This procedure is for setting up a newly acquired device that will use the device management scheme. For other deployment options, see Device management using Microsoft Intune.
Starting from 1-Jan-2023, the new desktop devices procured via standard term contracts will come with Windows 11 Professional Edition. These devices are ready for Intune onboarding. This page gives detailed procedures on installation and Intune onboarding.
Steps to be performed by device user (who must possess a valid ITSC staff account)
A. Install Windows 11 Pro
Here are some points to note when installing:
- Network Connection during installation
  - For wireless connection, please refer to On-Campus WI-FI connection for campus community.
  - For wired connection in an office area, plug in the network cable. ITSO will provide limited network access that allows the Windows 11 installation to complete. Upon successful Intune onboarding, the device's network connection will automatically be registered and gain full access to all sites and services. No manual node registration is needed.
- Device Naming
  During installation, you'll be given an option to name your device. ITSO imposes no restriction on the computer name for new Windows 10/11 devices enrolling to Intune. However, we strongly recommend changing your device name at this stage. Changing the device name now makes your devices easier to manage, and it helps to locate the device should security alerts be raised in future. ITSO would like to suggest using the following naming convention:
  - [dept]-[Abbreviation or Team or Owner]-[sequence]
    e.g., ITSO-DIR-001, ITSO-PROJ-001 or ITSO-CCTEST-001
B. Enroll the device using ITSO account of the device user
After the device has been renamed and restarted:
- At the "How would you like to set up this device?" page, select "Set up for work or school", and click "Next".
- At the prompt "Let's set things up for your work or school", enter your ITSO credentials (e.g., johnchan@ust.hk) and complete the MFA challenge using DUO mobile (or other registered authentication methods). Note that the account you provide here will be the owner and administrator of the device. The new BitLocker key will be stored under this account's devices.
- Wait until the installation has completed and follow the set-up instructions.
C. Enable Windows Hello PIN Login
Once installation has completed and the machine has booted up, you're required to configure Windows Hello. Windows Hello is a new way of signing in to your device using a PIN or biometrics, so you need not type a complex password to log in. Please refer to our Passwordless page for the benefits of setting up Windows Hello.
Now, just follow the on-screen instructions to sign in to your ITSO network account again. If you have not yet set up Azure MFA, you'll be asked to set it up at this step, before the Windows Hello PIN. This is required because it is used to reset the Windows Hello PIN or biometric if needed. We recommend setting up the Microsoft Authenticator App as your preferred Azure MFA method; you can then enable Passwordless authentication for browser-based applications later.
Follow the steps and you'll finally reach "All Set".
Your new desktop device installation is now complete. In future, you may log in to your ITSO account on this device using the PIN.
D. Verify Intune Enrolment
- Verify Intune Enrolment
You can verify your device enrolment status by checking the presence of "Managed by HKUST - Info" under "Settings", "Accounts", "Access work or school", "Connected to HKUST's Azure AD".
- Verify Microsoft Defender for Endpoint protection.
Your device should also be protected by Microsoft Defender for Endpoint. This can be verified by checking for the presence of "ITSO Support" under the "Windows Security" application page.
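
The same checks can be cross-checked from a PowerShell prompt. The script below is an added example, not part of ITSO's procedure or tooling: it reads the join state from `dsregcmd /status`, checks that the Defender for Endpoint service ("Sense") is running, and tests the computer name against the suggested pattern. The function names, the regular expression for the naming convention and the sample output are assumptions made for illustration.

```powershell
# Added example (not ITSO tooling). Run in PowerShell on the enrolled device.

function Get-DsregField {
    # dsregcmd /status prints lines like "   AzureAdJoined : YES"; return the value or $null.
    param([string[]]$Lines, [string]$Name)
    foreach ($line in $Lines) {
        if ($line -match "^\s*$([regex]::Escape($Name))\s*:\s*(.+?)\s*$") { return $Matches[1] }
    }
    return $null
}

function Test-Onboarding {
    param([string[]]$DsregLines, [string]$ComputerName, [string]$SenseStatus)
    [pscustomobject]@{
        ComputerName    = $ComputerName
        # Assumed reading of the suggested pattern: letters/digits, letters/digits, digits.
        # 15 characters is the Windows (NetBIOS) computer-name limit.
        SuggestedName   = ($ComputerName -match '^[A-Za-z0-9]+-[A-Za-z0-9]+-\d+$') -and
                          ($ComputerName.Length -le 15)
        AzureAdJoined   = (Get-DsregField $DsregLines 'AzureAdJoined') -eq 'YES'
        TenantName      = Get-DsregField $DsregLines 'TenantName'
        # The tenant advertises an MDM endpoint for this user; not proof of enrolment by itself.
        MdmUrlPresent   = [bool](Get-DsregField $DsregLines 'MdmUrl')
        DefenderSenseUp = $SenseStatus -eq 'Running'
    }
}

# Constructed sample of dsregcmd output, so the parsing can be tried off the device.
$sample = @'
             AzureAdJoined : YES
                TenantName : HKUST
                    MdmUrl : https://mdm.example.invalid/enroll
'@ -split "`r?`n"
Test-Onboarding -DsregLines $sample -ComputerName 'ITSO-CCTEST-001' -SenseStatus 'Running'

# Live check on this device. "Sense" is the Microsoft Defender for Endpoint service.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
Test-Onboarding -DsregLines (dsregcmd /status) -ComputerName $env:COMPUTERNAME `
    -SenseStatus "$($sense.Status)"
```

A False in AzureAdJoined or DefenderSenseUp means the corresponding check in the Settings or Windows Security page above should be repeated before relying on the device being managed.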