Event details
The education device management product team will be answering questions around deploying and managing Windows devices in education. Bring questions you have around Intune for Education, Microsoft En...
Heather_Poulsen
Updated Jul 21, 2021
cstott
Copper Contributor
Jul 21, 2021
OK. I wanted to verify if that is indeed the case. Well that is really too bad--I was hoping otherwise. Thank you for clearing that up.
Is there a better way to enroll an existing workstation when a user is not around to sign in themselves, that will enable applications to install before they have a chance to use it again? We are servicing AD-bound desktops that have been out of use by folks for over a year and we want to bring them into compliance. Our efforts so far have looked at a few methods:
- Deep link enrollment (device management only) with a service account: results in the Intune Management Extension not being installed, so PowerShell scripts and Win32 apps do not deploy.
- Provisioning Package (Bulk Enrollment): results in the IME being installed, PowerShell scripts do run, but Win32 apps do not deploy. The IME log states that the agent is looking for an AAD token at the user level and refuses to install any apps. I assume it will install the applications once an AAD-eligible user signs in, but we're again at the problem of requiring user presence.
After all of this I am considering using a service account with Device Enrollment Manager permissions (to get around the enrollment limit) to sign into a mass number of HAADJ machines, that way at least the systems will get all of their apps/scripts run before people come back to work on site. Would this work?
ChrisKunze-MSFT
Microsoft
Jul 21, 2021
Question on this: "- Provisioning Package (Bulk Enrollment): results in the IME being installed, PowerShell scripts do run, but Win32 apps do not deploy. The IME log states that the agent is looking for an AAD token at the user level and refuses to install any apps." A ppkg should enroll the device as userless. Any apps and/or settings that are assigned to the device should be applied before the device is logged into. Are you sure the Win32 apps are not getting installed?