Reference: Learn about Windows Hello and set it up
Microsoft has published a detailed procedure for connecting to a remote Azure Active Directory-joined PC.
According to this document, there are limitations when connecting to an Azure AD-joined device. See Supported Configurations for a detailed description.
Allow a user to access a device via Remote Desktop
- Log in to the device that you want to connect to via Remote Desktop.
- Start an elevated command prompt: press Windows + R, type cmd in the Run box, and press Ctrl + Shift + Enter. Click Yes in the pop-up User Account Control window.
- Type the following command:
net localgroup "Remote Desktop Users" /add "AzureAD\<ITSC Network Account>@ust.hk"
Here <ITSC Network Account> is the account that you'll use during connection.
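The steps above as a script, as an added example that is not ITSC's or Microsoft's own: it refuses to run unelevated, adds the account with the same net localgroup command, and then lists the group's current members so that Remote Desktop access can be reviewed. The account name jdoe and the name-format check are assumptions.

```powershell
# Added example: grant one Azure AD account Remote Desktop access, then review the group.
param(
    # Constructed placeholder for <ITSC Network Account>; replace with the real name.
    [string]$Account = 'jdoe'
)

$group = 'Remote Desktop Users'

# Assumption: account names contain only letters, digits, '.', '_' and '-'.
# Rejecting anything else keeps quotes and spaces out of the command line.
if ($Account -notmatch '^[A-Za-z0-9._-]+$') {
    throw "Unexpected characters in account name '$Account'."
}
$member = 'AzureAD\{0}@ust.hk' -f $Account

# net localgroup /add needs an elevated session; stop early if this one is not.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell prompt.'
}

# Same command as on the page. A non-zero exit code covers both real failures
# and "already a member", so report net's own message instead of guessing.
$output = & net.exe localgroup $group /add $member 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning ("net localgroup exited with code {0}: {1}" -f $LASTEXITCODE, ($output -join ' '))
} else {
    Write-Host "Added $member to '$group'."
}

# List every member through the WinNT ADSI provider so the result can be reviewed
# and accounts that no longer need Remote Desktop access can be spotted.
$adsiGroup = [ADSI]("WinNT://{0}/{1},group" -f $env:COMPUTERNAME, $group)
$members = @($adsiGroup.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
}

Write-Host "Current members of '$group':"
$members | ForEach-Object { Write-Host "  $_" }
```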
Remote Desktop Login
First, make sure the device you are using (e.g. a home device) complies with Microsoft's Supported Configuration. To log in to an AAD-joined PC:
- Enter the username in this format:
  AzureAD\<ITSC Network Account>@ust.hk
Here <ITSC Network Account> is the account that you have added in the above step on the target remote desktop device.
Sometimes your device may not have synchronized properly with Microsoft Endpoint Manager, or a system administrator may ask you to force a synchronization with Microsoft Endpoint Manager. Here is the procedure:
- Make sure you've logged in to the device using the device owner's ITSC network account.
- Open "Settings", "Accounts", "Access work or school".
- Click the "Work or school account" entry with the owner's ITSC network account, then click the "Info" button.
- Check under "Device sync status" section to see if there are errors, or if the "Last Attempted Sync:" is long ago.
- Click "Sync" to start forced synchronization.
- Upon finishing, you may see the message: "The sync was successful".
Sometimes, when a device has crashed and needs recovery actions, you may be prompted to provide the BitLocker key to proceed. Here is the procedure to look up your account and retrieve the BitLocker key:
- Log in to https://myaccount.microsoft.com/device-list using your ITSC account.
- Find the matching device in the list and expand it. If you cannot find the matching device, the device was probably not registered using the account that you logged in with above.
- Click "View Bitlocker Keys" and then "Show recovery key" to get back the Bitlocker key.
- Proceed to the device asking for the key, type the key and start further recovery.
If you registered the device with a personal Microsoft account, log in to https://account.microsoft.com/devices/ instead. A personal Microsoft account typically looks like @outlook.com or @hotmail.com.
Purchased Windows devices usually come with either Home or Professional Edition. Reset Windows devices retain the previously installed edition. For re-installed Windows devices, the edition depends on the media used for re-installation.
Typically, you can identify the Windows version when you are asked to provide login details during installation:
Home Edition | Professional Edition | Enterprise Edition |
---|---|---|
In short, during device installation:
Home Edition |
|
Professional Edition |
|
Enterprise Edition |
|
There are scenarios in which a user may want to reassign an Intune-managed device to another user:
- Existing owner is leaving HKUST.
- Owner may transfer to another department.
- Department may need to reassign devices to other colleagues.
ITSC recommends "Reset the device to factory setting and onboard Microsoft Intune". This clears the machine's old registration and sets it up afresh.
If the user would like to keep the installed software, they may opt for "Sysprep the device".
The above options must be performed using an administrative account of the device. If the administrative account cannot be used, one must opt for "Use USB Flash Drive to Reinstall Windows and onboard Microsoft Intune".
UG and PG students' cloud accounts have the suffix @connect.ust.hk. In general, these accounts cannot log in to office devices that are managed by the Microsoft Intune service.
To allow students to log in to an office device, that device must be joined to the on-premises domain.