Join Bulk Devices using a Provisioning Package to Azure

In this guide, you will learn how to join bulk devices to Azure using a provisioning package. I explain how to create a provisioning package and enrol all devices in Intune and Entra ID. Bulk joining of Windows devices to your Microsoft Entra tenant uses Windows Configuration Designer (WCD) to generate a provisioning package. Applying this package to company-owned devices joins them to your Entra ID tenant. Please see Automate Infrastructure Deployments in the Cloud with Ansible and Azure Pipelines.
With the provisioning package, devices that are joined to Azure are also joined to Intune for subsequent management. This means that automatic MDM enrollment into Intune is enabled for Azure AD-joined devices. After package deployment, your Microsoft Entra users can sign in and benefit from Intune features.
Enrolling devices using provisioning packages causes the status of those devices to appear as “joined” in Microsoft Entra ID and Microsoft Intune.
Registering devices to Intune and Entra ID using the Company Portal causes the device status to be reported as “Registered”. See also how to Configure Windows LAPS Management with Microsoft Intune.
Enrolling Bulk Windows Devices Using Provisioning Package
According to Microsoft, to create a bulk enrollment token you must have a supported Microsoft Entra role assignment such as Global Administrator, Cloud Device Administrator, Intune Administrator, or Password Administrator.
The role must not be scoped to an administrative unit in Microsoft Entra ID. To enrol bulk Windows devices, you are required to carry out the following steps:
Install Windows Configuration Designer
Visit the Windows Store, then download and install Windows Configuration Designer (WCD).

Click on “Install” and then “Get” to download the WCD utility tool.
Create and configure the provisioning package.
Provision Desktop Devices
To configure the provisioning package, launch the WCD utility tool you just installed in step 1. Click on “Provision desktop devices” to create a project.

Enter the project name, select the directory to use as the project folder, specify the description for the project, and then click on Finish.

Set up the device
Here, you need to specify the device name. Pay close attention to the highlighted text below the name stating the supported version of Windows 10.

From the above screenshot, scroll down the screen and click on “Next” to set up the network.
Set up Network
On the Set up network page, turn off “Connect devices to a Wi-Fi network” by toggling the button to the left, then click on “Next” to continue.


Set up account management
On the account management screen, select “Enroll in Azure AD.” Next, toggle the “Refresh AAD credentials” button to “Yes.”

Supply Login Credentials to Microsoft Azure
After toggling the refresh AAD credentials button to yes, click on “Get Bulk Token”.
The Microsoft official sign-in page will be populated, prompting you to sign in with your Microsoft Azure credentials.
Depending on your Microsoft Entra ID settings, the next screens will look different and will probably ask you for multi-factor authentication (MFA) alongside your credentials.

Follow the prompt through to the “Stay signed in to all your apps” screen, and then click on “No, sign into this app only.”

Generate Bulk Token
After successful authentication, the bulk token will be fetched successfully, as shown below.

If you check your Intune Admin Center, you will find a bulk token user account similar to package_d286460b-f469-41dd-88cb-d4e4f42ecf7d@YourFQDN.

On the final page, don’t click on “Create” yet; instead, use the button below to switch to the advanced editor.

You will be prompted, as shown below. When you click on “Switch to advanced editor,” click Yes to continue.

From the Advanced Editor, locate the DNSComputerName on the right-hand side of the screen. Clearing out the field “TechDirectArchive-PC” in the middle pane of the editor will not work; you will be required to go to the right pane and select “Remove” to remove DNSComputerName altogether, as shown in the screenshot below:

After removing the DNSComputerName, you should have only the Authority and BPRT left, as shown below:

Export the provisioning package
Now that the provisioning package contains only two items under customizations, we are ready to select “Export” from the menu bar at the top, as shown in Figure 17: Export Provisioning Package.

The next dialog box gives you the provisioning package metadata, which makes it easier to version the package.
As shown in the screenshot below, the default version is 1.0. We will accept the default version and continue.

The next screen will take you to the Encrypt & Sign package details page. For this demonstration, we will click on Next to skip it.

For the pre-build stage, as shown in the screenshot below, you are required to choose the right location to store the package.

Choose a Storage location for the package
Build Package
The build package stage shows the summary screen and affords you the opportunity to verify package details. This is like a last chance to reverse the process of creating the package in case you want to change something.
If you're satisfied with the information shown on the screen, click on “Build” to start.

After a few seconds, the package creation will be successful. Click on Finish to close the dialog.

Test Package
To test the package, run dsregcmd /status. This helps to confirm that your device is not Azure AD-joined. This is because you have not applied the package yet.

As shown in the screenshot above, under “Device State,” AzureAdJoined is set to No because we have not applied the package yet.
To apply the package, navigate to the location where you built and saved the package, and double-click it to run it. Confirm by pressing “Yes, add it.”
You are being prompted simply because there is no signed certificate attached to the package.

You can also apply the provisioning package using the command line by running:
DISM.exe /Image=C:\ /Add-ProvisioningPackage /PackagePath:C:\Documents\BulkDeviceJoin.ppkg

Finally, you have successfully joined the device to Azure AD using a provisioning package. Feel free to apply this package to any device you want to join to Microsoft Azure and Intune.
The device will also be reported in Microsoft Entra ID as “joined.”
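
The before-and-after check from the Test Package step, as an added example that is not part of the original article: it parses dsregcmd /status output into key/value pairs and reports the join state, which is convenient when verifying many devices. The function names and the sample output (tenant name, device ID, MDM URL) are constructed for illustration.

```powershell
# Added example: parse "dsregcmd /status" output and report the join state.
function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Data lines look like "   AzureAdJoined : NO"; banner lines start with + or |.
        if ($line -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-EntraJoin {
    param([Parameter(Mandatory)][hashtable]$State)
    [pscustomobject]@{
        AzureAdJoined = ($State['AzureAdJoined'] -eq 'YES')
        TenantName    = $State['TenantName']
        DeviceId      = $State['DeviceId']
        # A populated MdmUrl indicates the tenant advertises MDM enrollment.
        MdmConfigured = -not [string]::IsNullOrWhiteSpace($State['MdmUrl'])
    }
}

# Constructed sample output (not captured from a real device).
$sampleBefore = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
              DomainJoined : NO
'@ -split "`r?`n"

$sampleAfter = @'
             AzureAdJoined : YES
                  DeviceId : 00000000-0000-0000-0000-000000000000
                TenantName : ExampleTenant
                    MdmUrl : https://mdm.example.invalid/discovery
'@ -split "`r?`n"

Test-EntraJoin (ConvertFrom-DsregStatus $sampleBefore)   # AzureAdJoined = False
Test-EntraJoin (ConvertFrom-DsregStatus $sampleAfter)    # AzureAdJoined = True

# On a real device, feed the live command output to the same functions.
if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
    Test-EntraJoin (ConvertFrom-DsregStatus (dsregcmd.exe /status))
}
```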

I hope you found this article useful on how to join bulk devices using a provisioning package to Azure. Please feel free to leave a comment below.