
By Scott Duffey | Senior Program Manager, Microsoft Endpoint Manager

 

I’m excited to announce that today we started rolling out a feature giving you the ability to change a device’s primary user. We have had this item on our product backlog for a long time, being the highest voted item on UserVoice and also attracting a lot of comments on the previous support post How User Device Affinity Works in Intune. Read below for more information on Primary User.

 

Over the next two weeks, you’ll see this feature show up under the “devices” area of the Microsoft Endpoint Manager admin center (at either https://devicemanagement.microsoft.com or https://portal.azure.com) and you’ll also see some updates to our Primary User docs page.

 

Here’s the brief overview of what you can do with this new feature:

  • Change the Primary user from User-A to User-B
  • Change the Primary user from none (shared) to a single user
  • Change the Primary user from a single user to none (shared)

[Screenshot: MemAdmin_Scott1.png]

 

In all the above cases, the Intune device (Primary User property) will be updated, as will the Azure AD device object (DeviceRegisteredOwner and DeviceRegisteredUser).

 

Here's what you'll see in the Microsoft Endpoint Manager admin center:

[Screenshot: memadmin_scott2.png]

 

And here's what you'll see in Azure AD:

[Screenshot: memadmin_scott3.png]

Note: It may take up to 10 minutes for the change to be reflected in the Azure AD portal.

 

A couple more details:

  • Devices must be a supported version of Windows 10.
  • Devices can be either Azure AD Joined or Hybrid Azure AD Joined.
  • If a device is co-managed then you can’t change the Primary User (but this is a scenario we are working on). Update: With the June (2006) Intune service release, you can now change a device's primary user for co-managed Windows devices. Learn more here: Change a device's primary user.
  • We have added a new administrator privilege: “Managed Device/Set primary user” and it has been added to built-in roles including: Helpdesk Operator, School administrator, and Endpoint Security Manager. To use this feature, you will need to have this privilege assigned.
  • A user must have an Intune license to be assigned as a Primary user.
  • The new Device compliance report list includes columns for both Primary User and Enrolled-by user. This change will also be added to the “All devices” list soon.
  • In addition to the Microsoft Endpoint Manager console, you can change the Primary User through the Graph API. Here's the PowerShell script from GitHub: https://github.com/microsoftgraph/powershell-intune-samples/tree/master/ManagedDevices#1-invoke_devi....
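
The Graph API route from the last bullet, extended to a bulk change with an audit trail. This is an added example, not the script from the linked GitHub repository or from the original post: it validates each CSV row, skips devices that already have the requested primary user, honours `-WhatIf`, and records the old and new user for every device. Assumptions: the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Authentication`), the Graph beta `managedDevices('{id}')/users/$ref` endpoint, and a constructed CSV layout with `DeviceId` and `UserPrincipalName` columns; the file and parameter names are hypothetical.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
<#
Added example: bulk-set the Intune primary user from a CSV and keep a
before/after audit record of every row.

Constructed sample input, primary-users.csv (ID and UPN are placeholders):
    DeviceId,UserPrincipalName
    11111111-2222-3333-4444-555555555555,user.b@contoso.example

Run with -WhatIf first to see the planned changes without writing to Intune.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $CsvPath,            # hypothetical input file
    [string] $AuditLog = '.\primary-user-changes.csv'    # hypothetical audit file
)

$base = 'https://graph.microsoft.com/beta'   # assumption: beta endpoint, not stated on the page
$guid = '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'

# Delegated scopes: write managed devices, read users to resolve each UPN.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.ReadWrite.All', 'User.Read.All' | Out-Null
$operator = (Get-MgContext).Account

$results = foreach ($row in Import-Csv -Path $CsvPath) {
    $deviceId = "$($row.DeviceId)".Trim()
    $upn      = "$($row.UserPrincipalName)".Trim()
    $record   = [ordered]@{
        TimeUtc  = [datetime]::UtcNow.ToString('o'); ChangedBy = $operator
        DeviceId = $deviceId; OldUser = ''; NewUser = $upn; Status = ''; Detail = ''
    }
    try {
        # Reject malformed rows before they reach the API.
        if ($deviceId -notmatch $guid)          { throw 'DeviceId is not a GUID' }
        if ([string]::IsNullOrWhiteSpace($upn)) { throw 'UserPrincipalName is empty' }

        # Resolve the target user; this throws if the UPN does not exist in the tenant.
        $userUri = "$base/users/$([uri]::EscapeDataString($upn))?`$select=id,userPrincipalName"
        $user    = Invoke-MgGraphRequest -Method GET -Uri $userUri

        # Read the current primary user so the audit record shows what was replaced.
        $current = (Invoke-MgGraphRequest -Method GET -Uri "$base/deviceManagement/managedDevices/$deviceId/users").value
        $record.OldUser = $current.userPrincipalName -join ';'

        if ($current.id -contains $user.id) {
            $record.Status = 'Unchanged'
        }
        elseif ($PSCmdlet.ShouldProcess($deviceId, "Set primary user to $upn")) {
            $body = @{ '@odata.id' = "$base/users/$($user.id)" } | ConvertTo-Json
            $ref  = "$base/deviceManagement/managedDevices('$deviceId')/users/`$ref"
            Invoke-MgGraphRequest -Method POST -Uri $ref -Body $body -ContentType 'application/json' | Out-Null
            $record.Status = 'Changed'
        }
        else {
            $record.Status = 'Skipped'   # -WhatIf, or the operator declined -Confirm
        }
    }
    catch {
        $record.Status = 'Failed'
        $record.Detail = $_.Exception.Message
    }
    [pscustomobject]$record
}

if ($results) {
    # Always write the audit trail, including for -WhatIf dry runs.
    $results | Export-Csv -Path $AuditLog -NoTypeInformation -Append -WhatIf:$false
    $results | Group-Object Status -NoElement
}
```

The signed-in account still needs the “Managed Device/Set primary user” privilege described above, and per the note above the Azure AD device object can take up to 10 minutes to reflect each change.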

 

Post Updated:

  • 4/6/2020: With the known issues info. 
  • 4/7/2020: Updated with the link to a PowerShell script for use.
  • 6/19/20: Updated to include that you can now change the primary user on co-managed devices
  • 7/13/20: Previously known issues are now resolved!
41 Comments
Senior Member

Hello, is it possible or supported to change the primary user on a device that was enrolled using a “device enrollment manager” account to a normal user account?

New Contributor

Does the new primary user also become a local admin on the device?

New Contributor

Firstly... Congrats!

 

“If a device is co-managed then you can’t change the Primary User”

 

Drat, that’s all of our devices, which makes the feature unusable for us right now. Any more info on when it might be supported?

New Contributor

@jurajt No, local admin can be added at once to all AAD joined devices under AAD > devices, using CSP configuration or during Autopilot.

New Contributor

@giladke I know that, but that adds the local admin to *all* devices.

New Contributor

@jurajt that's why I mentioned 2 other options to have user as local admin for a specific device (i.e. CSP, autopilot, you can script it as well) :smile:

Occasional Contributor

Hello, 

 

Is it possible to automatically set or replace user device affinities depending on the number of hours of connection on the Workstation like Configuration Manager?

 

Regards, 

Julien

Senior Member

Is it supported to have an autopilot device where the autopilot “assigned user” is a device enrollment manager account, but then after the machine runs through autopilot and joins AAD you set the primary user to another account but leave the DEM as the “assigned user”?

Microsoft

@ForumUser - Yes. DEM enrolled can have Primary user changed.

Microsoft

@jurajt - No. This change occurs in the Intune service-side. There are no changes to local group memberships.

Microsoft

@Steve Prentice - Thank you! We are excited to light-up more scenarios including co-managed ones. No dates to share yet though.

Microsoft

@julien_Gfi - No that is not part of this feature. If this is something you would find helpful in your environment, please go ahead and add a UserVoice item.

Microsoft

@ForumUser. It's not a scenario we've specifically designed for or tested. Can you add some detail about why you'd want to do this instead of the documented AP configuration?

New Contributor

Thanks Scott. :) If I had a particularly annoying machine which was co-managed and was correct in MECM but not in Intune... could the primary user be changed via a service request while we wait for the other scenarios you mention?

Senior Member

Hi Scott Duffey, we love the autopilot feature (both self deploying and user driven) and the integration with configmgr task sequences to easily image a device using our standard build,  and then also have the added benefits of auto join to AAD, auto enrollment into Intune, automatic encryption with keys stored in AAD etc.  However it’s a burden for our helpdesk to have to wait for the end user to be available to log into the computer to finish the autopilot sequence.  We like to make sure everything is all set for the user (like drivers get installed properly, updates done, encryption finished) and OOBE finished before handing the computer over to the user.  So setting up the device at first  with no primary user with self deploying mode or a DEM account, and then changing the primary user after everything is confirmed would be a much better process for us.

Occasional Contributor

Thank you! That was a much needed change BUT we are co-managed.

 

"If a device is co-managed then you can’t change the Primary User (but this is a scenario we are working on)." 

 

Is there an actual plan on this? Currently we can't take advantage of this...

 

Senior Member

Brilliant!

 

It would be great to also get the option to add the new user to be a local administrator on the device as we're changing the primary user.

Senior Member

@Intune Support Team @Scott Duffey 

I've created a custom role with below privileges and still can't change Primary User.

  • ManagedDevices Delete
  • ManagedDevices Read
  • ManagedDevices SetPrimaryUser
  • ManagedDevices Update

No button appearing except for notification error 'User is not authorized to perform this operation'

 

Microsoft

@Pawel Korpisz - Try adding Organizational Access / Read to the set of privileges. LMK how you go.

Microsoft

@cloud_compadre Thanks for the feedback! Feel free to add an item on Uservoice too. https://microsoftintune.uservoice.com/forums/291681-ideas

Senior Member
Frequent Visitor

Excellent job on getting this feature done.  

 

Request: Please add the option to add column "Primary user" to the "Microsoft Endpoint Manager admin center" in the "Devices | All devices" window.  Currently that field/column is not present in that blade/window.  I'd like to be able to easily see who the primary user is of a machine at a glance without drilling into each device.

 

Thanks! 

Frequent Visitor

Please disregard my request above.  I found that the "Enrolled by user UPN" field in the "Microsoft Endpoint Manager admin center" in the "Devices | All devices" window seems to contain the "Primary user" info.  If I'm mistaken, please advise.

 

Thanks!

Regular Visitor

Is this able to be done for other types of devices, like iOS or macOS?

 

Thanks !

 

Hi @esmith7cns, the current preview is for AAD joined or Hybrid AAD joined devices and we are excited to light-up more scenarios including iOS/macOS as well as co-management as Scott previously mentioned. Though we don't have an ETA to share at this time, keep an eye out on our Customer Success Blog or In development page for any new updates regarding this feature.

Occasional Visitor

Has there been a change in this feature? Until 2 days ago we were able to edit the primary user on our clients' tenants, now suddenly the option is greyed out. We still have the permission and licenses etc. needed as described in the article.

Senior Member

Why are people doing this? It's such an easy step to factory reset a device and enroll it to a new user. Why go through this never ever perfect technical nightmare of lost zombie entries somewhere, incorrect machine certificate user attributes and stale machine history in connected systems?

Occasional Visitor

Hi, how can I change primary users in bulk? We want to roll out more than 300 new computers via autopilot and DEM user, hybrid joined. After that I need to set on every PC the correct primary user. I have a list (.csv file) and I have the PowerShell command. Is there a default PS script that I can use for that?

Hi @JoGa1, you can change the Primary User through Graph API. Here are the available PowerShell samples from GitHub: Intune Managed Device script samples. Hope this helps!

@Scott Duffey I have a new Hybrid join machine. This device was hybrid joined by an admin from the work network. Now, we want to give this device to an actual standard user, who is working from home. As it's hybrid, our assumption is the end user should be able to log in to the machine with his own account (similar to AAD joined machine). Now if I change primary user of the device to be the new standard user (keeping enrolled by, still in the name of admin), the standard user is NOT able to log in to the device from home. Device shows error: cannot recognize the user.

Please suggest what the advantages of the change primary user feature are. Is it just for inventory purposes, or are we really making the end user able to log in to the device after the admin enrolls it?

Hi @SUBHASH VINJAMURI, the primary user property is used to map a licensed Intune user to the targeted device within the Company Portal app, End-user website, and IT pro experiences (like the troubleshooting pages within the Intune admin console). We'll be reaching out to you via message for further assistance.

Visitor

This has been a great feature BUT I am finding that the option to Change the Primary User is greyed out for us for some devices but not others. They are all Company managed owned via InTune MDM and enrolled via Company Portal. What should we do in this situation? 

 

Contributor

@Violette 

 

I am seeing this too across my tenants.  Would be useful to get some info on what would cause this, so it's not obvious. 

Visitor

@Intune Support Team  @Ruairidh Campbell - Did you just notice this happening recently?

 

I noticed this starting maybe a week ago. I have since set up a few other PCs in the standard way we always do, but the option to change Primary User is now greyed out. PCs are Company-owned in InTune and Azure AD registered.

 
Occasional Contributor

Still trying to find an answer to what I assume should be a top question. How does this impact a device after the Enrollment user is removed from the directory? Classically, if you remove the Enrollment User from the directory then the device becomes unmanaged. Now if I have two users UserA and UserB, and UserA enrolled a device, but is now leaving the company, if I change the Primary User to UserB will the device become unmanaged when UserA is removed? There is a big note in the Documentation about how changing the Primary User does not change the Enrolled By user, but says nothing about how this impacts manageability in this common scenario. Any information regarding this is appreciated.

Hi @Violette, @Ruairidh Campbell, thanks for the feedback. We’ve followed up with both of you directly to talk through the scenario, but also noting that the Primary User feature will be enabled for Windows 10 devices that are Azure AD Joined, Hybrid Azure AD Joined, or co-managed Windows devices. ^MS

Hi @Andrew Allston, thank you for the feedback. If the targeted devices are corporate owned, you may want to consider initiating a Wipe/Retire or Autopilot Reset prior to issuing it to a new employee. If these scenarios do not meet your organization’s current needs, happy to provide additional feedback to the team. Could you expand on your scenario more over direct message? Thanks! ^MS

Visitor

@Intune Support Team It would be a huge benefit to have Primary User Field be able to be modified on either AD registered OR joined devices, as long as they are Company-owned and Managed. Our devices are a mix of the two, and there is no difference in us being able to manage registered devices in InTune vs. Joined. We can still wipe, rename, etc.

Contributor

@Ruairidh Campbell 

‎2020-06-22 02:47 PM

 

@Violette 

 

I am seeing this too across my tenants.  Would be useful to get some info on what would cause this, so it's not obvious. 


Providing an update on this.  In my case, it was user error.  :flushed:

 

On a device's properties page, although Primary user (preview) is greyed out, which makes it look "locked", you can click Change primary user beneath it, which opens a pane with your users to choose from.  Worked a treat.

 

Thanks to @Intune Support Team for helping out on this one.

New Contributor

I too am seeing the grayed-out option:

[Screenshot: OrionJason_0-1595983343502.png]

I saw a message above indicating that even grayed they found it worked when clicked on but I am not seeing this to be the case. Our desired workflow is enrolling systems with our Helpdesk admin user and then, once the new user is set up on their system, to assign the device to the actual primary user. Our environment is O365 Business + Intune Device for these users -no AD systems or services -only AAD. Additionally we are GSuite-primary and Azure is federated to GSuite via SAML if that is a factor in this.

Hi @OrionJason, thank you for the comment. We’ve followed up with you over direct message to talk through the scenario.