How to enroll Microsoft teams rooms devices into Intune

How to enroll Microsoft teams rooms devices into Intune

Introduction

I recently was tasked to enroll Microsoft teams rooms device into Intune as the customer needed compliance policy to allow the device to communicate to cloud service. There are plenty of good resources on the internet how to get started, how and what to do. However, I stumbled across lack of information in the area of creating a bulk token with the Windows Configuration Designer. First, I created the bulk token in my test tenant to see, what it did and to find out exactly what permission was needed. After that I went on to the customer environment and got a funny error message.

Once we tried to get the bulk token we saw it failing and to begin with didn’t really know why, but after some troubleshooting we found the missing piece.

This blog post can be your missing piece of the puzzle. Read along.

Managing Microsoft Teams Rooms with Intune - Microsoft Tech Community

Picture source: https://techcommunity.microsoft.com/t5/image/serverpage/image-id/162061i45C6F07EB8820581?v=v2

 

Requirements

  • Windows Configuration Designer (Download it from the store)
  • Azure AD permission to create Enterprise App registration
  • Setting in Azure AD “Users may join devices to Azure AD” = “All”

 

How to get started

I strongly recommend reading this fine piece of information from Lothar Zeitler – Senior Program Manager

Also this guide on WCD

 

In high level what you need is to create an Azure AD group with a dynamic rule. The dynamic rule could be on the displayName but that would require that in the enrollment process that the device is named something that the rule will recognize. So how do we do that?

This is where Windows Configuration Designer (WCD) comes into the picture. As MTR devices does not support Autopilot, there are no real automated solution to make sure the device onboard and that it gets a naming standard we want.

Open the WCD and click “Provision desktop devices”

clip_image002

 

To have a naming standard to search for in our Azure AD group, lets make our device named MTR-%RAND:5%

I use 5 random characters to make sure we have enough possibilities for our meeting rooms.

clip_image004

 

As we will insert wired network to all MTR devices let’s not configure the Wi-Fi profile.

clip_image006

 

Choose Enroll in Azure AD and click on the “Get Bulk Token”

clip_image008

 

Here it is important that you use an account where you will be able to consent and say it is ok to create a new Enterprise Application and user in Azure AD. (Global Admin or Application Admin + user admin)

clip_image010

clip_image012

 

It will ask you to consent on behalf and what it will do is that it will create an Enterprise Application and create a user.

clip_image014

 

After 30 seconds you should see “Bulk Token Fetched Successfully”

clip_image016

Make sure to be aware that your token will expire 180 days later. Mark the date in your calendar so you will have no surprises

 

While fetching the bulk token I saw some different errors while provisioning this:

If you somehow canceled the process during the get bulk token you will experience this error code:

Bulk token retrieval failed

Error: UserCancel -2146233088

clip_image018

 

If you forgot to check whether Azure AD “Users may join devices to Azure AD” and it is NOT set to “all” then you will experience this error:

Bulk token retrieval failed

User not authorized

clip_image020

Now this error really does not make sense, and this was what we were experiencing. We went into the portal of Azure AD and changed the setting, and everything finally went smoothly.

 

clip_image022

 

Now we just need to verify that we got the Enterprise application and a user created:

In Azure AD – All Users we can verify the user “Package_”

clip_image024

 

And an Enterprise Application

clip_image026

Everything is good!

 

Continuing the WCD wizard: We won’t add any applications

clip_image028

 

No certificate

clip_image030

And on the last page we want to protect our provisioning package with a password. Why you ask?

Because there is no protection whatsoever, if you do not do that. If someone got hold of that provisioning package, they will be enabled to onboard devices to Azure AD joined state + Intune enrolled.

 

clip_image032

Press create when you are happy with the result.

 

Put the files on a USB to use the provisioning package on a physical device or if you want to test it with hyper-v, create an ISO file: (Very important to put the files into the root of either the USB or ISO.

Create an ISO file with PowerShell! (thelowercasew.com)

Code:
$source_dir = “.Windows Imaging and Configuration Designer (WICD)MTR Provisioning package”

get-childitem “$source_dir” | New-ISOFile -path c:tempMyProvisioningPackage.iso

 

Once the file has been created it should look like this:

clip_image034

 

To test I have a new Windows 11 Enterprise in Out of box experience (OOBE)

I attach the ISO to the virtual device

clip_image036

 

Press Windows key 5 times

clip_image038

 

Insert the password to your provisioning package

clip_image040

 

Device will be enrolling into the tenant

clip_image042

 

Rebooting

clip_image044

 

And after a minute or so you will be able to logon to the device

clip_image046

 

If Windows Hello for business is configured tenant wide, you will be prompted to setup your pin while logging on to the device. You can prohibit that by deactivating it tenant wide.

clip_image048

 

Our naming standard applied as we liked it to:

clip_image050

 

And if we look into Azure AD

clip_image052

 

And in Intune

Our goal was to have a naming standard.

No primary user assigned to the device.

Compliance to make sure it can reach out to the cloud services.

clip_image054

Great success

 

Summary

Playing around with provisioning packages can be a great experience if you know how. I hope that this article helped you along on your journey towards using WCD and go straight to the reward – onboarding a device.

Happy testing!

Source: Bulk join a Windows device to Azure AD and Microsoft Endpoint Manager using a provisioning package – Microsoft Tech Community

Managing Microsoft Teams Rooms with Intune – Microsoft Tech Community

+ posts

Mattias Melkersen is a community driven and passionate modern workplace consultant with 20 years’ experience in automating software, driving adoption and technology change within the Enterprise. He lives in Denmark and works at Mindcore.

He is an Enterprise Mobility Intune MVP, Official Contributor in a LinkedIn group with 41.000 members and Microsoft 365 Enterprise Administrator Expert.

Mattias blogs, gives interview and creates a YouTube content on the channel "MSEndpointMgr" where he creates helpful content in the MEM area and interview MVP’s who showcase certain technology or topic.

Official Contributor here "Modern Endpoint Management":
https://www.linkedin.com/groups/8761296/

Table of Contents

Share this post
Search blog posts
Search
Authors
Modern Workplace consultant and a Microsoft MVP in Enterprise Mobility.

Modern Workplace consultant and a Microsoft MVP in Windows and Devices.

Infrastructure architect with focus on Modern Workplace and Microsoft 365 security.

Cloud & security specialist with focus on Microsoft backend products and cloud technologies.

Cloud & security specialist with focus on Microsoft 365.

Cloud & Security Specialist, with a passion for all things Cybersecurity

Cloud and infrastructure security specialist with background in networking.

Infrastructure architect with focus on design, implementation, migration and consolidation.

Infrastructure consultant with focus on cloud solutions in Office365 and Azure.

Modern workplace and infrastructure architect with a focus on Microsoft 365 and security.

follow us in feedly
Categories

Follow on SoMe