This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 76%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
Hi everybody,
we want to use the bulk enrollment option during OOBE (using a provisioning package - PPKG) as described by Microsoft in the following link for Windows 10 (1909+): https://learn.microsoft.com/en-us/mem/intune/enrollment/windows-bulk-enroll
AAD Join works correctly, but the AutoEnrollment into Intune doesn't.
The AutoEnrollment will only work if the "MDM user scope" is set to "ALL". But we want to set the "MDM user scope" to "Some". We set it to "Some" and defined a AAD group (e.g. Intune_MDM_AutoEnrollment) and added the users to this group. But this won't help as the user does not initiate the enrollment process into Intune.
Even if we add the user "package_..." - which was created during the creation of the provisioning package (see link above) - to the AAD group the enrollment won't work.
Is there any chance to get this working without setting the MDM user scope to All?
(Why we don't want to set it to "ALL"? Not all users should have the option to enroll devices into Intune as Intune should be used in a single location at the moment).
Thanks in advance.
Regards,
Phil
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 66%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENH%3C/text%3E%3C/svg%3E)
Out of interest, what was the reason for wanting to use that method rather than Autopilot to do the enrollment?
Because we only have a few clients (about 20) that should be enrolled into Azure AD and Intune at the moment. As this method is documented by Microsoft we thought this way should work.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(115.19999999999999, 98%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
The devices enrolled by bulk enrollment are not associated with any user accounts. To meet your requirements, you can just use automatic enrollment instead of bulk enrollment.
During OOBE, you don't need to deploy the provision package, instead, you just enter the Azure AD user accounts during the stage for sign in with Microsoft(Please see the screenshot). This can join in Azure AD and enroll in Intune automatically.
Plus, before the enrollment, please make sure the user accounts have been assigned the Intune license, and added in the AAD user group. The AAD user group should be added in the "MDM user scope".
Update
======
If you need to grant only standard user privileges to the AAD user accounts, and use the %SERIAL% macro for the computer name, you can enroll the devices with Windows AutoPilot. For more details, please click the following link.
https://learn.microsoft.com/en-us/mem/autopilot/enrollment-autopilot
Just for reference, you can view the profile settings for Autopilot in Intune as below.
If the response is helpful, please click "Accept Answer" and upvote it.
Thanks for your reply and your ideas.
Yes, we also tried this way and it is working with Azure AD Join and Intune Enrollment. But there are two points for which we didn't find a solution with this way:
1.) How can we set the correct computername? (%serial% should be used)
2.) Is there a way that the normal user for the device won't be a local admin? (we can enroll the 20 devices with an admin user, but therefore the assignment for the user won't be set correctly)
If we find a solution for these two topics than this way would be easier than the provisioning profile.
AutoPilot enrollment can meet the two requirements. Please see the screenshot about profile settings as below.
For more details about how to enroll devices with Autopilot, please click the following link.
https://learn.microsoft.com/en-us/mem/autopilot/enrollment-autopilot
The only way to use AutoPilot is the "Get-WindowsAutoPilotInfo.ps1" script if the data is not delivered or imported by the OEM - or is there another option to import the clients into Intune?
If you don't have the devices already registered to Autopilot, you can use Autopilot for existing devices where it has the Autopilot profile saved to a JSON file. You can create an image like this for example https://powers-hell.com/2020/05/04/create-a-bootable-windows-10-autopilot-device-with-powershell/ or read the official docs https://learn.microsoft.com/en-us/mem/autopilot/existing-devices
You can convert the previous enrolled devices to Autopilot. This method doesn't use the script, and is best for already enrolled devices in Intune.
Please view the following statement for more info.
If you want all devices in the assigned groups to automatically convert to Autopilot, set Convert all targeted devices to Autopilot to Yes. All corporate owned, non-Autopilot devices in assigned groups will register with the Autopilot deployment service. Personally owned devices will not be converted to Autopilot. Allow 48 hours for the registration to be processed. When the device is unenrolled and reset, Autopilot will enroll it. After a device is registered in this way, disabling this option or removing the profile assignment won't remove the device from the Autopilot deployment service. You must instead remove the device directly.
