windows 10/11 starts, as long as the Windows Security features listed below are enabled and functioning properly. Windows Security continually scans for malware, viruses and other security threats, and in addition to this real-time protection, definition updates are downloaded automatically to keep your device protected. Starting with Windows 10 version 2004, Windows Defender Antivirus (one of the components of Windows Security) was renamed Microsoft Defender Antivirus.

Real-Time Protection

In Windows 10/11 you can turn off Microsoft Defender Antivirus real-time protection, but the change is only temporary: Windows automatically turns real-time protection back on, unless a third-party antivirus product has taken over that function (see the note below). Always-on protection consists of real-time protection, behaviour monitoring, and heuristics that identify malware from known suspicious and malicious activities. These activities include processes making unusual changes to existing files, modifying or creating automatic startup registry keys and startup locations (also known as auto-start extensibility points, or ASEPs), and other changes to the file system or file structure. To check your real-time protection settings:

  1. Click Start menu, then Settings (gear icon)
  2. Click Update & Security (on Windows 11, click Privacy & security instead)
  3. Click Windows Security
  4. Click Virus & threat protection


NOTE: When you install third-party antivirus software, which is optional and at your discretion, it takes over the real-time protection function from Microsoft Defender Antivirus. This does not affect device compliance as long as the third-party antivirus is kept up to date.


Microsoft Defender Anti-malware and Anti-spyware

The Antimalware Service Executable process (MsMpEng.exe) is Microsoft Defender's background service. It is responsible for checking files for malware when you access them, performing background scans for dangerous software, installing antivirus definition updates, and anything else a security application like Microsoft Defender needs to do.

Windows Firewall

On your work computer, Microsoft Defender Firewall must be on to protect your computer from unauthorized access. To check if your computer's Microsoft Defender Firewall is on or off:

  1. Click Start menu, then Settings (gear icon)
  2. Click Update & Security (on Windows 11, click Privacy & security instead)
  3. Click Windows Security
  4. Click Firewall & network protection. You should see a Firewall is on message next to Domain network, Private network, and Public network.
  5. If any of the three networks reports that the Firewall is off, click Turn on to turn it back on, or click Restore settings to restore the firewall settings to the recommended values.

For more information, please see Turn Microsoft Defender Firewall on or off
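The Secure Boot / Code Integrity, TPM 2.0, Virus and Threat Protection and Windows Firewall sections above each describe a setting to inspect by hand. The script below reads the same local signals in one pass, as an added example that is not part of the original article and not Intune's own compliance engine. It assumes an elevated PowerShell window (Confirm-SecureBootUEFI and the Win32_Tpm class need administrator rights), and two things in it are assumptions rather than documented facts: the bit layout used to decode the Security Center productState field, and the 7-day signature-age threshold. The code-integrity item is reported to Intune by Device Health Attestation at boot and is not read here.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell.
# Local self-check only: Intune's own evaluation (Company Portal > Check Access)
# remains the authoritative compliance result.

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy BIOS / CSM boot, which can never pass.
    try   { [pscustomobject]@{ Supported = $true;  Enabled = [bool](Confirm-SecureBootUEFI) } }
    catch { [pscustomobject]@{ Supported = $false; Enabled = $false } }
}

function Get-TpmState {
    $tpm = Get-Tpm -ErrorAction SilentlyContinue      # TpmPresent / TpmReady
    $wmi = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm `
               -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first field is the spec version.
    $spec = if ($wmi) { ($wmi.SpecVersion -split ',')[0].Trim() } else { $null }
    [pscustomobject]@{
        Present     = [bool]($tpm -and $tpm.TpmPresent)
        Ready       = [bool]($tpm -and $tpm.TpmReady)
        SpecVersion = $spec
        Is20        = ($spec -eq '2.0')
    }
}

function Get-DefenderState {
    # Source for the real-time protection, anti-malware and anti-spyware items.
    $mp = Get-MpComputerStatus
    [pscustomobject]@{
        AMServiceEnabled          = $mp.AMServiceEnabled
        RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
        AntivirusEnabled          = $mp.AntivirusEnabled
        AntispywareEnabled        = $mp.AntispywareEnabled
        SignatureAgeDays          = $mp.AntivirusSignatureAge
        # A passive/EDR-block mode means another product (e.g. Cortex XDR) owns real-time protection.
        RunningMode               = $mp.AMRunningMode
    }
}

function Get-RegisteredAntivirus {
    # Windows Security Center lists every registered AV product, Defender or third-party.
    # productState is undocumented; the masks below are the commonly used decoding
    # (bit 0x1000 = product enabled, bit 0x10 = signatures out of date) and are an assumption.
    Get-CimInstance -Namespace root\SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Name     = $_.displayName
                Enabled  = (($_.productState -band 0x1000) -ne 0)
                UpToDate = (($_.productState -band 0x10) -eq 0)
            }
        }
}

function Get-FirewallState {
    # Mirrors the three "Firewall is on" lines in the Windows Security app.
    Get-NetFirewallProfile | Select-Object Name, Enabled
}

function Test-LocalComplianceSignals {
    $sb  = Get-SecureBootState
    $tpm = Get-TpmState
    $mp  = Get-DefenderState
    $av  = @(Get-RegisteredAntivirus)
    $fw  = @(Get-FirewallState)
    $thirdPartyOn = [bool]($av | Where-Object { $_.Enabled -and $_.Name -notmatch 'Defender' })

    $checks = [ordered]@{
        'Secure Boot enabled'               = $sb.Enabled
        'TPM 2.0 present (Windows 11 only)' = ($tpm.Present -and $tpm.Is20)
        'Real-time protection (Defender or third-party)' = ($mp.RealTimeProtectionEnabled -or $thirdPartyOn)
        'Anti-malware service running'      = $mp.AMServiceEnabled
        'Anti-spyware enabled'              = $mp.AntispywareEnabled
        # 7 days is a local heuristic (assumption), not Intune's definition of "up to date".
        'AV signatures up to date'          = (($mp.SignatureAgeDays -le 7) -or
                                               [bool]($av | Where-Object { $_.Enabled -and $_.UpToDate }))
        'Firewall on for all profiles'      = -not ($fw | Where-Object { "$($_.Enabled)" -ne 'True' })
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name] }
    }
}

Test-LocalComplianceSignals | Format-Table -AutoSize
```

On a university device with Cortex XDR installed, expect RealTimeProtectionEnabled to be false and RunningMode to show a passive mode; the real-time protection row still passes because the third-party product is enabled in Security Center, which matches the note in the Real-Time Protection section. The TPM row is informational on Windows 10, where the article says the condition is not enforced.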

Device must be used at least once every 30 days

All Intune-managed devices must be used and signed into at least once every 30 days to stay compliant.

Devices that have not checked in with Intune for more than 180 days are automatically removed from Intune; they will then be wiped and must be re-enrolled. To prevent data loss, always store your files in OneDrive or in one of your Teams.

Details


Article ID: 118303
Created
Wed 10/14/20 11:02 AM
Modified
Thu 10/24/24 4:41 PM
