Change the Intune Primary User – Public Preview Now Available
Published Mar 10 2020 05:36 PM 145K Views

By Scott Duffey | Senior Program Manager, Microsoft Endpoint Manager


I'm excited to announce that today we started rolling out a feature that gives you the ability to change a device's primary user. This item has been on our product backlog for a long time: it was the highest-voted item on UserVoice and also attracted a lot of comments on the earlier support post How User Device Affinity Works in Intune. Read on for more information on Primary User.


Over the next two weeks, you’ll see this feature show up under the “devices” area of the Microsoft Endpoint Manager admin center (at either https://devicemanagement.microsoft.com or https://portal.azure.com) and you’ll also see some updates to our Primary User docs page.


Here’s the brief overview of what you can do with this new feature:

  • Change the Primary user from User-A to User-B
  • Change the Primary user from none (shared) to a single user
  • Change the Primary user from a single user to none (shared)

[Image: MemAdmin_Scott1.png]


In all the above cases, both the Intune device (Primary User property) and the Azure AD device object (DeviceRegisteredOwner and DeviceRegisteredUser) are updated.


Here's what you'll see in the Microsoft Endpoint Manager admin center:

[Image: memadmin_scott2.png]


And here's what you'll see in Azure AD:

[Image: memadmin_scott3.png]

Note: it may take up to 10 minutes for the change to appear in the Azure AD portal.


A couple more details:

  • Devices must be running a supported version of Windows 10.
  • Devices can be either Azure AD Joined or Hybrid Azure AD Joined.
  • If a device is co-managed, you can’t change the Primary User (this is a scenario we are working on). Update: with the June (2006) Intune service release, you can now change a device's primary user for co-managed Windows devices. Learn more here: Change a device's primary user.
  • We have added a new administrator privilege, “Managed Device/Set primary user”, and included it in built-in roles including Helpdesk Operator, School administrator, and Endpoint Security Manager. To use this feature, you need to have this privilege assigned.
  • A user must have an Intune license to be assigned as a Primary user.
  • The new Device compliance report list includes columns for both Primary User and Enrolled-by user. This change will also be added to the “All devices” list soon.
  • In addition to the Microsoft Endpoint Manager admin center, you can change the Primary User through the Graph API. Here's the PowerShell script from GitHub: https://github.com/microsoftgraph/powershell-intune-samples/tree/master/ManagedDevices#1-invoke_devi....
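As an added example (not code from Scott's post or from the Microsoft GitHub sample), the following PowerShell performs the same primary-user change the admin center makes, for a list of devices, and then reads back the Azure AD device's registered owners to confirm the DeviceRegisteredOwner update described above. Assumed: the Microsoft.Graph.Authentication module, the beta managedDevices users/$ref call that the GitHub sample also uses, and the constructed device names and UPNs in the inline CSV.

```powershell
# Added example: bulk-set the Intune primary user via Graph, then confirm the
# Azure AD registered owner. Assumes Microsoft.Graph.Authentication is installed;
# the admin also needs the "Managed Device/Set primary user" Intune privilege.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.ReadWrite.All', 'User.Read.All', 'Device.Read.All'
$graph = 'https://graph.microsoft.com'

function Set-IntunePrimaryUser {
    param(
        [Parameter(Mandatory)] [string] $DeviceName,
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )
    # 1. Resolve the Intune managed device. deviceName is not guaranteed unique,
    #    so refuse to act unless exactly one device matches.
    $uri = "$graph/beta/deviceManagement/managedDevices?`$filter=deviceName eq '$DeviceName'"
    $devices = @((Invoke-MgGraphRequest -Method GET -Uri $uri).value)
    if ($devices.Count -ne 1) {
        throw "Expected one device named '$DeviceName', found $($devices.Count)"
    }
    $device = $devices[0]

    # 2. Resolve the user. The post notes the user must hold an Intune license;
    #    Graph rejects the assignment otherwise.
    $user = Invoke-MgGraphRequest -Method GET -Uri "$graph/v1.0/users/$UserPrincipalName"

    # 3. Set the primary user: POST a reference to the user into the device's
    #    users collection (the same call the GitHub sample script makes).
    $body = @{ '@odata.id' = "$graph/beta/users/$($user.id)" } | ConvertTo-Json
    Invoke-MgGraphRequest -Method POST -Body $body -ContentType 'application/json' `
        -Uri "$graph/beta/deviceManagement/managedDevices('$($device.id)')/users/`$ref"

    # 4. Verify the Azure AD side: Intune's azureADDeviceId maps to the Azure AD
    #    device's deviceId, whose registeredOwners should now include the user.
    #    The post says this can lag up to 10 minutes, so report rather than fail.
    $uri = "$graph/v1.0/devices?`$filter=deviceId eq '$($device.azureADDeviceId)'"
    $aadDevice = @((Invoke-MgGraphRequest -Method GET -Uri $uri).value)[0]
    $owners = (Invoke-MgGraphRequest -Method GET -Uri "$graph/v1.0/devices/$($aadDevice.id)/registeredOwners").value
    $ownerUpns = @($owners | ForEach-Object { $_.userPrincipalName })
    [pscustomobject]@{
        DeviceName     = $DeviceName
        PrimaryUser    = $UserPrincipalName
        AadOwnerSynced = $ownerUpns -contains $UserPrincipalName
    }
}

# Constructed sample input standing in for Import-Csv .\primary-users.csv
$assignments = @'
DeviceName,UserPrincipalName
LAPTOP-CONTOSO-001,alice@contoso.example
LAPTOP-CONTOSO-002,bob@contoso.example
'@ | ConvertFrom-Csv

foreach ($row in $assignments) {
    Set-IntunePrimaryUser -DeviceName $row.DeviceName -UserPrincipalName $row.UserPrincipalName
}
```

A row whose AadOwnerSynced is false right after the run usually just reflects the propagation delay noted above; re-query the registered owners a few minutes later before treating it as a failure.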

 

Post Updated:

  • 4/6/2020: With the known issues info. 
  • 4/7/2020: Updated with the link to a Powershell script for use. 
  • 6/19/20: Updated to include that you can now change the primary user on co-managed devices
  • 7/13/20: Previously known issues are now resolved!
74 Comments
Copper Contributor

Hello, is it possible or supported to change the primary user on a device that was enrolled using a “device enrollment manager” account to a normal user account?

Brass Contributor

does the new primary user also become a local admin on the device?

Iron Contributor

Firstly... Congrats!


“If a device is co-managed then you can’t change the Primary User“


Drat, that’s all of our devices, which makes the feature unusable for us right now. Any more info on when it might be supported?

Brass Contributor

@jurajt No, local admin can be added at once to all AAD joined devices under AAD > devices, using CSP configuration or during Autopilot.

Brass Contributor

@giladke I know that, but that adds the local admin to *all* devices.

Brass Contributor

@jurajt that's why I mentioned 2 other options to have a user as local admin for a specific device (i.e. CSP, Autopilot; you can script it as well) :smile:

Copper Contributor

Hello,


Is it possible to automatically set or replace user device affinities depending on the number of hours of connection on the Workstation, like Configuration Manager?


Regards, 

Julien

Copper Contributor

Is it supported to have an autopilot device where the autopilot “assigned user” is a device enrollment manager account, but then after the machine runs through autopilot and joins AAD you set the primary user to another account but leave the DEM as the “assigned user”?

Microsoft

@ForumUser - Yes. DEM-enrolled devices can have the Primary user changed.

Microsoft

@jurajt - No. This change occurs in the Intune service-side. There are no changes to local group memberships.

Microsoft

@Steve Prentice - Thank you! We are excited to light up more scenarios including co-managed ones. No dates to share yet though..

Microsoft

@julien_Gfi - No that is not part of this feature. If this is something you would find helpful in your environment, please go ahead and add a UserVoice item.

Microsoft

@ForumUser. It's not a scenario we've specifically designed for or tested. Can you add some detail about why you'd want to do this instead of the documented AP configuration?

Iron Contributor

Thanks Scott. :) If I had a particularly annoying machine which was co-managed and was correct in MECM but not in Intune... could the primary user be changed via a service request while we wait for the other scenarios you mention?

Copper Contributor

Hi Scott Duffey, we love the autopilot feature (both self deploying and user driven) and the integration with configmgr task sequences to easily image a device using our standard build,  and then also have the added benefits of auto join to AAD, auto enrollment into Intune, automatic encryption with keys stored in AAD etc.  However it’s a burden for our helpdesk to have to wait for the end user to be available to log into the computer to finish the autopilot sequence.  We like to make sure everything is all set for the user (like drivers get installed properly, updates done, encryption finished) and OOBE finished before handing the computer over to the user.  So setting up the device at first  with no primary user with self deploying mode or a DEM account, and then changing the primary user after everything is confirmed would be a much better process for us.

Brass Contributor

Thank you! That was a much needed change BUT we are co-managed.

"If a device is co-managed then you can’t change the Primary User (but this is a scenario we are working on)."

Is there an actual plan on this? Currently we can't take advantage of this...


Copper Contributor

Brilliant!


It would be great to also get the option to add the new user to be a local administrator on the device as we're changing the primary user.

Copper Contributor

@Intune_Support_Team @Scott Duffey 

I've created a custom role with the below privileges and still can't change Primary User.

  • ManagedDevices Delete
  • ManagedDevices Read
  • ManagedDevices SetPrimaryUser
  • ManagedDevices Update

No button appears, only the notification error 'User is not authorized to perform this operation'.


Microsoft

@Pawel Korpisz - Try adding Organizational Access / Read to the set of privileges. LMK how you go.

Microsoft

@cloud_compadre Thanks for the feedback! Feel free to add an item on Uservoice too. https://microsoftintune.uservoice.com/forums/291681-ideas

Brass Contributor

Excellent job on getting this feature done.


Request: Please add the option to add column "Primary user" to the "Microsoft Endpoint Manager admin center" in the "Devices | All devices" window. Currently that field/column is not present in that blade/window. I'd like to be able to easily see who the primary user is of a machine at a glance without drilling into each device.


Thanks! 

Brass Contributor

Please disregard my request above. I found that the "Enrolled by user UPN" field in the "Microsoft Endpoint Manager admin center" in the "Devices | All devices" window seems to contain the "Primary user" info. If I'm mistaken, please advise.


Thanks!

Copper Contributor

Is this able to be done for other types of devices? Like iOS or macOS?

Thanks!

Hi @esmith7cns, the current preview is for AAD joined or Hybrid AAD joined devices, and we are excited to light up more scenarios including iOS/macOS as well as co-management, as Scott previously mentioned. Though we don't have an ETA to share at this time, keep an eye on our Customer Success Blog or In development page for any new updates regarding this feature.

Copper Contributor

Has there been a change in this feature? Until 2 days ago we were able to edit the primary user on our clients' tenants; now suddenly the option is greyed out. We still have the permission and licenses etc. needed as described in the article.

Copper Contributor

Why are people doing this? It's such an easy step to factory reset a device and enroll it to a new user — why go through this never-perfect technical nightmare of lost zombie entries somewhere, incorrect machine certificate user attributes and stale machine history in connected systems?

Copper Contributor

Hi, how can I change primary users in bulk? We want to roll out more than 300 new computers via Autopilot and a DEM user, hybrid joined. After that I need to set the correct primary user on every PC. I have a list (.csv file) and I have the PowerShell command. Is there a default PS script that I can use for that?

Hi @JoGa1, you can change the Primary User through the Graph API. Here are the available PowerShell samples from GitHub: Intune Managed Device script samples. Hope this helps!

Copper Contributor

@Scott Duffey I have a new Hybrid join machine. This device was hybrid joined by an admin from the work network. Now, we want to give this device to an actual standard user, who is working from home. As it's hybrid, our assumption is the end user should be able to log in to the machine with his own account (similar to an AAD joined machine). Now if I change the primary user of the device to be the new standard user (keeping enrolled by still in the name of the admin), the standard user is NOT able to log in to the device from home. The device shows an error: cannot recognize the user.

Please suggest what the advantages of the change primary user feature are. Is it just for inventory purposes, or does it really make the end user able to log in to the device after an admin enrolls it?

Hi @SUBHASH VINJAMURI, the primary user property is used to map a licensed Intune user to the targeted device within the Company Portal app, End-user website, and IT pro experiences (like the troubleshooting pages within the Intune admin console). We'll be reaching out to you via message for further assistance.

Copper Contributor

This has been a great feature BUT I am finding that the option to Change the Primary User is greyed out for us for some devices but not others. They are all Company managed owned via Intune MDM and enrolled via Company Portal. What should we do in this situation?


MVP

@Violette

I am seeing this too across my tenants. Would be useful to get some info on what would cause this, so it's not obvious.

Copper Contributor

@Intune_Support_Team @Ru - Did you just notice this happening recently?

I noticed this starting maybe a week ago. I have since set up a few other PCs in the standard way we always do, but the option to change Primary User is now greyed out. PCs are Company-owned in Intune and Azure AD registered.

Iron Contributor

Still trying to find an answer to what I assume should be a top question. How does this impact a device after the Enrollment user is removed from the directory. Classically, if you remove the Enrollment User from the directory then the device becomes unmanaged. Now if I have two users UserA and UserB, and UserA enrolled a device, but is now leaving the company, if I change the Primary User to UserB will the device become unmanaged when UserA is removed? There is a big note in the Documentation about how changing the Primary User does not change the Enrolled By user, but says nothing about how this impacts manageability in this common scenario.  Any information regarding this is appreciated. 

Hi @Violette, @Ru, thanks for the feedback. We’ve followed up with both of you directly to talk through the scenario, but also noting that the Primary User feature will be enabled for Windows 10 devices that are Azure AD Joined, Hybrid Azure AD Joined, or co-managed Windows devices. ^MS

Hi @Andrew Allston, thank you for the feedback. If the targeted devices are corporate owned, you may want to consider initiating a Wipe/Retire or Autopilot Reset prior to issuing it to a new employee. If these scenarios do not meet your organization’s current needs, happy to provide additional feedback to the team. Could you expand on your scenario more over direct message? Thanks! ^MS

Copper Contributor

@Intune_Support_Team It would be a huge benefit to have the Primary User field be modifiable on either AD registered OR joined devices, as long as they are Company-owned and Managed. Our devices are a mix of the two, and there is no difference in us being able to manage registered devices in Intune vs. Joined. We can still wipe, rename, etc.

MVP

@Ru

2020-06-22 02:47 PM

@Violette

I am seeing this too across my tenants. Would be useful to get some info on what would cause this, so it's not obvious.

Providing an update on this. In my case, it was user error. :flushed:


On a device's properties page, although Primary user (preview) is greyed out, which makes it look "locked", you can click Change primary user beneath it, which opens a pane with your users to choose from. Worked a treat.


Thanks to @Intune_Support_Team for helping out on this one.

Brass Contributor

I too am seeing the grayed-out option:

[Image: OrionJason_0-1595983343502.png]

I saw a message above indicating that even grayed out they found it worked when clicked on, but I am not seeing this to be the case. Our desired workflow is enrolling systems with our Helpdesk admin user and then, once the new user is set up on their system, assigning the device to the actual primary user. Our environment is O365 Business + Intune Device for these users - no AD systems or services, only AAD. Additionally, we are GSuite-primary and Azure is federated to GSuite via SAML, if that is a factor in this.

Hi @OrionJason, thank you for the comment. We’ve followed up with you over direct message to talk through the scenario.

Copper Contributor

Hello @Intune_Support_Team, any news about the possibility to change the Primary User of an iOS device (iPhone)? This would be a great feature for our organisation!

Thanks!

Copper Contributor

Hi Scott, in co-managed mode, is the primary user synchronized from Intune to SCCM?

Hi @Guillaume, we are excited to light up more scenarios including iOS/macOS. Though we don't have an ETA to share at this time, keep an eye on this blog and our In development doc for any new updates regarding this feature.

Hi @ChristophePa No, the Intune primary user is not synced from ConfigMgr for co-managed devices.

Iron Contributor

I too am seeing the Change Primary user greyed out as well.

Clicking on the button does not do anything and I can confirm that the devices are all Hybrid Azure AD Joined.

Can anyone advise?

Copper Contributor

Hello all,

As far as I am aware, the Change Primary user option is only available for devices that have been Joined (not registered) to Azure AD or Hybrid Joined devices. Currently, Co-Managed devices are not supported for this feature but Microsoft is known to be working on it.

So, if your device was registered to Azure AD you will most likely need to un-enroll it completely, do the clean up on Azure AD / Intune management portal side of things to make sure no records are left behind, and then Join the device in question to Azure AD.

https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join

I can confirm that switching primary user works. And it worked for me as in some cases where I did not want to enroll a device that is occasionally being used by more than one user, under DEM or as a Shared Device.

Hope it helps.

Thank you.

Iron Contributor

Thanks for the response.

My Windows 10 devices are on premise Active Directory joined so I used Group Policy to Hybrid Azure AD join them.

Not sure what else I could do to get the Change primary user function to work.


Copper Contributor

According to Microsoft, Hybrid AD Joined devices are a supported scenario.

I would suggest looking into the device state at this point, to validate that the device(s) in question are actually considered Hybrid Joined devices by Azure.

Try the dsregcmd /status

https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-cur...

It will get you started. Also, try remote connecting to the MS Tenant via PowerShell and check the device state from that end.

https://docs.microsoft.com/en-us/powershell/module/azuread/connect-azuread?view=azureadps-2.0

Thank you.

Copper Contributor

Our environment is cloud-only. We have no hybrid devices and only use Intune. It doesn't make any sense that I can change the Primary User on AD Joined devices and NOT AD Registered devices. Both our AD-joined AND our AD-registered devices are all company owned, imaged, etc. If I can send a remote wipe to an AD Registered device (and have other management access), then it seems like I should also be able to change the primary user on that same device. It doesn't make any sense that this option is not available if the device is AD Registered - yet, this is what I was advised by Microsoft Support. I submitted a UserVoice for this and it got immediately closed with a comment not at all applicable to the request. Very frustrating. @Intune_Support_Team
