Bulk enrollment for Windows 10 devices

My first post after my vacation will be about bulk enrollment for Windows 10 devices. Not bulk enrollment for on-premises enrollment, but bulk enrollment for cloud enrollment. In other words, Microsoft Intune is required. This blog post will contain a short introduction about bulk enrollment, the configuration of bulk enrollment and the end-user and administrator experience with bulk enrollment.

Introduction

Bulk enrollment is a more automated method for enrolling devices, as compared to normal end-user enrollment, which requires end-users to enter their credentials to enroll the device. Bulk enrollment uses an enrollment package to authenticate the device during enrollment. That enrollment package also contains a certificate profile and optionally a Wi-Fi profile.

At this moment bulk enrollment for Windows 10 devices is not supported, or does not work, in all scenarios. Keep the following in mind when thinking about bulk enrollment for Windows 10 devices:

  • Bulk enrollment does not support Azure AD join;
  • Bulk enrollment does not work with Microsoft Intune standalone;
  • Bulk enrollment does work with Microsoft Intune hybrid, where the enrollment package is generated via the Configuration Manager console.

Configuration

Now let’s have a look at the configuration. The configuration of an enrollment profile for bulk enrollment contains two main steps. The first step is to create the enrollment profile and the second step is to create the enrollment package.

Step 1: Create enrollment profile

The first step is to create an enrollment profile. This can be achieved by performing the steps below. Before starting with the steps below, make sure that a certificate profile for the root certificate is available, as it’s a requirement during the creation of the enrollment certificate.

1 In the Configuration Manager administration console, navigate to Assets and Compliance > Overview > All Corporate-owned Devices  > Windows > Enrollment Profile;
2 On the Home tab, click Create Enrollment Profile to open the Create Enrollment Profile wizard;
3

CEP_GeneralOn the General page, provide the following information and click Next;

  • Name: [Specify an unique name for the enrollment profile];
  • Description: [Specify details that help identifying the enrollment profile];
  • Select Cloud with Management Authority.
4

CEP_CertificateOn the Select Trusted Root Certificate page, select the required root certificate profile and click Next;

Note: The certificate profile is required during the creation of the enrollment profile.

5

CEP_WiFiOn the Select Wi-Fi profile page, optionally select a Wi-Fi profile and click Next;

Note: The Wi-Fi profile is optional during the creation of the enrollment profile. This can be useful when the device must be configured to connect to Internet first.

6 On the Summary page, click Next;
7 On the Completion page, click Close;

Step 2: Create enrollment package

The second step is to create the enrollment package. The enrollment package is the actual file that is used to bulk-enroll devices. This file is created via the Configuration Manager administration console and can eventually be opened with the Windows Image and Configuration Designer (ICD),. Within the Windows ICD the configuration can be verified. To create the enrollment package, perform the following steps.

1 In the Configuration Manager administration console, navigate to Assets and Compliance > Overview > All Corporate-owned Devices  > Windows > Enrollment Profile;
2 Select the just created enrollment profile and on the Home tab, click Export to open the Export Enrollment Package dialog box;
3

IEEPn the Export Enrollment Package dialog box, provide the following information and click OK;

  • Validity period (days): [Specify an unique name for the enrollment profile];
  • Package File: [Specify details that help identifying the enrollment profile];
  • Select Encrypt Package.
4

EEPEPIn the Export Enrollment Package Encryption Password dialog box, select Copy to copy the encryption password and click OK to close the dialog box;

Note: The encryption password will not be saved. Make sure to store the encryption password to keep the ability to use the enrollment package.

Experience

Now it’s time to look at the experience, from both the end-user perspective and the administrator perspective. Both experiences show interesting information, which makes it good to show as part of this blog post.

End-user experience

From the end-user experience it’s interesting to show the usage of the enrollment package. Just to show how easy it works. However, the enrollment package must be physically delivered to the device of the end-user. Once the end-user double-clicks the enrollment package, the end-user receives the standard User Account Control (UAC) message followed by the messages show below. The first message is only applicable once the enrollment package is encrypted and the second message is always applicable. The second message simply show what the enrollment package will adjust and asks if the enrollment package is from a trusted source.

ppgk_Password ppgk_Trust

Once the enrollment is successful the end-user can verify the two places shown below. The first place is Settings > Accounts > Access work or school, which will show that the device is connected to MDM. The second place is Settings > Accounts > Access work or school > Add or remove a provisioning package, which will show the added provisioning package.

EnrollmentProfile EnrollmentPackage

Administrator experience

From the administrator experience it’s interesting to look at, at least, the two places in the Configuration Manager administration console shown below. The first place is Assets and Compliance > Overview > All Corporate-owned Devices > Windows > Enrollment Profile, which will show the created enrollment profile including interesting details like Device Count. That device count relates to the number of devices that are enrolled via the enrollment profile. The second place is Assets and Compliance > Overview > Devices, which simply shows the devices in the environment. This is interesting as it will show that the Device Owner is set to Company for (bulk) enrolled devices.

CM_EnrollmentProfile CM_EnrollmentProfileDevice

More information

For more information about bulk enrollment for Windows 10, please refer to:

Share

Leave a Comment