In a previous blog I explained how to enroll Windows 10 into Microsoft Intune manually. You can prepare a guide with screenshots and send it to your users or ask your Help Desk team to help users enroll their devices when you have a few dozen computers. But what do you do when you have thousands? You can create a provisioning package for bulk enrollment.
Prerequisites for Windows devices bulk enrollment:
- Windows 10 1709 or later
- Windows automatic enrollment (we configured before)
This package will automatically enroll your corporate devices into Azure Active Directory. That’s why automatic enrollment is required, because then all enrolled devices in Azure AD will be automatically enrolled into Intune.
You will need Windows Configuration Designer (WCD) tool for creating and editing provisioning packages. You can download this tool from the Windows Store:
After installing WCD go to the Start menu and run the tool. Select Provision desktop devices:
Provide project details – name, description, and project folder:
The first page of the wizard is providing a computer name. You can use two variables: for having the serial number in computer name use %SERIAL% or the computer name will be generated automatically by %RAND:x% where x is number of digits (must be less than 63):
Click on Set up network. Here you can configure your Wi-Fi network if required:
On the Account Management page choose Enroll in Azure AD first, then click Get Bulk Token:
You will see a window where you need to provide user credentials. This account needs to have enroll to Azure AD permissions. In my lab environment I provide my Global admin credentials:
Click Next, enter the password, and click Sign in. Then click Accept:
Uncheck Allow my organization to manage my device and click No, sign in to this app only:
If you leave the checkbox checked and click OK, your provisioning package will become managed. Then wait a couple of seconds for a confirmation Bulk Token Fetched Successfully:
Optionally you can create a local admin account:
Remember this account will be created on all corporate computers you run this provisioning package.
Then go to the next page entitled Add application. You can add any application as a part of the provisioning process like .msi, .exe, .vbs or even a PowerShell script. On the next page you can add certificates (.cer) if needed.
Then click Finish:
Check the summary and click Create:
In the project folder you will find a couple of files:
You have a few options for how to provision your corporate devices:
- Inject provisioning package into your reference image with DISM
- Deploy this package with MECM or other deployment systems
- Copy the package on a shared folder and run this file remotely
- Copy the package on USB drive and use it during OOBE
- Copy the package on a corporate computer locally and run this package manually from the local folder
- Script the process with PowerShell for silent mass provisioning
Let me show you how two other options look.
When you run this package locally you will see a warning window:
Confirm you want to enroll your device in Azure AD and click Yes, add it. Then in 1 minute your device will be automatically restarted to finish the provisioning process:
Remember you need local admin permissions to apply a provisioning package.
You can use a PowerShell command for silent provisioning as I mentioned above:
Install-ProvisioningPackage -PackagePath “c:\folder\package_name.ppkg” -QuietInstall -ForceInstall
Then in 1 minute your device will be automatically restarted.
After restart, you can find your computers in Azure AD. I see my two computers I provisioned manually and with PowerShell:
MDM column shows both are enrolled into Intune automatically. Owner column shows that you are not a user account, but unique provisioning package ID. You can find this package ID in Settings as well:
Happy bulk enrollment!