How to enroll Microsoft teams rooms devices into Intune

How to enroll Microsoft teams rooms devices into Intune


I recently was tasked to enroll Microsoft teams rooms device into Intune as the customer needed compliance policy to allow the device to communicate to cloud service. There are plenty of good resources on the internet how to get started, how and what to do. However, I stumbled across lack of information in the area of creating a bulk token with the Windows Configuration Designer. First, I created the bulk token in my test tenant to see, what it did and to find out exactly what permission was needed. After that I went on to the customer environment and got a funny error message.

Once we tried to get the bulk token we saw it failing and to begin with didn’t really know why, but after some troubleshooting we found the missing piece.

This blog post can be your missing piece of the puzzle. Read along.

Managing Microsoft Teams Rooms with Intune - Microsoft Tech Community

Picture source:



  • Windows Configuration Designer (Download it from the store)
  • Azure AD permission to create Enterprise App registration
  • Setting in Azure AD “Users may join devices to Azure AD” = “All”


How to get started

I strongly recommend reading this fine piece of information from Lothar Zeitler – Senior Program Manager

Also this guide on WCD


In high level what you need is to create an Azure AD group with a dynamic rule. The dynamic rule could be on the displayName but that would require that in the enrollment process that the device is named something that the rule will recognize. So how do we do that?

This is where Windows Configuration Designer (WCD) comes into the picture. As MTR devices does not support Autopilot, there are no real automated solution to make sure the device onboard and that it gets a naming standard we want.

Open the WCD and click “Provision desktop devices”



To have a naming standard to search for in our Azure AD group, lets make our device named MTR-%RAND:5%

I use 5 random characters to make sure we have enough possibilities for our meeting rooms.



As we will insert wired network to all MTR devices let’s not configure the Wi-Fi profile.



Choose Enroll in Azure AD and click on the “Get Bulk Token”



Here it is important that you use an account where you will be able to consent and say it is ok to create a new Enterprise Application and user in Azure AD. (Global Admin or Application Admin + user admin)




It will ask you to consent on behalf and what it will do is that it will create an Enterprise Application and create a user.



After 30 seconds you should see “Bulk Token Fetched Successfully”


Make sure to be aware that your token will expire 180 days later. Mark the date in your calendar so you will have no surprises


While fetching the bulk token I saw some different errors while provisioning this:

If you somehow canceled the process during the get bulk token you will experience this error code:

Bulk token retrieval failed

Error: UserCancel -2146233088



If you forgot to check whether Azure AD “Users may join devices to Azure AD” and it is NOT set to “all” then you will experience this error:

Bulk token retrieval failed

User not authorized


Now this error really does not make sense, and this was what we were experiencing. We went into the portal of Azure AD and changed the setting, and everything finally went smoothly.




Now we just need to verify that we got the Enterprise application and a user created:

In Azure AD – All Users we can verify the user “Package_”



And an Enterprise Application


Everything is good!


Continuing the WCD wizard: We won’t add any applications



No certificate


And on the last page we want to protect our provisioning package with a password. Why you ask?

Because there is no protection whatsoever, if you do not do that. If someone got hold of that provisioning package, they will be enabled to onboard devices to Azure AD joined state + Intune enrolled.



Press create when you are happy with the result.


Put the files on a USB to use the provisioning package on a physical device or if you want to test it with hyper-v, create an ISO file: (Very important to put the files into the root of either the USB or ISO.

Create an ISO file with PowerShell! (

$source_dir = “.Windows Imaging and Configuration Designer (WICD)MTR Provisioning package”

get-childitem “$source_dir” | New-ISOFile -path c:tempMyProvisioningPackage.iso


Once the file has been created it should look like this:



To test I have a new Windows 11 Enterprise in Out of box experience (OOBE)

I attach the ISO to the virtual device



Press Windows key 5 times



Insert the password to your provisioning package



Device will be enrolling into the tenant






And after a minute or so you will be able to logon to the device



If Windows Hello for business is configured tenant wide, you will be prompted to setup your pin while logging on to the device. You can prohibit that by deactivating it tenant wide.



Our naming standard applied as we liked it to:



And if we look into Azure AD



And in Intune

Our goal was to have a naming standard.

No primary user assigned to the device.

Compliance to make sure it can reach out to the cloud services.


Great success



Playing around with provisioning packages can be a great experience if you know how. I hope that this article helped you along on your journey towards using WCD and go straight to the reward – onboarding a device.

Happy testing!

Source: Bulk join a Windows device to Azure AD and Microsoft Endpoint Manager using a provisioning package – Microsoft Tech Community

Managing Microsoft Teams Rooms with Intune – Microsoft Tech Community

Table of Contents

Share this post
Search blog posts
Modern Workplace consultant and a Microsoft MVP in Enterprise Mobility.
Modern Workplace consultant and a Microsoft MVP in Windows and Devices for IT.

Infrastructure architect with focus on Modern Workplace and Microsoft 365 security.

Cloud & security specialist with focus on Microsoft backend products and cloud technologies.

Cloud & security specialist with focus on Microsoft 365.

Cloud & Security Specialist, with a passion for all things Cybersecurity

Cloud and infrastructure security specialist with background in networking.

Infrastructure architect with focus on design, implementation, migration and consolidation.

Infrastructure consultant with focus on cloud solutions in Office365 and Azure.

follow us in feedly

Follow on SoMe