I recently was tasked to enroll Microsoft teams rooms device into Intune as the customer needed compliance policy to allow the device to communicate to cloud service. There are plenty of good resources on the internet how to get started, how and what to do. However, I stumbled across lack of information in the area of creating a bulk token with the Windows Configuration Designer. First, I created the bulk token in my test tenant to see, what it did and to find out exactly what permission was needed. After that I went on to the customer environment and got a funny error message.
Once we tried to get the bulk token we saw it failing and to begin with didn’t really know why, but after some troubleshooting we found the missing piece.
This blog post can be your missing piece of the puzzle. Read along.
- Windows Configuration Designer (Download it from the store)
- Azure AD permission to create Enterprise App registration
- Setting in Azure AD “Users may join devices to Azure AD” = “All”
How to get started
I strongly recommend reading this fine piece of information from Lothar Zeitler – Senior Program Manager
Also this guide on WCD
In high level what you need is to create an Azure AD group with a dynamic rule. The dynamic rule could be on the displayName but that would require that in the enrollment process that the device is named something that the rule will recognize. So how do we do that?
This is where Windows Configuration Designer (WCD) comes into the picture. As MTR devices does not support Autopilot, there are no real automated solution to make sure the device onboard and that it gets a naming standard we want.
Open the WCD and click “Provision desktop devices”
To have a naming standard to search for in our Azure AD group, lets make our device named MTR-%RAND:5%
I use 5 random characters to make sure we have enough possibilities for our meeting rooms.
As we will insert wired network to all MTR devices let’s not configure the Wi-Fi profile.
Choose Enroll in Azure AD and click on the “Get Bulk Token”
Here it is important that you use an account where you will be able to consent and say it is ok to create a new Enterprise Application and user in Azure AD. (Global Admin or Application Admin + user admin)
It will ask you to consent on behalf and what it will do is that it will create an Enterprise Application and create a user.
After 30 seconds you should see “Bulk Token Fetched Successfully”
Make sure to be aware that your token will expire 180 days later. Mark the date in your calendar so you will have no surprises
While fetching the bulk token I saw some different errors while provisioning this:
If you somehow canceled the process during the get bulk token you will experience this error code:
Bulk token retrieval failed
Error: UserCancel -2146233088
If you forgot to check whether Azure AD “Users may join devices to Azure AD” and it is NOT set to “all” then you will experience this error:
Bulk token retrieval failed
User not authorized
Now this error really does not make sense, and this was what we were experiencing. We went into the portal of Azure AD and changed the setting, and everything finally went smoothly.
Now we just need to verify that we got the Enterprise application and a user created:
In Azure AD – All Users we can verify the user “Package_”
And an Enterprise Application
Everything is good!
Continuing the WCD wizard: We won’t add any applications
And on the last page we want to protect our provisioning package with a password. Why you ask?
Because there is no protection whatsoever, if you do not do that. If someone got hold of that provisioning package, they will be enabled to onboard devices to Azure AD joined state + Intune enrolled.
Press create when you are happy with the result.
Put the files on a USB to use the provisioning package on a physical device or if you want to test it with hyper-v, create an ISO file: (Very important to put the files into the root of either the USB or ISO.
$source_dir = “.Windows Imaging and Configuration Designer (WICD)MTR Provisioning package”
get-childitem “$source_dir” | New-ISOFile -path c:tempMyProvisioningPackage.iso
Once the file has been created it should look like this:
To test I have a new Windows 11 Enterprise in Out of box experience (OOBE)
I attach the ISO to the virtual device
Press Windows key 5 times
Insert the password to your provisioning package
Device will be enrolling into the tenant
And after a minute or so you will be able to logon to the device
If Windows Hello for business is configured tenant wide, you will be prompted to setup your pin while logging on to the device. You can prohibit that by deactivating it tenant wide.
Our naming standard applied as we liked it to:
And if we look into Azure AD
And in Intune
Our goal was to have a naming standard.
No primary user assigned to the device.
Compliance to make sure it can reach out to the cloud services.
Playing around with provisioning packages can be a great experience if you know how. I hope that this article helped you along on your journey towards using WCD and go straight to the reward – onboarding a device.