How to Set Up a New Windows 11 PC for Business
Setting up a new Windows 11 PC correctly from the start saves time, prevents security issues and ensures the device is properly managed by your IT team. Skipping steps like Windows Update, BitLocker and RMM enrollment creates security gaps that are expensive to fix later. This guide covers the complete business setup from unboxing to ready-to-use.
Complete all setup steps including Windows Update and antivirus before the user starts working on the machine. Updates often require restarts that disrupt work, and an unprotected PC can be compromised within minutes of connecting to the internet.
Step 1: Complete the Windows 11 Initial Setup (OOBE)
Power On and Region Selection
Power on the PC. The Out-of-Box Experience (OOBE) setup wizard will start automatically. Select your Country or Region (Malaysia), Keyboard Layout (US or your preferred layout) and click Yes. Add a second keyboard layout if needed or click Skip.
Connect to WiFi
On the network screen, select your office WiFi network and enter the password. If setting up via a wired Ethernet connection, this screen will be skipped automatically. An internet connection is required to complete setup and activate Windows.
If this is an Azure AD joined device, connect to the internet before proceeding – Windows needs to reach Microsoft servers to complete the Azure AD join.
Sign In With Work Account
When prompted to sign in, choose Set up for work or school. Enter your Microsoft 365 work email address. Windows 11 will connect to your organisation’s Azure AD tenant and join the device automatically. If your IT team uses Intune, the device will be enrolled in mobile device management as part of this step.
If the PC should use a local account (not recommended for managed environments), click Sign-in options and choose the option labelled Domain join instead.
Step 2: Run Windows Update
Install All Pending Updates
After the initial setup completes and you reach the desktop, immediately run Windows Update. Go to Settings > Windows Update and click Check for updates. Install all available updates including optional updates.
Pay particular attention to:
- Cumulative updates for Windows 11 (security patches)
- Driver updates (especially for network adapters, graphics and storage)
- Microsoft Defender antivirus definition updates
The PC will likely need to restart once or twice. Keep running Windows Update until it shows You’re up to date.
Step 3: Install Microsoft 365 Apps
Download and Install Office
Open Microsoft Edge and go to portal.office.com. Sign in with the work Microsoft 365 account. On the home page, click Install apps in the top right corner, then click Microsoft 365 apps.
The installer file (OfficeSetup.exe) will download. Run it and allow the installation to complete. This installs Word, Excel, PowerPoint, Outlook, Teams, OneNote and other Microsoft 365 apps. The installation takes 10 to 20 minutes depending on internet speed.
After installation, open Outlook and sign in with the work email account to configure the mailbox.
Step 4: Enable BitLocker Drive Encryption
Turn On BitLocker
Search for BitLocker in the Start menu and open Manage BitLocker. Click Turn on BitLocker next to the C: drive. Follow the wizard:
- Choose how to unlock at startup (recommend: Automatically unlock)
- Choose how to back up the recovery key – select Save to your Microsoft account or Save to a file (save to a USB drive or network location, not on the C: drive)
- Choose how much of the drive to encrypt – select Encrypt entire drive for existing data or new PCs
- Choose encryption mode – select New encryption mode (XTS-AES)
- Click Start encrypting
Encryption runs in the background and takes 30 minutes to several hours depending on drive size. The PC remains usable during encryption.
Store the BitLocker recovery key in a safe location outside the encrypted PC. Without it, data cannot be recovered if the PC fails or the user forgets their PIN. Save it to your Microsoft account, a USB drive or print it and file it securely.
Step 5: Install Antivirus and Security Software
Install and Configure Antivirus
Windows Defender is enabled by default and provides baseline protection. If your organisation uses a third-party antivirus:
- McAfee Total Protection / McAfee Endpoint Security: Download the installer from the McAfee ePolicy Orchestrator (ePO) server or McAfee portal. Run the installer and the agent will auto-configure from the ePO policy.
- Kaspersky Endpoint Security: Download from the Kaspersky Security Center console. Deploy via the push installation feature or run the installer manually.
- Sophos Endpoint: Log into the Sophos Central dashboard and use the Protect Devices link to download the installer. Sophos auto-registers the device with your Central account.
After installation, verify the antivirus is running and definitions are up to date before proceeding.
Step 6: Configure OneDrive Backup
Enable Folder Backup
Click the OneDrive cloud icon in the system tray (bottom right). If not visible, search for OneDrive in the Start menu and sign in with the work Microsoft 365 account.
Once signed in, click the OneDrive icon > Settings > Backup > Manage backup. Enable backup for Desktop, Documents and Pictures. Click Start backup.
Files in these folders will now sync automatically to OneDrive. If the PC is lost, stolen or damaged, all files are recoverable from any other device signed into the same account.
Step 7: Install the RMM Agent
Deploy ManageEngine Endpoint Central Agent
If the PC is managed by Cybergate or an internal IT team using ManageEngine Endpoint Central:
- Download the agent installer provided by your IT team
- Run the installer as Administrator (right-click > Run as administrator)
- The agent installs silently and connects to the ManageEngine console automatically
- Within 5 minutes, the device will appear in the Endpoint Central console
Once enrolled, the IT team can remotely manage patches, deploy software, access the desktop remotely and monitor device health from the central console.
Before handing the PC to the user, confirm:
- Windows is fully updated
- Microsoft 365 apps are installed and signed in
- BitLocker is enabled and the recovery key is saved
- Antivirus is installed and updated
- OneDrive backup is running for Desktop/Documents/Pictures
- RMM agent is enrolled and visible in the console
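The handover confirmation above can be checked from the PC itself with a short script; this is an added PowerShell example, not part of the original guide or of any vendor tooling. It assumes an elevated session under the end user's account, and the RMM service name pattern is an assumption to confirm against your own agent. Whether the recovery key was stored off the PC, and whether the device shows in the RMM console, still has to be checked by hand.

```powershell
# Added example: handover checks for Steps 1-7. Run elevated, in the end user's session.
# Assumption: $RmmPattern guesses the agent's service display name; confirm it locally.
param([string]$RmmPattern = '*ManageEngine*Agent*')

$results = [ordered]@{}

# Step 1: Azure AD join state, parsed from dsregcmd output
$results['Azure AD joined'] = [bool]((dsregcmd /status) -match 'AzureAdJoined\s*:\s*YES')

# Step 2: ask the Windows Update Agent for updates that are still not installed
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates.Count
$results['No pending updates'] = ($pending -eq 0)

# Step 3: the Click-to-Run configuration key exists once Microsoft 365 Apps are installed
$c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$results['Microsoft 365 Apps installed'] = Test-Path $c2r

# Step 4: C: fully encrypted with XTS-AES, protection on, recovery password present
$bl = Get-BitLockerVolume -MountPoint 'C:'
$results['BitLocker protecting C:'] = ($bl.VolumeStatus -eq 'FullyEncrypted') -and
    ($bl.ProtectionStatus -eq 'On') -and ("$($bl.EncryptionMethod)" -like 'XtsAes*')
$results['Recovery password protector exists'] =
    [bool]($bl.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

# Step 5: products registered with Windows Security Center (includes third-party AV)
$av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct
$results['Antivirus registered'] = [bool]$av
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp -and $mp.AntivirusEnabled) {   # only meaningful when Defender is the active AV
    $results['Defender definitions <= 1 day old'] = ($mp.AntivirusSignatureAge -le 1)
}

# Step 6: backed-up folders are redirected under the work OneDrive folder
$od = $env:OneDriveCommercial
foreach ($f in 'Desktop', 'MyDocuments', 'MyPictures') {
    $path = [Environment]::GetFolderPath($f)
    $results["OneDrive backup: $f"] = [bool]$od -and $path.StartsWith($od, 'OrdinalIgnoreCase')
}

# Step 7: RMM agent service present and running (console visibility is checked separately)
$svc = Get-Service -DisplayName $RmmPattern -ErrorAction SilentlyContinue
$results['RMM agent service running'] = [bool]($svc | Where-Object Status -eq 'Running')

# Print one PASS/FAIL line per check; non-zero exit code if anything failed
$results.GetEnumerator() | ForEach-Object {
    '{0,-38} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
if ($results.Values -contains $false) { exit 1 }
```

A FAIL on the BitLocker line while encryption is still running in the background is expected; re-run the script once encryption has finished.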
Need IT Help in Malaysia?
Cybergate provides onsite IT support for businesses across Malaysia. Our team is available Monday to Saturday, 9am to 6pm.
