Guide for setting up new device to join AAD with Intune management

This procedure is for setting up newly acquired device which would opt for the device management scheme, see Device management by Microsoft Endpoint manager (Intune).

  • For existing device in-use and already AD joined, please contact CSC of your department for enrollment.
  • For existing device in-use and not AD joined, please refer to the "To join an already configured Windows 10/11 device" section here.
Getting Started

A. Register the new device for Node Registration

Note: The purpose of Node Registration is to enable Internet connection (via Ethernet) which is a prerequisite during the configuration process. For laptop or desktop which can connect to Wi-Fi for Internet, Node Registration is not required, and one can skip to part B.

  1. Contact the CSC of your department to perform Node Registration for the new device

B. Install Windows 11 Professional on the device

Note: If the device already comes with Windows 11 Professional or Enterprise, skip to part C

  1. Contact the CSC of your department to install Windows 11 Professional on the device

C. Enroll the device using ITSC account of the device user

Following the set up instructions of Windows 11 Enterprise or Professional

  1. Follow the set up instructions
  2. Under "How would you like to set up this device", select "Set up for work or school", then enter your ITSC credentials (i.e., and complete the MFA challenge using DUO mobile (or other registered authentication methods)

  3. Wait the installation to be completed and follow the set up instructions
    • To speed up the installation, the device user may select "Continue anyway" when it is prompted

The device is now successfully enrolled to the Microsoft Endpoint Manager, or MEM (previously known as Intune). This could be verified by checking the presence of "Managed by HKUST - Info" under "Connected to HKUST's Azure AD" of the "Access work or school" Settings application page.



  1. The enrolled user would have administrator privilege of the device
  2. If the device is not connected to campus network, you will need to activate the Window license manually after the installation
    • From "Activation settings" in Settings, please enter the generic key "NPPR9-FWDCX-D2C8J-H872K-2YT43" under "Change product key". 

D. Assign the device category under the department of the device user

  1. Open Microsoft Edge
  2. Go to
  3. Select the device in-use
  4. Select "Category is unknown. Tap to select now.", then confirm the device category (i.e., the department abbreviation of the device user. For instance, ITSC).   Choose "Others" if your department is not listed.
  1. Wait for the prompt (about 10 minutes after the previous step is done) "You're about to be signed out" (the device user could use the device meanwhile)
  2. Restart the device
  3. Logon the device using ITSC credentials (i.e.,

The device is now successfully enrolled to the Microsoft Defender for Endpoint, or MDE (previously known as Advanced Threat Protection, or ATP). This could be verified by checking the presence of "ITSC Support" under the "Windows Security" application page.