Remotely enroll unprivileged Windows 10 users into AirWatch using PowerShell

I recently found myself working with a customer who had some help-desk technicians enroll new Windows 10 machines into AirWatch but applications were not pushing down.  Upon investigation I found the help-desk technician process had a critical mistake. They followed as such:
  1. Log into machine as Local Administrator
  2. Enroll using AirWatch Agent and a 'shared' but non-staging basic AirWatch account.
  3. Log out of local Administrator
  4. Have the user log in with a domain account without Admin privileges.
The issue with this process is that AirWatch thinks the 'enrolled' user is the local Administrator on the machine.  AirWatch did not have any idea that the Local Administrator wasnt the normal expected user.

If the help-desk technician had used a 'Single-User Staging' AirWatch account then AirWatch would of listened for the next domain user login. It would of switched that device in the AirWatch console from the 'Single-User Staging' account to the end users domain account. 


Challenge

I was left with a state of a few hundred devices that were enrolled, on the domain, but were not receiving certain commands because of the 'enrolled user' mismatch.  There was no built in way to fix this so I knew a re-enroll was a must but it must be painless to the end user. It must be painless to the help-desk technician so we dont need to physically touch each device.

Solution

Enterprise Wipe & Remote PowerShell!
Warning.... ensure your Enterprise Wipe if currently enrolled or run the following command on a fresh device. The below commands can only be run on a not enrolled device.

$Session = New-PSSession -ComputerName targetmachinename -Credential domain\adminusername
Copy-Item -Path C:\temp\AirwatchAgent.msi -Destination C:\Temp\AirwatchAgent.msi -ToSession $session
Invoke-Command -Session $session -ScriptBlock { Start-Process -verb RunAs "msiexec.exe" -ArgumentList "/i c:\temp\airwatchagent.msi /quiet ENROLL=Y IMAGE=N SERVER=DeviceServicesFQDN LGName=OGID USERNAME=SingleUserStagingUser PASSWORD=password DEVICEOWNERSHIPTYPE=CD ASSIGNTOLOGGEDINUSER=Y" -Wait }

Let's break this down. We need to re-enroll the device so before we can enroll it correctly to the logged in unprivileged user we must Enterprise Wipe from the AirWatch Console (Workspace ONE UEM)

The first command is creating a new session between the local PowerShell window and the remote computer using the WinRM service. The remote computer must have Windows Remoting turned on. It is very important to supply the -credential flag with a domain user which has Administrator permissions on the remote computer. A Domain Admin user will usually take care of this. 

The second command is copying the AirWatch agent from a local copy to the destination machine. You may change the source and destination as required. You may download the latest version of the AirWatch Agent from awagent.com.

The last command is sort of inception based. This was done to pass in the remote Administrator credentials and allow us to run msiexec as that user rather than the current logged in unprivileged user. The highlights in red need to be changed such as the Device Services URL for enrollment, the Organization Group ID, and the Single User Staging AirWatch User and Password. I've marked in italics where I set the ownership type to Corporate Dedicated because the Organization Group default was BYOD. That is optional for the use case.  

Lastly the bold flag is very important, it is the 9.3 AirWatch Agent that allows it to immediately flip from the 'Single User Staging' AirWatch user to the Domain User currently logged into the PC. It also required AirWatch Console 9.2+ for this flip feature to work. Another important setting related to this automatic flip is in the AirWatch Console under All Settings -> Devices -> General ->  Shared Settings "Group Assignment Mode" must be set to 'Fixed' otherwise the user may get a prompt.

Once all of this is run in the AirWatch Console (Workspace ONE UEM) you will see the device enroll as the 'Single-User Staging' AirWatch user, and within 30 seconds flip to the actual unprivileged Domain User.

What is nice is this process, minus the Enterprise Wipe, is another way to enroll, silently, to a user that doesn't have Admin privileges.

*Note - Unenrolling will remove any applications and profiles that were pushed from AirWatch. In this situation there wasn't anything critical configured.



Comments

  1. what if your agent is not awagent.com and you need vmware airwatch app from windows 10 store?

    ReplyDelete
    Replies
    1. Hi Luis,

      What is your use case for using the Win10 store app over the Hub from the my.workspaceone.com or awagent.com?

      Delete
    2. I'd recommend switching to awagent..

      Delete
  2. Great article!
    It's good to know that we're not the only one who faced same problem while enrolling devices without end user admin rights.
    We're right now in the middle of deploying ZeroTouch MDT deployment and we are thinking - if there any way to properly install/enroll device without end-device-user session?

    ReplyDelete
    Replies
    1. Hi 'Unknown' yes if you know serial number mapping to existing user you dont need to perform the steps above with the ASSIGNTOLOGGEDINUSER=Y switch. You can just add the device into the LifeCycle page in Workspace ONE UEM serial number and user. Once you perform the enrollment without the ASSIGNTOLOGGEDINUSER=Y flag it will swap automatically no matter if they are logged on or not.

      Delete

Post a Comment