Category filter

How to enroll Windows devices using provisioning package files?

What is a Windows provisioning package (ppkg)?

Windows provisioning is the best way to configure end-user devices without imaging. Using Windows provisioning, administrators can quickly and seamlessly set up the configurations and settings required for the enrollment process, and deploy the configurations to bulk devices.

A provisioning package file (.ppkg) is a container for a collection of configuration settings. It can be created using a Windows 10/11 device, which can later be used for the bulk enrollment of Windows devices without any user intervention.

Benefits of enrolling devices using a provisioning package

  • One-time setup – It is a one-time setup where end-users have to power on the device, get connected to the network and install the ppkg file to enroll in Hexnode UEM.
  • Bulk enrollment of devices – It allows large-scale roll-out of corporate-owned devices.
Note:

  • The Execute Custom Script action and Remote View & Control functionality are supported only on devices enrolled via the Hexnode installer as they require the latest version of the Hexnode UEM app to be installed on them.

Before you begin

Ensure you have configured the enrollment settings under Enroll > Platform-Specific > Windows > Windows PCs & Tablets on the Hexnode portal.

Create a ppkg file using Windows Configuration Designer

Create a Project

  1. Download and Install Windows Configuration Designer on a Windows 10/11 device.
  2. Open Windows Configuration Designer.
  3. Click on File and choose New project.
  4. Provide the project details.
    • Name: Provide a suitable name to identify the project.
    • Project folder: Choose the destination path for the file to be saved.
    • Description: Provide a suitable description regarding the package.
  5. Select project workflow as Provisioning package and click on Next.
  6. Choose the type of Windows edition and click on Next.
  7. You can import an existing provisional package to your project or click on Finish to create your project.

Customize the provisioning package

Once the project is created, you can select the desired customizations from Available customizations.

  1. Expand Runtime settings and choose Workplace.
  2. Click on Enrollments.
  3. Provide your User Principal Name (UPN) and click on Add.
  4. Note:

    • The UPN acts as a unique identifier for the user during the device enrollment process.
    • You can also provide a UPN with a username different from the one you selected previously on the Hexnode enrollment settings. However, for authenticated enrollments, the enrollment will proceed under the username specified in the UPN.
    • For bulk enrollment, this must be a service account that is allowed to enroll multiple users, such as “enroll@mydomain.com”.

  5. On the left navigation page, click on the UPN and provide the following details for the enrollment process.
    • AuthPolicy: Select On-Premise.
    • DiscoveryServiceFullUrl: Provide the complete URL for the discovery service (https://yourportal.hexnodemdm.com/enroll/).
    • EnrollmentServiceFullUrl: Provide the complete URL here (https://yourportal.hexnodemdm.com/windowsenroll/).
    • PolicyServiceFullUrl: Provide the complete URL here (https://yourportal.hexnodemdm.com/windowsenroll/).
    • Secret: Provide the secret key for the Windows enrollment here.
      • For Open Enrollment, you can get the secret key from your Hexnode UEM console by going to Enroll > Settings > Authentication Modes > Open Enrollment. Click on the unhide icon to view and note the Default Password.
      • For Authenticated Enrollment, the password of the corresponding user should be provided as the secret key.
  6. Save the project once you add all the settings (File > Save).

    Note:


    For Authenticated Enrollment, PPKG enrollment is not supported for Google Workspace and Okta users.


Build the provisioning package

Once you have customized the provisioning package,

  1. Click on Export and select Provisioning package.
  2. Provide the following details and click on Next.
    • Name: This field will be pre-filled with the Project Name. However, you can change this name to a required one.
    • Version (in Major.Minor format): This field represents the default package version. You can change the current version by specifying a new value. (Optional)
    • Owner: Choose the package owner type here.
    • Rank (between 0-99): Choose a package rank between 0-99. The default rank is 0.
  3. You can select the required security type if the package contains sensitive data that cannot be compromised.
    • Encrypt package: Select the option to encrypt the package. An encryption password will have to be provided.
    • Sign package: If you are signing the package, you must provide a valid certificate.
  4. Provide the destination path to save the package and click on Next.
  5. Click on Build to build the package.
  6. If your build is successful, the package name, along with the project and output locations will be displayed.
  7. Click on Finish.

Apply the provisioning package to the devices

Once the ppkg file is created, you can use this file to enroll Windows devices without any user intervention.

  1. On a Windows PC/Tablet, navigate to Settings > Accounts > Access work or school > Add or remove a provisioning package and click on Add a package.
  2. From the removable media that contains the ppkg file, select the package to install.
  3. The device gets enrolled in Hexnode UEM.
Note:

  • ppkg file can be shared by any means, and you need to click on the file to install, and the device gets enrolled in Hexnode UEM.
  • To automatically install the Hexnode agent app on devices enrolled through PPKG enrollment, make sure to enable the “Install Hexnode Service App Silently on Windows Devices” option in the Hexnode App Updates section under Admin > General Settings before enrollment. The installation process will begin automatically after 5 minutes.

    Enable the 'Install Hexnode Service App Silently on Windows devices' option to automatically install the Hexnode agent on devices enrolled in Hexnode without the Hexnode agent app

  • If you haven’t enabled the “Install Hexnode Service App Silently on Windows Devices” option during enrollment, you can still manually trigger the installation of the Hexnode agent app by clicking the refresh button next to the Hexnode Service (Agent) App status in the Enrollment Details section of the Device Summary for that Windows device from the Hexnode UEM console.

    Refresh button on the Device Summary page to initiate the installation of the Hexnode agent app


Note:


You can verify the enrollment process by navigating to Settings > Accounts > Access work or school > Add or remove a provisioning package. The provisional package will be listed here.

  • Enrolling Devices
  • Managing Windows Devices