Bulk enrollment in Azure AD and Intune

In a previous blog I explained how to enroll Windows 10 into Microsoft Intune manually. You can prepare a guide with screenshots and send it to your users or ask your Help Desk team to help users enroll their devices when you have a few dozen computers. But what do you do when you have thousands? You can create a provisioning package for bulk enrollment.

Prerequisites for bulk enrollment of Windows devices:

The package automatically joins your corporate devices to Azure Active Directory. For those devices to land in Intune as well, automatic MDM enrollment must already be configured in Azure AD (Mobility (MDM and MAM) > Microsoft Intune, with the MDM user scope covering your users); with that in place, every device joined to Azure AD is automatically enrolled into Intune.

You will need the Windows Configuration Designer (WCD) tool to create and edit provisioning packages. You can download it from the Microsoft Store (it also ships as part of the Windows ADK):

After installing WCD go to the Start menu and run the tool. Select Provision desktop devices:

Provide project details – name, description, and project folder:

Click Finish.

The first page of the wizard asks for a computer name. You can use two variables: %SERIAL% puts the device serial number in the computer name, and %RAND:x% appends x randomly generated digits (the page states x must be less than 63). Keep the resulting name within the 15-character NetBIOS limit if the device will also need a NetBIOS-compatible name:

Click on Set up network. Here you can configure your Wi-Fi network if required:

On the Account Management page choose Enroll in Azure AD first, then click Get Bulk Token:

You will see a window asking for user credentials. This account needs permission to join devices to Azure AD. In my lab environment I provide my Global admin credentials; for production, use a dedicated account with only the required rights, because this sign-in mints the bulk token that ends up inside the package:

Click Next, enter the password, and click Sign in. Then click Accept:

Uncheck Allow my organization to manage my device and click No, sign in to this app only:

If you leave the checkbox checked and click OK, the workstation you are building the package on gets registered with your organization, which is not what you want here. Then wait a couple of seconds for the confirmation Bulk Token Fetched Successfully. Note the token expiry date shown on this page (at most 180 days from creation): the package can no longer join devices after the token expires, so plan to rebuild it before then:

Optionally you can create a local admin account:

Remember that this account, with the same password, will be created on every corporate computer you run this provisioning package on. The password is stored inside the package (and in the project's customizations.xml), so anyone who can read the .ppkg can recover it; protect the package and rotate or manage that account afterwards, for example with Windows LAPS.

Then go to the next page, titled Add application. You can add any application as part of the provisioning process: an .msi, an .exe, a .vbs, or even a PowerShell script. Anything you add here runs on every device during provisioning, so include only installers and scripts you trust and control. On the next page you can add certificates (.cer) if needed, for example a root CA your Wi-Fi or VPN profile depends on.

Then click Finish:

Check the summary and click Create:

In the project folder you will find a couple of files, including the .ppkg package itself and the customizations.xml holding the settings you entered. Treat the whole folder as sensitive: it contains the bulk token and any local account password you configured:

You have a few options for how to provision your corporate devices:

  • Inject the provisioning package into your reference image with DISM
  • Deploy the package with MECM or another deployment system
  • Copy the package to a shared folder and run it from the share
  • Copy the package to a USB drive and apply it during OOBE
  • Copy the package to the computer and run it manually from a local folder
  • Script the process with PowerShell for silent mass provisioning
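As an added example (not part of the original post), here is what the first option, injecting the package into an offline reference image, looks like in PowerShell with the DISM module and dism.exe. The image path, mount directory, image index and package path are assumptions; paths are quoted so spaces do not break the DISM arguments.

```powershell
# Added example, not from the original post. Paths and the image index are assumptions.
$Wim     = 'C:\Images\install.wim'              # assumed reference image
$Mount   = 'C:\Mount'                           # assumed scratch mount directory
$Package = 'C:\Provisioning\BulkEnroll.ppkg'    # assumed package exported by WCD

# Confirm the package exists before touching the image
if (-not (Test-Path -LiteralPath $Package)) { throw "Package not found: $Package" }
New-Item -ItemType Directory -Path $Mount -Force | Out-Null

# Mount the image read/write. Index 1 is assumed; list indexes with Get-WindowsImage -ImagePath $Wim
Mount-WindowsImage -ImagePath $Wim -Index 1 -Path $Mount | Out-Null

$committed = $false
try {
    # Add the package to the offline image; Windows applies it when the image boots
    & dism.exe "/Image:$Mount" '/Add-ProvisioningPackage' "/PackagePath:$Package"
    if ($LASTEXITCODE -ne 0) { throw "DISM failed with exit code $LASTEXITCODE" }

    # Commit the change into the WIM
    Dismount-WindowsImage -Path $Mount -Save | Out-Null
    $committed = $true
    Write-Host "Package injected into $Wim"
}
finally {
    # If anything failed, discard the mount so the image is left as it was
    if (-not $committed) {
        Dismount-WindowsImage -Path $Mount -Discard -ErrorAction SilentlyContinue | Out-Null
    }
}
```

Because the package now sits inside the image, every machine deployed from it carries the bulk token and the local account password; keep the image under the same access control as the .ppkg.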

Let me show you what two of these options look like: applying the package locally and scripting it with PowerShell.

When you run the package locally (double-click the .ppkg) you will see a warning window:

Confirm that you want to enroll the device in Azure AD by clicking Yes, add it. About a minute later the device restarts automatically to finish the provisioning process:

Remember that you need local admin rights to apply a provisioning package.

For the silent provisioning I mentioned above, use the Install-ProvisioningPackage cmdlet from the Provisioning module; -QuietInstall suppresses the confirmation prompt and -ForceInstall applies the package even if one with the same ID is already present:

Install-ProvisioningPackage -PackagePath "c:\folder\package_name.ppkg" -QuietInstall -ForceInstall

About a minute later the device restarts automatically.
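As an added example (not from the original post), the following script wraps that command in the checks you would want before running it unattended across many machines: it confirms elevation, skips devices that are already Azure AD joined, and verifies the package hash before applying it, because the .ppkg carries the bulk token and a swapped or tampered package could join the machine to someone else's tenant. The share path, the expected hash and the log directory are assumptions.

```powershell
# Added example, not from the original post. Share path, expected hash and log directory are assumptions.
$Source       = '\\fileserver\provisioning\BulkEnroll.ppkg'   # assumed read-only share
$ExpectedHash = 'REPLACE-WITH-SHA256-OF-YOUR-PACKAGE'          # assumed; take it from Get-FileHash on the master copy
$Local        = Join-Path $env:TEMP 'BulkEnroll.ppkg'
$LogDir       = 'C:\ProgramData\BulkEnroll'                     # assumed log location

# Install-ProvisioningPackage needs local admin rights; fail early if not elevated
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script elevated; applying a provisioning package requires local admin rights.'
}

# Skip machines that are already joined so a rerun does not force a second join and reboot
$dsreg = dsregcmd.exe /status
if ($dsreg -match 'AzureAdJoined\s*:\s*YES') {
    Write-Host 'Device is already Azure AD joined; nothing to do.'
    return
}

# Copy locally and verify integrity before applying
Copy-Item -Path $Source -Destination $Local -Force
$actualHash = (Get-FileHash -Path $Local -Algorithm SHA256).Hash
if ($actualHash -ne $ExpectedHash) {
    Remove-Item -Path $Local -Force
    throw "Package hash mismatch: expected $ExpectedHash, got $actualHash"
}

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# -QuietInstall: no confirmation prompt; -ForceInstall: apply even if the same package ID is present
# -LogsDirectoryPath keeps the provisioning logs for troubleshooting failed joins
Install-ProvisioningPackage -PackagePath $Local -QuietInstall -ForceInstall -LogsDirectoryPath $LogDir

# Do not leave the token-bearing package lying around; the device restarts about a minute later
Remove-Item -Path $Local -Force
```

Publish the package on a share that deployment accounts can only read, and set $ExpectedHash from the copy you built, not from whatever is on the share; the hash check is only worth something if the reference value comes from a trusted source.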

After the restart, you can find the computers in Azure AD. Here I see the two computers I provisioned, one manually and one with PowerShell:

The MDM column shows that both are enrolled into Intune automatically. The Owner column shows not a user account but the unique ID of the provisioning package. You can see the same package ID in Settings on the device as well:
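Added example (not part of the original post): a small post-restart check that reads the same facts from the device itself, using dsregcmd /status and the Provisioning module, so you can verify a batch of machines without opening the portal for each one. Get-DsregValue is a helper written for this example.

```powershell
# Added example, not from the original post. Get-DsregValue is a helper written for this example.
function Get-DsregValue {
    param([string[]]$Lines, [string]$Key)
    # dsregcmd /status prints "Key : Value" rows; return the value for the requested key
    foreach ($line in $Lines) {
        if ($line -match "^\s*$Key\s*:\s*(.+?)\s*$") { return $Matches[1] }
    }
    return $null
}

$status = dsregcmd.exe /status

$joined = Get-DsregValue -Lines $status -Key 'AzureAdJoined'
$tenant = Get-DsregValue -Lines $status -Key 'TenantName'
$mdmUrl = Get-DsregValue -Lines $status -Key 'MdmUrl'

if ($joined -ne 'YES') {
    Write-Warning 'Device is not Azure AD joined: check that the package applied and that the bulk token has not expired.'
}
elseif (-not $mdmUrl) {
    Write-Warning "Joined to $tenant but no MDM URL: check that automatic MDM enrollment (MDM user scope) is configured."
}
else {
    Write-Host "Joined to $tenant, MDM enrollment URL: $mdmUrl"
}

# The package ID that Azure AD shows in the Owner column is also recorded on the device
Get-ProvisioningPackage -AllInstalledPackages
```

A device that is joined but has no MDM URL is the usual symptom of the prerequisite from the top of this post being missed: the join worked, but automatic enrollment into Intune was not configured.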

Happy bulk enrollment!
