How to Fix Bulk Token Retrieval Failed With Windows Configuration Designer (WCD)

Bulk Token Retrieval Failed in Windows Configuration Designer

Windows Configuration Designer is a tool used to create provisioning packages to easily configure devices running Windows client. Windows Configuration Designer is primarily used by IT departments for business and educational institutions who need to provision bring-your-own-device (BYOD) and business-supplied devices.

In this case, it was used to create a provisioning package containing a Bulk Primary Refresh Token (BPRT) for enrolling Windows clients to Intune, instead of doing it manually.

But the tool has its issues…The Microsoft Store version of the tool was installed, the credentials for the tenant were entered and authenticated, and then this error “The operation returned and empty response“.

The ICD.log file, located in C:\Users\Username\Documents\Windows Imaging and Configuration Designer (WICD), weren’t of much help, but gave a different description of the error, “AADSTS90092: Non-retryable error has occurred“.

1/24/2024 9:07:26 AM Error Bulk token retrieval failed: {“error”:”server_error”,”error_description”:”AADSTS90092: Non-retryable error has occurred. Trace ID: 8e044b95-346d-4a67-94c2-619a37fa7000 Correlation ID: becf39dc-51df-4030-a7ba-2e0ea9c4b2a2 Timestamp: 2024-01-24 02:07:27Z”,”error_codes”:[90092],”timestamp”:”2024-01-24 02:07:27Z”,”trace_id”:”8e044b95-346d-4a67-94c2-619a37fa7000″,”correlation_id”:”becf39dc-51df-4030-a7ba-2e0ea9c4b2a2″}

A quick internet search later, and the WCD from the Windows Assessment and Deployment Kit (ADK) was installed and tested. The result was a different error, “Bad request”, but the bottom line was that it also failed.

Note Note: The ADK version of WCD doesn't have the "Refresh AAD credentials" option.

You got this because there was a Service Principal missing in the tenant, Microsoft.Azure.SyncFabric (AppID 00000014-0000-0000-c000-000000000000). So, we need to creat tje Service Principal manually:

1. Open PowerShell as administrator then run the below command to install the AzureAD module.

Install-Module AzureAD -Scope CurrentUser

2. Connect to Azure AD using an administrative account.

Connect-AzureAD

3. Create the Service Principal.

New-AzureADServicePrincipal `
    -AccountEnabled $true `
    -AppId 00000014-0000-0000-c000-000000000000 `
    -AppRoleAssignmentRequired $False `
    -DisplayName Microsoft.Azure.SyncFabric `
    -Tags {WindowsAzureActiveDirectoryIntegratedApp}

4. Verify the Service Principal has been created successfully in Azure AD.

Get-AzureADServicePrincipal | Where-Object {$_.AppId -eq "00000014-0000-0000-c000-000000000000"}

ObjectId                             AppId                                DisplayName
--------                             -----                                -----------
17fddd56-711a-4f80-97f1-f067f4a38ab6 00000014-0000-0000-c000-000000000000 Microsoft.Azure.SyncFabric

5. After creating the Service Principal manually, the token was successfully retrieved by WCD.

So, it turns out the tool doesn’t have issues after all. Some tenants have similar issues even though the Service Principal is present, the recommended fix for that is to delete and recreate the Service Principal.

Regardless, I spent many frustrating hours troubleshooting this, and if you are having issues similar to the above, I hope this helps. Until next time, happy enrolling!