This procedure is for reinstalling Windows 10/11 devices and opting for the device management scheme. For more information, please refer to Device management using Microsoft Intune.
- For existing devices that are in use and not AD joined, please refer to the "To join an already configured Windows 10/11 device" section available here.
Steps to be performed by device user (who must possess a valid HKUST account)
- Make sure the device is running in Windows 10/11 Professional or Enterprise editions
- Determine a reinstall strategy to onboard Microsoft Intune
  - Reset device to factory setting and onboard Microsoft Intune
  - Sysprep the device to Out-of-box Experience (OOBE) mode and onboard Microsoft Intune
  - Use USB flash drive to reinstall Windows 10/11 and onboard Microsoft Intune
- Install Windows 10/11 Enterprise and enroll the device using HKUST account of the device user (May take about 15-30 min)
- Enable Windows Hello PIN and Rename Device
- Verify Intune Enrollment
A. Make sure the device is running in Windows 10/11 Professional or Enterprise editions
To enroll in Microsoft Intune, a Windows device must be of Professional or Enterprise edition. To check your device's Windows version, go to "Settings", then "System", and select "About". You can verify the Windows edition in the "Windows Specifications" section.
If the Windows version is not Professional or Enterprise, you may:
Windows 10 | Windows 11 |
---|---|
Open "Settings", then go to "Update and Security", and select "Activation". Ensure that your device's Windows version is Windows 10 Home. If it is, click on "Change product key". | Open "Settings", then go to "System", and select "Activation". Ensure that your device's Windows version is Windows 11 Home. If it is, locate the "Change product key" option and click on "Change". |

Now, at the "Enter a product key" dialog, enter the Enterprise KMS setup key. You'll then be prompted to upgrade your edition of Windows. Simply press "Start" to begin the upgrade process. The upgrade process may take a few minutes, and your device will restart after the upgrade.
B. Determining a strategy to Onboard Microsoft Intune
To onboard an existing Windows device to Microsoft Intune, you may choose one of the following:
Reset the device to factory setting and onboard | This option will remove everything on the device, including installed programs, configurations, and user data. After the reset, this machine can be treated as a new Windows 10/11 installation before distributing it to users. ITSO recommends this option for most usage scenarios, such as changing device ownership. |
Sysprep the device to OOBE mode and onboard | This option removes all configurations and user data on the device, turning it into an Out-Of-Box Environment (OOBE) mode. However, installed programs will be retained. This option is best suited when the department IT support has installed new devices and required software on them. Using this option allows the device to be distributed to the actual user without leaving any credentials used by department IT support. |
Use USB flash drive to reinstall Windows 10/11 and onboard | Unlike the first option mentioned above, this option involves using an external USB flash drive to install a fresh copy of Windows 10/11. It is recommended to choose this option when the device's hard disk is corrupted or replaced. |
For those existing devices that have already joined the on-premises domain, you can continue using those devices without onboarding them to Microsoft Intune. However, if there is an upgrade or replacement of such devices, ITSO recommends onboarding them to Microsoft Intune.
B1. Reset the device to factory setting and onboard Microsoft Intune
This procedure will delete everything on the device and perform a fresh installation of Windows 10/11 Enterprise, effectively resetting the device to its initial state.
Windows 10 | Windows 11 |
---|---|
Open "Settings", "Update and Security", "Recovery" and click the "Get started" button under the "Reset this PC" section. | Open "Settings", "System", "Recovery", and click "Reset PC". |

- Select "Remove everything".
- Select "Cloud download". This will give you the latest version of Windows 10/11 Enterprise.
- Click "Next" to proceed.
- Finally, click "Reset" to reset the computer and make it a freshly installed Windows 10/11 Enterprise device.
Now, please wait for the system to reset your device. This process may take approximately 30-45 min. Once finished, the device will reboot and display the new installation interface. Proceed to the next step, "Install Windows 10/11 Enterprise and Enroll the device using HKUST account of the device user".
B2. Sysprep the device to OOBE mode and onboard Microsoft Intune
NOTE: If you choose this method on newly delivered devices, SYSPREP may fail due to disk encryption, such as BitLocker. To resolve this error, you will need to decrypt the system volume before proceeding with SYSPREP. For detailed instructions, please refer to SYSPREP WAS NOT ABLE TO VALIDATE YOUR WINDOWS INSTALLATION.
This option removes all configurations and user data on the device, turning it into an Out-Of-Box Environment (OOBE) mode. However, installed programs will be retained. This option is best suited when department IT support has installed a new device and some required software on it. You can use this option to reset the computer and pass the device to the actual user without leaving any credentials behind. To do so, follow these steps:
- Start an elevated command prompt by pressing Windows + R, typing cmd in the Run box, and pressing Ctrl + Shift + Enter. Click Yes in the pop-up User Account Control window.
- Type the command
%SYSTEMROOT%\system32\sysprep\sysprep.exe /generalize /oobe /shutdown
- The system will process the command and shut down afterwards.
After shutting down the device, it is now ready to be dispatched to the actual user. When powering up the device, please proceed to the next step: "Install Windows 10/11 Enterprise and Enroll the device using HKUST account of the device user".
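The NOTE above says sysprep can fail when the system volume is encrypted, and section A requires a Professional or Enterprise edition. The following pre-flight check is an added example, not ITSO's own tooling; the function name `Test-SysprepReadiness` is hypothetical, and it assumes the built-in BitLocker PowerShell module is present.

```powershell
# Added example; run in an elevated PowerShell session before sysprep.
function Test-SysprepReadiness {
    $problems = @()

    # Section A: onboarding needs Professional or Enterprise (Home reports 'Core').
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    if ($edition -notin @('Professional', 'Enterprise')) {
        $problems += "Edition '$edition' is not Professional or Enterprise."
    }

    # Get-BitLockerVolume needs administrator rights.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) {
        $problems += 'Session is not elevated; BitLocker state could not be read.'
    }
    else {
        # Check VolumeStatus, not ProtectionStatus: a newly delivered device can be
        # encrypted while protection is still Off, which is the case the NOTE warns about.
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
        if ($vol.VolumeStatus -ne 'FullyDecrypted') {
            $problems += ("{0} is {1} ({2}% encrypted). Decrypt it first, e.g. " +
                "Disable-BitLocker -MountPoint '{0}', and wait for FullyDecrypted.") -f
                $vol.MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage
        }
    }

    [pscustomobject]@{ Ready = ($problems.Count -eq 0); Edition = $edition; Problems = $problems }
}

$result = Test-SysprepReadiness
$result.Problems | ForEach-Object { Write-Warning $_ }
if ($result.Ready) {
    # Command from the procedure above; printed, not executed, so the operator decides when to run it.
    Write-Output "$env:SystemRoot\system32\sysprep\sysprep.exe /generalize /oobe /shutdown"
}
```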
B3. Use USB flash drive to reinstall Windows 10/11 and onboard Microsoft Intune
When the hard disk of a device is corrupted or replaced, the above two options may not work. To install a fresh copy of Windows 10/11 on the device, you will need to download the Windows 10/11 installation ISO image and create a bootable USB flash drive. Use this USB flash drive to boot the device to be re-installed and proceed with the installation. The detailed procedures can be found at:
- Windows 10 Installer Download (HKUST login required)
- Windows 11 Installer Download (HKUST login required)
After booting up the device using the USB flash drive, the installation process will commence. Please proceed to "Install Windows 10/11 Enterprise and Enroll the device using HKUST account of the device user" for the next step.
C. Install Windows 10/11 Enterprise and Enroll the device using HKUST account of the device user
- Follow the set-up instructions of Windows 11 Enterprise.
- At the following prompt, enter your HKUST account credential. Note that the account you provide here will be the owner and administrator of the device.
- Wait until the installation has completed and follow the setup instructions.
D. Enable Windows Hello PIN Login and Rename Device
Upon installation completion and machine boot up, you'll be given the option to configure Windows Hello. Windows Hello is a new way of signing into your device using a PIN or biometrics. You need not use a complex password to log in. Please refer to the Passwordless Strategy in HKUST page for details.
Now, simply follow the on-screen instructions to sign in with your HKUST account once again. If you haven't set up Azure MFA (Microsoft Multi-Factor Authenticator) yet, you'll be prompted to do so before setting up the Windows Hello PIN. This is required as it is used to reset the Windows Hello PIN or biometric if needed. We recommend setting up the Microsoft Authenticator App as your preferred Azure MFA method. You can enable passwordless authentication for browser-based applications at a later stage.
Follow the steps and you'll finally reach "All Set".
Your new desktop device installation is now complete. In future, you may log in to your HKUST account on this device using the PIN.
At this stage, the device will have an arbitrary computer name like "DESKTOP-ABCDEFG" or "LAPTOP-ABCDEFG". ITSO does not impose any restrictions on computer names for new Windows 10/11 devices enrolling to Intune. However, we strongly recommend changing the device name at this stage. Changing the device name now makes devices easier to manage. It also helps to locate the device if any security alerts are raised in the future. ITSO suggests using the following naming convention:
- [dept]-[Abbreviation or Team or Owner]-[sequence]
e.g., ITSO-DIR-001, ITSO-PROJ-001 or ITSO-CCTEST-001
To do so, in "Settings", "System", "About", click "Rename this PC".
After renaming the PC, a reboot is required for the change to take effect.
E. Verify Intune Enrollment
- Verify Intune Enrolment
You can verify your device enrolment status by checking the presence of "Managed by HKUST - Info" under "Settings", "Accounts", "Access work or school", "Connected to HKUST's Entra IDS".
- Verify Microsoft Defender for Endpoint protection.
Your device should also be protected by Microsoft Defender for Endpoint. This can be verified by checking the presence of "ITSC Support" under the "Windows Security" application page.
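The checks in sections D and E can also be run from PowerShell on the device; this is an added example, not ITSO's own tooling. The function name `Test-IntuneOnboarding` is hypothetical, and the `ProviderID` registry test, the `Sense` service test and the name pattern are assumptions layered on the Settings checks this page describes.

```powershell
# Added example; run on the enrolled device after the rename and reboot.
function Test-IntuneOnboarding {
    param(
        [string[]]$DsRegLines   = (dsregcmd.exe /status),
        [string]  $ComputerName = $env:COMPUTERNAME
    )

    # dsregcmd prints indented "Key : Value" lines; keep the first value seen per key.
    $state = @{}
    foreach ($line in $DsRegLines) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$' -and -not $state.ContainsKey($Matches[1])) {
            $state[$Matches[1]] = $Matches[2]
        }
    }

    # MDM enrollments are recorded under this key; Intune uses ProviderID 'MS DM Server'.
    $mdm = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        Get-ItemProperty -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderID -eq 'MS DM Server' }

    # 'Sense' is the Microsoft Defender for Endpoint sensor service.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName    = $ComputerName
        EntraJoined     = ($state['AzureAdJoined'] -eq 'YES')
        Tenant          = $state['TenantName']
        MdmEnrolled     = [bool]$mdm
        DefenderSensor  = ($null -ne $sense -and $sense.Status -eq 'Running')
        # Assumed reading of [dept]-[team or owner]-[sequence]; Windows caps
        # computer names at 15 characters, so ITSO-CCTEST-001 is already at the limit.
        NameFollowsRule = ($ComputerName -match '^[A-Za-z]+-[A-Za-z0-9]+-\d+$' -and
                           $ComputerName.Length -le 15)
    }
}

Test-IntuneOnboarding | Format-List
```

A device still carrying a default name such as "DESKTOP-ABCDEFG" reports `NameFollowsRule : False`, which makes unrenamed machines easy to spot before a security alert needs to be traced to an owner.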