Imperial manages staff's Windows devices with a combination of industry-standard tools. These include Microsoft Configuration Manager (MCM), Group Policy and Microsoft Intune, as well as Microsoft Defender as the anti-virus, anti-malware and security compliance solution.
How your device is managed will depend on its age. Group Policy and MCM are in use on almost all Imperial machines, however mobile device management has been introduced by Imperial to support hybrid working.
All new HP devices purchased via our approved supplier portal are auto-enrolled into Microsoft Intune. Once installed, they are managed by both Intune and MCM in a Microsoft-supported configuration known as ‘co-managed’.
Self-build your Imperial Windows device
Follow the instructions in this step-by-step video to 'self-build' your new Imperial Windows device.
Device management
- What is Microsoft Configuration Manager (MCM)?
- What is Microsoft Intune?
- Can I create a local account?
- Why are we using Microsoft Intune and MCM?
- What are the benefits of Microsoft Intune and MCM?
- What information does Microsoft Intune collect?
- What information does MCM collect?
- What changes do Microsoft Intune and MCM make to my device?
- Will I still have administrator rights?
MCM is an onsite-based endpoint management solution. It enables:
- Secure and scalable deployment of applications, software updates and operating systems.
- Real-time actions on managed devices.
- Cloud-powered analytics and management for on-premises and internet-based devices.
- Compliance settings management.
- Comprehensive management of servers, desktops, and laptops.
Microsoft Intune is a cloud-based endpoint management solution that manages user access and simplifies applications and device management across many devices, including mobile devices, desktop computers, and virtual endpoints.
Local accounts can be created on Imperial-managed devices, however this is not recommended as it is a requirement of a network connection via JANET that the user using the device can be identified.
If you require a local account, it is your responsibility as the device owner to ensure responsible sharing of account credentials. The local password must comply with Imperial's password policy.
Ransomware attacks and virus infections present one of the biggest risks to Imperial. ICT is working on reducing the likelihood that this type of attack against Imperial would succeed.
Managing Imperial endpoints allows us to improve our understanding of the potential risks they present to the organisation. For example, we can understand if security is installed on devices, if anti-virus software is running, if applications and security definitions are up-to-date etc.
Having managed devices and up-to-date security patches is a requirement of the Cyber Essentials certification which Imperial is in the process of obtaining. Not holding this certification may impact Imperial's ability to receive funding.
Reliability: Your device will quickly receive software updates and patches with little to no interaction on your part.
Time Efficiency: You will stay more productive as deployment and updating processes run in the background, freeing up more time for your teaching and research.
Security and Compliance: ICT will manage the security of your device, so you don't have to. They'll ensure that software patches, anti-virus protection, firewalls, and compliance with Imperial’s security standards are well maintained.
Confidentiality: Your data and files will remain confidential; no personal data is scanned, indexed, or transmitted off your device. ICT servers also keep full audit logs of any actions performed by technicians.
MCM collects the following pieces of information:
- Device Identifiers, including:
- Serial Number.
- Hardware Addresses.
- IP addresses.
- Hostnames.
- Hardware Inventory.
- Free diskspace status.
- BitLocker status.
- Monitor details (if supported by monitor and connection method).
- Installed application details.
- Including patch status.
- Operating system details.
- Including installed OS patches.
- Power settings.
- Connected printers.
- Boot times.
- Windows version upgrade readiness.
Intune and MCM apply settings published by ICT in configuration profiles (Intune) and local policies (MCM) which make changes to the settings on your device. These help us ensure that your device is secure.
It can also install software that is either required or advertised via the Software Center (optional).
If you are/were the first user to log onto a newly built device via Micorsoft Intune, you will have administrator rights.
If your device was built before Microsoft Intune was introduced or the device is used in a shared environment (such as a lab or a loan laptop), then administrator rights are not given by default.
You can request administrator rights using a dedicated ASK form.
Microsoft Defender
- What is Microsoft Defender?
- Why are we using Microsoft Defender?
- What are the benefits of Microsoft Defender?
- What data does Microsoft Defender collect?
Microsoft Defender is a unified pre and post-breach enterprise defence suite that natively coordinates detection, prevention, investigation and response across endpoints, identities, email and applications to provide integrated protection against sophisticated attacks.
Microsoft Defender enables real-time reporting of security incidents within Imperial devices.
It supports us to check our compliance with security frameworks such as Cyber Essentials and gives us recommendations on improvements we could make to bring us further in line with industry best practice.
Microsoft Defender provides real-time incident monitoring of our estate and helps us contain any issues by isolating devices.
It provides insights into the spreading of malware and helps us aim our resourcing where it will be most effective.
It benchmarks us against similar-sized organisations and gives us guidance on how we can improve our security posture.
- File data (such as file names, sizes and hashes).
- Process data (running processes, hashes).
- Registry data.
- Network connection data (host IPs and ports).
- Device details (Device Identifiers, Names and Operating System Version).
Personal use
Personal use is not restricted on devices, but you must adhere to University policy as per point 11.5 in the Conditions of Use of IT Resources.