Edit

Bulk enrollment using Windows Configuration Designer

Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. You can use the Provisioning CSP for bulk enrollment, except for the Microsoft Entra join enrollment scenario.

Typical use cases

  • Set up devices in bulk for large organizations for MDM management.
  • Set up kiosks, such as ATMs or point-of-sale (POS) terminals.
  • Set up school computers.
  • Set up industrial machinery.
  • Set handheld POS devices.

On the desktop, you can create an Active Directory account, such as enrollment@contoso.com and give it only the ability to join the domain. Once the desktop is joined with that admin account, then standard users in the domain can sign in to use it. This account is especially useful in getting a large number of desktop ready to use within a domain.

On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as enroll@contoso.com and enrollmentpassword. These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them.

Note

  • Bulk-join is not supported in Microsoft Entra join.
  • Bulk enrollment does not work in Intune standalone environment.
  • Bulk enrollment works in Microsoft Intune where the ppkg is generated from the Configuration Manager console.
  • To change bulk enrollment settings, login to Microsoft Entra ID, then Devices, and then click Device Settings. Change the number under Maximum number of devices per user.
  • Bulk Token creation is not supported with federated accounts.

What you need

  • Windows devices.

  • Windows Configuration Designer (WCD) tool.

    To get the WCD tool, download from the Microsoft Store. For more information about the WCD tool, see Windows Configuration Designer and Getting started with Windows WCD.

  • Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.).

  • Wi-Fi credentials, computer name scheme, and anything else required by your organization.

    Some organizations require custom APNs to be provisioned before talking to the enrollment endpoint or custom VPN to join a domain.

Create and apply a provisioning package for on-premises authentication

Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.

  1. Open the WCD tool.

  2. Select Advanced Provisioning.

    icd start page.

  3. Enter a project name and select Next.

  4. Select All Windows editions, since Provisioning CSP is common to all Windows editions, then select Next.

  5. Skip Import a provisioning package (optional) and select Finish.

  6. Expand Runtime settings > Workplace.

  7. Select Enrollments, enter a value in UPN, and then select Add. The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as enrollment@contoso.com.

  8. On the left navigation pane, expand the UPN and then enter the information for the rest of the settings for enrollment process. Here's the list of available settings:

    • AuthPolicy - Select OnPremise.
    • DiscoveryServiceFullUrl - specify the full URL for the discovery service.
    • EnrollmentServiceFullUrl - Optional and in most cases, it should be left blank.
    • PolicyServiceFullUrl - Optional and in most cases, it should be left blank.
    • Secret - Password

    For detailed descriptions of these settings, see Provisioning CSP. Here's the screenshot of the WCD at this point.

    bulk enrollment screenshot.

  9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (for example, Runtime settings > ConnectivityProfiles > WLANSetting).

  10. When you're done adding all the settings, on the File menu, select Save.

  11. On the main menu, select Export > Provisioning package.

    icd menu for export.

  12. Enter the values for your package and specify the package output location.

    enter package information. enter additional information for package information. specify file location.

  13. Select Build.

    icb build window.

  14. Apply the package to some test devices and verify that they work. For more information, see Apply a provisioning package.

  15. Apply the package to your devices.

Create and apply a provisioning package for certificate authentication

Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.

  1. Open the WCD tool.

  2. Select Advanced Provisioning.

  3. Enter a project name and select Next.

  4. Select Common to all Windows editions, since Provisioning CSP is common to all Windows editions.

  5. Skip Import a provisioning package (optional) and select Finish.

  6. Specify the certificate:

    1. Go to Runtime settings > Certificates > ClientCertificates.
    2. Enter a CertificateName and then select Add.
    3. Enter the CertificatePassword.
    4. For CertificatePath, browse and select the certificate to be used.
    5. Set ExportCertificate to False.
    6. For KeyLocation, select Software only.

    icd certificates section.

  7. Specify the workplace settings.

    1. Got to Workplace > Enrollments.
    2. Enter the UPN for the enrollment and then select Add. The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as enrollment@contoso.com.
    3. On the left column, expand the UPN and then enter the information for the rest of the settings for enrollment process. Here's the list of available settings:
      • AuthPolicy - Select Certificate.
      • DiscoveryServiceFullUrl - specify the full URL for the discovery service.
      • EnrollmentServiceFullUrl - Optional and in most cases, it should be left blank.
      • PolicyServiceFullUrl - Optional and in most cases, it should be left blank.
      • Secret - the certificate thumbprint.

    For detailed descriptions of these settings, see Provisioning CSP.

  8. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (for example, Runtime settings > ConnectivityProfiles > WLANSetting).

  9. When you're done adding all the settings, on the File menu, select Save.

  10. Export and build the package (steps 10-13 in previous section).

  11. Apply the package to some test devices and verify that they work. For more information, see Apply a provisioning package.

  12. Apply the package to your devices.

Apply a provisioning package

Validate that the provisioning package was applied

  1. Go to Settings > Accounts > Access work or school.
  2. Select Add or remove a provisioning package. You should see your package listed.

Retry logic if there's a failure

  • If the provisioning engine receives a failure from a CSP, it retries provisioning three times in a row.
  • If all immediate attempts fail, a delayed task is launched to try provisioning again later. It will retry four times at a decaying rate of 15 minutes -> 1 hr -> 4 hr -> "Next System Start". These attempts are run from the SYSTEM context.
  • It also retries the provisioning each time it's launched, if started from somewhere else as well.
  • In addition, provisioning will be restarted in the SYSTEM context after a sign in and the system has been idle.