Posted in: Intune, Microsoft 365, Powershell Automation

UnAttended Azure AD Join

This is a blogpost about joining Windows 10 machines unattended to Azure AD with a provisioning package created with the Windows Configuration Designer. The enrollment is done with a token which is created by a service account which services the Azure AD Join.


Create a service account in Azure AD to create the bulk enrollment token. This can be a normal Azure AD account. No roles are required.

Download the Windows Configuration Designer

Creating the WCD Package

Launch the Windows Configuration Designer, this is mentoined in the prerequisites. This piece of the blogpost looks a lot like the Microsoft document but I have added some improvements. Furthermore, I have added this to my blog to make it complete. Otherwise I would only have the example of the unattended Azure AD join to show you.

Click on “Provision desktop devices”:

Name the project, choose a location and provide a description:

Set the device name:

In addition, here you could set the devices for shared use:

Optional: Set up a Network (I skipped this):

Select “Enroll in Azure AD”, choose a Bulk token Expiry date and click on “Get Buk Token”:

After you logged on to get the bulk token you get the need to accept this prompt:

Select sign in to this app only:

You can optionally add Applications and Certificates.

Last but not least, click on “Create”:

This is the output:

Please check the existence of all files. Now it is time to run the package in the example.

Example unattended Azure AD Join

This is an example to show you how to enroll a machine which is managed by a Remote Management tool but not domain joined.

I have created an Hyper VM with Windows 10 installed. I created a local useraccount to run the package for the unattended Azure AD Join. Furthermore, exclude the serviceaccount from Conditional Access since this is not supported at the time of writing.

I copied the package to VM to mimic the remote management tool that will do this for you.

Then I ran “dsregcmd /status” to check the current state of the machine:

Here you see the current state of the machine. The Azure AD Join is not available and the naming convention is not applied.

Run the following command to run the package:

Install-ProvisioningPackage -PackagePath "C:\temp\BulkEnrollment\BulkEnrollmentPackage.ppkg" -QuietInstall #use the PackagePath accordingly

Reboot -r -f -t 00

After you run the command this will show:

The machine boots again and you are logged in to Windows.

Run “dsregcmd /status” again:

The machine is now joined and the naming convention is applied.

In Endpoint manager the machine doesn’t have a primairy owner yet:

After that I logged on with my Intune test user. The Enrollment Status Page was shown:

The desktop of the user is shown and the user is able to use the device with their Intune account:


Nick Manganiello contacted me via LinkedIN with this. I helped with his AutoPilot deployment.
AutoPilot Tip & Tricks

Leave a Reply