I recently found myself working with a customer whose help-desk technicians had enrolled new Windows 10 machines into AirWatch, but applications were not pushing down. Upon investigation I found that the help-desk technicians' process had a critical mistake. They followed these steps:

1. Log into the machine as the local Administrator.
2. Enroll using the AirWatch Agent and a 'shared' but non-staging basic AirWatch account.
3. Log out of the local Administrator.
4. Have the user log in with a domain account without Admin privileges.

The issue with this process is that AirWatch records the 'enrolled' user as the local Administrator account on the machine. AirWatch had no way of knowing that the local Administrator wasn't the normal expected user, so anything assigned to the end user never reached the device.





If the help-desk technician had used a 'Single-User Staging' AirWatch account, AirWatch would have listened for the next domain user login and switched the device in the AirWatch console from the 'Single-User Staging' account to the end user's domain account.





Challenge

I was left with a few hundred devices that were enrolled and on the domain but were not receiving certain commands because of the 'enrolled user' mismatch. There was no built-in way to fix this, so I knew a re-enroll was a must, but it had to be painless for the end user. It also had to be painless for the help-desk technician, so we wouldn't need to physically touch each device.





Solution

Enterprise Wipe & Remote PowerShell!

Warning: Enterprise Wipe the device first if it is currently enrolled, or run the following commands on a fresh device. The commands below can only be run on a device that is not enrolled.





# Open a WinRM session to the target as a domain account that is a local Administrator there
$Session = New-PSSession -ComputerName targetmachinename -Credential domain\adminusername

# Copy the agent installer into the remote session (Copy-Item -ToSession needs PowerShell 5.0+ on both ends)
Copy-Item -Path C:\temp\AirwatchAgent.msi -Destination C:\Temp\AirwatchAgent.msi -ToSession $Session

# Install and enroll silently under the session's admin token; replace the placeholder values
# (SERVER, LGName, USERNAME, PASSWORD) with your own before running
Invoke-Command -Session $Session -ScriptBlock {
    Start-Process -FilePath "msiexec.exe" -Verb RunAs -ArgumentList "/i c:\temp\airwatchagent.msi /quiet ENROLL=Y IMAGE=N SERVER=DeviceServicesFQDN LGName=OGID USERNAME=SingleUserStagingUser PASSWORD=password DEVICEOWNERSHIPTYPE=CD ASSIGNTOLOGGEDINUSER=Y" -Wait
}

# Tear the session down when finished
Remove-PSSession $Session



Let's break this down. We need to re-enroll the device, so before we can enroll it correctly to the logged-in unprivileged user we must Enterprise Wipe it from the AirWatch Console (Workspace ONE UEM).





The first command creates a new session between the local PowerShell window and the remote computer using the WinRM service. The remote computer must have Windows Remoting turned on. It is very important to supply the -Credential flag with a domain user that has Administrator permissions on the remote computer. A Domain Admin user will usually take care of this, but the least-privilege choice is a dedicated account that is only a member of the local Administrators group on the target machines, since you are typing its password into a session with every one of them.





The second command copies the AirWatch agent from a local copy to the destination machine over the same session (the -ToSession parameter of Copy-Item requires PowerShell 5.0 or later on both ends). You may change the source and destination as required. You may download the latest version of the AirWatch Agent from awagent.com.





The last command is sort of inception based: it nests a process launch inside the remote session so that the remote Administrator credentials are passed through and msiexec runs as that user rather than as the currently logged-in unprivileged user. The placeholder values need to be changed: SERVER (the Device Services URL for enrollment), LGName (the Organization Group ID), and USERNAME and PASSWORD (the Single-User Staging AirWatch user and password). Bear in mind that PASSWORD is passed in clear text on the msiexec command line, so it will show up in process creation auditing on the target; use a staging account that can do nothing but enroll, and rotate its password when the rollout is done. DEVICEOWNERSHIPTYPE=CD sets the ownership type to Corporate Dedicated because the Organization Group default was BYOD. That is optional for the use case.



Lastly, the ASSIGNTOLOGGEDINUSER=Y flag is very important. It was introduced in the 9.3 AirWatch Agent and allows the agent to immediately flip from the 'Single-User Staging' AirWatch user to the Domain User currently logged into the PC. It also requires AirWatch Console 9.2+ for this flip feature to work. Another important setting related to this automatic flip is in the AirWatch Console under All Settings -> Devices -> General -> Shared Settings: "Group Assignment Mode" must be set to 'Fixed', otherwise the user may get a prompt.





Once all of this has run, in the AirWatch Console (Workspace ONE UEM) you will see the device enroll as the 'Single-User Staging' AirWatch user and, within about 30 seconds, flip to the actual unprivileged Domain User.
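Since the problem was a few hundred devices rather than one, the three commands above are worth wrapping in a loop that prompts for the secrets once, skips hosts that are not listening on WinRM, and records each msiexec exit code. The following script is an added example and is not from the original post or from VMware; it assumes a constructed devices.csv with a ComputerName column, the Device Services FQDN ds.example.com, and the placeholder Organization Group ID and staging account names, all of which you must replace. The staging password still ends up in clear text on the msiexec command line on each target, exactly as with the single-device command.

```powershell
# Added example (not the original post's code): bulk re-enrollment over WinRM of
# devices that have already been Enterprise Wiped. devices.csv, ds.example.com,
# OGID and SingleUserStagingUser are assumed placeholder values.
param(
    [string]$DeviceList  = 'C:\temp\devices.csv',         # constructed CSV with a ComputerName column
    [string]$AgentMsi    = 'C:\temp\AirwatchAgent.msi',
    [string]$Server      = 'ds.example.com',              # Device Services FQDN (assumed)
    [string]$GroupId     = 'OGID',                        # Organization Group ID (placeholder)
    [string]$StagingUser = 'SingleUserStagingUser'        # Single-User Staging account (placeholder)
)

# Prompt once for each secret rather than hard-coding it in the script.
$AdminCred       = Get-Credential -Message 'Domain account that is a local Administrator on the targets'
$StagingPassword = Read-Host -AsSecureString -Prompt "Password for staging account $StagingUser"
# msiexec needs the plain string; it will be visible on the target's command line.
$StagingPlain    = [System.Net.NetworkCredential]::new('', $StagingPassword).Password

$Results = foreach ($Device in Import-Csv -Path $DeviceList) {
    $Name   = $Device.ComputerName
    $Status = 'Unknown'
    try {
        # Fail fast on hosts where WinRM is not listening instead of waiting for a timeout.
        Test-WSMan -ComputerName $Name -ErrorAction Stop | Out-Null

        $Session = New-PSSession -ComputerName $Name -Credential $AdminCred -ErrorAction Stop
        try {
            Copy-Item -Path $AgentMsi -Destination 'C:\Temp\AirwatchAgent.msi' -ToSession $Session -ErrorAction Stop

            # msiexec runs under the session's admin token, not as the logged-in user.
            $ExitCode = Invoke-Command -Session $Session -ArgumentList $Server, $GroupId, $StagingUser, $StagingPlain -ScriptBlock {
                param($Server, $GroupId, $StagingUser, $StagingPlain)
                $MsiArgs = @(
                    '/i', 'C:\Temp\AirwatchAgent.msi', '/quiet',
                    'ENROLL=Y', 'IMAGE=N',
                    "SERVER=$Server", "LGName=$GroupId",
                    "USERNAME=$StagingUser", "PASSWORD=$StagingPlain",
                    'DEVICEOWNERSHIPTYPE=CD',   # optional: Corporate Dedicated
                    'ASSIGNTOLOGGEDINUSER=Y'    # flip staging user to the logged-in domain user
                )
                (Start-Process -FilePath 'msiexec.exe' -ArgumentList $MsiArgs -Wait -PassThru).ExitCode
            }

            # Standard msiexec codes: 0 = success, 3010 = success but a reboot is required.
            $Status = switch ($ExitCode) {
                0       { 'Enrolled' }
                3010    { 'Enrolled (reboot required)' }
                default { "msiexec exit code $ExitCode" }
            }
        }
        finally {
            Remove-PSSession $Session
        }
    }
    catch {
        $Status = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{ ComputerName = $Name; Status = $Status }
}

$Results | Format-Table -AutoSize
$Results | Export-Csv -Path 'C:\temp\enroll-results.csv' -NoTypeInformation
```

Run it from an elevated PowerShell 5.0+ prompt on the admin workstation; the results CSV gives the help desk a list of anything that failed to enroll and can be fed back into the next run after the device is checked in the console.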





What is nice is that this process, minus the Enterprise Wipe, is also a way to enroll silently for a user who doesn't have Admin privileges.



