Enrolling on Behalf of Others Method for Windows 8/RT

Enrolling on Behalf of Others

AirWatch allows you to pre-enroll devices for users before distributing the device. This method of enrollment ensures devices are configured to your specifications and there is less work for the end user. Through the Enroll on Behalf of Others method, low rights users are created for the device. This adds extra capability to your MDM solution (in the form of passcode reset for end users), as well as preventing end users from unenrolling their devices.

Note: This is a legacy enrollment method for Windows 8.1 or Windows 8.1 RT. Windows 10 does not use this functionality to enroll standard users. You will need to use Bulk Provisioning to enroll a device with only a standard user on a Windows 10 device. See Enrolling Devices with Bulk Provisioning in the Windows Desktop Platform Guide for more information.

To enroll on behalf of end users, follow the steps detailed below:

  1. Remove the Windows 8.1 device from its packaging and turn it on.
  2. Configure the initial setup settings, including:
    1. Select the desired Country or Region, App Language, Keyboard Layout, and Time Zone on the Region and Language screen.
    2. Select I Accept to accept the License Terms.
    3. Enter the PC Name (Computer Name).
    4. Skip the Get Online step.
    5. Select Use Express Settings.
    6. Enter the your (the administrator) Username, Password, and Password Hint.
  3. Select Finish to finalize the OOBE settings and wait for the administrator account to log on automatically.
  4. Create a standard (local) user account(s) with a temporary password:
    1. Navigate to the Charms menu, select the Apps menu, and select Desktop,
    2. Right-click the Start Icon and select Computer Management.
    3. Expand Local Users and Groups.
    4. Right-click Users and select New User.
    5. Enter the end user's Username, Full Name, and temporary Password.
    6. Select Create.
  5. Install the December 2013 Windows Update for OMADM online using Windows Update:
    1. Navigate to the Charms menu, select settings then select Change PC Settings.
    2. Select Update and Recovery.
    3. Select Check Now.

    Note: This method will list all available updates for your device.

  6. Configure the device to enable management enroll-on-behalf:
    1. Launch the Command prompt (right-click the Start icon and select Command Prompt) and run the following command:

      C:\Users\localadmin>wmic useraccount where name='username' get sid

      Replace username in the command with the local account username created previously. This command will give you the local Security ID or SID for the user.

    2. Launch the Registry Editor (regedit) and create the following key:

      HKEY_LOCAL_Machine\SOFTWARE\Policies\Microsoft\Windows \CurrentVersion\MDM
    3. Add the following values to the key above:

      Name Type Data
      MachineMDMEnrollment DWORD 1
      MachineMDMEnrollmentUserUPN String userUPN
      MachineMDMEnrollmentUserSID String userSID
  7. Enable Management:
    1. Navigate to the Charms menu, select settings then select Change PC Settings.
    2. Select Network.
    3. Select Workplace.
    4. Enter the administrator's UPN and select Turn on.
    5. Enter the administrator's credentials.
    6. Accept the consent dialog.

    Note: If you intend to use the Windows Protection Agent, download and install the agent at this point. For sideloading the Windows Protection Agent, download the agent from the Resource Portal.

  8. Log off as the local administrator user.
  9. Log on as the local low rights user.

The device is now ready for EOBO end user use.

Have more questions? Submit a request

0 Comments

Article is closed for comments.