Onboarding Windows Devices Using Command-Line Enrollment: Workspace ONE Operational Tutorial
VMware Workspace ONE UEM 1810 or laterOverview
Introduction
Note: This content was created for Windows 10, but the basic principles and tasks outlined also apply to your deployment of Windows 11.
VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. This tutorial introduces you to command-line provisioning, one of a variety of Windows 10 onboarding methods supported by Workspace ONE UEM.
You have several onboarding options when using command-line enrollment, including staged provisioning, onboarding with a PC Lifecycle Management (PCLM) solution such as SCCM using VMware Workspace ONE® AirLift™, or deploying a script via a group policy object (GPO), such as a logon script. All of these options have one thing in common: using the command-line parameters supported with the VMware Workspace ONE® Intelligent Hub, which streamlines enrollment.
Audience
This operational tutorial is intended for IT professionals and Workspace ONE UEM administrators of existing production environments.
Knowledge of additional technologies such as network, VPN configuration, VMware Workspace ONE® Intelligence and VMware Workspace ONE® UEM is also helpful.
Enrolling Windows 10 Using Command-Line Enrollment
Introduction
You have several options when using command-line enrollment. This includes staged provisioning, onboarding with a PC Lifecycle Management (PCLM) solution such as SCCM using Workspace ONE AirLift, and deploying a script via a group policy object (GPO), such as a login script. All of these options have one thing in common: using the command-line parameters supported with the Workspace ONE Intelligent Hub, which streamlines enrollment.
Please note that although command-line enrollment is a supported onboarding method, you are responsible for ensuring the delivery mechanism used (e.g. GPO) is functioning as expected. The delivery mechanism varies with every use-case and is out of scope of VMware support.
The following figure shows the command-line options that you can use to append the required base command:
The following figure shows examples of command lines:
For more information, see Migrating Devices and Users from SCCM in Operational Tutorial for VMware Workspace ONE: Moving Windows 10 to Modern Management.
Additional Command-Line Enrollment Workflows
The procedures and requirements for enabling command-line enrollment depend on the following variables:
- Client Type – Domain-joined clients have different requirements from Workgroup (non-domain-joined) devices.
- Enrollment Scenario – Bare metal imaging and in-place upgrade are staging workflows that have distinct enrollment requirements.
These variables lead to three primary command-line enrollment workflows:
- Command-Line Enrollment for Domain-Joined Devices With or Without Admin Rights (Shown in Operational Tutorial) – You can leverage VMware Workspace ONE AirLift when devices are currently managed by SCCM, for a more streamlined experience. Overall for domain joined devices, you deploy the Workspace ONE Intelligent Hub with the proper command-line parameters to the device to enroll the current logged-on domain user (silently). If end users do not have admin rights, make sure you are executing the Hub install in System Context.
- Command-Line Enrollment for Workgroup Devices With or Without Admin Rights – Previously, administrators had to pre-register device serial numbers in the Workspace ONE UEM Console to enable device auto-reassignment. But now with the support of the
ASSIGNTOLOGGEDINUSERparameter, you can enable this parameter (=Y) and the end user receives a credential prompt from the Hub to complete enrollment. This eliminates the administrative overhead of having to pre-register devices. End users require admin rights unless the Hub install is executed using system context which requires admin rights. - Command-Line Enrollment During Imaging/In-Place Upgrades – For the imaging use case, you set the
IMAGEparameter toY. The VMware Workspace ONE Intelligent Hub is pre-installed on the image and waits for a valid enrollment. This decreases the time after enrollment to wait for the Hub to be installed on the device. For In-Place Upgrades, you can set up the Hub using the staging command-line parameters so that enrollment automatically flips to the user account for the next domain user who logs onto the device.
Command-Line Enrollment Requirements
The following table compares the requirements (left column) of each of the onboarding options (top row).
In this table, Yes indicates that the workflow must meet the listed requirement. Following the same logic, No indicates the workflow does not need to meet the listed requirement. Footnotes provide additional details about the requirements.
| Domain Joined Devices | Workgroup Devices | Imaging/ In-Place Upgrades | |
|---|---|---|---|
| Requirements | |||
| Workspace ONE UEM Console 1810 and later
Workspace ONE Intelligent Hub for Windows 1810 and later |
Yes | Yes | Yes |
| Domain-Joined Client | Yes | No1 | N/A |
| Workspace ONE Intelligent Hub for Windows deployed using System Context in your PCLM solution (such as SCCM) | Yes | Yes | Yes2 |
| Staging Account, with Standard Single User Devices Enabled | Yes | Yes | Yes |
| Staging Organization Group | Yes3 | Yes3 |
Yes |
| PowerShell Execution Policy Set to Bypass | No | Yes4 | No |
| User Group Mapping Enabled at highest Organization Group5 | Yes | Yes | Yes |
| Additional Resources | |||
| Production Sample | Blog |
||
|
|||
Prerequisites
Before you can perform the procedures in this tutorial, verify that your system meets the following prerequisites:
- Workspace ONE UEM 1810 or later
- Workspace ONE UEM admin account
- Credentials for a staging user account (this account has permission to stage the device on behalf of the user)
- Active user session: on the device a user needs to be logged on during enrollment with the staging account
- Uses login scripts
- A domain-joined device
For more information, see the VMware Workspace ONE Access documentation and VMware Workspace ONE UEM Documentation.
Configuring Command-Line Enrollment: Basic Sample Using GPO
This activity guides you through a basic command-line enrollment using GPO. The provided files are samples. Your parameter values will differ.
1. Download the Workspace ONE Intelligent Hub
- On the Windows 10 device to enroll and provision, navigate to
https://getwsone.com. - Download the latest VMware Workspace ONE Intelligent Hub.
2. Create a *.BAT File
Create a script to check for enrollment and if not already enrolled, perform the enrollment with the parameters for your given use case. The following batch script is a sample script. Although command-line enrollment is supported, the delivery mechanism for executing the command-line is not supported. Therefore, please test and validate that your delivery mechanism is fully functional before using it in a production environment. Again, the below batch script is solely a sample and can be improved upon.
@ECHO off
VERIFY OTHER 2>nul
SETLOCAL ENABLEEXTENSIONS
IF ERRORLEVEL 1 ECHO Unable to enable extensions
FOR /f "delims=" %%i IN ('reg query HKLM\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts /s') DO SET status=%%i
REM Run the Workspace ONE Intelligent Hub Installer to Register Device with Staging Account REM msiexec /i "<PATH>\AirwatchAgent.msi" /quiet ENROLL=Y SERVER=<DS URL> LGName=<GROUP ID> USERNAME=<STAGING USERNAME> PASSWORD=<STAGING PASSWORD> ASSIGNTOLOGGEDINUSER=Y /log <PATH TO LOG>
IF NOT DEFINED status (msiexec /i "\\NetworkShare\AirWatchAgent.msi" /q ENROLL=Y SERVER=ds135.awmdm.com LGName=techzone USERNAME=stagingtechzone PASSWORD=P@ssw0rd ASSIGNTOLOGGEDINUSER=Y /LOG %temp%\WorkspaceONE.log) ELSE (ECHO Device is already enrolled.)
ENDLOCAL3. Revise the Script
Revise the script command example so that it uses the correct information for your deployment. The REM portion of the script explains the syntax, as follows:
- For
<PATH>, enter the path to the Hub that you downloaded to the device. - For
<DS URL>, enter the enrollment (Device Services) URL. - For
<GROUP ID>, enter the short name (Group ID) of the organization group. - For
<STAGING USERNAME>and<STAGING PASSWORD>, enter the credentials of the staging user account that has permission to stage the device on behalf of the user.
4. Create a Group Policy Object
On the domain controller, open Group Policy Management, create a new Group Policy Object and link it to your devices and users.
Note: For domain-joined devices, you can do the following to deploy this script using a Group Policy Object (GPO):
- If you are using a PCLM tool, you can leverage your PCLM to push out the Workspace ONE Intelligent Hub with command parameters.
- If you are using Microsoft SCCM, use Workspace ONE AirLift.
6. Log In to Device
On the device, log in as the staging admin. (If using ASSIGNTOLOGGEDINUSER=Y, then you can simply log in to the device as the end-user. You can skip this step as the domain user with the assigned logon script will be enrolled.)
Workspace ONE UEM onboards and provisions the device profiles.
7. Ship the Device to the End User
- When provisioning is completed, shut down the device.
- Provide the device to the end user.
When the end user logs into the device, the Hub listener reads the User Principal Name (UPN) from the device registry and sends the information to the Workspace ONE UEM Console. The device registry is updated to register the device to the user.
Summary and Additional Resources
Conclusion
This tutorial introduces you to the command-line enrollment functionality of Workspace ONE UEM, and explains how to use this functionality to enroll Windows 10 devices before delivery. A set of exercises describe how to configure this workflow method on your system. The end result is your ability to manage the Windows 10 device enrollment before the device ever reaches the end user, or to enroll a Windows 10 device silently to devices already out in the field being managed by the domain, SCCM, or another PLCM solution.
Appendix: Deploying the Integration Client
To use Workspace ONE UEM to manage Windows devices managed by SCCM, you must download the VMware Workspace ONE SCCM Integration Client. Use this client to enroll SCCM-managed devices into Workspace ONE UEM. For more information, see the VMware Workspace ONE SCCM Integration Client Knowledge Base article.
1. Download the Integration Client
- From your browser navigate to the My Workspace ONE Resources portal and search for VMware Workspace ONE Integration Client.
2. Install the Client
- In a production environment, use your PCLM solution (such as SCCM) or domain group policies to push the MSI file to managed devices and install the client.
Note: For more information about SCCM, see Microsoft support and documentation. - After installation, end users can enroll Windows 10 devices using any onboarding method.
Additional Resources
For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.
For information about deployment, see Deploying Workspace ONE Intelligence and VMware Carbon Black Cloud: Workspace ONE Operational Tutorial.
Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon.
For more information on Managing Windows 10 Devices with Workspace ONE, see the Understanding Windows 10 Management activity path. The content in this path helps you establish a basic understanding of Windows 10 management in the following categories:
Searching for More Information
When looking for more VMware documentation, you can focus the search using the Advanced Search option.
- In the VMware Workspace ONE Documentation window, select the gear icon to start an advanced search.
- Enter words or phrases to start the search.
Example: To search for an article that you think is called Compliance Profile Overview, you might include just the key words, in case the article now has a different name. - Narrow the results by selecting specific criteria.
Example: The search is limited to the specific product and version. - Click Advanced Search.
- In the resulting hit list, you can select a hit. Or you can either apply Sort By filters, or narrow the results further by clicking Advanced Search.
Changelog
- 2021-08-12
- Removed deprecated install parameters.
- Updated batch script example.
- Removed section, "Configuring Command-Line Enrollment for Non-Admin AD Users" as this is no longer officially supported.
- 2020-08-12
- Published.
About the Authors
This tutorial was written by:
- Josué Negrón, EUC Staff Architect, End-User-Computing Technical Marketing, VMware
- Hannah Jernigan, EUC Technical Marketing Manager, End-User-Computing Technical Marketing, VMware
Considerable contributions were made by the following subject matter experts:
- Varun Murthy, Product Line Manager, VMware
- Brooks Peppin, Sr. Product Manager, VMware
- Darren Weatherly, Specialist Systems Engineer, VMware
- Mike Nelson, Sr. Solutions Architect, VMware
- Pim van de Vis, Sr. Solutions Architect, VMware
- Rob Kelley, Sr. Solutions Architect, VMware
Feedback
Your feedback is valuable.
To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.
Associated Content
From the action bar MORE button.