VMware Workspace ONE Community
SrITreebeard
Contributor

Bulk enroll all Win10 devices to a single domain user

We currently deployed WS1 successfully using Airlift & SCCM to 80% of our company with no issues. However, we have around 150 Windows 10 devices we need to enroll with the same user (an admin user) silently due to production workflow. Through all my reading and testing, I have not found a reliable way to do this. Wanted to reach out to the community to see if anyone has done this or has a solution, before contacting support.

Notes on troubleshooting and testing:
- The machines must be enrolled to a specific Org group due to applied profiles
- The machines have multiple users on a daily basis and no owner - these users are not in WSOne nor should they be. 
- They live in an extremely large warehouse that is 24/6 production, with power shut down the 7th day. 
- They are prod machines so there is next to 0 available time to access them to enroll manually. 

Default cmd using staging user: msiexec.exe /i AirWatchAgent.msi /qn ENROLL=Y IMAGE=N SERVER=<server> LGNAME="WHdesktops" USERNAME="wsoneadmin" PASSWORD="<password>"

EOBO test: msiexec.exe /i AirWatchAgent.msi /qn ENROLL=Y IMAGE=N SERVER=<server> LGNAME="WHdesktops" USERNAME="wsoneadmin" PASSWORD="<password>" STAGEUSERNAME="wsoneadmin" STAGEPASSWORD="<password>" /log %TEMP%\AWAgent.log

- User is configured as a staging user
- All certificates are current and working
- When using "Default cmd" the device enrolls, but the user is a staging user and still pops up asking for username/pw. 
- I have read all the VMWare KB information available on techzone and WorkspaceONE regarding this with no definite answer.

5 Replies
Phil_Helmling
VMware Employee

You should create a Directory user in the UEM console, and disable staging (Accounts > edit the user > Advanced tab > expand Staging and click Disabled & Save).

Then, when building the device, use the auto-admin logon process from the unattend.xml to log in as the local administrator account, and enrol using the default command line but specify the Directory user, e.g.:

msiexec.exe /i AirWatchAgent.msi /qn ENROLL=Y IMAGE=N SERVER=<server> LGNAME="WHdesktops" USERNAME="DIRUSER" PASSWORD="<password>"
We sometimes call this user a service account user.

Bear in mind that some things will not function properly with subsequent user logons.
I would assume these devices would be AD Domain joined also. If so and the device can connect to the DC when enrolling, the Hub should not pop up and ask for credentials.
SrITreebeard
Contributor

Hi Phil, thanks for the response. 

These are devices that already exist on the floor and are not being built from scratch. Would adding a line to a script we deploy for the enrollment for a runas localadmin function in a similar way?

Thank you!

Phil_Helmling
VMware Employee

The enrolment must be run with Admin privileges, so yes, using runas would help. Also bear in mind that our enrolment on Windows requires an active user session because it is an OMA-DM enrolment, which only runs in user context. So the install of the agent and services is in SYSTEM context, and enrolment is USER, but it must be initiated from SYSTEM context or using a local Admin account, including via runas.

HTH
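As an added example (not code from this thread, and not VMware's own tooling), the following PowerShell wrapper runs the enrolment command line from the first reply (Directory/service-account user, staging disabled) with the checks the reply implies: it must run elevated, there must be an interactive user session because enrolment is user-context OMA-DM, and the msiexec exit code should be evaluated rather than assumed. The MSI path, server name, org group and credential source are assumptions; the credential is passed in as a PSCredential so the password never sits in the script body.

```powershell
#Requires -RunAsAdministrator
<#
  Added example for the thread above; not from VMware or the original poster.
  Runs the AirWatchAgent.msi enrolment with a Directory (service-account) user.
  Assumed placeholders: MsiPath, Server (stands in for <server>), OrgGroup,
  and the Credential parameter (supply via Get-Credential interactively, or
  Import-Clixml of a DPAPI-protected file exported by the deploying account).
#>
param(
    [string]$MsiPath  = "$env:TEMP\AirWatchAgent.msi",   # assumed staging location of the MSI
    [string]$Server   = 'ds.example.invalid',            # placeholder for <server>
    [string]$OrgGroup = 'WHdesktops',                    # LGNAME used in the thread
    [Parameter(Mandatory)][pscredential]$Credential      # Directory user, e.g. DIRUSER
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -Path $MsiPath)) {
    throw "Agent MSI not found at $MsiPath"
}

# Enrolment is OMA-DM and runs in user context, so an interactive logon must be
# present on the device; a running explorer.exe is a reasonable proxy for that.
if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
    throw 'No interactive user session; the Hub cannot complete enrolment without one.'
}

$log = Join-Path -Path $env:TEMP -ChildPath 'AWAgent.log'

# Convert to clear text only at the moment the argument list is built;
# msiexec takes the password as a plain property value.
$plainPassword = $Credential.GetNetworkCredential().Password

$arguments = @(
    '/i', "`"$MsiPath`"", '/qn',
    'ENROLL=Y', 'IMAGE=N',
    "SERVER=$Server",
    "LGNAME=`"$OrgGroup`"",
    "USERNAME=`"$($Credential.UserName)`"",
    "PASSWORD=`"$plainPassword`"",
    '/log', "`"$log`""
)

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $arguments `
                      -Wait -PassThru -NoNewWindow
$plainPassword = $null   # drop the clear-text copy once msiexec has it

# Standard Windows Installer results: 0 = success, 3010 = success, reboot required.
switch ($proc.ExitCode) {
    0       { Write-Host "Enrolment command completed; verify the device appears in the $OrgGroup org group." }
    3010    { Write-Warning "Agent installed; a reboot is required before enrolment finishes. Log: $log" }
    default { throw "msiexec exited with code $($proc.ExitCode); see $log" }
}
```

Two points worth checking after a run: the msiexec command line, including the PASSWORD property, is visible in the process list while the installer runs and may be recorded in the log written by /log, so treat that log as sensitive and remove it once enrolment is confirmed in the UEM console; and because the same Directory user enrols every device, auditing in the console will attribute all 150 devices to that account, which is the trade-off the first reply refers to when it warns that some things will not function properly with subsequent user logons.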

SrITreebeard
Contributor

Ok, that really helps here. We can set up the account we plan to use for enrollment in our on-prem environment, give it local admin permissions on the machines via GPO, and sync it to WSOne UEM. Will try this and let you know the results! Thanks again!

SrITreebeard
Contributor

I appreciate all of your help with this, we got approval to replace the machines instead! Therefore I'll be using the original advice you gave me.