Guide for existing device to onboard Microsoft Intune

This procedure is for existing non-domain-joined devices that opt in to the device management scheme. Please refer to "Device management using Microsoft Intune" for more information.

  • Existing devices that have already joined the on-premises domain can continue to be used without onboarding to Microsoft Intune. However, when such a device is upgraded or replaced, ITSO recommends onboarding to Microsoft Intune.
  • If your device has already joined the on-premises domain and you would like the advanced protection mechanisms provided by Intune, send us an email at cchelp@ust.hk. ITSO will provide custom procedures for hybrid join (attaching the device to both the on-premises AD and Microsoft Intune).
Getting Started

This option allows users to keep their existing user data and configuration (user profile). Upon successful onboarding, the device is protected by Microsoft Intune. The user may then choose to:

  • Add the HKUST account to the current user.
    The user can then access eligible cloud resources such as Office 365, OneDrive and Teams. The existing user data, configuration and applications are kept. However, this profile cannot readily access on-premises domain resources such as network shares; additional configuration or login may be needed.
  • Log in to the device using the HKUST account.
    A new user profile will then be created. The user can readily access on-premises domain resources without further logon. Eligible cloud resources are also available. To access existing user data, you may need to log in again using the existing account.
 
Steps to be performed by device user
  1. Make sure the device is running Windows 10/11 Professional or Enterprise edition
  2. Rename device
  3. Keep the current device and join Entra ID as added protection
  4. Add HKUST account to current user
  5. Verify Intune Enrollment
Content

A. Make sure the device is running Windows 10/11 Professional or Enterprise edition

To enroll in Microsoft Intune, your Windows device must be running the Professional or Enterprise edition. To check your device's Windows edition, go to "Settings", then "System", and select "About". The edition is shown in the "Windows Specifications" section.

If the Windows edition is not Professional or Enterprise, you may upgrade it as follows:

  • Windows 10: Go to "Settings", then "Update and Security", and select "Activation". Make sure your device's Windows version is Windows 10 Home, then click "Change product key".
  • Windows 11: Go to "Settings", then "System", and select "Activation". Make sure your device's Windows version is Windows 11 Home, then at the "Change product key" row, click "Change".

Now, at the "Enter a product key" dialog, enter the Enterprise KMS setup key NPPR9-FWDCX-D2C8J-H872K-2YT43 or a MAK key, and then click "Next".

You will then be prompted to upgrade your edition of Windows. Press "Start" to begin the upgrade process.

The upgrade process may take a few minutes, and your device will restart after the upgrade.

 


B. Rename device

At this stage, the device will have an arbitrary computer name such as "DESKTOP-ABCDEFG" or "LAPTOP-ABCDEFG". ITSO imposes no restriction on computer names for new Windows 10/11 devices enrolling in Intune. However, we strongly recommend changing your device name at this stage: doing so makes device management easier for you and helps locate the device in case of future security alerts. ITSO suggests the following naming convention:

  • [dept]-[Abbreviation or Team or Owner]-[sequence]
    e.g., ITSO-DIR-001, ITSO-PROJ-001 or ITSO-CCTEST-001

To do so, go to "Settings", then "System", and select "About". From there, click on "Rename this PC" to change the device name.


After renaming your PC, a reboot is required for the change to take effect.


C. Keep the current device and join Entra ID as added protection

This option is for non-domain-joined devices whose users want to keep everything and join Entra ID with Microsoft Intune to benefit from additional security features. The procedure is the same for Windows 10 and Windows 11.

  1. Go to "Settings", then "Accounts", and select "Access work or school". From there, click on "Connect" to proceed.
  2. On the "Set up a work or school account" screen, select "Join this device to Microsoft Entra ID".
  3. Now, sign in with your HKUST account credentials. Once the sign-in process is complete, you may proceed to reboot your machine.

D. Add HKUST account to current user

This option enables the current user (non-ITSC account) to access eligible cloud resources such as Office 365, OneDrive, and Teams. The procedure is the same for Windows 10 and Windows 11.

  1. Go to "Settings", then "Accounts", and select "Email & accounts". From there, click on "Add a work or school account".
  2. Now, sign in with your HKUST account credentials.
  3. Upon completion, open applications such as OneDrive or Teams and click "Sign-In". You only need to enter your HKUST email address; you can then access the application without providing a password.

E. Verify Intune Enrollment

To verify your device Intune enrollment status, follow these steps:

  1. Go to "Settings" on your device.
  2. Select "Accounts" and then choose "Access work or school."
  3. Look for the presence of "Managed by HKUST - Info" under the "Connected to HKUST's Entra ID" section.
  4. If you see "Managed by HKUST - Info" listed under "Connected to HKUST's Entra ID," it indicates that your device is successfully enrolled in Intune.

To verify if your device is protected by Microsoft Defender for Endpoint, follow these steps:

  1. Open the "Windows Security" application on your device.
  2. Look for the presence of "ITSO Support" within the application page.
  3. If you see "ITSO Support" listed in the "Windows Security" application, it indicates that your device is protected by Microsoft Defender for Endpoint.
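
The checks in sections A, B, C and E can also be read from the command line. The PowerShell below is an added example, not part of ITSO's procedure: the function names and the name pattern (one reading of the suggested [dept]-[team]-[sequence] convention) are assumptions, and the sample dsregcmd output is constructed with placeholder values.

```powershell
# Added example: command-line counterpart to the checks in sections A, B, C and E.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    # dsregcmd /status prints "Key : Value" pairs; collect them into a hashtable.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*\S)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    $state
}

function Test-OnboardingState {
    param([string]$EditionId, [string]$ComputerName, [hashtable]$Dsreg)
    [pscustomobject]@{
        # Section A: Home reports EditionID "Core" and is not eligible.
        EditionEligible       = $EditionId -match '^(Professional|Enterprise)'
        # Section B: assumed pattern for the convention; 15 is the NetBIOS name limit.
        NameFollowsConvention = ($ComputerName -match '^[a-z]+-[a-z0-9]+-\d+$') -and
                                ($ComputerName.Length -le 15)
        # Section C result: joined to Entra ID and not to an on-premises domain.
        EntraJoined           = $Dsreg['AzureAdJoined'] -eq 'YES'
        DomainJoined          = $Dsreg['DomainJoined'] -eq 'YES'
        # The tenant advertised an MDM enrollment endpoint during the join.
        MdmUrlAdvertised      = -not [string]::IsNullOrWhiteSpace($Dsreg['MdmUrl'])
    }
}

# Constructed sample of dsregcmd /status output (placeholder values, not a real device).
$sample = @'
             AzureAdJoined : YES
              DomainJoined : NO
                TenantName : EXAMPLE-TENANT
                    MdmUrl : https://mdm.example.invalid/enroll
'@ -split "`r?`n"
# A Home-edition device that was joined but never renamed: two checks come back False.
Test-OnboardingState -EditionId 'Core' -ComputerName 'DESKTOP-ABCDEFG' `
    -Dsreg (ConvertFrom-DsregStatus $sample)

# Live check on the device being onboarded (runs only where dsregcmd.exe exists).
if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    Test-OnboardingState -EditionId $cv.EditionID -ComputerName $env:COMPUTERNAME `
        -Dsreg (ConvertFrom-DsregStatus (dsregcmd.exe /status))
    # "Sense" is the Microsoft Defender for Endpoint sensor service.
    Get-Service -Name Sense -ErrorAction SilentlyContinue | Select-Object Name, Status
}
```

An advertised MdmUrl only shows that an enrollment endpoint was offered; the "Managed by HKUST - Info" entry in section E remains the confirmation that the device is enrolled.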