Skip to main content
Matrix42 Self-Service Help Center

Windows 10/11 Bulk Enrollments with Empirum and Provisioning Packages

  1. Last updated
  2. Save as PDF

Classic to Modern Management

With the power of Matrix42 Unified Endpoint Management it's very easy to perform a bulk-migration from a traditional or classic management system, like Empirum, to new modern management scenarios with Silverback. As an outcome, devices will be co-managed by Empirum and Silverback with all positive effects for you and your endpoint devices.  By leveraging the bulk provisioning method via provisioning packages, it is very easy to enroll and configure multiple devices with a staging user. To use bulk provisioning, the Windows Configuration Designer tool from the Microsoft Store is used as this tool creates provisioning packages originally used to image and configure devices. As part of these provisioning packages, you can include Silverback configuration settings so that provisioned devices will be automatically enrolled into Silverback. This provisioning package will be distributed and executed on Empirum managed devices. Within this guide, we will create pending enrollments in Silverback, create a Provisioning Package and a Software Package that will be distributed to managed devices which should perform the enrollment to the modern device management layer with Matrix42 Silverback. 

Create Enrollments

The first step is to authorize a bulk enrollment user on whose name the devices will be integrated into the management system. This user can be named or classified in several ways, like a Service Account, a Staging User, a Device Enrollment Manager user and so. In our setup, we will call the used account as staging user and depending on your setup you can use either an existing local user account or create a new one or if you have Silverback connected to your LDAP, you can use an existing account from your LDAP, or simply create a new one for this special purpose. In this guide we will create a new local staging user, but for LDAP users you can skip the creation of the staging user. After that we will enable the Bulk Staging Mode. The Bulk Staging Mode ensures that the expiration date of the pending enrollment One Time Password will be set to unlimited when you create new pending enrollments for this user. If you intend to perform the bulk enrollment for all of your devices in a certain time frame, you can skip the Bulk Staging Mode Enablement and pre-define the One Time Password expiration at the Create a new Bulk Enrollment step. The finale steps are to create and upload a *.csv for the creation of multiple pending enrollments for the staging user. In case you want to enroll e.g. 50 devices, you will need to create 50 Lines with the staging user in the *.csv file and the *.csv file will be uploaded afterwards to generate these 50 pending enrollments for your 50 devices. 

Create your Staging User

  • Login as an Administrator into Silverback
  • Navigate to Users
  • Click New Device User
  • Enter as Username e.g. staging@imagoverum.com
  • Add the following information
    • First Name
    • Last Name
    • Email Address
    • Password
    • Confirm Password
  • Click Save

Enable Bulk Staging Mode

  • Navigate to Admin > Self Service > One Time Passwords
  • Enable Allow Multiple Pending Enrollments
  • Enable Activate Bulk Staging Mode
  • Enable Set OTP Expiration Date to unlimited
  • Add your Staging User, e.g staging@imagoverum.com
  • Press Save

Create a *.csv file 

  • Open any Text Editor, e.g. Notepad++
  • Enter in the first line your created username, e.g. staging@imagoverum.com
  • Copy the username and paste it in the next lines as often as much devices you want to enroll

Each Pending Enrollment will bind one license, so do not exceed your remaining Silverback licenses.

  • The following example shows a *.csv file that is for 5 devices

clipboard_e37b7aee16ae477b12d20007e6e4a5cc5.png

  • Save the file as *.csv, e.g. as bulkprovisionuser.csv

Create Bulk Enrollment

  • Navigate back to your Silverback Management Console
  • Navigate to Devices
  • Select Pending
  • Click Bulk Provision Users
  • Select Create New Bulk Provision
  • In case you have not enabled Bulk Staging Mode, define an OTP Expiry (h). The maximum value is 720 for one month validity

With Enabled Bulk Staging Mode, any entered value will be overwritten for the specific user.

  • Enable Define OTP
  • Enter a OTP, e.g. 4444

Keep your OTP in mind, as you will need this later on. 

  • Select Choose File and upload your previously created bulkprovisionuser.csv 
  • In case you are using an LDAP staging user, enter administrative LDAP credentials
  • In case you are using a local staging user, enter any other local user credentials
  • Press Submit
  • Click OK to confirm the new queued bulk enrollment
  • Wait until the process is completed
  • Depending on the amount of lines in the *.csv, the process may take a while, so you may want to proceed already with next steps in the meantime
  • When the process is finished, click Download and open the exported file 
  • Each Line should contain now the True value for success and the OTP 4444 

Create a provisioning package

To generate the needed provisioning package, you need to download the Windows Configuration Designer first. A provisioning package (*.ppkg) is a file for a collection of configuration settings. For Windows 10 and 11 devices, Administrator can create provisioning packages that let you quickly configure a device without the need of installing images. Additionally, provisioning packages can be used to enroll devices into a Mobile Device Management like Silverback and this is what we want to achieve, so we will download the Windows Configuration Designer and create a provisioning package, that will be used later on to enroll the devices into Silverback. The provsioning package will contain the username of the staging user, the previously created OTP and the URL to the Discovery Service of your Silverback server. 

Download Windows Configuration Designer 

  • Open on a Windows 10 device the Microsoft Store
  • Search for Windows Configuration Designer
  • Download and Install Windows Configuration Designer
  • Click Launch

Create Provisioning Package

  • Select Advanced provisioning
  • Enter a Name e.g, Matrix42 Co-Management
  • Enter a Description e.g, Provisioning Package for Modern Co-Management (optional)
  • Click Next
  • Select All Windows desktop editions and click next
  • Click Finish
  • Expand Runtime settings in the left pane
  • Left click Workplace
  • Click Add in the middle pane
  • Enter as UPN your created user, e.g. staging@imagoverum.com
  • Click Add
  • Double Click on the newly generated Enrollment under Existing Enrollments
  • Configure the Enrollment as following:
    • Change Auth Policy to OnPremise
    • Enter as DiscoveryServiceFullUrl your adjusted URL
    • https://silverback.imagoverum.com/EnrollmentServer/Discovery.svc
    • You find your Discovery URL under Settings Admin > General > Windows Enrollment Server. You need to add Discovery.svc at the end 
    • Enter as Secret your defined OTP, e.g. 4444
  • Click File and Save your project and confirm with OK
  • Click Export and select Provisioning Package
  • Provide a name Co-Management
  • Click Next (3x)
  • Click Build
  • Open your Output Location and click Finish

Create Installation Package

After the successful creation of the provisioning package, we will download a prepared Empirum package, that contains already a dummy provisioning package. We will unzip the package and replace the Co-Managed.ppkg with the previously created one and we will review the execution steps from the Setup.inf file. After that we will archive the package again, as we want to distribute the package with Empirum. 

Download Package

  • Download the following package: Matrix42_Co-Management.zip
  • Extract the package to a temporary folder: e.g. C:\temp\co-management\

Replace Provisioning Package

  • Navigate to C:\temp\co-management\{85A66475-D3CE-437C-8AF6-5DF2AE2206F9}\Data\Files
  • Replace the existing Co-Management.ppkg with your previously created provisioning package

Ensure that your created provisioning package is named as Co-Management.ppkg

Review Installation steps

  • Navigate to  C:\temp\co-management\{85A66475-D3CE-437C-8AF6-5DF2AE2206F9}\Data\Install
  • Open Setup.inf with any Text Editor, e.g. Notepad or Notepad++
  • Scroll down to the [Set:Product] section
  • Review the execution steps that will apply on your target machines: 
    • A new folder "C:\Co-Management" will be created and the Co-Management.ppkg will be copied to this folder
    • The Co-Management.ppkg will be installed via a hidden PowerShell cmd and will enroll the device silently
    • After successful installation a new folder C:\Co-Management\installed will be created, which indicates that the package is installed
    • After that another PowerShell cmd will be executed to write the output of the Get-ProvisioningPackage
    • The output folder is C:\Co-Management\get-provisioningpackage_log.txt
    • After that the C:\Co-Management\installed folder will be deleted
    • The next step is that the Co-Management.ppkg will be uninstalled as the device is already enrolled and the package is not needed anymore
    • The uninstallation process will be logged into C:\Co-Management\uninstall-provisioningpackage_log.txt
    • After that the Co-Management.ppkg will be deleted from the device and the C:\Co-Management folder will be set as hidden

Archive Package

After replacing the dummy package with your previously created one and after reviewing the installation steps perform the following:

  • Perform a righ-click on your {85A66475-D3CE-437C-8AF6-5DF2AE2206F9} folder
  • Select Send to 
  • Select Compressed (zipped) folder
  • Keep the Name as prefilled or adjust the name to e.g. Imagoverum Co-Management.zip

Upload Package

After you successfully replaced the Co-Management.ppkg inside the package, you are ready to upload the package either to Empirum or to the Unified User Experience. Uploading with Unified User Experience requires the configured File Upload Service Extension and when you distribute the package directly via Empirum, you will need to place and unzip the Imagoverum Co-Management.zip to a location which is accessible from your Empirum server.

With Unified User Experience

  • Login to your Unified User Experience
  • Navigate to Software Distribution
  • Select Software Packages
  • Click Add Package
  • Drag and drop your Imagoverum Co-Management.zip package
  • Click Upload Package
  • Wait until the upload process is finished and press close
  • Locate in the Software Packages view the Matrix42 Co-Management 1.0 package
  • Proceed with Assign and Distribute Package

With Empirum

  • Open your Matrix42 Management Console
  • Select Configuration
  • Select Software Management
  • Perform a right click on Registers
  • Select Import/Export
  • Click Import Package
  • Press Next
  • Select the location of your archived package
  • Press Next and ensure that Matrix42 Co-Management 1.0 is selected
  • Press Next and click finish
  • Locate the imported package under Registers > Matrix42 > Matrix42 Co-Management 1.0

Assign and Distribute Package

As well as with the uploading of the package, you can either use Empirum or the Unified User Experience to assign the package to your desired devices. We recommend to perform a test run with one or two devices, before you start your general roll-out. 

With Unified User Experience

  • Navigate to Endpoint Devices
  • Select at least one Windows 10 or Windows 11 device
  • Click Create Assignment
  • Enter a name of the Assignment, e.g. Windows Co-Management
  • Enter a Description (optional)
  • Change Status to Active
  • Click Devices
  • Review your selected devices
  • Click Objects
  • Click + and select Matrix42 Co-Management 1.0
  • Press Select
  • Click Summary and review your assigned devices and assigned objects
  • Press Save

With Empirum

  • Navigate to Administration
  • In the middle pane, right-click Assignment Groups
  • Click New Group
  • Enter a name and Description, e.g. Windows Co-Management
  • Press Finish
  • Drag and drop from the left pane your desired devices into the Co-Management group
  • Drag and drop from the right pane the Matrix42 Co-Management package
  • Right click your created Co-Management group
  • Select Activate
  • Press Next (2x) and Finish

Start and Review Enrollment

Depending on your configuration, the package will be installed when the agent the next time polls. Within this guide we will speed up the process and install the package manually for testing purposes. After that you can review the performed enrollment on the device or in the management consoles. 

Empirum Agent

  • Head over to your Windows 10 or Windows 11 device
  • Perform a double-click on your Empirum Agent icon
  • Locate the Matrix42 Co-Management 1.0 software package
  • Click on Matrix42 Co-Management 1.0 and press Install Program
  • During the installation, you can enable the hidden folders view in the Windows Explorer
  • The package will be downloaded to C:\EmpirumAgent\Packages\matrix42\Co-Management
  • The provisioning package execution can be review under C:\Co-Management
  • After installation and execution, navigate to Settings > Accounts > Access to Work or School
  • Locate the Connected to Silverback MDM information, click on it and press Info
  • You should see your applied profiles and the connection info with the device sync status

Unified User Experience

  • Navigate to Endpoint Devices
  • Locate your device and review the Management Type, it should be now shown as Co-Managed

Silverback

  • Login to your Silverback Management Console as an Administrator
  • Navigate to Devices
  • Locate your device