Skip to main content

Onboarding

Onboarding Device - Windows

  1. If a device is not Brand / OEM then (re)install Windows

    Use specific internal procedure, windows image etc. Keep in mind for secure boot to setup mode. EFI partition to be above 260 MB due to EFI firmware upgrades etc.

  2. Make sure that correct BIOS/EFI settings are configured, like:

    1. Enable Secure Boot
    2. Enable Device Guard
    3. Enable Virtualization Technology
    4. Enable Microsoft Pluton (if available)
    5. Specific other hardware vendor settings

  3. If company owned device and using Intune, then Enroll device to Windows Autopilot

    On fresh Windows installation and OOBE screen proceed with Shift+F10 to open CMD and get Autopilot info. Need to specify your GroupTag as per organization policy.

    PowerShell.exe -ExecutionPolicy RemoteSigned
    Install-Script -Name Get-WindowsAutopilotInfo -Force

    # Option A - Sign-in and add directly to Windows Autopilot devices 
    Get-WindowsAutopilotInfo -GroupTag "Default" -Online 
    Get-WindowsAutopilotInfo -GroupTag "Shared" -Online 

    # Option B - Get info to file
    Get-WindowsAutopilotInfo -GroupTag "Default" -OutputFile C:\AutopilotHWID.csv 
    Get-WindowsAutopilotInfo -GroupTag "Shared" -OutputFile C:\AutopilotHWID.csv

    If Option B is used, use import on Intune Admin Center > Enrollment > Windows Devices with proper account which has Intune Admin permissions

  4. Windows Out-Of-Box Experience (OOBE), go with one scenario:

    • Scenario A - Intune on Company owned device for one primary user (using Windows Autopilot - user driven deployment)
      1. Should not ask for initial language, if it asks, wait and reboot
      2. If Microsoft Entry hybrid - be connected to local network and connectivity to Domain Controller
      3. End-user sign-in with Microsoft Entra account. Can use Microsoft Authenticator, or (preferred) temporary access pass provided by IT admin
      4. Computer will start MDM/Intune enrollment (if hybrid, also local domain join)
    • Scenario B - Intune on Company owned device for shared user scenario (without primary user) (using Windows Autopilot - self-deployment)
      1. Should not ask for initial language, if it asks, wait and reboot
      2. If Microsoft Entry hybrid - be connected to local network and connectivity to Domain Controller
      3. Computer will start MDM/Intune enrollment (if hybrid, also local domain join)
    • Scenario C - Microsoft Entra cloud only (without Intune)
      1. End-user sign-in with Microsoft Entra account. Can use Microsoft Authenticator, or (preferred) temporary access pass provided by IT admin
    • Scenario D - Microsoft Windows Server Active Directory (without Intune)
      1. Sign-in to local Windows Server Active Directory
      2. Move AD computer object to corresponding AD Organization Unit
    • Scenario E - Without Microsoft Entra and without Windows Server Active Directory
      1. Ask for confirmation from project owner, should it be personal Microsoft Account, or Windows local account
      2. If using, hybrid or on-prem, move Windows Server Active Directory - Computer object to corresponding AD Organization Unit

  5. After OOBE which includes Intune enrollment and/or domain join, users can do the first login on Windows sign-in prompt:

    • If using hybrid, use Windows Server Active directory username or password
    • If using cloud-only, use Microsoft Entra account. Should use the web-sign option (available in a while after policy is deployed) with sign-in from temporary access pass (from IT admin, preferred) or with Microsoft authenticator

  6. After end-user first login, end-user need to setup Windows Hello for Business where use minimum PIN (additional options fingerprint, face recognition etc.). In future logins use username and PIN as minimum.

Onboarding Device - Android Corporate-owned, Fully managed user devices

  1. Must be factory reset
  2. On language prompt, tap few times on right blank space to open enrollment
  3. Scan QR code - Corporate Device Enrollment Token
  4. connect device to WiFi or mobile internet
  5. This device belongs to your organization> Next
  6. Setup your phone > Continue
  7. This device isn't private > Next
  8. Log in with user account and TAP
  9. Next set PIN/Password
  10. "Install Work Apps", choose Next
  11. On "Register your device" select Set-up and login with your MS account with TAP, and when registration is complete click "Done"
  12. Give Google Services permissions (location, diagnostic data etc...) and click on "Accept"
  13. Agree to End user License Agreement and click "Next"
  14. Configure Microsoft Authenticator app (login with company account and then register authenticator with company)
  15. Login to Microsoft Defender (if already logged in with company account account should be present, just select it) and give it requested permissions, wait for the scan to complete
  16. Open Outlook and Teams app, check if auto logged in (if already logged in with company account account should be present, just select it)

Onboarding Device - Android Personally-owned devices with work profile

  1. Install Intune Company Portal from Google Play store, https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal
  2. Login to Company Portal (using Microsoft Entra with TAP) and within Company portal:
    1. Create work profile
    2. Activate work profile
    3. On last step resolve any warnings and Confirm Device settings
  3. Configure Microsoft Authenticator app (login with company account and then register authenticator with company)
  4. Login to Microsoft Defender (if already logged in, company account account should be present, just select it)
  5. Open Outlook and Teams app, check if auto logged in (if already logged in with company account account should be present, just select it)

Onboarding Device - iOS web based enrollment

Reference: Set up web based device enrollment

  1. Open Safari and go to https://portal.manage.microsoft.com/enrollment/webenrollment/ios. Sign in with your work or school account (with TAP)
  2. On welcome screen select "Get started"
  3. On the next screen download management profile
  4. Open device settings > Profile downloaded> Install profile
  5. Root certificate > Install
  6. Confirm installation of default apps when prompted
  7. Configure Microsoft Authenticator app (login with company account and then register authenticator with company)
  8. Login to Microsoft Defender (if already logged in with company account account should be present, just select it)
  9. Open Outlook and Teams app, check if auto logged in (if already logged in with company account account should be present, just select it)

Onboarding User - Windows Users Profile

  1. After first Windows sign in - configure Windows Hello, PIN, and optionally FingerPrint, Face Recognition
  2. If using Lenovo notebook, configure Lenovo Vantage, setting: Device > Power > Battery charge threshold: On
  3. Install Other apps if needed from Microsoft Intune Web Company Portal
    1. Devices > Choose active this current device
    2. Apps > filter Availability: Device management required. Install apps:
      1. Microsoft 365 Apps

Onboarding User - Microsoft 365 Profile

  1. Configure Outlook as user
    • General > Language and Time
      • Turn on "Use my Microsoft 365 settings"
      • Time Format: 01:01 - 23:59
      • Time zone: UTC+01 Zagreb
    • General > Appearance - Dark mode: "Use system settings"
    • Mail > Compose and reply:
      • Configure "My signature"
      • Select default signatures: for new messages
      • Message format: Always show Bcc, Always show From
      • Reply All
    • Calendar > View
      • Calendar appearance - Monday
      • Time zones: Zagreb
    • Calendar > Events and invitations - Invitations from other people - Turn Off "Delete.."
    • Go to Outlook Places, set work location to Office
    • Set your work hours and location in Outlook
      • Mon-Fri
      • 9:00 - 17:00, Location: Office
      • Turn on "Show work location on my calendar"
      • Turn on "Share office location details"
    • User Profile, Add your pronouns, He/Him or She/Her
    • Add shared mailbox (if needed)
  2. Configure Microsoft Teams, Settings
  3. Edit your profile in Microsoft 365
    • Update About tab with your Biography, Skills, Interests and hobbies, Projects
  4. Connect your LinkedIn and work or school accounts
  5. Set Dynamics 365 - Personal Options (timezone and currency)