Resolve Azure AD Bulk Token Retrieval Error in Windows Configuration Designer for Surface Hub
The Surface Hub can be Azure AD joined during the out-of-box experience (OOBE) using a provisioning package. This method allows any user to enroll the device into Azure AD without entering administrative credentials, as the provisioning package contains the bulk token used to enroll. Provisioning packages are created using the Windows Configuration Designer and the built-in Surface Hub wizard.
When configuring the provisioning package, an IT administrator may encounter an error when retrieving the bulk token used for the Azure AD join. Here are a couple of examples of common errors:
- Bulk token retrieval failed – The maximum limit for the number of allowed bulk Azure AD join tokens has been reached.
- Error: need user interaction to continue. -2146233088
Maximum limit for the number of allowed bulk Azure AD join tokens has been reached
If you experience this error, verify that the user has not reached the maximum number of devices they are allowed to join to Azure AD.
In the Azure AD portal, navigate to Devices > Device settings > Maximum number of devices per user. This number may need to be increased.
If you are still experiencing this error after verifying the user isn’t hitting the device limit, follow the workaround below to retrieve the token using the Provision desktop devices wizard.
Provision desktop devices wizard workaround
If you experience an error retrieving the bulk token using the Surface Hub wizard, follow the workaround steps below to retrieve the token using the Provision desktop devices wizard.
1. Keep the Surface Hub wizard open, select Start page at the top, and then select Provision desktop devices.
2. After naming the new project, select Account management > Enroll in Azure AD. Toggle Refresh AAD credentials to Yes and select Get Bulk Token. This should open a new window allowing the administrator to enter their credentials to retrieve the bulk token. This should successfully retrieve the bulk token.
3. Navigate back to the Surface Hub wizard and select Get Bulk Token, which should now work.
Proceed with adding any additional OOBE-capable configurations, such as installing certificates, network profiles, proxy settings, etc.