Intune Enrollment using a Provisioning Package

Zehadi Alam

Introduction


Applying a provisioning package to a Windows device is a convenient way to enroll devices into Intune within minutes. A provisioning package is a file with a .ppkg extension that applies a collection of specified settings to a target computer when it is installed. It is created with Windows Configuration Designer, an app available from the Microsoft Store. The following section demonstrates the process of creating a provisioning package with the settings required for joining a device to Entra ID and enrolling it with Intune.

Procedure


1. Install Windows Configuration Designer from the Microsoft Store. Launch the application and choose Provision desktop devices.


2. Enter project details and click Finish.

3. For the Set up device step, enter the device name. Variables can be used as placeholders to dynamically populate values during the device provisioning process. By using variables, you can create provisioning packages that are flexible and can be used to provision many devices with unique configurations. The remaining settings are optional. Click Next to continue.

4. The options for configuring the network will not be relevant to the University of Georgia. The available network types are Open and WPA2-Personal. This setting can be disabled. If enabled but left unconfigured, this step will be considered incomplete. Click Next to continue.

5. Under Account Management, select the Enroll in Azure AD option. Next, select Get Bulk Token. You will be prompted to sign in to your work or school account the first time you perform this operation. Use your cloud Z-Account to log in.

Note: If you have used the Windows Configuration Designer before, enable the Refresh AAD credentials option before clicking on Get Bulk Token.

Note: Before completing this step, make sure the Azure security group for your Intune administrators is included in the MDM user scope. Submit an Intune support request to EITS for them to complete this. A provisioning package created with an account that is not in the MDM user scope will not enroll a device into Intune.

If prompted with the following window, uncheck Allow my organization to manage my device and select No, this app only.

Ensure that Bulk Token Fetched successfully is indicated. Click Next to continue.

Note: Bulk enrollment tokens expire after a maximum of 180 days. A new provisioning package must be created afterward. The token is embedded in the package itself, so until it expires anyone who obtains the .ppkg file can join devices to the tenant with it; store and distribute the file as you would a credential.

6. Under Add Applications, applications can be added to be automatically installed during the device provisioning process. This option can be useful if a unit does not maintain a custom Windows image with software already included. Click Next to continue.

7. Under Add certificates, certificates (e.g., Root certification authority, client certificates, VPN certificates, etc.) can be added depending on the needs of the IT unit. Click Next to continue.

8. Review the summary of the provisioning package. Do not click create at this stage. Instead, click on the Switch to advanced editor at the bottom-left.

9. In the advanced editor, search for and select PreferredAadTenantDomainName in the Available customizations panel. Type in uga.edu for that option. This setting allows users to omit the suffix of their user principal name (UPN) in the username field (for example, if their UPN is myid@uga.edu, they only need to type myid in the username field). If there are additional customization options that are relevant to your unit, configure them in this editor with the appropriate values.


Tip: The advanced editor is also a useful way of excluding settings that were required in the basic editor. For instance, the basic editor mandates the specification of a device name, which can cause issues when a provisioning package is used to enroll an existing device in Azure AD, as it will rename the device during the provisioning process. To overcome this, search for DNSComputerName in the Available customizations panel to view the computer name value that will be set by the provisioning package. To remove this setting from the provisioning process, navigate to the Selected customizations section in the right panel, select DNSComputerName, and click Remove at the top.

10. When all configurations are complete, export the provisioning package.

11. Enter the relevant information and click Next.

12. Configure any security details for the provisioning package (encrypting the package with a password and signing it with a certificate) and click Next. Because the package carries the bulk enrollment token, enabling these options is recommended whenever the file will be stored on removable media or shared with other technicians.

13. Save the provisioning package to your preferred location and click Next.

14. Click Build.

15. Click Finish and navigate to the directory where the provisioning package is saved.


The provisioning package is the .ppkg file. This file can be transferred to a removable storage device and used during the device's out-of-box experience, or applied to an existing device by copying it to the desktop and double-clicking it.

16. Upon double-clicking the provisioning package file, the following message will be displayed if your package is unsigned (Windows cannot verify who built it, so it asks whether the package comes from a source you trust). To proceed with the installation of the package, select Yes, add it. After about a minute, a restart will be initiated.

17. Upon reaching the login screen, sign back into the local account, wait several seconds, and then sign out. The option to sign in as Other user should then be visible at the bottom-left of the lock screen. Selecting that option will allow for a user to sign in with their UGA credentials.
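The steps above apply the package by double-clicking it. The following is an added example, not part of the original article, showing how a technician can apply the same package from an elevated PowerShell session and then confirm that the device actually joined Entra ID and enrolled in Intune. It uses the built-in Provisioning module cmdlets, dsregcmd, and the Enrollments registry key. The package path C:\Temp\UGA-Intune.ppkg and the log directory C:\Temp\ppkg-logs are assumptions for illustration; substitute your own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Apply a provisioning package
# from PowerShell and verify Entra ID join / Intune enrollment afterwards.
# Assumed, hypothetical paths: adjust $PackagePath and $LogDir as needed.
param(
    [string]$PackagePath = 'C:\Temp\UGA-Intune.ppkg',
    [string]$LogDir      = 'C:\Temp\ppkg-logs',
    [switch]$Verify                  # run after the reboot to check the result
)

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines; collect them in a hashtable.
    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Get-IntuneEnrollment {
    # Intune enrollment is recorded under HKLM\SOFTWARE\Microsoft\Enrollments
    # as a subkey with ProviderID "MS DM Server" and EnrollmentState 1.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' -and $_.EnrollmentState -eq 1 } |
        Select-Object -First 1
}

if ($Verify) {
    $status = Get-DsregStatus
    "AzureAdJoined : $($status['AzureAdJoined'])"
    "TenantName    : $($status['TenantName'])"
    "MdmUrl        : $($status['MdmUrl'])"
    $enrollment = Get-IntuneEnrollment
    if ($status['AzureAdJoined'] -eq 'YES' -and $enrollment) {
        "Intune enrollment found (UPN: $($enrollment.UPN))"
    } else {
        Write-Warning 'Device is joined but no Intune enrollment was found. Check that the account used for Get Bulk Token is in the MDM user scope and that the bulk token has not expired (180-day maximum).'
    }
    return
}

# Pre-flight: refuse to apply the package to a device that is already joined,
# since the package would attempt to rename and re-join it.
$before = Get-DsregStatus
if ($before['AzureAdJoined'] -eq 'YES') {
    Write-Warning "Device is already joined to $($before['TenantName']); not applying the package."
    return
}

if (-not (Test-Path -Path $PackagePath)) {
    throw "Provisioning package not found: $PackagePath"
}
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# -QuietInstall suppresses the "Is this package from a source you trust?" prompt,
# so only run this against a package you built or verified yourself.
Install-ProvisioningPackage -PackagePath $PackagePath -ForceInstall -QuietInstall -LogsDirectoryPath $LogDir

# List what is now installed; the package itself triggers the reboot.
Get-ProvisioningPackage -AllInstalledPackages | Format-List

"Package applied. After the device restarts, run this script again with -Verify."
```

Run the script once without parameters to apply the package, then again with -Verify after the restart. A device that shows AzureAdJoined : YES but no MS DM Server enrollment is the symptom described in the note under step 5 (the token was fetched by an account outside the MDM user scope) or of an expired bulk token.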
