Onboarding Windows Devices Using Command-Line Enrollment: Workspace ONE Operational Tutorial

VMware Workspace ONE UEM 1810 or later

Overview

Introduction

Note: This content was created for Windows 10, but the basic principles and tasks outlined also apply to your deployment of Windows 11.

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. This tutorial introduces you to command-line provisioning, one of a variety of Windows Desktop onboarding methods supported by Workspace ONE UEM.

The Workspace ONE Intelligent Hub for Windows allows you to onboard devices using command-line enrollment. This enables staged provisioning, as well as onboarding with a PC Lifecycle Management (PCLM) solution such as Microsoft Endpoint Configuration Manager using VMware Workspace ONE® AirLift™.

All of these options have one thing in common: using the command-line parameters supported with the VMware Workspace ONE® Intelligent Hub, which streamlines enrollment.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE UEM administrators of existing production environments.

Knowledge of additional technologies such as network, VPN configuration, VMware Workspace ONE® Intelligence and VMware Workspace ONE® UEM is also helpful.

Enrolling Windows Desktops Using Command-Line Enrollment

Command Line Enrollment Overview

The Workspace ONE Intelligent Hub for Windows allows you to onboard devices using command-line enrollment. This enables staged provisioning, as well as onboarding with a PC Lifecycle Management (PCLM) solution such as Microsoft Endpoint Configuration Manager using VMware Workspace ONE® AirLift™.

All of these options have one thing in common: using the command-line parameters supported with the VMware Workspace ONE® Intelligent Hub, which streamlines enrollment.

Please note that although command-line enrollment is a supported onboarding method, you are responsible for ensuring the delivery mechanism used (e.g. GPO) is functioning as expected. The delivery mechanism varies with every use case and is out of the scope of VMware support.

Prerequisites

Before you can perform the procedures in this tutorial, verify that your system meets the following prerequisites:

  • Workspace ONE UEM 1810 or later
  • Workspace ONE UEM admin account
  • Credentials for a staging user account (this account has permission to stage the device on behalf of the user)
  • Active user session: a user must be logged on to the device during enrollment with the staging account
  • Uses login scripts
  • A domain-joined device

Command-Line Enrollment Scenarios

The procedures and requirements for enabling command-line enrollment depend on the following variables:

  • Client Type – Domain-joined clients have different requirements from Workgroup (non-domain-joined) devices.
  • Enrollment Scenario – Bare metal imaging and in-place upgrade are staging workflows that have distinct enrollment requirements.

These variables lead to three primary command-line enrollment workflows:

  • Command-Line Enrollment for Domain-Joined Devices With or Without Admin Rights (Shown in Operational Tutorial) – You can leverage VMware Workspace ONE AirLift when devices are currently managed by SCCM, for a more streamlined experience. Overall, for domain-joined devices, you deploy the Workspace ONE Intelligent Hub with the proper command-line parameters to the device to silently enroll the currently logged-on domain user. If end users do not have admin rights, make sure you are executing the Hub install in System Context.
  • Command-Line Enrollment for Workgroup Devices With or Without Admin Rights – Previously, administrators had to pre-register device serial numbers in the Workspace ONE UEM Console to enable device auto-reassignment. Now, with support for the ASSIGNTOLOGGEDINUSER parameter, you can enable this parameter (=Y) and the end user receives a credential prompt from the Hub to complete enrollment. This eliminates the administrative overhead of having to pre-register devices. End users require admin rights unless the Hub install is executed using system context, which requires admin rights.
  • Command-Line Enrollment During Imaging/In-Place Upgrades – For the imaging use case, you set the IMAGE parameter to Y. The VMware Workspace ONE Intelligent Hub is pre-installed on the image and waits for a valid enrollment. This decreases the time spent waiting after enrollment for the Hub to be installed on the device. For In-Place Upgrades, you can set up the Hub using the staging command-line parameters so that enrollment automatically flips to the user account for the next domain user who logs onto the device.

Command-Line Enrollment Requirements

The following table compares the requirements (left column) of each of the onboarding options (top row).

In this table, Yes indicates that the workflow must meet the listed requirement. Following the same logic, No indicates the workflow does not need to meet the listed requirement. Footnotes provide additional details about the requirements.


| Requirements | Domain Joined Devices | Workgroup Devices | Imaging/In-Place Upgrades |
|---|---|---|---|
| Workspace ONE UEM Console 1810 and later; Workspace ONE Intelligent Hub for Windows | Yes | Yes | Yes |
| Domain-Joined Client | Yes | No (1) | N/A |
| Workspace ONE Intelligent Hub for Windows deployed using System Context in your PCLM solution (such as SCCM) | Yes | Yes | Yes (2) |
| Staging Account, with Standard Single User Devices Enabled | Yes | Yes | Yes |
| Staging Organization Group | Yes (3) | Yes (3) | Yes |
| PowerShell Execution Policy Set to Bypass | No | Yes (4) | No |
| User Group Mapping Enabled at highest Organization Group (5) | Yes | Yes | Yes |

Additional Resources: Production Sample, Blog

  1. The mismatch between the local account and the domain users in the Workspace ONE UEM Console causes auto-reassignment to fail for Workgroup devices. After auto-reassignment fails, the system prompts for a username and password.
  2. Your PCLM solution (such as SCCM) only — this requirement does not apply to MDT.
  3. Required only if SAML is enabled in your Workspace ONE UEM environment. No longer required starting in Workspace ONE UEM 1811.
  4. In the SCCM Console, navigate to Administration > Client Settings > Default Settings > Computer Agent. Scroll down to PowerShell execution policy and set it to Bypass.
  5. User Group Organization Group or Fixed Organization Group enabled so that end users are not prompted for a Group ID. To configure this setting, navigate to Settings > Devices & Users > General > Shared Device.

Command Line Enrollment Parameters

The following figure shows the command-line options that you can append to the required base command:

[Figure: command-line enrollment parameters]

The following figure shows examples of command lines:

[Figure: example command lines]

For more information, see Migrating Devices and Users from SCCM in Modernizing Windows Management: Workspace ONE AirLift Operational Tutorial.
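
The following added example (not from this tutorial or from VMware) builds the msiexec argument list for the Hub installer and redacts the staging password before anything is logged, because the password travels in plaintext on the command line. The host, group ID, MSI path and account are placeholders, and every property name other than ASSIGNTOLOGGEDINUSER and IMAGE is an assumption to verify against VMware's current silent-enrollment documentation.

```powershell
# Added example, not VMware's script. Host, group ID, MSI path and account are
# placeholders. Only ASSIGNTOLOGGEDINUSER and IMAGE appear on this page; the
# other property names are assumptions to check against current VMware docs.
function New-HubEnrollmentArgs {
    param(
        [string]$MsiPath = 'C:\Temp\AirwatchAgent.msi',
        [string]$Server,                  # UEM enrollment host
        [string]$GroupId,                 # staging Organization Group ID
        [pscredential]$Staging,           # staging user account
        [switch]$AssignToLoggedInUser,    # page: =Y for workgroup devices
        [switch]$ImageOnly                # page: IMAGE=Y for imaging
    )
    $list = @('/i', "`"$MsiPath`"", '/quiet')
    if ($ImageOnly) {
        # Hub is installed on the image and waits for a valid enrollment.
        return $list + @('ENROLL=N', 'IMAGE=Y')
    }
    if (-not ($Server -and $GroupId -and $Staging)) {
        throw 'Enrollment needs -Server, -GroupId and -Staging.'
    }
    $plain = $Staging.GetNetworkCredential().Password
    $list += 'ENROLL=Y', "SERVER=$Server", "LGName=$GroupId",
             "USERNAME=$($Staging.UserName)", "PASSWORD=`"$plain`""
    if ($AssignToLoggedInUser) { $list += 'ASSIGNTOLOGGEDINUSER=Y' }
    return $list
}

function Format-RedactedArgs([string[]]$ArgList) {
    # The password is plaintext on the command line; keep it out of logs.
    ($ArgList -replace '^(PASSWORD=).*$', '$1<redacted>') -join ' '
}

function Invoke-HubInstall([string[]]$ArgList) {
    # Run from System Context (PCLM task) when users lack admin rights.
    $p = Start-Process msiexec.exe -ArgumentList $ArgList -Wait -PassThru
    if ($p.ExitCode -notin 0, 3010) { throw "msiexec exit code $($p.ExitCode)" }
}

# Constructed sample credential for the demonstration only.
$pw   = ConvertTo-SecureString 'Placeholder-Pw1' -AsPlainText -Force
$cred = [pscredential]::new('staging@example.com', $pw)
$hubArgs = New-HubEnrollmentArgs -Server 'uem.example.com' -GroupId 'STAGING' `
    -Staging $cred -AssignToLoggedInUser
Write-Output "msiexec.exe $(Format-RedactedArgs $hubArgs)"
# Invoke-HubInstall $hubArgs   # uncomment on a test device
```

Because the full command line can also be captured by process-creation auditing and by the delivery tool's own logs, keep the staging account limited to enrollment rights.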

Summary and Additional Resources

Conclusion

This tutorial introduces you to the command-line enrollment functionality of Workspace ONE UEM, and explains how to use this functionality to enroll Windows 10 devices before delivery. A set of exercises describes how to configure this workflow method on your system. The end result is your ability to manage Windows 10 device enrollment before the device ever reaches the end user, or to silently enroll Windows 10 devices already out in the field that are managed by the domain, SCCM, or another PCLM solution.

Additional Resources

Searching for More Information

When looking for more VMware documentation, you can focus the search using the Advanced Search option.

  1. In the VMware Workspace ONE Documentation window, select the gear icon to start an advanced search.
  2. Enter words or phrases to start the search.
    Example: To search for an article that you think is called Compliance Profile Overview, you might include just the key words, in case the article now has a different name.
  3. Narrow the results by selecting specific criteria.
    Example: The search is limited to the specific product and version.
  4. Click Advanced Search.
  5. In the resulting hit list, you can select a hit. Or you can either apply Sort By filters, or narrow the results further by clicking Advanced Search.

Changelog

  • 2021-08-12
    • Removed deprecated install parameters.
    • Updated batch script example.
    • Removed section, "Configuring Command-Line Enrollment for Non-Admin AD Users" as this is no longer officially supported.
  • 2020-08-12
    • Published.

About the Authors

This tutorial was written by:

  • Josué Negrón, EUC Staff Architect, End-User-Computing Technical Marketing, VMware
  • Hannah Jernigan, EUC Technical Marketing Manager, End-User-Computing Technical Marketing, VMware

Considerable contributions were made by the following subject matter experts:

  • Varun Murthy, Product Line Manager, VMware
  • Brooks Peppin, Sr. Product Manager, VMware
  • Darren Weatherly, Sr. Technical Marketing Architect, End-User-Computing Technical Marketing, VMware
  • Saurabh Jhunjhunwala, EUC Customer Success Architect, VMware
  • Mike Nelson, Sr. Solutions Architect, VMware
  • Pim van de Vis, Sr. Solutions Architect, VMware
  • Rob Kelley, Sr. Solutions Architect, VMware

Feedback

Your feedback is valuable. 

To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.
