We currently deployed WS1 successfully using Airlift & SCCM to 80% of our company with no issues. However, we have around 150 Windows 10 devices we need to enroll with the same user (an admin user) silently due to production workflow. Through all my reading and testing, I have not found a reliable way to do this. Wanted to reach out to the community to see if anyone has done this or has a solution, before contacting support.
Notes on troubleshooting and testing:
- The machines must be enrolled to a specific Org group due to applied profiles
- The machines have multiple users on a daily basis and no owner - these users are not in WSOne nor should they be.
- They live in an extremely large warehouse that is 24/6 production, with power shut down the 7th day.
- They are prod machines so there is next to 0 available time to access them to enroll manually.
Default cmd using staging user: msiexec.exe /i AirWatchAgent.msi /qn ENROLL=Y IMAGE=N SERVER=<server> LGNAME="WHdesktops" USERNAME="wsoneadmin" PASSWORD="<password>"
EOBO test: msiexec.exe /i AirWatchAgent.msi /qn ENROLL=Y IMAGE=N SERVER=<server> LGNAME="WHdesktops" USERNAME="wsoneadmin" PASSWORD="<password>" STAGEUSERNAME="wsoneadmin" STAGEPASSWORD="<password>" /log %TEMP%\AWAgent.log
- User is configured as a staging user
- All certificates are current and working
- When using "Default cmd" the device enrolls, but the user is a staging user and still pops up asking for username/pw.
- I have read all the VMware KB information available on techzone and WorkspaceONE regarding this with no definite answer.
You should create a Directory user in UEM console, and disable staging (Accounts > edit the user > Advanced tab > expand Staging and click Disabled & Save).
Then, when building the device, use the auto-admin logon process from the unattend.xml to log in as the local administrator account, enrol using the default command line but specify the Directory user, eg:
Hi Phil, thanks for the response.
These are devices that already exist on the floor and are not being built from scratch. Would adding a line to a script we deploy for the enrollment for a runas localadmin function in a similar way?
Thank you!
The enrolment must be run with Admin privileges so yes using runas would help. Also bear in mind that our enrolment on Windows requires an active user session because it is an OMA-DM enrolment, which only runs in user context. So the install of the agent and services are in SYSTEM Context, and enrolment is USER but must be initiated from SYSTEM context or using local Admin account including runas.
HTH
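The constraints described in the reply above (elevated start, active user session) can be checked before the installer runs. The following is an added example, not code from the thread or from VMware; the script's parameter names, the MSI path default, and supplying the enrollment account as a PSCredential are assumptions, while the msiexec properties are the ones quoted in the thread.

```powershell
# Added example: pre-flight wrapper around the enrollment command line quoted in this thread.
# Assumptions (hypothetical): parameter names, default MSI path, and that the caller
# supplies the enrollment account as a PSCredential instead of hard-coding it.
param(
    [Parameter(Mandatory)] [string]       $Server,
    [Parameter(Mandatory)] [string]       $OrgGroup,
    [Parameter(Mandatory)] [pscredential] $Credential,
    [string] $MsiPath = '.\AirWatchAgent.msi',
    [string] $LogPath = (Join-Path $env:TEMP 'AWAgent.log')
)

# 1. Enrollment has to be started elevated (SYSTEM or a local administrator).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Not elevated: run as SYSTEM or as a local administrator.'
}

# 2. Enrollment needs an active user session. Win32_ComputerSystem.UserName is
#    empty when nobody is logged on at the console.
$consoleUser = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
if ([string]::IsNullOrEmpty($consoleUser)) {
    throw 'No console user session found; not starting enrollment.'
}

# 3. Same properties as the command line in the thread; password comes from the credential.
$plain   = $Credential.GetNetworkCredential().Password
$msiArgs = @(
    '/i', "`"$MsiPath`"", '/qn', 'ENROLL=Y', 'IMAGE=N',
    "SERVER=$Server", "LGNAME=`"$OrgGroup`"",
    "USERNAME=`"$($Credential.UserName)`"", "PASSWORD=`"$plain`"",
    '/log', "`"$LogPath`""
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# 4. If the installer log captured the password, redact it in place.
if ($plain -and (Test-Path $LogPath)) {
    $text = Get-Content -Path $LogPath -Raw
    if ($text -and $text.Contains($plain)) {
        $text.Replace($plain, '<redacted>') | Set-Content -Path $LogPath
        Write-Warning "Password found in $LogPath and redacted."
    }
}

# 0 = success, 3010 = success with reboot required.
if ($proc.ExitCode -notin 0, 3010) { throw "msiexec failed with exit code $($proc.ExitCode)" }
```

The password is still present on the msiexec command line while the installer runs, so process command-line auditing on the device will record it.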
Ok, that really helps here. We can set up the account we plan to use for enrollment in our on-prem environment, give it local admin permissions on the machines via GPO, and sync it to WSOne UEM. Will try this and let you know the results! Thanks again!
I appreciate all of your help with this, we got approval to replace the machines instead! Therefore I'll be using the original advice you gave me.