A. Install Windows 11 Home on the device

As most newly purchased devices come with Windows 11 Home edition, you may need to create a personal Microsoft account to proceed installation. Just follow the setup instructions of Windows 11. If your device is already installed with Windows 11 Professional / Enterprise editions, you may go directly to enroll the device using ITSC account.

Here are some points to note when installing:

1. Network Connection during installation

   • For wireless connection, please refer to On-Campus WI-FI connection for campus community
   • For wired connection, in office area, plug-in network cable. ITSC will provide limited network access that allows Windows 11 installation to complete. Upon successful login to device desktop, user must complete node registration before resuming normal network access. 
      

2. Name your device during installation

   During installation, you'll be given an option to name your device. The computer name that you provided here doesn't matter at this point. Just press "Skip for now" to proceed.
   
    

3. Windows 11 Microsoft Account registration during installation

   Windows 11 installation process requires registration using personal Microsoft account before one can access the computer desktop. This personal Microsoft account will store BitLocker recovery key for future disk recovery. See 

   
   
   Here you can have three options:

   • Create a new personal Microsoft account by clicking "Create One!". You may then use this account for your own personal use, like registering your devices at home. ITSC strongly suggest NOT to use your campus network account to create personal Microsoft account as it may cause confusion in future.
   • Sign in with an existing personal Microsoft account that you possess. 
   • Sign in using a shared personal Microsoft account possessed by your departmental support.
   In fact the personal Microsoft account registered here may be irrelevant in case you reset the machine at later step. However, Windows 11 home edition will sync your Desktop, Documents and Pictures folder. You cannot refuse synchronization at installation stage, but you can stop synchronization after accessing Windows Desktop. See Back up your Documents, Pictures, and Desktop folders with OneDrive.
    

4. Create PIN, Bioinformatic Authentication, Restore from Device, and Microsoft 365

   • The PIN you created during Windows 11 Home installation procedure is just usable in that particular device. It gives you a passwordless login experience. You may just create a six-digits PIN for this device.
   • You may by-pass bioinformatic authentication setting at this point as you may need to do it again when you use ITSC account for the device in future.
   • DO NOT restore from another device. This option will restore settings of your personal Microsoft account from other devices. However, you shouldn't use personal Microsoft account to login the device after enrolling Microsoft Intune.
     You may just select "Setup as new device"
     
      
   • You may just press "Decline" when you are given an option to purchase Microsoft 365. Once you login using your ITSC account in future, you can automatically access Microsoft 365 without purchasing.
     
     
      

5. Node Registration for wired connection device

   By now, you should be able to access the Windows desktop. First thing first, if you are using wired connection for your installation, you should now perform node registration in order to gain access to full network access.

---

B. Upgrade to Enterprise edition and Reset Computer

To enroll Microsoft Intune, Windows devices must of Professional or Enterprise version. To do so:

1. Open "Settings", "System", "Activation". Make sure your device's Windows version is Windows 11 Home, then at the "Change product key" row, click "Change"
   
    
2. Now, at the "Enter a product key" dialog, enter the Windows 11 Enterprise KMS setup key 
   NPPR9-FWDCX-D2C8J-H872K-2YT43 or a MAK key, and then click "Next"
   
    
3. You'll then be prompt to upgrade your edition of Windows, just press "Start" to begin upgrade process.
4. The upgrade process may take a few minutes and your device will restart after upgrade.

 

Upon successful upgrade and restart, your device version will now be Windows 11 Enterprise. At this point, ITSC highly recommend to reset the device to factory default due to the following reasons:

• The reset action will regenerate the BitLocker key of the device and store it in the Corporate Account. This would make future device maintenance or device transfer much easier.
• The personal Microsoft account that was used to register Windows 11 Home will be reset. Personal data of that account will be erased. OneDrive backup using personal Microsoft Account will also be reset.
• In case you use a personal Microsoft account for just device installation, you may not manage that account securely. It may cause future recovery a great trouble as you need to get back the Bitlocker key.

 

To perform device reset:

1. Open "Settings", "System", "Recovery", Click "Reset PC".
   
    
2. Select "Remove everything".
   
    
3. Select "Cloud download". This will give you the latest version of Windows 11 Enterprise.
   
    
4. Click "Next" to proceed.
   
    
5. Finally, click "Reset" to reset the computer and make it as freshly installed Windows 11 Enterprise.
   
    
6. Now, wait the system to reset your device. This process may take around 45-60 min. When finished, the device will reboot into new installation interface.

---

C. Install Windows 11 Enterprise and Enroll the device using ITSC account of the device user

Following the set up instructions of Windows 11 Enterprise

1. Follow the set up instructions

2. At the prompt "Let's set things up for your work or school", enter your ITSC credentials (i.e., johnchan@ust.hk) and complete the MFA challenge using DUO mobile (or other registered authentication methods)
   Note that the account you provided here will be the owner and administrator of the device. The new Bitlocker key will be stored under this account's devices.
   
    

3. Wait until the installation completed and follow the setup instructions

The device is now successfully enrolled to the Microsoft Intune. This could be verified by checking the presence of "Managed by HKUST - Info" under "Settings", "Accounts", "Access work or school", "Connected to HKUST's Azure AD".

The device will have arbitrary computer name like "DESKTOP-ABCDEFG" or "LAPTOP-ABCDEFG". ITSC imposes no restriction on computer name for new Windows 10/11 devices enrolling to Microsoft Intune. However, we strongly recommend changing your device name at this stage. By changing device name now will give you ease to manage devices. Also, it'll help to locate the device should there be security alerts raised in future. ITSC would like to suggest using one of the following naming conventions:

• [dept]-[Abbreviation]-[sequence] (e.g., ITSC-P-001 for personal 001, ITSC-T-001 for team 001)

To do so, in "Settings", "System", "About", click "Rename this PC".

After renaming PC, a reboot is required to make changes effective.

---

The device is now successfully enrolled to the Microsoft Defender for Endpoint, or MDE (previously known as Advanced Threat Protection, or ATP). This could be verified by checking the presence of "ITSC Support" under the "Windows Security" application page.