Set up a newly acquired notebook and onboard it to Microsoft Intune

This procedure covers setting up a newly acquired notebook over a Wi-Fi connection and onboarding it to Microsoft Intune. See Device Management using Microsoft Intune.

Getting Started

Steps to be performed by the device user (who must possess a valid ITSC staff account)

  1. Install Windows 11 Home on device (May take about 15-30 min)
  2. Upgrade to Enterprise edition and Reset Computer (May take about 30 min)
  3. Install Windows 11 Enterprise and onboard the device using ITSC account of the device owner (May take about 15-30 min)
  4. Enable Windows Hello PIN Login and Rename Device
  5. Verify Intune Enrollment

Content

A. Install Windows 11 Home on the device

As most newly purchased mobile devices come with Windows 11 Home edition, you may need to create a personal Microsoft account to proceed with installation. Just follow the Windows 11 setup instructions. If your device already has Windows 11 Professional / Enterprise edition installed, you may go directly to enrolling the device using your ITSC account.

Here are some points to note when installing:

  1. Network Connection during installation
    For wireless connection, please refer to On-Campus WI-FI connection for campus community
  2. Name your device during installation
    During installation, you'll be given an option to name your device. The computer name that you provide here doesn't matter at this point. Just press "Skip for now" to proceed.

     
  3. Windows 11 Microsoft Account registration during installation
    The Windows 11 installation process requires registration using a personal Microsoft account before you can access the computer desktop. This personal Microsoft account is used to register the new device with Microsoft.



    You have three options here:

    • Create a new personal Microsoft account by clicking "Create One!". You may then use this account for your own personal use, like registering your devices at home. ITSC strongly suggests NOT using your campus network account to create a personal Microsoft account, as it may cause confusion in the future.
    • Sign in with an existing personal Microsoft account that you possess. 
    • Sign in using a shared personal Microsoft account possessed by your departmental support.
    In fact, the personal Microsoft account registered here may become irrelevant if you reset the machine at a later step. However, Windows 11 Home edition will sync your Desktop, Documents and Pictures folders. You cannot refuse synchronization at the installation stage, but you can stop synchronization after accessing the Windows Desktop. See Back up your Documents, Pictures, and Desktop folders with OneDrive.
     
  4. Create PIN, Biometric Authentication, Restore from Device, and Microsoft 365
    • The PIN you create during the Windows 11 Home installation procedure is usable only on that particular device. It gives you a passwordless login experience. You may just create a six-digit PIN for this device.
    • You may bypass the biometric authentication setting at this point, as you may need to do it again when you use your ITSC account on the device in future.
    • DO NOT restore from another device. This option will restore settings of your personal Microsoft account from other devices. However, you shouldn't use a personal Microsoft account to log in to the device after enrolling in Intune management.
      You may just select "Setup as new device"

       
    • You may just press "Decline" when you are given an option to purchase Microsoft 365. Once you log in using your ITSC account in future, you can automatically access Microsoft 365 without purchasing.

       

B. Upgrade to Enterprise edition and Reset Computer

To enroll in Intune management, Windows devices must be of Professional or Enterprise edition. To upgrade:

  1. Open "Settings", "System", "Activation". Make sure your device's Windows version is Windows 11 Home, then at the "Change product key" row, click "Change"

     
  2. Now, at the "Enter a product key" dialog, enter the Windows 11 Enterprise KMS setup key NPPR9-FWDCX-D2C8J-H872K-2YT43 and then click "Next"

     
  3. You'll then be prompted to upgrade your edition of Windows. Just press "Start" to begin the upgrade process.
  4. The upgrade process may take a few minutes and your device will restart after upgrade.

 

Upon successful upgrade and restart, your device edition will now be Windows 11 Enterprise. At this point, ITSC highly recommends resetting the device to factory default for the following reasons:

  • The reset action will regenerate the BitLocker key of the device and store it in the Corporate Account. This would make future device maintenance or device transfer much easier.
  • The personal Microsoft account that was used to register Windows 11 Home will be reset. Personal data of that account will be erased. OneDrive backup using personal Microsoft Account will also be reset.
  • If you use a personal Microsoft account just for device installation, you may not manage that account securely. This can make future recovery very troublesome, because you would need to retrieve the BitLocker key.

 

To perform device reset:

  1. Open "Settings", "System", "Recovery", then click "Reset PC".

     
  2. Select "Remove everything".

     
  3. Select "Cloud download". This will give you the latest version of Windows 11 Enterprise.

     
  4. Click "Next" to proceed.

     
  5. Finally, click "Reset" to reset the computer and return it to a freshly installed Windows 11 Enterprise.

     
  6. Now, wait for the system to reset your device. This process may take around 45-60 min. When finished, the device will reboot into the new installation interface.

C. Install Windows 11 Enterprise and onboard the device using ITSC account of the device owner

Follow the setup instructions of Windows 11 Enterprise:

  1. Follow the setup instructions
  2. At the prompt "Let's set things up for your work or school", enter your ITSC credentials.
    Note that the account you provided here will be the owner and administrator of the device.

     

  3. Wait until the installation is completed and follow the setup instructions.

D. Enable Windows Hello PIN Login and Rename Device

Upon completion of installation and machine boot-up, you'll be given the option to configure Windows Hello. Windows Hello is a new way of signing in to your device using a PIN or biometrics. You need not use a complex password to log in. Please refer to the Passwordless Strategy in HKUST page for details.

Now, just follow the on-screen instructions to log in with your ITSC network account again. If you have not yet set up Azure MFA, you'll be asked to set it up at this step, before the Windows Hello PIN. This is required because it is used to reset the Windows Hello PIN or biometrics if needed. We recommend setting up the Microsoft Authenticator App as your preferred Azure MFA method; you can enable Passwordless authentication for browser-based applications later.

Follow the steps and you'll finally reach "All Set".

Now, your new device installation is complete. You may log in with your ITSC account on this device using the PIN in future.

At this stage, the device will have an arbitrary computer name like "DESKTOP-ABCDEFG" or "LAPTOP-ABCDEFG". ITSC imposes no restriction on computer names for new Windows 10/11 devices enrolling in Intune. However, we strongly recommend changing your device name at this stage. Changing the device name now makes your devices easier to manage. It also helps to locate the device should security alerts be raised in future. ITSC suggests using the following naming convention:

  • [dept]-[Abbreviation or Team or Owner]-[sequence]
    e.g., ITSC-DIR-001, ITSC-PROJ-001 or ITSC-CCTEST-001

To do so, in "Settings", "System", "About", click "Rename this PC".




After renaming the PC, a reboot is required for the change to take effect.


E. Verify Intune Enrollment

  1. Verify Intune Enrolment
    You can verify your device enrolment status by checking for the presence of "Managed by HKUST - Info" under "Settings", "Accounts", "Access work or school", "Connected to HKUST's Azure AD".

     
  2. Verify Microsoft Defender for Endpoint protection.
    Your device should also be protected by Microsoft Defender for Endpoint. This can be verified by checking for the presence of "ITSC Support" under the "Windows Security" application page.
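
The checks in section E, together with the edition, BitLocker and device-name points from sections B and D, can also be run from an elevated PowerShell prompt. This is an added example, not an ITSC script: the naming pattern is an assumed reading of the suggested convention, and the registry paths are the standard Windows locations for MDM enrollments and Defender for Endpoint onboarding status.

```powershell
# Added example (not ITSC's script). Run from an elevated PowerShell prompt.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    # dsregcmd prints "Key : Value" pairs; collect them into a hashtable.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\w+)\s+:\s+(.*\S)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    $state
}

$dsreg = ConvertFrom-DsregStatus -Lines (dsregcmd.exe /status)
$os    = Get-CimInstance -ClassName Win32_OperatingSystem
# Intune enrollments are recorded under this key with ProviderID 'MS DM Server'.
$mdm   = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
         Get-ItemProperty -ErrorAction SilentlyContinue |
         Where-Object { $_.ProviderID -eq 'MS DM Server' }
# Defender for Endpoint sets OnboardingState = 1 and runs the 'Sense' service.
$mde   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' -ErrorAction SilentlyContinue
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
$vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$name  = $env:COMPUTERNAME

$checks = [ordered]@{
    'Edition is Pro or Enterprise'        = ($os.Caption -match 'Pro|Enterprise')
    'Azure AD joined'                     = ($dsreg['AzureAdJoined'] -eq 'YES')
    'Enrolled in Intune (MDM)'            = [bool]$mdm
    'Defender for Endpoint onboarded'     = ($mde.OnboardingState -eq 1 -and $sense.Status -eq 'Running')
    # Presence only: this does not show which account holds the recovery key.
    'BitLocker recovery password present' = [bool]($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    # Assumed pattern for [dept]-[Abbreviation or Team or Owner]-[sequence];
    # 15 characters is the NetBIOS computer-name limit.
    'Name follows suggested convention'   = ($name -match '^[A-Z]+-[A-Z0-9]+-\d+$' -and $name.Length -le 15)
}

$results = foreach ($check in $checks.Keys) {
    [pscustomobject]@{ Check = $check; Passed = [bool]$checks[$check] }
}
$results | Format-Table -AutoSize
# Non-zero exit code lets a support script detect an incomplete onboarding.
if ($results.Passed -contains $false) { exit 1 }
```

A failed BitLocker or Defender check immediately after first sign-in may only mean that policy has not been applied yet; rerun the checks after the device has synced with Intune.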