How to enroll Microsoft Teams rooms devices into Intune

Introduction

I recently was tasked to enroll Microsoft teams rooms device into Intune as the customer needed compliance policy to allow the device to communicate to cloud service. There are plenty of good resources on the internet how to get started, how and what to do. However, I stumbled across lack of information in the area of creating a bulk token with the Windows Configuration Designer. First, I created the bulk token in my test tenant to see, what it did and to find out exactly what permission was needed. After that I went on to the customer environment and got a funny error message.

Once we tried to get the bulk token we saw it failing and to begin with didn’t really know why, but after some troubleshooting we found the missing piece.

This blog post can be your missing piece of the puzzle. Read along.

Picture source: https://techcommunity.microsoft.com/t5/image/serverpage/image-id/162061i45C6F07EB8820581?v=v2

 

Requirements

• Windows Configuration Designer (Download it from the store)
• Azure AD permission to create Enterprise App registration
• Setting in Azure AD “Users may join devices to Azure AD” = “All”

 

How to get started

I strongly recommend reading this fine piece of information from Lothar Zeitler – Senior Program Manager

Also this guide on WCD

 

In high level what you need is to create an Azure AD group with a dynamic rule. The dynamic rule could be on the displayName but that would require that in the enrollment process that the device is named something that the rule will recognize. So how do we do that?

This is where Windows Configuration Designer (WCD) comes into the picture. As MTR devices does not support Autopilot, there are no real automated solution to make sure the device onboard and that it gets a naming standard we want.

Open the WCD and click “Provision desktop devices”

 

To have a naming standard to search for in our Azure AD group, lets make our device named MTR-%RAND:5%

I use 5 random characters to make sure we have enough possibilities for our meeting rooms.

As we will insert wired network to all MTR devices let’s not configure the Wi-Fi profile.

 

Choose Enroll in Azure AD and click on the “Get Bulk Token”

 

Here it is important that you use an account where you will be able to consent and say it is ok to create a new Enterprise Application and user in Azure AD. (Global Admin or Application Admin + user admin)

 

It will ask you to consent on behalf and what it will do is that it will create an Enterprise Application and create a user.

 

After 30 seconds you should see “Bulk Token Fetched Successfully”

Make sure to be aware that your token will expire 180 days later. Mark the date in your calendar so you will have no surprises

 

While fetching the bulk token I saw some different errors while provisioning this:

If you somehow canceled the process during the get bulk token you will experience this error code:

Bulk token retrieval failed

Error: UserCancel -2146233088

 

If you forgot to check whether Azure AD “Users may join devices to Azure AD” and it is NOT set to “all” then you will experience this error:

Bulk token retrieval failed

User not authorized

Now this error really does not make sense, and this was what we were experiencing. We went into the portal of Azure AD and changed the setting, and everything finally went smoothly.

 

Now we just need to verify that we got the Enterprise application and a user created:

In Azure AD – All Users we can verify the user “Package_”

And an Enterprise Application

Everything is good!

Continuing the WCD wizard: We won’t add any applications

No certificate

And on the last page we want to protect our provisioning package with a password. Why you ask?

Because there is no protection whatsoever, if you do not do that. If someone got hold of that provisioning package, they will be enabled to onboard devices to Azure AD joined state + Intune enrolled.

Press create when you are happy with the result.

 

Put the files on a USB to use the provisioning package on a physical device or if you want to test it with hyper-v, create an ISO file: (Very important to put the files into the root of either the USB or ISO.

Create an ISO file with PowerShell! (thelowercasew.com)

Code:
$source_dir = “.Windows Imaging and Configuration Designer (WICD)MTR Provisioning package”

get-childitem “$source_dir” | New-ISOFile -path c:tempMyProvisioningPackage.iso

 

Once the file has been created it should look like this:

 

To test I have a new Windows 11 Enterprise in Out of box experience (OOBE)

I attach the ISO to the virtual device

Press Windows key 5 times

 

Insert the password to your provisioning package

 

Device will be enrolling into the tenant

Rebooting

 

And after a minute or so you will be able to logon to the device

 

If Windows Hello for business is configured tenant wide, you will be prompted to setup your pin while logging on to the device. You can prohibit that by deactivating it tenant wide.

 

Our naming standard applied as we liked it to:

 

And if we look into Azure AD

 

And in Intune

Our goal was to have a naming standard.

No primary user assigned to the device.

Compliance to make sure it can reach out to the cloud services.

Great success

 

Summary

Playing around with provisioning packages can be a great experience if you know how. I hope that this article helped you along on your journey towards using WCD and go straight to the reward – onboarding a device.

Happy testing!

Source: Bulk join a Windows device to Azure AD and Microsoft Endpoint Manager using a provisioning package – Microsoft Tech Community

Managing Microsoft Teams Rooms with Intune – Microsoft Tech Community