In most cases, onboarding a device to Microsoft Intune should be done by the device owner. This procedure is for onboarding a device to Microsoft Intune via departmental IT support or a PC vendor.
Enroll in Microsoft Intune via a third-party account
A. Setup Enrollment Account (One Off)
To enroll devices for colleagues, the department must designate an account that acts as the "Enrollment Manager".
ITSC strongly recommends creating a departmental account for the "Enrollment Manager" purpose. To do so:
- Ask IDLP to apply for a departmental account.
- Ask IDLP to apply for the enrollment manager role, stating that this new account will be used for enrolling departmental devices to Microsoft Intune.
- Determine whether a security key, serving as Multi-Factor Authentication for that account, needs to be applied for.
B. Enroll device to Microsoft Intune using Enrollment Account
With the enrollment account and token dongle ready, one can use them to enroll devices to Microsoft Intune. Depending on the enrollment scenario, one may choose one of the following options:
- Set up newly acquired desktop and onboard Microsoft Intune
- Set up newly acquired notebook and onboard Microsoft Intune
- Re-install Windows 10/11 devices and onboard Microsoft Intune
- Onboard existing device to Microsoft Intune
Please follow one of the above instructions, replacing the ITSC network account with the departmental enrollment account.
C. Post Enrollment Tasks
Upon successful enrollment of the device, it is readily usable by other colleagues with a valid ITSC network account.
There are some points to note here:
- Administrative Access
By design, the account that enrolled the device to Microsoft Intune automatically becomes the administrator. If a department would like to retain administrative access to such devices and let users use them as general users, it may leave the current setup as is.
To delegate another user as device administrator:
- Start an elevated command prompt: press Windows + R, type cmd in the Run box, and press Ctrl + Shift + Enter. Click Yes in the pop-up User Account Control window.
- Type the command
net localgroup administrators /add "AzureAD\[User's ITSC account]@ust.hk"
- Then log in again using the user's account and check that the administrative privilege has been granted.
- Change Device Owner
If departmental IT support would no longer need to access the device, he/she may need to change the device owner. Details are as follows:
- Rename the computer using some meaningful identity, like [dept]-[Abbreviation or Team or Owner]-[sequence]. This step is highly recommended as it will be easier to locate the computer should alerts arise in future.
- Start an elevated command prompt: press Windows + R, type cmd in the Run box, and press Ctrl + Shift + Enter. Click Yes in the pop-up User Account Control window.
- Type the command
net localgroup administrators /add "AzureAD\[User's ITSC account]@ust.hk"
Here, the user's ITSC account refers to the owner's account.
- Then log in again using the owner's account and check that the administrative privilege has been granted.
- With the owner's account logged in, one may further remove the enrollment account from the device via "Settings" -> "Accounts" -> "Other Users". Expand the enrollment account and click "Remove".
- Then, departmental IT support needs to send an email to cchelp@ust.hk, using the following template:

From : [Departmental IT Support Account]@ust.hk
To : cchelp@ust.hk
Subject : Change Intune Device Owner

Dear CCHELP,

Please help to change the owner of an Intune device with the following details:

Intune Device Name : xxxxxxxxx
New Device Owner : yyyyyyyy@ust.hk

Best Regards,
zzzzzz
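
The "check if the administrative privilege has been granted" steps above can be confirmed from the group listing itself. The following PowerShell sketch is an added example, not part of the ITSC procedure: it parses the output of `net localgroup administrators` and reports whether the owner is an administrator and whether the enrollment account still is. The function names and the sample accounts are hypothetical, and it assumes the names are passed exactly as the command lists them on the device.

```powershell
# Added example. Function names and sample accounts are hypothetical/constructed.
function Get-AdminMembers {
    param([string[]]$NetOutput)
    # Members are listed after the dashed separator line.
    $sep = -1
    for ($i = 0; $i -lt $NetOutput.Count; $i++) {
        if ($NetOutput[$i] -match '^-{10,}\s*$') { $sep = $i; break }
    }
    if ($sep -lt 0) { throw 'Separator line not found: unexpected output format.' }
    $rest = @($NetOutput | Select-Object -Skip ($sep + 1) | Where-Object { $_.Trim() })
    # The last non-empty line is the command's status message, not a member.
    if ($rest.Count -le 1) { return @() }
    return @($rest[0..($rest.Count - 2)] | ForEach-Object { $_.Trim() })
}

function Test-AdminHandover {
    param([string[]]$Members, [string]$OwnerName, [string]$EnrollmentName)
    # -contains compares strings case-insensitively.
    [pscustomobject]@{
        OwnerIsAdmin         = $Members -contains $OwnerName
        EnrollmentStillAdmin = $Members -contains $EnrollmentName
        Members              = $Members -join '; '
    }
}

# Constructed sample output; on a real device use:
#   $output = net localgroup administrators
$output = @(
    'Alias name     administrators',
    'Comment        Administrators have complete and unrestricted access to the computer/domain',
    '',
    'Members',
    '',
    '-------------------------------------------------------------------------------',
    'Administrator',
    'AzureAD\deptenroll',
    'AzureAD\jdoe',
    'The command completed successfully.',
    ''
)

$members = Get-AdminMembers -NetOutput $output
Test-AdminHandover -Members $members -OwnerName 'AzureAD\jdoe' -EnrollmentName 'AzureAD\deptenroll'
```

If EnrollmentStillAdmin is True after a change of device owner, the enrollment account still holds administrator rights on the device.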