Windows Autopilot is pretty great… when it works. But the last few months there has been more issues with the Windows Autopilot service than I have fingers to count with, so here is a post on setting up a backup plan for enrolling devices automatically into Intune during deployment, without Autopilot.
The Plan
The Autopilot backup plan is fairly straightforward:
- Create a provisioning package that contains a bulk enrollment token for Intune
- Modify your deployment task sequence to stage the provisioning package during imaging
Creating a Provisioning Package for Bulk Enrollment
Creating a provisioning package for bulk enrollment can be done either by using the Windows Configuration Designer (part of Windows ADK, and also available on the Microsoft store), or via the AADInternals PowerShell module written by Dr. Nestori Syynimaa (@DrAzureAD).
Note: Provisioning Packages for bulk enrollment can also be created in the ConfigMgr console, which is really just using the Windows Configuration Designer behind the scenes when exporting an enrollment profile to an enrollment package.
Anyway, here is an excellent post from Michael Niehaus (@mniehaus) that covers both scenarios, plus some extra tips around automation:
Automatically join devices to Azure AD
https://oofhours.com/2022/03/04/automatically-join-devices-to-azure-ad/
Note: I have also added some additional great reading in the end of this blog post, see the "Additional Resources" section.
Adding the Provisioning Package to your Task Sequence
In this section you find instructions on how to add a bulk enrollment package to a task sequence in both ConfigMgr and MDT Lite Touch. Let's start with ConfigMgr.
Add the Enrollment Package to a ConfigMgr Task Sequence
First, create a ConfigMgr package without a program, holding the content of the bulk enrollment package. Then download the StageEnrollmentPackage_CM.ps1 script, add that to the package, and distribute the package to your distribution points. In my example I named the package AAD Bulk Enrollment – Expire 06032022.
Second, edit your task sequence, and after the built-in Apply Network Settings action, add a Run PowerShell Script action with the following settings:
Name: Stage Enrollment Package
Select a package with a PowerShell script: <your previously created enrollment package>
Script name: StageEnrollmentPackage_CM.ps1
PowerShell execution policy: Bypass
Add the Enrollment Package to an MDT Lite Touch Task Sequence
In your MDT deployment share, create a folder named ProvisioningPackages, and copy your bulk enrollment package folder to the ProvisioningPackages folder. In my example, the folder for my enrollment package was named BulkEnrollment-Expire06032022.
Add a new custom variable to your CustomSettings.ini file named EnrollmentPackage, and set the variable to the path of your provisioning package. For example:
[Settings]
Priority=Default
Properties=EnrollmentPackage
[Default]
EnrollmentPackage=%DeployRoot%\ProvisioningPackages\BulkEnrollment-Expire06032022\BulkEnrollment-Expire06032022.ppkgDownload the StageEnrollmentPackage_MDT.ps1 from GitHub, and copy it to the scripts folder in your deployment share. In my example my deployment share path is E:\MDTProduction.
Edit your Windows 10 or Windows 11 task sequence, and in the Postinstall node, add a Run Command Line action with the following settings
Name: Stage Enrollment Package
Command Line: PowerShell.exe -ExecutionPolicy Bypass -File "%SCRIPTROOT%\StageEnrollmentPackage_MDT.ps1"
When deploying the MDT Lite Touch Task Sequence, make sure to configure your CustomSettings.ini to join the machine into a workgroup, or prompt for Domain/Workgroup during deployment.
Additional Resources
Bulk enrollment for Windows 10 devices – By Peter van der Woude
https://www.petervanderwoude.nl/post/bulk-enrollment-for-windows-10-devices/
Bulk enrollment for Windows devices – Microsoft Docs
https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-bulk-enroll
BPRT unleashed: Joining multiple devices to Azure AD and Intune – By Dr. Nestori Syynimaa
https://o365blog.com/post/bprt/