This guide outlines the process of using Windows Configuration Designer to create a provisioning package that automates device enrollment in Microsoft Entra ID and Intune. This method is particularly effective for bulk deployments and scenarios where direct Azure AD join isn't practical. The guide covers both package creation and deployment methods, suitable for both new device setup (OOBE) and existing Windows installations.
Prerequisites
- Administrative access to Microsoft Entra ID (formerly Azure AD)
- Windows Configuration Designer installed from Microsoft Store
- Administrative access to the local Windows device
- Active internet connection
- USB drive (if applying via portable media)
Steps to Create a Provisioning Package
- Install Windows Configuration Designer (WCD) from the Microsoft Store if not already installed.
- Open Windows Configuration Designer.
- Select Provision desktop devices.
- Enter a name for your project and select a save location, then choose Finish.
- Under Set up device:
- (Required) Device name: enter a device name template for devices joining Entra. If you'd like to keep the existing name of the device, enter a placeholder here (for example "placeholder"); it will be removed later in the advanced editor.
- (Optional) Enter a product key if you'd like to apply an edition upgrade.
- Choose Next.
- Under Set up network:
- Turn off Set up network if you'd like to skip joining a wireless network automatically.
- Choose Next.
- Under Account Management:
- Choose Enroll in Azure AD.
- Set Refresh AAD credentials to Yes.
- Click Get Bulk Token.
- You will be prompted for tenant admin credentials.
NOTE: When you complete this step, a new user account will be created in the Entra ID tenant with a prefix of "package_". This will be the provisioning package service account bound to the original Entra join. This package will only remain valid for 180 days, but can be disabled prematurely by disabling or deleting the "package_" user in Entra.
- Click Next through the Account Management screen once you see "Bulk Token Fetched Successfully".
- Click Next through Add applications and Add certificates.
NOTE: Do not choose Create. Additional adjustment is necessary in the advanced editor.
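The "package_" account created by Get Bulk Token is a long-lived credential, so it is worth auditing. The following is an added example, not part of the original guide: it uses the Microsoft.Graph PowerShell module (assumed installed, with a user holding User.ReadWrite.All) to list every "package_" account, compute its age against the 180-day bulk-token lifetime stated above, and disable those that have expired.

```powershell
# Added example (not from the original guide): audit the "package_" bulk-token
# service accounts that Get Bulk Token creates in the Entra ID tenant.
# Assumes the Microsoft.Graph.Users module and a signed-in user with
# User.ReadWrite.All. Expired accounts are disabled; valid ones are only listed.
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "User.ReadWrite.All"

$maxAgeDays = 180   # bulk-token validity, per the note in this guide

# Bulk-token accounts are named package_<id>@<tenant>; filter on the UPN prefix.
$packageAccounts = Get-MgUser -Filter "startswith(userPrincipalName,'package_')" `
    -Property Id,UserPrincipalName,CreatedDateTime,AccountEnabled -All

foreach ($acct in $packageAccounts) {
    $ageDays = [int]((Get-Date) - $acct.CreatedDateTime).TotalDays
    $status = if (-not $acct.AccountEnabled) { 'disabled' }
              elseif ($ageDays -ge $maxAgeDays) { 'EXPIRED' }
              else { "valid, $($maxAgeDays - $ageDays) day(s) left" }

    Write-Host ("{0,-55} created {1:yyyy-MM-dd}  {2}" -f `
        $acct.UserPrincipalName, $acct.CreatedDateTime, $status)

    # An expired token's account has no further use; disable it so the
    # stale service credential cannot be signed in with at all.
    if ($acct.AccountEnabled -and $ageDays -ge $maxAgeDays) {
        Update-MgUser -UserId $acct.Id -AccountEnabled:$false
        Write-Host "  -> disabled $($acct.UserPrincipalName)"
    }
}
```

Accounts for packages you have retired early can be disabled the same way by passing their Id to Update-MgUser, as the note above describes.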
Adjust the Advanced package payload
Before choosing Create on the final screen, scroll to the bottom and choose Switch to advanced editor on the bottom left corner, then Yes to proceed.
To remove the device name "placeholder" and use the existing PC hostname:
- Expand Runtime settings on the right side of the page.
- Open DevDetail.
- Choose DNSComputerName.
- Choose Remove.
Disable SharedPC mode
By default, provisioning packages will not allow the "Last signed in user" to be displayed on the Windows Sign In screen. Disabling SharedPC in the configuration allows this experience.
- Expand Runtime settings on the LEFT, and choose SharedPC.
- Select EnableSharedPCMode, and choose FALSE.
Export the Provisioning Package
- From the Advanced editor, choose Export > Provisioning package.
- You will be prompted for a package name. Choose Next.
- Skip security details, unless signing is desired, and choose Next.
- Choose a save location for your new Provisioning package and choose Next, then Build.
Apply Package
There are multiple ways to deploy the Provisioning Package. Choose the best-suited method below. Source: Microsoft Learn.
During OOBE
- Add the provisioning package folder (exported in the previous step) to a USB thumb drive.
- Insert the USB drive into a new Windows 10/11 device at the Out-of-box experience (OOBE).
- If only one provisioning package exists on the USB drive, it will be automatically installed on the device.
After initial setup
- Insert the USB drive, then navigate to Settings > Accounts > Access work or school > Add or remove a provisioning package > Add a package.
- Select the provisioning package (.ppkg) that you want to apply, and select Add.
- Provisioning packages require administrator privileges as they can modify system policies and run scripts at the system level. Ensure you trust the package you're installing before accepting the UAC prompt. Select Yes.
- The provisioning runtime asks if the package is from a source you trust. Verify that you're applying the correct package and that it's trusted. Select Yes, add it.
Apply directly
To apply a provisioning package directly, such as from a USB drive, folder, network, or SharePoint site:
- Navigate to the provisioning package and double-click it to begin the installation.
- Provisioning packages require administrator privileges. Ensure you trust the package you're installing before accepting the UAC prompt. Select Yes.
- The provisioning runtime asks if the package is from a source you trust. Verify the package and select Yes, add it.
Run via Command Line or Scripting
If you'd prefer to apply the provisioning package using a Command Line instead of double-clicking it, the syntax as described in the DISM provisioning package docs is:
DISM.exe /Image=C:\ /Add-ProvisioningPackage /PackagePath:C:\BulkEnroll.ppkg
Alternatively, you can use the Install-ProvisioningPackage PowerShell cmdlet to perform a silent installation.
Verification
Once the Provisioning Package has been added, you can find the package under Settings > Access Work or School > Add or Remove a Provisioning Package.
Additionally, in the Access Work or School section, you will see the device has been connected to Entra ID using the "package_" service account.
Lastly, running the following command from a Terminal should result in an Entra-joined and Intune-enrolled status:
dsregcmd /status
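The scripted install mentioned under Run via Command Line or Scripting and the dsregcmd check above can be combined into one script. This is an added example, not part of the original guide: it assumes an elevated PowerShell session on the target device and a package path of C:\BulkEnroll.ppkg (an assumed location; replace it with your exported package).

```powershell
# Added example (not from the original guide): silently apply the exported
# .ppkg, then parse dsregcmd /status to confirm the join and enrollment state.
# Run elevated. $PackagePath is an assumed path; point it at your package.
param([string]$PackagePath = 'C:\BulkEnroll.ppkg')

if (-not (Test-Path -LiteralPath $PackagePath)) {
    throw "Provisioning package not found: $PackagePath"
}

# -QuietInstall suppresses the UI; -ForceInstall also skips the "trusted
# source" prompt, so use it only for a package you built and transported.
$logDir = Join-Path $env:TEMP 'ppkg-logs'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
Install-ProvisioningPackage -PackagePath $PackagePath -QuietInstall -ForceInstall `
    -LogsDirectoryPath $logDir

# The package should now appear in the installed list (same data as
# Settings > Access work or school > Add or remove a provisioning package).
Get-ProvisioningPackage -AllInstalledPackages | Format-List

# dsregcmd /status prints "Key : Value" lines; collect them into a hashtable.
$state = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*(\S[^:]*?)\s*:\s*(.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
}

$joined   = $state['AzureAdJoined'] -eq 'YES'
$enrolled = -not [string]::IsNullOrWhiteSpace($state['MdmUrl'])

Write-Host "AzureAdJoined : $($state['AzureAdJoined'])"
Write-Host "TenantName    : $($state['TenantName'])"
Write-Host "MdmUrl        : $($state['MdmUrl'])"

if (-not $joined)   { Write-Warning "Device is not Entra-joined; check the logs in $logDir." }
if (-not $enrolled) { Write-Warning 'No MdmUrl reported; Intune enrollment may still be pending.' }
```

If enrollment has not completed yet, re-run the dsregcmd section after a sign-in, since the guide notes that Intune enrollment finishes in the background.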
Next Steps
You can restart the PC, choose Other User on the Sign in page, and sign in with the Entra credentials of the desired user. Intune enrollment should have occurred in the background.
User profile migration might be desired in some cases. If so, please explore the offerings from forensit.com.