FAQ - Microsoft Intune onboarded device
Q1: How can I configure Windows Hello for Business?
Q2: How can I access my Intune-managed device using Remote Desktop?

Microsoft has published a detailed procedure for connecting to a remote Azure Active Directory-joined PC.

According to this document, there are limitations when connecting to an Azure AD-joined device. See Supported Configurations for a detailed description.

Allow a user to access a device via Remote Desktop
  • Log in to the device that you want to connect to via Remote Desktop.
  • Start an elevated command prompt by pressing Windows + R, typing cmd in the Run box, and pressing Ctrl + Shift + Enter. Click Yes in the pop-up User Account Control window.
  • Type the following command:
    net localgroup "Remote Desktop Users" /add "AzureAD\<HKUST Account>@ust.hk"
    Here <HKUST Account> is the account that you'll use during connection.
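To confirm the change took effect and that the group holds only the accounts you intend, the following check can be run in an elevated PowerShell session on the target device. It is an added example, not part of the original FAQ; it assumes the output layout of dsregcmd and net localgroup shown in the comments, and the list of "broad" principals is an illustrative assumption.

```powershell
# Added example: verify the result of the "net localgroup ... /add" step.

function Get-JoinState {
    # dsregcmd /status prints lines such as "AzureAdJoined : YES".
    $state = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(\S+)') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-RdpGroupMember {
    # net localgroup lists members after a dashed rule; the last non-empty
    # line is the completion message, so it is dropped.
    $out  = @(net.exe localgroup 'Remote Desktop Users')
    $seen = $false
    $rest = @()
    foreach ($line in $out) {
        if ($seen -and $line.Trim()) { $rest += $line.Trim() }
        elseif ($line -match '^-{5,}') { $seen = $true }
    }
    if ($rest.Count -le 1) { return @() }
    return @($rest[0..($rest.Count - 2)])
}

$join    = Get-JoinState
$ts      = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$members = Get-RdpGroupMember

"AzureAdJoined : $($join['AzureAdJoined'])"
# fDenyTSConnections = 0 means Remote Desktop connections are allowed.
"RDP enabled   : $($ts.fDenyTSConnections -eq 0)"
"Remote Desktop Users members ($($members.Count)):"
foreach ($m in $members) {
    # Assumption: these built-in principals would widen access well beyond
    # the single account added by the step above.
    $broad = $m -match '(^|\\)(Everyone|Authenticated Users|Users|Domain Users)$'
    $note  = if ($broad) { '   <-- broad group, review' } else { '' }
    "  $m$note"
}
```

Remove any member that no longer needs remote access with net localgroup "Remote Desktop Users" /delete followed by the account name.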
Remote Desktop Login

First, make sure the device you are connecting from (e.g., a home device) complies with Microsoft's Supported Configurations. To log in to an AAD-joined PC:

  • Enter the username in this format
    AzureAD\<HKUST Account>@ust.hk

  • Here <HKUST Account> is the account that you have added in the above step on the target remote desktop device.

Q3: How can I force sync with Microsoft Intune to get latest policies?

Sometimes your device may not have synchronized properly with Microsoft Endpoint Manager, or a system administrator may ask you to perform a forced synchronization with Microsoft Endpoint Manager. Here is the procedure:

  1. Make sure you've logged in to the device using the device owner's HKUST account.
  2. Open "Settings", "Accounts", "Access work or school".
  3. Click the "Work or school account" with the owner's HKUST account, then click the "Info" button.
  4. Check under "Device sync status" section to see if there are errors, or if the "Last Attempted Sync:" is long ago.
  5. Click "Sync" to start forced synchronization.
  6. Upon finishing, you may see the message: "The sync was successful".
Q4: How can I get back the BitLocker key when I am asked for it during system recovery?

Sometimes, when a device has crashed and needs recovery actions, you may be prompted to provide the BitLocker key to proceed. Here is the procedure to look up your account and get back the BitLocker key:

  1. Log in to https://myaccount.microsoft.com/device-list using your ITSO account.
  2. Find the matching device in the list and expand it. If you cannot find the matching device, the device was probably not registered using the account that you logged in with above.
  3. Click "View Bitlocker Keys" and then "Show recovery key" to get back the Bitlocker key.
  4. Proceed to the device asking for the key, type the key and start further recovery.

If you used a personal Microsoft account to register the device, log in to https://account.microsoft.com/devices/ instead. A personal Microsoft account usually looks like @outlook.com or @hotmail.com.

Q5: How can I know which Windows version is pre-installed on my device during first-time setup?

Purchased Windows devices usually come with either Home or Professional Edition. Reset Windows devices retain the previously installed version. For re-installed Windows devices, it depends on the media used for re-installation.

Typically, you can identify the Windows version when you are asked to provide login details during installation:


[Screenshots of the login prompts: Home Edition, Professional Edition, Enterprise Edition]


In short, during device installation:

Home Edition
  • Asks only for a Microsoft personal account for login.
  • Has the option to name the device.
Professional Edition
  • Asks for either a Microsoft personal account or a School account for login.
  • Has the option to name the device.
Enterprise Edition
  • Asks only for a School account for login.
  • The device needs to be renamed after installation.


Q6: How can I change device ownership?

There are scenarios in which an Intune-managed device needs to be changed over to another user:

  • The existing owner is leaving HKUST.
  • The owner may transfer to another department.
  • The department may need to reassign devices to other colleagues.


ITSO recommends "Reset the device to factory setting and onboard Microsoft Intune". This clears the machine's old registration and sets it up afresh.

If the user would like to keep the installed software, they may opt for "Sysprep the device".

The above options need to be performed using an administrative account on the device. If the administrative account cannot be used, one must opt for "Use USB Flash Drive to Reinstall Windows and onboard Microsoft Intune".

Q7: Can UG/PG students access Microsoft Intune-managed devices?

UG and PG students' cloud accounts have the suffix @connect.ust.hk. In general, their accounts cannot log in to office devices that are managed by the Microsoft Intune service.

To allow students to log in to an office device, that device must be on-premises domain joined.