Quick answer, we are only locking down the apps that access company data and not the phone itself.

Per Microsoft's documentation, by enrolling in Intune, we will ONLY be able to collect hardware inventory information (device name, model, OS, manufacturer, etc) and then put in security measures for the apps that contain company data.

Intune or any admin WILL NOT have access to calling logs, text messages, photos, personal email, contacts, passwords to personal accounts, or web browsing history.

Many employees and employers prefer to use their own mobile devices to access personal or work information rather than carrying around multiple devices for each purpose. The use of personal devices for work, while common, increases the risk that business information could end up in the wrong hands. The security solutions we would implement would toe the line for both efficiency (and privacy) for the individual but data protection for the company.

For Phase 2 (assuming Phase 1 is already completed), YES, all users will need to upgrade to Business Premium in order to enroll Intune and Defender for Business which are included. By doing additional add-ons it will actually cost more than purchasing the Business Premium as it bundles all of these licenses together and gives a price discount through the bundle.

Windows 10/11 Pro or Enterprise or you can upgrade a Home edition by purchasing a Pro license. Other considerations may require older computers that are no longer functioning as they should and may need to be replaced or retired prior to implementing these security controls.

Absolutely! Part of Security Phase 3 is to circle back to the policies created in Phase 1 and 2 to see how they need to adapt / expand to cover more scenarios. The security solutions are built in a way that they can remain relevant into the future through continual monitoring and consultation.

Windows Hello represents the biometric framework provided in Windows. Windows Hello lets users use biometrics to sign in to their devices by securely storing their user name and password and releasing it for authentication when the user successfully identifies themselves using biometrics. Windows Hello for Business uses asymmetric keys protected by the device's security module that requires a user gesture (PIN or biometrics) to authenticate.

1. A PIN is tied to a device. One important difference between an online password and a Hello PIN is that the PIN is tied to the specific device on which it is set up. That PIN is useless to anyone without that specific hardware. Someone who obtains your online password can sign into your account from anywhere. If you want to sign in on multiple devices, you have to set up Hello on each device.
2. A PIN is local to the device. An online password is transmitted to the server for authentication. The password can be intercepted in transmission or obtained from a server. A PIN is local to the device, never transmitted anywhere, and it isn't stored on the server.
3. A PIN is backed by hardware. The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. Windows doesn't link local passwords to TPM, therefore PINs are considered more secure than local passwords. The TPM protects against various known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked.

Windows Autopilot is used to set up and pre-configure new devices. It simplifies the device lifecycle process for both the IT team but also the end users as it can apply universal company settings and approved applications for install on any device part of the network.

When a threat is detected, alerts are created in the system for a member of our team to investigate. Alerts with the same attack techniques or attributed to the same attacker are aggregated into an entity called an Incident. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats.

Defender for Business allows our support team to run deep antivirus scans, isolate devices, stop and quarantine a file, and add indicators to block or allow a file.