New Device Setup Processes

Asset Tracking

All devices must be checked out to the assigned user in IT Asset Database before handoff. This applies to Windows computers, Mac computers, and Samsung phones. Accurate asset records are essential for inventory management and device lifecycle tracking.

Windows Computers

Procurement

New Windows laptops deployed in the organization should be from Lenovo's ThinkPad line when possible. Micro Center in Saint Louis Park usually has very good deals on open box or manufacturer refurbished ThinkPads, and is our primary vendor. At the current time, we have not standardized on a specific model or specification, instead tailoring purchases to the computing needs of the role and user preferences (screen size, numpad, etc.).

After a device has been purchased, add the device and purchase info to the HOURCAR Asset Management database. An asset ID (e.g. HC-00123) will be assigned to the device.

Imaging with OSDCloud

We use OSDCloud for Windows imaging and deployment. OSDCloud installs a clean copy of Windows 11 Pro with the necessary drivers for the target hardware, replacing the need for manual driver injection and custom ISOs.

Staff computers should always be wiped after procurement, as they may come preinstalled with unsupported software (e.g. vendor bloatware, third-party antivirus).

Boot the target device from the OSDCloud USB drive and follow the on-screen prompts to install Windows 11 Pro.

Intune Enrollment and Autopilot

Once Windows is installed, the device needs to be enrolled in HOURCAR's Microsoft Intune environment and registered with Autopilot. This locks the device to our domain and ensures it can only be set up and used by HOURCAR staff.

  1. Collect the hardware hash — Open Terminal or PowerShell on the new device and run the PowerShell script found in the "Directly upload the hardware hash to an MDM service" section of this Microsoft Learn article: Manually register devices with Windows Autopilot. This will automatically collect all needed information and enroll the device.

  2. Configure in Intune — In the Microsoft Intune Admin Center, find the device in the Autopilot registered devices list. Identify it by its serial number, then:

    • Set the Device name to the asset ID from the Asset Database.
    • Set the Group tag to 0.
    • Select Assign User and choose the HOURCAR staff member who will receive the device.
  3. Add to security group — Add the device to the "Hardware - Windows - User Assigned" Security Group so that all necessary configuration policies are applied.

  4. Trigger Autopilot Reset — In Intune's Windows devices list, select the device and click Autopilot Reset. This may take up to 60 minutes to complete.

  5. Unassign yourself — After the reset begins, open the device's Properties in Intune and remove yourself as the primary user.
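
A handoff-readiness check for the settings in steps 2 through 5, added here as an example and not part of HOURCAR's tooling. It assumes device and asset records have already been exported into dictionaries; the field names, serial numbers, and addresses are hypothetical, and the asset ID pattern is inferred from the single example HC-00123.

```python
import re

# Assumption: asset IDs follow the shape of the page's one example, HC-00123.
ASSET_ID = re.compile(r"^HC-\d{5}$")
REQUIRED_GROUP = "Hardware - Windows - User Assigned"

def audit_device(dev, asset_db, technician):
    """Return findings for one device record; an empty list means ready for handoff."""
    asset = asset_db.get(dev["serial"])
    if asset is None:
        return ["serial has no Asset Database record"]
    findings = []
    if not ASSET_ID.match(dev["device_name"]):
        findings.append("device name is not an asset ID")
    elif dev["device_name"] != asset["asset_id"]:
        findings.append("device name should be " + asset["asset_id"])
    if dev["group_tag"] != "0":
        findings.append("group tag is not 0")
    if not dev["assigned_user"]:
        findings.append("no user assigned")
    if REQUIRED_GROUP not in dev["groups"]:
        findings.append("missing security group")
    if dev["primary_user"] == technician:
        findings.append("technician is still primary user")
    return findings

def audit_all(devices, asset_db, technician):
    """Map serial number -> findings, listing only devices that need attention."""
    report = {}
    for dev in devices:
        findings = audit_device(dev, asset_db, technician)
        if findings:
            report[dev["serial"]] = findings
    return report

# Constructed sample data; field names are hypothetical, not an Intune export format.
TECH = "it-tech@example.org"
ASSETS = {"SN-CONSTRUCTED-1": {"asset_id": "HC-00123"},
          "SN-CONSTRUCTED-2": {"asset_id": "HC-00124"}}
DEVICES = [
    {"serial": "SN-CONSTRUCTED-1", "device_name": "HC-00123", "group_tag": "0",
     "assigned_user": "alex@example.org", "groups": [REQUIRED_GROUP],
     "primary_user": "alex@example.org"},
    {"serial": "SN-CONSTRUCTED-2", "device_name": "HC-00125", "group_tag": "",
     "assigned_user": "", "groups": [], "primary_user": TECH},
    {"serial": "SN-CONSTRUCTED-3", "device_name": "HC-00126", "group_tag": "0",
     "assigned_user": "sam@example.org", "groups": [REQUIRED_GROUP],
     "primary_user": "sam@example.org"},
]

if __name__ == "__main__":
    for serial, findings in audit_all(DEVICES, ASSETS, TECH).items():
        print(serial, "->", "; ".join(findings))
```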

Device Handoff

After handing off the device to the user:

  • Check out the device to the user in IT Asset Database.
  • Be available to answer questions and assist with final setup.
  • Some staff may require specialized software that needs admin permissions — this is a good time to handle those installations.

Samsung Phones

Knox Enrollment

Samsung phones are managed through Samsung Knox. New devices must be manually enrolled in Knox before they can be managed through Intune.

  1. Register the device in Knox — Add the device to HOURCAR's Knox account using the QR code feature during initial device setup.
  2. Enroll in Intune — Once the device is registered in Knox, it will automatically enroll in Intune on the next device setup or factory reset. The Knox profile will direct the device through HOURCAR's enrollment process.
  3. Rename in Intune — After the device appears in Intune, rename it to match its IT Asset Database asset tag. This is important for keeping records consistent across systems.
  4. Check out in IT Asset Database — Check out the device to the assigned user in IT Asset Database.

Mac Computers

Add to Apple Business Manager

macOS devices must be registered in HOURCAR's Apple Business Manager account. This locks the device to our organization and ensures that users must sign in with their hourcar.org Managed Apple ID during setup.

Registration is done using the Apple Configurator app (iOS) during initial device setup, following the steps in this Apple support article.

Intune Enrollment

Once the device is registered in Apple Business Manager, it will automatically enroll in Intune. MacBooks are assigned to a dynamic Intune security group based on hardware ID, so no manual group assignment is needed.

Device Setup

Complete the macOS setup process on the device. The device will require the user to sign in with their hourcar.org Managed Apple ID — this is enforced by the Apple Business Manager enrollment. No additional software needs to be installed by IT at this stage.

Rename and Check Out

After the device appears in Intune, rename it to match its IT Asset Database asset tag. Then check out the device to the assigned user in the IT Asset Database.


Legacy: Manual Windows Imaging (Old Process)

This process was used before OSDCloud was adopted, and may still be needed for older HP computers that are incompatible with OSDCloud.

Overview

Download a Windows 11 .iso directly from Microsoft. The default .iso may not include all necessary drivers for the target hardware, so the image must be rebuilt with injected drivers.

For Lenovo computers, download drivers from the support website for the specific model. Ensure you have the correct Type / Revision, as different revisions may require different drivers. Run the .exe to extract drivers to a directory.

Driver Injection with NTLite

We use NTLite to compile custom Windows 11 builds with injected drivers.

  1. Open NTLite and select Add > Image (ISO, WIM, ESD, SWM), then select the Windows 11 .iso.
  2. Under the Read-Only section, open Content > Operating systems | install.wim.
  3. Select Windows 11 Pro, click Load, then OK to create the reference image. Wait for it to appear under Mounted with a green dot.
  4. Go to Integrate > Drivers in the sidebar. Select Add > Directory containing drivers and point to the extracted Lenovo drivers.
  5. Go to Finish > Apply and set:
    • Saving mode: Save the image and trim editions
    • Image format: Standard, editable (WIM)
    • Options: Create ISO
    • Save with a filename that identifies the model.

Hardware checklist

The hardware checklist on the right side of the Drivers screen shows hardware for your current computer, not the target. Ignore any warnings about missing drivers.

USB Creation with Rufus

Write the .iso to a bootable flash drive using Rufus. Ensure:

  • Partition Scheme: GPT
  • Target System: UEFI (non-CSM)

Leave all other options as default. Press START, decline any customization options, and press OK to begin. This takes a few minutes.

Windows Installation

  1. With the computer off, insert the USB drive.
  2. Power on and enter boot options when the manufacturer logo appears (typically ENTER or F10 on ThinkPads).
  3. Select the USB drive and press ENTER to boot.

Note

If the device won't boot from the USB, enter BIOS and enable Accept Third Party Secure Boot CAs (found in the Security section on Lenovo devices).

  4. Continue through the Windows setup. Erase old drive partitions and install to Partition 0.
  5. Once installation completes, remove the USB drive.
  6. When prompted for a Microsoft account, sign in with the IT staff account preparing the device.
  7. When prompted for a device name, set it to the Asset ID from the Asset Database.

After reaching the Windows desktop, proceed with the Intune Enrollment and Autopilot steps above.