
Runbook — Slow Device / Suspected Malware

Scenario

A user reports their device is running slowly and they think they might have a virus. They mention they have been clicking through emails this morning.


Steps

1. Assess the Phishing Risk First

The slow device may be a symptom. The clicking through emails is the priority concern. Ask immediately:

  • What emails did you click?
  • Did you open any attachments or follow any links?
  • Did you enter any credentials on any website after clicking?

If they clicked links or entered credentials, this is a potential security incident — follow the escalation steps below immediately.

2. Isolate the Device

If phishing or malware is suspected, isolate the device to prevent potential spread:

intune.microsoft.com → Devices → All devices → select the device → Isolate

This cuts the device off from the network while keeping the Intune management channel open so you can still manage it remotely.

3. Trigger a Remote Scan

intune.microsoft.com → Devices → All devices → select the device

  • Quick scan — scans common malware locations, faster
  • Full scan — full disk scan, use if a threat is suspected

4. If Credentials Were Entered

If the user entered their password anywhere after clicking a link:

  • Reset their password immediately
  • Reset MFA registration
  • Revoke all active sessions in Entra ID
  • Escalate to the security team urgently — this is a potential account compromise

If the user is just reporting a slow device with no phishing involvement:

  • Ask them to restart the device
  • Check compliance status in Intune
  • Check Task Manager for any processes consuming excessive CPU or memory
  • Run a Quick scan via Intune
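Added example, not part of this runbook: the portal actions in steps 3 and 4 (remote Defender scan, password reset, session revocation) and the compliance and process checks for the plain slow-device branch, scripted with the Microsoft Graph PowerShell SDK so they can be run and logged consistently from a helpdesk workstation. It assumes the Microsoft.Graph modules are installed and that the operator signs in with an account holding the listed Graph scopes; $DeviceId, $UserPrincipalName and $TicketId are placeholders filled from the ticket. The MFA re-registration step is left to the Entra portal as the runbook describes; device isolation is likewise left to the portal action in step 2.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions

function Connect-RunbookGraph {
    # Scopes (assumed minimal set): PrivilegedOperations.All is needed for the remote
    # Defender scan action; User.ReadWrite.All covers the password reset and session revocation;
    # DeviceManagementManagedDevices.Read.All covers the compliance lookup.
    Connect-MgGraph -NoWelcome -Scopes @(
        'DeviceManagementManagedDevices.PrivilegedOperations.All',
        'DeviceManagementManagedDevices.Read.All',
        'User.ReadWrite.All'
    )
}

function Get-IntuneDeviceStatus {
    # Step 4 (no phishing): compliance state and last check-in, as shown on the device page.
    param([Parameter(Mandatory)][string]$DeviceId)   # Intune managed device id (GUID)
    $uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$DeviceId"
    $d = Invoke-MgGraphRequest -Method GET -Uri $uri
    [pscustomobject]@{
        DeviceName      = $d.deviceName
        ComplianceState = $d.complianceState
        LastSync        = $d.lastSyncDateTime
    }
}

function Start-IntuneDefenderScan {
    # Step 3: same Quick/Full choice as the portal. Quick is the default; use -Full when a
    # threat is suspected.
    param(
        [Parameter(Mandatory)][string]$DeviceId,
        [switch]$Full
    )
    $uri  = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$DeviceId/windowsDefenderScan"
    $body = @{ quickScan = (-not $Full.IsPresent) } | ConvertTo-Json
    Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body -ContentType 'application/json'
}

function Invoke-CompromisedAccountContainment {
    # Step 4 (credentials entered): new password forced at next sign-in, then every
    # existing session and refresh token is invalidated so a stolen token stops working.
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$TicketId
    )
    # Temporary password from a CSPRNG; the user must change it at next sign-in anyway.
    $chars = 'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789'
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $temp  = -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })

    Update-MgUser -UserId $UserPrincipalName -PasswordProfile @{
        Password                      = $temp
        ForceChangePasswordNextSignIn = $true
    }
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null

    # Record for the escalation: hand the temporary password to the user out of band, never by email.
    [pscustomobject]@{
        Ticket        = $TicketId
        User          = $UserPrincipalName
        PasswordReset = $true
        SessionsRevokedUtc = (Get-Date).ToUniversalTime().ToString('o')
        TempPassword  = $temp
    }
}

function Get-TopProcesses {
    # Step 4 (no phishing): the Task Manager check, run locally on the device (e.g. via a
    # remote session), sorted by CPU time consumed.
    param([int]$Top = 10)
    Get-Process | Sort-Object -Property CPU -Descending | Select-Object -First $Top `
        Name, Id,
        @{ n = 'CPU(s)'; e = { [math]::Round($_.CPU, 1) } },
        @{ n = 'WS(MB)'; e = { [math]::Round($_.WorkingSet64 / 1MB, 1) } },
        Path
}

# Usage from a helpdesk workstation (placeholders):
# Connect-RunbookGraph
# Get-IntuneDeviceStatus -DeviceId $DeviceId
# Start-IntuneDefenderScan -DeviceId $DeviceId -Full
# Invoke-CompromisedAccountContainment -UserPrincipalName $UserPrincipalName -TicketId $TicketId
```

Run the containment function only after the phishing assessment confirms credentials were entered; its return object is the evidence to attach to the escalation, alongside the list of emails the user clicked.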


Escalate If

  • The user clicked a link or entered credentials — escalate to the security team immediately; this is a security incident
  • The Defender scan returns a detected threat — escalate to 2nd line or the security team
  • The device remains slow after a restart and scan — escalate to 2nd line for further investigation

Notes

  • A user saying "I think I have a virus" is often panic — but clicking through emails must always be taken seriously regardless
  • Do not let urgency skip the phishing assessment — a slow laptop is low priority compared to a potential breach
  • Isolate before scanning if phishing is suspected — do not leave a potentially compromised device on the network while investigating
  • Document the emails the user clicked and include them in the escalation