![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 82%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESW%3C/text%3E%3C/svg%3E)
Microsoft Security | Intune | Enrollment
Registering devices with Intune for management and policy enforcement
The error “Bulk token retrieval failed. The operation returned an empty response” typically occurs when tenant or client prerequisites for Windows Configuration Designer (WCD) bulk enrollment aren’t met.
Validate the following in order:
- Confirm Windows automatic enrollment is enabled
- In Intune/Microsoft Entra, ensure Windows automatic MDM enrollment is enabled and that this method is supported for the Windows version being enrolled.
- Reference: “Enable Windows automatic enrollment” is listed as a tenant requirement for bulk enrollment.
- Verify the Microsoft.Azure.SyncFabric service principal exists
- On a machine with Microsoft Graph PowerShell:
- Run:
Get-MgServicePrincipal -Filter "AppId eq '00000014-0000-0000-c000-000000000000'" - If no object is returned, create it:
New-MgServicePrincipal -AppId "00000014-0000-0000-c000-000000000000"
- Run:
- Without this service principal, WCD cannot retrieve the bulk enrollment token and will fail.
- On a machine with Microsoft Graph PowerShell:
- Use an account with the correct Microsoft Entra role
- The account used in WCD to get the bulk token must have one of these roles (and must not be scoped to an administrative unit):
- Cloud Device Administrator
- Intune Administrator
- Password Administrator
- The account used in WCD to get the bulk token must have one of these roles (and must not be scoped to an administrative unit):
- Ensure the account is in the MDM user scope
- The user account signing in from WCD must be included in the MDM user scope configured for Windows automatic enrollment.
- If the account is removed from a group tied to the MDM user scope, bulk enrollment stops working and token retrieval fails.
- Use supported authentication method in WCD
- When WCD prompts for Microsoft Entra credentials to get the bulk token, authenticate only with:
- Password, or
- Certificate-based authentication (CBA)
- Other methods (for example, MFA prompts enforced directly on that sign-in) are not supported by the app for this operation and can cause failures.
- On the “Stay signed in to all your apps” page, select “No, sign in to this app only” to avoid unintentionally enrolling the WCD authoring device itself.
- When WCD prompts for Microsoft Entra credentials to get the bulk token, authenticate only with:
- Check for TLS 1.2 and older Windows versions
- If WCD is running on Windows versions earlier than Windows 10, version 2004, ensure TLS 1.2 is enabled (especially if using bulk enrollment tokens). Missing TLS 1.2 support can cause Azure AD-related calls to fail.
- If the icd.log shows
AADSTS1002016about deprecated TLS versions, follow the guidance in “Enable TLS 1.2 on client or server operating systems.”
- Confirm WCD limitations and environment
- Only one instance of WCD can run at a time.
- If using older server SKUs or hardened environments, ensure required Internet Explorer / TLS settings are not blocking WCD’s sign-in flow.
After correcting the above, reopen Windows Configuration Designer, use the “Provision desktop devices” wizard, and try “Get Bulk Token” again.
References: