In this post I will be showing how to do bulk enrollment of windows devices using Windows Configuration Designer. This method requires to create a provisioning package which is in ppkg format and can be created using Windows Configuration Designer (WCD).
What is Bulk Enrollment
Bulk enrollment is a process to enroll the devices to Azure AD tenant with the help of simply running provisioning package (ppkg file). Once provisioning package is applied to the device, it performs 2 tasks:
- Joins the device to Azure AD Tenant
- Enrolls the device to Intune Portal
Pre-requisites for Bulk enrollment process
There are few pre-requisites needs to be met for bulk enrollment process.
- Device should be atleast on Windows 10 build version 1709 or Windows 11.
- Automatic enrollment should be enabled. This can be verified either through Azure Portal by navigating to Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune or can be accessed through Intune Portal by navigating to Devices > Enroll devices > Automatic Enrollment
For Automatic enrollment to work Azure Active Directory Premium subscription is required.
What is Windows Configuration Designer (WCD)
Windows Configuration Designer is a tool to create provisioning package (in .ppkg format) to customise the settings and apply on Windows device. We can directly run the provisioning package on Windows device running Windows 10 / Windows 11 operating system.
Windows Configuration Designer to create provisioning package can be installed on either Server OS or Client OS.
There are 2 ways to install Windows Configuration Designer (WCD):
- Download WCD from Microsoft Store App : Applicable for Client OS such as Windows 10 / 11
- WCD is part of Windows Assessment and Deployment Kit (ADK) for Windows 11 which can be either used for Server OS / Client OS.
Create Provisioning package using WCD
Once Windows Configuration Manager is installed, launch it. Click on Provision desktop devices.
Under New Project page, provide the name “Bulk Enrollment Package”, you may change Project folder path and click on Finish.
Package creation will come up with multiple steps including:
Set up device: We can use it to specify custom name for device such as Desktop-%SERIAL% or Desktop-%RAND:5%, where Desktop is a fix value while serial / random number is dynamic one.
Set up network: We can provision the Wi-Fi network configuration over here. Turn it off.
Under Application Management we have multiple values to specify under section “Manage organization/School Accounts”:
- Enroll into Active Directory
- Enroll in Azure AD
- Local Admin
We will be selecting Enroll in Azure AD, will ask us to create Bulk Token. It will automatically create Bulk Token Expiry for 6 months which can be changed.
Under Bulk AAD Token, click on Get Bulk Token and provide user credentials to login.
Once successful, you will be greeted with message “Bulk Token Fetched Successfully”.
Optionally you can create a local administrator account, click Next.
We can add applications and Add Certificates as well. That’s not our requirement is here, click on Finish
Verify the summary and click on Create to process with creation of provisioning package.
We can see the Bulk Enrollment Package.ppkg is created along with other supported files:
Apply provisioning Package
The whole folder can be copied to a USB drive and while starting your new device during initial setup, you will see the first page for selecting the region.
If you insert the USB, provisioning package will be automatically detected and will ask you to “Set up PC”, just proceed with that to provision the package.
Check the link for more details
Manually initiate the provisioning package
The package is ready and can be initiated manually as well on up and running Windows device. Just double click the .ppkg file.
You will be prompted with a message “Is this package from a source you trust”, click on Yes, add it.
The process will apply changes by enrolling the device to Azure Active Directory and will reboot the system.
Provisioning package can also be applied by navigating to Settings > Accounts > Access work or school > Add or remove a provisioning package
Once Provisioning package is applied, you can see the results under Provisioning packages window along with date time stamp.
Important Links
Bulk enrollment for Windows devices – Microsoft Intune | Microsoft Docs
Apply a provisioning package (Windows 10/11) – Configure Windows | Microsoft Docs
