VMware Workspace ONE Community
FredericLOUKA
Contributor

Onboarding Windows 10 using CLI with staging account

Hello,

I'm trying to enroll my domain-joined Windows 10 device using the CLI with a staging account.

The staging account is configured in advanced mode (on behalf of).

I use this Command Line:

msiexec /i "C:\Users\*****\Downloads\AirwatchAgent.msi" /quiet ENROLL=Y IMAGE=N SERVER=https://ds*****.awmdm.com LGName=**** USERNAME=*** PASSWORD=***** ASSIGNTOLOGGEDINUSER=Y

The device never enrolls in my SaaS UEM tenant. The DeviceEnrollementLog shows me this error message:

VMware.Hub.Win32Agent.Enrollment.Business.Execution.Implementation.ValidateLoginCredentialsStep+<Execute>d__2.MoveNext ValidateLoginCredentials: STARTED Executing 

2020/10/11 22:33:08.144 FR-PORT-18-172 406b0040-970f-47c4-b71c-5b4297d11d72 [0000000-0000000]   (5)  Info VMware.Hub.Win32Agent.Enrollment.Business.Execution.Implementation.ValidateLoginCredentialsStep+<Execute>d__2.MoveNext ValidateLoginCredentials: ENDED Executing 

2020/10/11 22:33:08.151 FR-PORT-18-172 406b0040-970f-47c4-b71c-5b4297d11d72 [0000000-0000000]   (5)  Info VMware.Hub.Win32Agent.Enrollment.Business.Execution.Implementation.ValidateOnBehalfOfUsernameStep+<Execute>d__2.MoveNext ValidateOnBehalfOfUsername: STARTED Executing 

2020/10/11 22:33:08.251 FR-PORT-18-172 406b0040-970f-47c4-b71c-5b4297d11d72 [0000000-0000000]   (7)  Error VMware.Hub.Win32Agent.Enrollment.Business.Execution.Abstract.EnrollmentStepHandler.PrepareNextStep SOURCE: [PrepareNextStep], ERROR_CODE: [1011], ERROR_MESSAGE: Le serveur a renvoyé l'enrôlement échoué avec l'état Fail et le message Le nom d'utilisateur est obligatoire., ERROR_RESPONSE:  Method: VMware.Hub.Win32Agent.Enrollment.Business.Execution.Abstract.EnrollmentStepHandler.PrepareNextStep; 

2020/10/11 22:33:08.251 FR-PORT-18-172 406b0040-970f-47c4-b71c-5b4297d11d72 [0000000-0000000]   (7)  Info VMware.Hub.Win32Agent.Enrollment.Business.Execution.Implementation.ValidateOnBehalfOfUsernameStep+<Execute>d__2.MoveNext ValidateOnBehalfOfUsername: ENDED Executing 

2020/10/11 22:33:08.251 FR-PORT-18-172 406b0040-970f-47c4-b71c-5b4297d11d72 [0000000-0000000]   (10) Error VMware.Hub.Win32Agent.Enrollment.Business.EnrollmentHandler.LaunchHubRegistration_$_ Device Registration Failed :  Method: VMware.Hub.Win32Agent.Enrollment.Business.EnrollmentHandler.LaunchHubRegistration_$_; 

Le nom d'utilisateur est obligatoire = The username is mandatory or necessary....

When I use this staging account using a manual enrollment, it works! I also tried to create an MST file entering the settings I used in the command line and I had the same error.....

Using an AD staging account gives me the same result.

Last thing, when I use the standard mode of the staging account with the CLI, I'm unable to enroll my device (the hub opens asking me to enter the org id and then it enrolls the device).

Another last thing that could have an importance: I'm using group's enrollment to automatically assign the users in the right Org ID depending on its Active Directory Group's belonging....

Thank you all for your help 😉

Fred

1 Solution

Accepted Solutions
JosueNegron
VMware Employee

Yes, please ignore the terrible naming when selecting the staging options. For Windows 10, you will always want to use the Standard option. This option will do what you want since you are also using the auto re-assign parameter in the command-line.


10 Replies
AaronWhittaker
Enthusiast

We use a very similar command line for ours; however, we use the inbuilt staging account instead of one that is created, e.g. we use 'staging@og.com' and it will enrol directly into that OG. We use this method because we used to use the staging account as you have described, but around 6-8 months ago it stopped working. We contacted support and they told us to use the inbuilt one and it started working again. The only issue we have with it is that it won't change OG until after the user logs in and it switches into their name.

So it could be the same issue we had, or it could be something different. Are you able to test the command line using the inbuilt account? You can find it by going to the OG you want to enroll to, Groups and Settings > All Settings > Devices & Users > Windows > Windows Desktop > Staging & Provisioning. The Username is the 'UPN' and the password is the 'Password' or 'Secret' depending on which version of WS1 you have installed.

0 Kudos
JosueNegron
VMware Employee

Everything you need to know to get this working is here: Onboarding Windows 10 Using Command-Line Enrollment: VMware Workspace ONE Operational Tutorial | VMw...

More specifically, you need to follow this step: User Group Organization Group or Fixed Organization Group enabled so that end users are not prompted for a Group ID. To configure this setting, navigate to Settings > Devices & Users > General > Shared Device.

For a quick and helpful video on the topic, I would suggest checking out this new series: Episode 4: Even Easier Windows 10 Enrollment! | Video

If you want to stay updated on the latest Windows content feel free to connect with me: Josué Negrón's posts on VMware Digital Workspace Tech Zone

0 Kudos
FredericLOUKA
Contributor

Thank you Aaron. I already tried with the inbuilt account (I tried lots of possibilities: inbuilt account, local account, active directory account)....

The thing is that I'm using the Active Directory Groups to automatically assign a user to an Organisation Group.

So I created a local group, put my inbuilt staging account into this, and then created a rule that automatically assigns the user to the right OG....

Maybe the problem comes from here....

The weird thing is that I'm able to enroll my device manually using this staging account (even if a window from the Hub appears asking me to enter the name of my group id)......

Another thing I found is that when I use the UPN in the command line, the logs tell me that the staging account is not marked as a staging account so it enrolls the device with the staging account.......

When I use the username, the logs tell me that a "username is necessary"......Strange behaviour !!!!

0 Kudos
FredericLOUKA
Contributor

Hi JosueNegron,

I've just tried setting the option to User Group Organization Group and same thing: with the UPN, the logs tell this: "Error VMware.Hub.Win32Agent.Enrollment.Business.Execution.Implementation.FinalEnrollmentStep+<Execute>d__11.MoveNext Checkout request failed. User should be marked for staging for checkout."

0 Kudos
JosueNegron
VMware Employee

For this error, make sure you do not use advanced staging. See below. Reference: Troubleshooting Windows 10: VMware Workspace ONE Operational Tutorial | VMware

244280f7-27aa-48fe-902b-da11ec085872.png

When using any of the command-line options or any other staging workflow, you must use a staging account to enroll first before the device gets reassigned. You can either use the built-in staging account that Workspace ONE UEM creates when you first navigate to Settings > Devices & Users > Windows > Windows Desktop > Staging & Provisioning, or you can create a new staging account. Ensure your staging account's staging options match the settings in the screenshot.

Note: The staging account that Workspace ONE UEM creates will always be in the following format: staging@{GroupID}.com for the UPN and staging{GroupID} for the username. You must have a Group ID assigned to the organization group you plan to enroll and stage devices.

0 Kudos
FredericLOUKA
Contributor

Josue,

If I understand, I have to use the standard option? But the thing is that I don't want the users to log in after the staging account enrollment.

That's why I'm using the advanced option, preventing us from having to reboot the computer and the user from having to log in in a second step.

0 Kudos
JosueNegron
VMware Employee

Yes, please ignore the terrible naming when selecting the staging options. For Windows 10, you will always want to use the Standard option. This option will do what you want since you are also using the auto re-assign parameter in the command-line.

FredericLOUKA
Contributor

Josue,

You rock! I followed your indications and it works very well!

Effectively, the naming sounds wrong!

So for what purpose do we have to use the advanced mode?

I really thank you for your support!

Fred

0 Kudos
JosueNegron
VMware Employee

Simple answer is never. It's one of those things where both of these options were created for all platforms. When implementing some older onboarding flows "standard" was used, then Windows 10 came into the picture and we stuck with using "standard" to not break any existing deployments. So it requires a history lesson to fully cover the why, but let's just agree that the wording is not the best.

Happy to hear you got it working!

0 Kudos
______________
Contributor

In a Windows staged account enrollment scenario, is there a log file that shows when the staging account gets replaced with the end user account?  Occasionally we encounter Windows machines when signed in to Intelligent Hub as the end user intended for enrollment immediately after staging enrollment completion, the device stays "stuck" as enrolled with the staging account instead of switching enrollment to the end user despite checking in the console. When this happens, we would re-enroll the device without staging as a workaround to fix the issue (to avoid an enterprise wipe/reset & re-stage enrollment)

Checking the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\{GUID} this was observed:

ProviderID = AirWatchMDM
EnrollmentState = 0x00000001
SID = <SID which translated to the end user's SID>
UPN = staging@domain.com

However, the WS1 UEM 2306 console still showed the staging@domain.com as the enrolled user and was checking in.

Looking at the DeviceEnrollment.log and searching for the end user's username, I could not find where this switch from staging account to end user gets recorded.  Any other files in C:\ProgramData\Airwatch\UnifiedAgent\Logs, or Event Viewer, or anywhere else to check?

0 Kudos
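
Added example, not part of the thread and not VMware code: a PowerShell check that collects the registry values listed in the post above from every key under HKLM\SOFTWARE\Microsoft\Enrollments, resolves the SID to an account name, and flags the combination the poster observed (a staging UPN alongside a SID that belongs to a real user). The function name, the property names of the output object and the default `staging@*` pattern are assumptions for illustration.

```powershell
# Added example: report MDM enrollment keys whose UPN is still the staging account.
# Get-StagedEnrollmentState and the 'staging@*' default are hypothetical names/values.
function Get-StagedEnrollmentState {
    [CmdletBinding()]
    param(
        [string]$ProviderId = 'AirWatchMDM',       # ProviderID value shown in the post
        [string]$StagingUpnPattern = 'staging@*'   # built-in account format: staging@{GroupID}.com
    )

    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction Stop) {
        $props = Get-ItemProperty -Path $key.PSPath
        # Skip enrollment keys that belong to another provider or carry no ProviderID.
        if ($props.ProviderID -ne $ProviderId) { continue }

        # Resolve the stored SID to DOMAIN\user; stay $null if it cannot be mapped.
        $account = $null
        if ($props.SID) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($props.SID)
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                Write-Verbose "Could not translate SID $($props.SID): $_"
            }
        }

        [pscustomobject]@{
            EnrollmentId          = $key.PSChildName
            ProviderID            = $props.ProviderID
            EnrollmentState       = $props.EnrollmentState
            UPN                   = $props.UPN
            SidAccount            = $account
            # The combination described in the post: staging UPN, SID of a resolvable user.
            StagingUpnWithUserSid = ($props.UPN -like $StagingUpnPattern) -and [bool]$account
        }
    }
}

# Run from an elevated prompt on the affected device.
Get-StagedEnrollmentState | Format-Table -AutoSize
```

The output only reflects local registry state; which user the console shows as enrolled still has to be compared separately.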