4. Set up your computer
Set up your new Windows 11 device
After you complete the steps on the Account Setup and PRMFA Setup pages, follow these instructions to complete your setup.
The OEM image includes Windows 11 and Microsoft 365 Apps (formerly Office 365 Pro Plus).
Important: An internet connection is required to complete the setup of your new Windows 11 device.
If you are setting up a BYOD/personal Windows device, please note the following limitations:
- Your BYOD/personal device must be running Windows 11 Pro or Enterprise. Home edition is not supported.
- Windows OS Workplace Join (WPJ) is no longer supported in the production environment. Devices must be enrolled in Microsoft Entra ID.
Device setup
Step 1: Before you begin, ensure your device is connected to a power supply and is connected to the internet. Then turn on your device.
Step 2: Select the country or region for your device and then select Yes.
Step 3: Select your preferred keyboard layout or input method and select Yes.
Step 4: If you want to add a second keyboard layout select Add layout. Otherwise, select Skip to continue.
Step 5: Choose your preferred network and select Connect. If you're setting up your device in a Microsoft building, select MSFTGUEST.
Note: If you are unable to connect to the MSFTGUEST network, we recommend connecting via wired ethernet cable or personal Wi-Fi network with internet access to complete setup. Once setup is complete and policies are applied, you can connect to the MSFTCONNECT wireless network.
Step 6: Windows will next check for updates. Your device may restart during this time.
Step 7: After any updates are complete, you should see the page Let’s set things up for your work or school. If you are prompted on how to set up your device, select Set up for work or school and select Next.
Step 8: Enter your Microsoft corporate email address (alias@microsoft.com) and select Next.
Step 9: If you are a new employee, enter your password or temporary access pass (TAP) and then select Sign in. If you are an existing employee setting up a new device, you can skip to step 11.
Step 10: Select Sign in with your phone or token device and authenticate from your mobile device.
Step 11: For existing employees, instead of the above steps, you should be prompted to open your Authenticator App and enter the number shown to sign in. If you completed steps 9-10 successfully, skip to step 12.
Step 12: It will take a few minutes to complete setup after entering your credentials and your device may restart. After Device preparation is completed, you can continue by selecting Continue anyway.
Note: This prompt might appear again, and you should again select Continue anyway.
Step 13: Next you will see a prompt to configure Windows Hello, which is a required security component. Select Yes, set up to configure now. If your device does not have either a Windows Hello supported camera or a fingerprint scanner, select Skip for now. Skip to step 14 of this document.
Step 14: You will be prompted to create a PIN. Select Next.
Step 15: Well done! Your device is now set up and you can sign into Windows 11 with your corporate credentials.
Step 16: In the Windows search box, type Check for updates and then select the first result. Install any recommended updates and restart your device if needed.
After successfully installing all updates, you are now ready to access internal resources. To learn more about those resources, and make your first few days more productive, visit the New Joiner Site Page.
Need to be productive while on the go? Then set up your mobile phone to access your work emails or join meetings! Visit our Mobile device setup guide to learn how.
Set up Azure Virtual Desktop
If you don't have a dedicated Microsoft device, you can still access Microsoft resources from any device using Azure Virtual Desktop (AVD).
Using the AVD client
Step 1: Install the Azure Virtual Desktop Client for your device.
- Windows (or modern appWindows App)
- Android
- MacOS
- iOS
Step 2: Open the Microsoft Remote Destop app (or Windows app).
Step 3: Click Subscribe and sign in with your Microsoft corporate user credential and Multi-Factor Authentication you setup in the earlier steps.
Step 4: Select the Desktop icon in the region that's geographically closest to you. Cloud regions are preferred.
Using AVD on the web
Step 1: Open the Microsoft Remote Desktop web version.
Step 2: Signing-in is required to see the Desktops page, and sign-in is not required when accessing a Desktop.
Sign in using your Microsoft corporate email account (alias@microsoft.com) with your PRMFA setup.
Step 3: Select the Desktop icon in the region that's geographically closest to you.
You are now ready to access internal resources. To learn more about those resources, and make your first few days more productive, visit the New Joiner Site Page.
Need to be productive while on the go? Then set up your mobile phone to access your work emails or join meetings! Visit our Mobile device setup guide to learn how.
Set up your corporate-owned Mac device
If you were issued a new corporate-owned Mac device, it will arrive connected to the Microsoft corporate tenant through Apple Business Manager (ABM). ABM support is available for new devices purchased in the US, Canada, EMEA, and more locales.
Turn on your ABM-connected device for the first time and follow these steps:
Step 1: The first time you turn on your device, the Remote Management page appears:
Step 2: Sign in with your Microsoft credentials and complete multifactor authentication (MFA).
Step 3: The Migration Assistant page is not included in the out-of-the-box experience but is available after setup is complete. If you're using Migration Assistant to transfer settings from another Mac, clear the System & Network checkbox. Leaving this checked will result in corruption that will require you to reset your device.
Step 4: During setup, you'll be prompted to sign in with your Apple ID or create one. You'll then be asked to create a local computer account. This is different from your Microsoft account and you should not use the same password.
Step 5: During setup, you'll also be prompted to use FileVault Disk Encryption; select Turn on FileVault disk encryption. This is required. If you don't enable FileVault at this point, it will be enforced after you complete Company Portal enrollment.
Important: After the out-of-the-box experience is complete, ensure your device is upgraded to the latest version of macOS before proceeding.
Step 6: After upgrading to the latest version of macOS, open the Company Portal app from Launchpad to complete your enrollment.
Step 7: Select Sign in and enter your Microsoft credentials.
Step 8: During enrollment, you may be prompted for the local computer account and then find your password is not accepted. This is a bug we've filed with Apple. To resolve this, restart your Mac. When you log in with your local computer account password, you'll be prompted to change the password. At this point, you can set it to match your Microsoft account password.
Step 9: Review the Software License Agreement and installation details for the Company Portal app. After your device completes the enrollment process, it should receive the corporate wireless certificate within 20 minutes.
Step 10: Along with Company Portal, Microsoft Defender for Endpoint (MDE) and Microsoft Edge are automatically installed during setup.
Step 11: If you did not need to restart and change your password at step 8, do so now before proceeding. Then follow the steps in the PRMFA Setup section to Add PRMFA Passkey to Mac device.
Note: There is a known issue on newly enrolled macOS devices where Company Portal shows the device as non-compliant and reports that user needs to install MDE when it's already installed. This issue should resolve within 48 hours and requires no action on your part. It should not affect your ability to access company resources.
Set up a non-ABM Mac
If you were issued a Mac device that does not show the Remote Management page when turned on for the first time, the device does not support ABM. In these cases, follow these steps:
Step 1: Make sure your device is connected to the internet. If you're at a Microsoft worksite, connect to MSFTGUEST.
Step 2: Complete the normal out-of-the-box experience. Ensure your device is upgraded to the latest version of macOS before proceeding.
Step 3: Download the Company Portal app by visiting Enroll My Mac. From your Downloads, run the Company Portal installer package and follow the steps to begin installation.
Step 4: You'll be prompted for your local account credentials. Enter the password and select Install Software.
During this step, some devices may hit a password failure despite typing in the correct password. This is a bug we've filed with Apple. To resolve this, restart your Mac. When you log in with your local computer account password, you'll be prompted to change the password.
Step 5: Wait for Company Portal to finish installing and then open the Company Portal app.
Step 6: Sign in with your Microsoft credentials and complete multifactor authentication (MFA).
Step 7: Follow the steps to register your Mac device with Intune.
Step 8: Install the management profile by selecting Download profile. In the confirmation window, select Install.
Step 9: Another confirmation window opens, which shares the information that the administrator might collect from your device. Review the details and then select Install to continue. You’ll be prompted to provide your local admin password again.
Step 10: After enrollment is complete, your Mac will appear in the Company Portal.
Step 11: Reboot your Mac. When logging in, you'll be prompted to change your local computer account password.
Step 12: Microsoft Defender for Endpoint (MDE) and Microsoft Edge are automatically installed during setup.
Step 13: FileVault disk encryption is required for connecting to Microsoft resources. If you don't have FileVault enabled on your Mac, it will be enforced after you complete Company Portal enrollment.
Note: There is a known issue on newly enrolled macOS devices where Company Portal shows the device as non-compliant and reports that user needs to install MDE when it's already installed. This issue should resolve within 48 hours and requires no action on your part. It should not affect your ability to access company resources.
You are now ready to access internal resources. To learn more about those resources, and make your first few days more productive, visit the New Joiner Site Page.
Need to be productive while on the go? Then set up your mobile phone to access your work emails or join meetings! Visit our Mobile device setup guide to learn how.
