Bulk enrollment in Azure AD and Intune

In a previous blog I explained how to enroll Windows 10 into Microsoft Intune manually. When you have a few dozen computers, you can prepare a guide with screenshots and send it to your users, or ask your Help Desk team to help users enroll their devices. But what do you do when you have thousands? You can create a provisioning package for bulk enrollment.

Prerequisites for Windows device bulk enrollment:

This package automatically enrolls your corporate devices in Azure Active Directory. That is why automatic enrollment must be configured: with it, every device enrolled in Azure AD is automatically enrolled in Intune as well.

You will need the Windows Configuration Designer (WCD) tool to create and edit provisioning packages. You can download it from the Windows Store:

After installing WCD go to the Start menu and run the tool. Select Provision desktop devices:

Provide project details – name, description, and project folder:

Click Finish.

The first page of the wizard asks for a computer name. You can use two variables: %SERIAL% to include the device serial number in the computer name, or %RAND:x% to have the name generated automatically, where x is the number of random digits (must be less than 63):

Click on Set up network. Here you can configure your Wi-Fi network if required:

On the Account Management page choose Enroll in Azure AD first, then click Get Bulk Token:

You will see a window where you need to provide user credentials. This account needs permissions to enroll devices in Azure AD. In my lab environment I provide my Global admin credentials:

Click Next, enter the password, and click Sign in. Then click Accept:

Uncheck Allow my organization to manage my device and click No, sign in to this app only:

If you leave the checkbox checked and click OK, your provisioning package will become managed. Then wait a couple of seconds for the confirmation Bulk Token Fetched Successfully:

Optionally you can create a local admin account:

Remember that this account will be created on every corporate computer on which you run this provisioning package.

Then go to the next page, entitled Add application. You can add any application as part of the provisioning process, such as an .msi, .exe or .vbs file, or even a PowerShell script. On the next page you can add certificates (.cer) if needed.

Then click Finish:

Check the summary and click Create:

In the project folder you will find a couple of files:

You have a few options for how to provision your corporate devices:

  • Inject the provisioning package into your reference image with DISM
  • Deploy the package with MECM or another deployment system
  • Copy the package to a shared folder and run it remotely
  • Copy the package to a USB drive and use it during OOBE
  • Copy the package to a corporate computer and run it manually from the local folder
  • Script the process with PowerShell for silent mass provisioning

Let me show you how two of these options look.

When you run this package locally you will see a warning window:

Confirm that you want to enroll your device in Azure AD and click Yes, add it. Then, in 1 minute, your device will be restarted automatically to finish the provisioning process:

Remember you need local admin permissions to apply a provisioning package.

You can use a PowerShell command for silent provisioning, as I mentioned above:

Install-ProvisioningPackage -PackagePath "c:\folder\package_name.ppkg" -QuietInstall -ForceInstall

Then in 1 minute your device will be automatically restarted.
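The following script is an added example, not code from the original post: it wraps the Install-ProvisioningPackage command above so it can be pushed to many devices, and adds the checks an administrator would want before applying a package silently (local admin rights, the package actually exists, and optionally that its SHA-256 hash matches the one published by whoever built it). The share path, log folder and expected hash are placeholders you must replace; the Provisioning module, Install-ProvisioningPackage and Get-ProvisioningPackage are the built-in Windows cmdlets.

```powershell
# Added example: silent mass provisioning wrapper around Install-ProvisioningPackage.
# Not code from the original post. Placeholder values (assumptions) are marked below.

# Assumed placeholder paths - replace with your own.
$PackagePath    = '\\fileserver\provisioning\package_name.ppkg'
$LogDir         = Join-Path $env:ProgramData 'Provisioning\Logs'
# Optional: SHA-256 of the package as published by the person who built it (placeholder).
$ExpectedSha256 = $null   # e.g. 'ABCD...'; leave $null to skip the integrity check

function Test-IsLocalAdmin {
    # Applying a provisioning package requires local administrator rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-PackageIntegrity {
    param([string]$Path, [string]$Expected)
    # The .ppkg carries the bulk enrollment token (and any local admin account you added),
    # so make sure the file on the share is still the package you built.
    if ([string]::IsNullOrEmpty($Expected)) { return $true }
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    return $actual -ieq $Expected
}

function Invoke-SilentProvisioning {
    param([string]$Path, [string]$LogsDir)

    if (-not (Test-IsLocalAdmin)) { throw 'Run this script as a local administrator.' }
    if (-not (Test-Path -Path $Path -PathType Leaf)) { throw "Package not found: $Path" }
    if (-not (Test-PackageIntegrity -Path $Path -Expected $ExpectedSha256)) {
        throw 'Package hash does not match the expected value; refusing to apply it.'
    }
    New-Item -Path $LogsDir -ItemType Directory -Force | Out-Null

    Import-Module Provisioning -ErrorAction Stop

    # -QuietInstall runs without the confirmation dialog shown when the package is run by hand;
    # -ForceInstall forces the package to be applied. Logs go to $LogsDir for troubleshooting.
    Install-ProvisioningPackage -PackagePath $Path -QuietInstall -ForceInstall -LogsDirectoryPath $LogsDir

    # List installed packages; this includes the package ID that Azure AD later shows
    # in the Owner column for devices enrolled with this package.
    Get-ProvisioningPackage -AllInstalledPackages
}

Invoke-SilentProvisioning -Path $PackagePath -LogsDir $LogDir
Write-Output 'Provisioning package applied; the device restarts automatically in about a minute.'
```

Because the package embeds the bulk token, anyone who can read the .ppkg can join devices to your tenant; keep the share read-only for the deployment account and use the hash check so a swapped package is refused before it runs.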

After the restart, you can find your computers in Azure AD. I see the two computers I provisioned manually and with PowerShell:

The MDM column shows that both are enrolled in Intune automatically. The Owner column shows not a user account but the unique provisioning package ID. You can find this package ID in Settings as well:

Happy bulk enrollment!
