How to configure staging enrollment for Windows 8 & 8.1 devices

This method allows a Windows Administrator Account (Staging User) to enroll Windows 8.1 devices on behalf of a Windows Local/Domain Non-Admin Account (End User).


AirWatch applications, including AirWatch Content Locker, AirWatch Browser, and AirWatch Inbox, are currently incompatible with devices enrolled through staging enrollment. Please consider these limitations before proceeding with this method of enrollment.


  1. Surface RT device(s) running Windows RT 8.1
  2. Type cover, touch cover, or USB keyboard and mouse
  3. User Information (full name, username, and UPN)
  4. Internet connection (if using Windows Update)

How to set up Staging Enrollment for Windows 8

1) Create staging and end-user account on the AirWatch Console:

  • AirWatch Staging Account: You will use this account to stage the device. The purpose of this account is to have an account trusted by AirWatch so that the administrator can enroll on behalf of the user. Create a Staging User with Enable Device Staging, Single User Devices, and Advanced - Enroll on behalf of another user selected.



  • AirWatch End-User Account: This will be the account that you ultimately enroll the device with. If it is not yet created, add a new User Account to the AirWatch Console. Ensure that none of the staging options above are checked.

2) Create a Windows End-User account (can also use an existing account):

  1. On your Windows 8 device, log into your Windows Administrator Account. Create a Windows Non-Admin Local Account with a temporary password. This will be the account used by your end-user. Alternatively, this can be a Windows Non-Admin Domain Account. To create the local user account:
  2. Swipe left, click the arrow to the Apps menu, and select Desktop.
  3. Right-click the Start icon and select Computer Management.
  4. Expand Local Users and Groups, right-click Users, and select New User.
  5. Enter the user’s username in the User name field.
  6. Enter the user’s full name in the Full name field.
  7. Enter a temporary password in the Password and Confirm Password fields.
  8. Do not modify any of the additional settings and click Create.


3) Install Windows Update KB2955164:

To download all available updates for Windows 8:

  1. Open the Charms menu, select Settings and select Change PC Settings.
  2. Select Update and Recovery.
  3. Select Check now.

Alternatively, if this is a full Windows 8/8.1 device, you may download the standalone installer for this Windows Update (

4) Find the Windows end-user account SID:

Open Command Prompt (CMD) and run command 

wmic useraccount where name='{Local User}' get sid 

where {Local User} is the username of the Windows Non-Admin Local/Domain Account and note the SID shown on the prompt.


5) Find your Windows end-user account UPN (User Principal Name):

If the end-user account is local, your UPN is the email address of the account that you will enroll the device with. If your end-user account is a domain account, log into that account, open Command Prompt (CMD) and run the command whoami /upn (remember to log off and log back into your Windows administrator account afterwards).

6) Create necessary registry entries:

In your Windows administrator account, open Registry Editor (regedit), navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\ and create a new key named MDM. Within the MDM key, create the following values:

  1. DWORD (32-bit) with name MachineMDMEnrollment and set Data to 1
  2. String with name MachineMDMEnrollmentUserUPN and set Data to the UPN value found in Step 5
  3. String with name MachineMDMEnrollmentUserSID and set Data to the SID value found in Step 4
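
Steps 4 through 6 can also be done in one pass from an elevated PowerShell session. The script below is an added example, not part of the original article or of AirWatch tooling; it resolves the SID, round-trips it to confirm it maps to the intended account, writes the three values named above, and reads them back. The parameter names and the sample account and UPN are assumptions to replace with your own.

```powershell
# Added example: automates Steps 4-6. $EndUser and $EndUserUpn are
# hypothetical parameter names; their defaults are constructed sample values.
param(
    [string]$EndUser    = 'jdoe',              # local name or DOMAIN\user
    [string]$EndUserUpn = 'jdoe@example.com'   # UPN from Step 5
)
$ErrorActionPreference = 'Stop'

# Writing under HKLM\SOFTWARE\Policies requires an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# Step 4: resolve the account name to its SID (local or domain account).
$account = New-Object Security.Principal.NTAccount($EndUser)
$sid     = $account.Translate([Security.Principal.SecurityIdentifier])

# Round-trip the SID so a typo cannot bind the enrollment to another account.
$resolved = $sid.Translate([Security.Principal.NTAccount]).Value
Write-Host "Resolved $EndUser -> $($sid.Value) ($resolved)"

# Step 5: basic shape check on the UPN (user@domain).
if ($EndUserUpn -notmatch '^[^@\s]+@[^@\s]+$') {
    throw "UPN '$EndUserUpn' is not in user@domain form."
}

# Step 6: create the MDM key and the three values named in the article.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name MachineMDMEnrollment -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $key -Name MachineMDMEnrollmentUserUPN -PropertyType String -Value $EndUserUpn -Force | Out-Null
New-ItemProperty -Path $key -Name MachineMDMEnrollmentUserSID -PropertyType String -Value $sid.Value -Force | Out-Null

# Read the values back and fail if anything differs from what was intended.
$set = Get-ItemProperty -Path $key
if ($set.MachineMDMEnrollment -ne 1 -or
    $set.MachineMDMEnrollmentUserUPN -ne $EndUserUpn -or
    $set.MachineMDMEnrollmentUserSID -ne $sid.Value) {
    throw 'Registry values do not match the intended UPN/SID.'
}
$set | Select-Object MachineMDMEnrollment, MachineMDMEnrollmentUserUPN, MachineMDMEnrollmentUserSID
```

On 64-bit Windows, run it from the 64-bit PowerShell host so the values land in the native registry view rather than under Wow6432Node.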


7) Switch accounts to effect registry changes:

  1. Log out of your Windows Administrator Account
  2. Log into your Windows Non-Admin Account
  3. Log out of your Windows Non-Admin Account
  4. Log into your Windows Administrator Account

8) Enroll the device:


  • The exception is that, when first prompted for a user and password, input the credentials for the AirWatch Staging User created in Step 1-a, and then input the username for the AirWatch End User created in Step 1-b.



9) Download AirWatch Protection Agent (optional):

  1. See Pg. 14-15 of the Windows Desktop Platform Guide (“Requiring the Windows Protection Agent”) for more information.
  2. For sideloading the Windows Protection Agent, download the agent from the Resource Portal.

10) Switch to Windows Non-Admin End-User Account:

  1. Log off Windows Administrator Account
  2. Log on Windows Non-Admin Local/Domain Account


Congratulations! You have completed staging enrollment. The device should show as “Enrolled” in the AirWatch Console now, and should be enrolled with the AirWatch End-User Account you created in Step 1-b.
