Guide for re-installing Windows 10/11 and onboarding to Microsoft Intune

This procedure is for reinstalling Windows 10/11 devices and opting in to the device management scheme; see Device management using Microsoft Intune.

  • For an existing device that is in use and not AD joined, please refer to the "To join an already configured Windows 10/11 device" section here.

Getting Started

Steps to be performed by device user (who must possess a valid ITSC staff account)

  1. Make sure the device is running Windows 10/11 Professional or Enterprise edition
  2. Determine a reinstall strategy to onboard Microsoft Intune
    1. Reset device to factory setting and onboard Microsoft Intune
    2. Sysprep the device to Out-of-box Experience (OOBE) mode and onboard Microsoft Intune
    3. Use USB flash drive to reinstall Windows 10/11 and onboard Microsoft Intune
  3. Install Windows 10/11 Enterprise and enroll the device using ITSC account of the device user (May take about 15-30 min)
  4. Enable Windows Hello PIN and Rename Device
  5. Verify Intune Enrollment

Content

A. Make sure the device is running Windows 10/11 Professional or Enterprise edition

To enroll in Microsoft Intune, a Windows device must be running the Professional or Enterprise edition. To check your device's Windows edition, open "Settings", "System", "About" and look under the "Windows Specifications" section.

If the Windows version is not Professional or Enterprise, you may:

  • Windows 10: Open "Settings", "Update and Security", "Activation". Make sure your device's Windows version is Windows 10 Home, then click "Change product key".
  • Windows 11: Open "Settings", "System", "Activation". Make sure your device's Windows version is Windows 11 Home, then at the "Change product key" row, click "Change".

Now, at the "Enter a product key" dialog, enter the Enterprise KMS setup key NPPR9-FWDCX-D2C8J-H872K-2YT43 or a MAK key, and then click "Next".

You'll then be prompted to upgrade your edition of Windows; just press "Start" to begin the upgrade process.

The upgrade process may take a few minutes, and your device will restart after the upgrade.

B. Determining a strategy to Onboard Microsoft Intune

To onboard an existing Windows device to Microsoft Intune, you may choose one of the following:

  • Reset the device to factory setting and onboard (RECOMMENDED)
    This option removes everything (installed programs, configurations and user data) on the device. Upon reset, the machine can be treated as a new Windows 10/11 installation before it is distributed to users. ITSC recommends this option for most usage scenarios, such as a change of device ownership.
  • Sysprep the device to OOBE mode and onboard
    This option removes all configurations and user data on the device and turns the device to Out-of-Box Experience (OOBE) mode. Installed programs will be retained. This option is best suited to cases where department IT support has set up a new device and installed some required software on it, and then uses this option to distribute the device to the actual user without leaving behind the credentials used by department IT support.
  • Use USB flash drive to reinstall Windows 10/11 and onboard
    Unlike the first option above, this option uses an external USB flash drive to install a brand-new Windows 10/11. One may choose this option when the hard disk of the device is corrupted or has been replaced.


For existing devices that have already joined the on-premises domain, you can keep using the device without onboarding to Microsoft Intune. Should such devices be upgraded or replaced, ITSC recommends onboarding them to Microsoft Intune.

B1. Reset the device to factory setting and onboard Microsoft Intune

This procedure will delete everything on the device and leave it as a new Windows 10/11 Enterprise installation.

  • Windows 10: Open "Settings", "Update and Security", "Recovery" and click the "Get started" button under the "Reset this PC" section.
  • Windows 11: Open "Settings", "System", "Recovery" and click "Reset PC".

Select "Remove everything".

Select "Cloud download". This will give you the latest version of Windows 10/11 Enterprise.

Click "Next" to proceed.

Finally, click "Reset" to reset the computer to a fresh installation of Windows 10/11 Enterprise.

Now, wait for the system to reset your device. This process may take around 30-45 min. When finished, the device will reboot into the new installation interface. Please proceed to "Install Windows 10/11 Enterprise and Enroll the device using ITSC account of the device user" for the next step.

B2. Sysprep the device to OOBE mode and onboard Microsoft Intune

NOTE: If you opt for this method on newly delivered devices, SYSPREP may fail due to disk encryption (based on BitLocker). To fix the error, one needs to decrypt the system volume before running SYSPREP. A detailed illustration can be found at "SYSPREP WAS NOT ABLE TO VALIDATE YOUR WINDOWS INSTALLATION".

This option removes all configurations and user data on the device and turns the device to Out-of-Box Experience (OOBE) mode. Installed programs will be retained. This option is best suited to cases where department IT support has set up a new device and installed some required software on it, and then uses this option to reset the computer and pass the device to the actual user without leaving behind any credentials used. To do so:

  1. Start an elevated command prompt: press Windows + R, type cmd in the Run box, and press Ctrl + Shift + Enter. Click Yes in the pop-up User Account Control window.
  2. Type the command
    %SYSTEMROOT%\system32\sysprep\sysprep.exe /generalize /oobe /shutdown
  3. The system will process the request and shut down afterwards.

After shutdown, the device is ready to be dispatched to the actual user. When the device is powered up, please proceed to "Install Windows 10/11 Enterprise and Enroll the device using ITSC account of the device user" for the next step.
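
A pre-flight check for the Sysprep procedure above, combined with the edition requirement from section A. This is an added example, not a script from ITSC or the original guide. It assumes an elevated PowerShell session with the built-in BitLocker module, and the function name Test-SysprepReady is made up for illustration. It tests the volume's encryption state rather than its protection state, because a volume can be encrypted while protection is off.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-flight checks before Sysprep. Not part of the original guide.

function Test-SysprepReady {
    [CmdletBinding()]
    param(
        # System volume to inspect; defaults to the drive Windows is installed on.
        [string]$MountPoint = $env:SystemDrive
    )

    $problems = @()

    # Section A: the guide requires Professional or Enterprise edition.
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    if ($edition -notin 'Professional', 'Enterprise') {
        $problems += "Edition '$edition' is not Professional or Enterprise."
    }

    # B2 note: Sysprep may fail while the system volume is still encrypted.
    # VolumeStatus must be FullyDecrypted; suspended protection is not enough.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        $problems += "$MountPoint is '$($vol.VolumeStatus)' ($($vol.EncryptionPercentage)% encrypted). " +
                     "Run Disable-BitLocker -MountPoint $MountPoint and wait for decryption to finish."
    }

    [pscustomobject]@{
        Ready    = ($problems.Count -eq 0)
        Edition  = $edition
        Volume   = $MountPoint
        Status   = $vol.VolumeStatus
        Problems = $problems
    }
}

$check = Test-SysprepReady
$check | Format-List

if ($check.Ready) {
    # Same command line as step 2 of the procedure.
    & "$env:SystemRoot\System32\Sysprep\sysprep.exe" /generalize /oobe /shutdown
} else {
    Write-Warning 'Sysprep not started; resolve the problems listed above first.'
}
```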

 

B3. Use USB flash drive to reinstall Windows 10/11 and onboard Microsoft Intune

When the hard disk of a device is corrupted or has been replaced, the above two options may not work. To install a brand-new Windows 10/11 on that device, one may need to download the Windows 10/11 installation ISO image and write it to a bootable USB flash drive. Then use this USB flash drive to boot the device to be re-installed and proceed with the installation. The detailed procedures can be found at:

Once the device boots from the USB flash drive, installation begins. Please proceed to "Install Windows 10/11 Enterprise and Enroll the device using ITSC account of the device user" for the next step.


C. Install Windows 10/11 Enterprise and Enroll the device using ITSC account of the device user

Following the set-up instructions of Windows 11 Enterprise
  1. Follow the set-up instructions.
  2. At the following prompt, enter your ITSC credential.
    Note that the account you provide here will be the owner and administrator of the device.
  3. Wait until the installation has completed and follow the setup instructions.

D. Enable Windows Hello PIN Login and Rename Device

Once installation has completed and the machine has booted, you'll be given the option to configure Windows Hello. Windows Hello is a new way of signing into your device using a PIN or biometrics. You need not use a complex password to log in. Please refer to the Passwordless Strategy in HKUST page for details.

Now, just follow the on-screen instructions to sign in to your ITSC network account again. If you have not yet set up Azure MFA, you'll be asked to set it up at this step, before the Windows Hello PIN. This is required as it is used to reset the Windows Hello PIN or biometric if needed. We recommend setting up the Microsoft Authenticator app as your preferred Azure MFA method; you can enable passwordless authentication for browser-based applications later.

Follow the steps and you'll finally reach "All Set".

Your new desktop device installation is now complete. You may log in to your ITSC account on this device using the PIN in future.

At this stage, the device will have an arbitrary computer name like "DESKTOP-ABCDEFG" or "LAPTOP-ABCDEFG". ITSC imposes no restriction on the computer name for new Windows 10/11 devices enrolling to Intune. However, we strongly recommend changing your device name at this stage. Changing the device name now makes devices easier to manage. It also helps to locate the device should security alerts be raised in future. ITSC suggests using the following naming convention:

  • [dept]-[Abbreviation or Team or Owner]-[sequence]
    e.g., ITSC-DIR-001, ITSC-PROJ-001 or ITSC-CCTEST-001

To do so, in "Settings", "System", "About", click "Rename this PC".

After renaming the PC, a reboot is required for the change to take effect.


E. Verify Intune Enrollment

  1. Verify Intune enrollment.
    You can verify your device's enrollment status by checking for the presence of "Managed by HKUST - Info" under "Settings", "Accounts", "Access work or school", "Connected to HKUST's Azure AD".
  2. Verify Microsoft Defender for Endpoint protection.
    Your device should also be protected by Microsoft Defender for Endpoint. This can be verified by checking for the presence of "ITSC Support" under the "Windows Security" application page.
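
A command-line counterpart to the Settings checks in sections D and E, useful when verifying several devices. This is an added example, not a script from ITSC or the original guide, and the function name Get-OnboardingStatus is made up for illustration. It relies on `dsregcmd /status` for the Azure AD join state, on the `MS DM Server` provider ID under the Enrollments registry key for the Intune enrollment, and on the `Sense` service for the Defender for Endpoint sensor.

```powershell
# Added example: command-line counterpart to the Settings checks in sections D and E.
# Not part of the original guide; run in PowerShell on the enrolled device.

function Get-OnboardingStatus {
    # dsregcmd prints "Key : Value" lines; collect them into a hashtable.
    $state = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }

    # MDM enrollments are recorded under this key; Intune uses ProviderID "MS DM Server".
    $mdm = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        Get-ItemProperty -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderID -eq 'MS DM Server' } |
        Select-Object -First 1

    # "Sense" is the service name of the Microsoft Defender for Endpoint sensor.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DeviceName     = $env:COMPUTERNAME
        # Section D: a DESKTOP-/LAPTOP- name means the device was never renamed.
        HasDefaultName = $env:COMPUTERNAME -match '^(DESKTOP|LAPTOP)-'
        AzureAdJoined  = $state['AzureAdJoined'] -eq 'YES'
        TenantName     = $state['TenantName']
        IntuneEnrolled = [bool]$mdm
        EnrolledUpn    = $mdm.UPN
        DefenderSensor = if ($sense) { [string]$sense.Status } else { 'NotInstalled' }
    }
}

$status = Get-OnboardingStatus
$status | Format-List

$ok = $status.AzureAdJoined -and $status.IntuneEnrolled -and
      $status.DefenderSensor -eq 'Running' -and -not $status.HasDefaultName
if (-not $ok) { Write-Warning 'One or more onboarding checks failed; review the values above.' }
```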