Guide for onboarding existing devices to Microsoft Intune

This procedure is for existing non-domain-joined devices that opt in to the device management scheme; see "Device management using Microsoft Intune".

  • Existing devices that have already joined the on-premises domain can continue to be used without onboarding to Microsoft Intune. If such a device is upgraded or replaced, ITSO recommends onboarding to Microsoft Intune.
  • If your device has already joined the on-premises domain and you would like to use the advanced protection mechanisms provided by Intune, you may send us an email (cchelp@ust.hk). ITSO will provide custom procedures for hybrid join (attaching the device to both on-premises AD and Microsoft Intune).
Getting Started

This option allows the user to keep existing user data and configurations (the user profile). Upon successful onboarding, the device is protected by Microsoft Intune. The user may then choose to:

  • Add an ITSO account to the current user.
    You can then access eligible cloud resources such as Office 365, OneDrive, Teams, etc. The existing user data, configuration and applications are kept. However, this profile cannot readily access on-premises domain resources such as network shares; additional configuration or login may be needed.
  • Log in to the device using an ITSO account.
    A new user profile is then created. You can readily access on-premises domain resources without further logon. Eligible cloud resources are also available. To access existing user data, you may need to log in again using the existing account.
 
Steps to be performed by device user
  1. Make sure the device is running Windows 10/11 Professional or Enterprise edition
  2. Rename device
  3. Keep the current device and join AAD as added protection
  4. Add ITSO account to current user
  5. Verify Intune Enrollment
Content

A. Make sure the device is running Windows 10/11 Professional or Enterprise edition

To enroll in Microsoft Intune, the Windows device must be running the Professional or Enterprise edition. To check, open "Settings", "System", "About" and look at the Windows edition shown in the "Windows Specifications" section.

If the Windows edition is not Professional or Enterprise, you may change the product key:

  • Windows 10: Open "Settings", "Update and Security", "Activation". Make sure your device's Windows edition is Windows 10 Home, then click "Change product key".
  • Windows 11: Open "Settings", "System", "Activation". Make sure your device's Windows edition is Windows 11 Home, then at the "Change product key" row, click "Change".

Now, at the "Enter a product key" dialog, enter the Enterprise KMS setup key NPPR9-FWDCX-D2C8J-H872K-2YT43 or a MAK key, and then click "Next".

You will then be prompted to upgrade your edition of Windows. Press "Start" to begin the upgrade process.

The upgrade process may take a few minutes and your device will restart after upgrade.

 


B. Rename device

At this stage, the device will have an arbitrary computer name such as "DESKTOP-ABCDEFG" or "LAPTOP-ABCDEFG". ITSO imposes no restriction on the computer name for new Windows 10/11 devices enrolling in Intune. However, we strongly recommend changing your device name at this stage. Changing the device name now makes your devices easier to manage. It also helps to locate the device should security alerts be raised in the future. ITSO suggests the following naming convention:

  • [dept]-[Abbreviation or Team or Owner]-[sequence]
    e.g., ITSO-DIR-001, ITSO-PROJ-001 or ITSO-CCTEST-001

To do so, in "Settings", "System", "About", click "Rename this PC".

After renaming the PC, a reboot is required for the change to take effect.


C. Keep the current device and join AAD as added protection

This option is for non-domain-joined devices whose users want to keep everything and join AAD with Microsoft Intune for the added security features. The procedure is the same for Windows 10 and Windows 11.

  1. Open "Settings", "Accounts", "Access work or school", click "Connect"
  2. On the "Set up a work or school account" screen, select "Join this device to Azure Active Directory"
  3. Now, sign in with your ITSO credential. Upon completion, you may reboot your machine.

D. Add ITSO account to current user

This option allows the current (non-ITSO account) user to access eligible cloud resources such as Office 365, OneDrive and Teams. The procedure is the same for Windows 10 and Windows 11.

  1. Open "Settings", "Accounts", "Email & accounts", click "Add a work or school account"
  2. Now, sign in with your ITSO credential.
  3. Upon completion, open your applications such as OneDrive or Teams and click "Sign-In". You only need to type your ITSO email address; you can then access the application without providing a password.

E. Verify Intune Enrollment

  1. Verify Intune enrollment.
    You can verify your device's enrollment status by checking for "Managed by HKUST - Info" under "Settings", "Accounts", "Access work or school", "Connected to HKUST's Azure AD".
  2. Verify Microsoft Defender for Endpoint protection.
    Your device should also be protected by Microsoft Defender for Endpoint. This can be verified by checking for "ITSO Support" in the "Windows Security" application.
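
The checks in sections A, B and E can also be read from a PowerShell prompt. The script below is an added example, not part of ITSO's procedure: the name regex is an assumed reading of the suggested convention, the function names are hypothetical, and the `dsregcmd /status` fields are only a hint, so the Settings checks above remain the reference.

```powershell
# Added example: read-only checks for sections A, B and E. Nothing on the device is changed.

function ConvertFrom-DsregStatus {
    # Turn the "Key : Value" lines printed by `dsregcmd /status` into a hashtable.
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*)$') {
            $state[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $state
}

function Test-OnboardingState {
    param(
        [string]$EditionId,
        [string]$ComputerName,
        [hashtable]$Dsreg
    )
    [pscustomobject]@{
        Edition      = $EditionId
        # Section A: Professional or Enterprise is required ("Core" means Home).
        EditionOk    = $EditionId -match '^(Professional|Enterprise)'
        ComputerName = $ComputerName
        # Section B: [dept]-[team]-[sequence], e.g. ITSO-DIR-001 (regex is an assumption).
        # Windows computer names are limited to 15 characters (NetBIOS).
        NameOk       = ($ComputerName -match '^[A-Za-z0-9]+-[A-Za-z0-9]+-\d+$') -and
                       ($ComputerName.Length -le 15)
        # Sections C and E: the device is joined to Azure AD.
        AadJoined    = $Dsreg['AzureAdJoined'] -eq 'YES'
        # An MDM URL in the tenant details suggests that MDM enrollment is configured.
        MdmUrlSet    = -not [string]::IsNullOrWhiteSpace($Dsreg['MdmUrl'])
    }
}

# Gather the live values from this device and print the result.
$edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
$dsreg   = ConvertFrom-DsregStatus -Lines (dsregcmd /status)
Test-OnboardingState -EditionId $edition -ComputerName $env:COMPUTERNAME -Dsreg $dsreg |
    Format-List
```

A device still named "DESKTOP-ABCDEFG" reports NameOk as False, and a Home edition reports EditionOk as False; both are to be corrected in sections A and B before joining in section C.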