Onboarding Windows Devices Using Command-Line Enrollment: Workspace ONE Operational Tutorial

VMware Workspace ONE UEM 1810 or later

Overview

Introduction

Note: This content was created for Windows 10, but the basic principles and tasks outlined also apply to your deployment of Windows 11.

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. This tutorial introduces you to command-line provisioning, one of a variety of Windows 10 onboarding methods supported by Workspace ONE UEM.

You have several onboarding options when using command-line enrollment, including staged provisioning, onboarding with a PC Lifecycle Management (PCLM) solution such as SCCM using VMware Workspace ONE^® AirLift™, or deploying a script via a group policy object (GPO), such as a logon script. All of these options have one thing in common: using the command-line parameters supported with the VMware Workspace ONE^® Intelligent Hub, which streamlines enrollment.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE UEM administrators of existing production environments.

Knowledge of additional technologies such as network, VPN configuration, VMware Workspace ONE® Intelligence and VMware Workspace ONE® UEM is also helpful.

Enrolling Windows 10 Using Command-Line Enrollment

Introduction

You have several options when using command-line enrollment. This includes staged provisioning, onboarding with a PC Lifecycle Management (PCLM) solution such as SCCM using Workspace ONE AirLift, and deploying a script via a group policy object (GPO), such as a login script. All of these options have one thing in common: using the command-line parameters supported with the Workspace ONE Intelligent Hub, which streamlines enrollment.

Please note that although command-line enrollment is a supported onboarding method, you are responsible for ensuring the delivery mechanism used (e.g. GPO) is functioning as expected. The delivery mechanism varies with every use-case and is out of scope of VMware support.

The following figure shows the command-line options that you can use to append the required base command:

(airwatch windows 10 enrollment, one command, line in windows 10)

The following figure shows examples of command lines:

For more information, see Migrating Devices and Users from SCCM in Operational Tutorial for VMware Workspace ONE: Moving Windows 10 to Modern Management.

Additional Command-Line Enrollment Workflows

The procedures and requirements for enabling command-line enrollment depend on the following variables:

Client Type – Domain-joined clients have different requirements from Workgroup (non-domain-joined) devices.
Enrollment Scenario – Bare metal imaging and in-place upgrade are staging workflows that have distinct enrollment requirements.

These variables lead to three primary command-line enrollment workflows:

Command-Line Enrollment for Domain-Joined Devices With or Without Admin Rights (Shown in Operational Tutorial) – You can leverage VMware Workspace ONE AirLift when devices are currently managed by SCCM, for a more streamlined experience. Overall for domain joined devices, you deploy the Workspace ONE Intelligent Hub with the proper command-line parameters to the device to enroll the current logged-on domain user (silently). If end users do not have admin rights, make sure you are executing the Hub install in System Context.
Command-Line Enrollment for Workgroup Devices With or Without Admin Rights – Previously, administrators had to pre-register device serial numbers in the Workspace ONE UEM Console to enable device auto-reassignment. But now with the support of the ASSIGNTOLOGGEDINUSER parameter, you can enable this parameter (=Y) and the end user receives a credential prompt from the Hub to complete enrollment. This eliminates the administrative overhead of having to pre-register devices. End users require admin rights unless the Hub install is executed using system context which requires admin rights.
Command-Line Enrollment During Imaging/In-Place Upgrades – For the imaging use case, you set the IMAGE parameter to Y. The VMware Workspace ONE Intelligent Hub is pre-installed on the image and waits for a valid enrollment. This decreases the time after enrollment to wait for the Hub to be installed on the device. For In-Place Upgrades, you can set up the Hub using the staging command-line parameters so that enrollment automatically flips to the user account for the next domain user who logs onto the device.

Command-Line Enrollment Requirements

The following table compares the requirements (left column) of each of the onboarding options (top row).

In this table, Yes indicates that the workflow must meet the listed requirement. Following the same logic, No indicates the workflow does not need to meet the listed requirement. Footnotes provide additional details about the requirements.

	Domain Joined Devices	Workgroup Devices	Imaging/ In-Place Upgrades
Requirements
Workspace ONE UEM Console 1810 and later Workspace ONE Intelligent Hub for Windows 1810 and later	Yes	Yes	Yes
Domain-Joined Client	Yes	No¹	N/A
Workspace ONE Intelligent Hub for Windows deployed using System Context in your PCLM solution (such as SCCM)	Yes	Yes	Yes²
Staging Account, with Standard Single User Devices Enabled	Yes	Yes	Yes
Staging Organization Group	Yes³	Yes³	Yes
PowerShell Execution Policy Set to Bypass	No	Yes⁴	No
User Group Mapping Enabled at highest Organization Group⁵	Yes	Yes	Yes
Additional Resources
Production Sample			Blog
The mismatch between the local account and the domain users in the Workspace ONE UEM Console causes auto-reassignment to fail for Workgroup devices. After auto-reassignment fails, the system prompts for a username and password. Your PCLM solution (such as SCCM) only — this requirement does not apply to MDT. Required only if SAML is enabled in your Workspace ONE UEM environment. No longer required starting in Workspace ONE UEM 1811. In the SCCM Console, navigate to Administration > Client Settings > Default Settings > Computer Agent. Scroll down to Powershell execution policy and set it to Bypass. User Group Organization Group or Fixed Organization Group enabled so that end users are not prompted for a Group ID. To configure this setting, navigate to Settings > Devices & Users > General > Shared Device.

Prerequisites

Before you can perform the procedures in this tutorial, verify that your system meets the following prerequisites:

Workspace ONE UEM 1810 or later
Workspace ONE UEM admin account
Credentials for a staging user account (this account has permission to stage the device on behalf of the user)
Active user session: on the device a user needs to be logged on during enrollment with the staging account
Uses login scripts
A domain-joined device

For more information, see the VMware Workspace ONE Access documentation and VMware Workspace ONE UEM Documentation.

Configuring Command-Line Enrollment: Basic Sample Using GPO

This activity guides you through a basic command-line enrollment using GPO. The provided files are samples. Your parameter values will differ.

1. Download the Workspace ONE Intelligent Hub

On the Windows 10 device to enroll and provision, navigate to https://getwsone.com.
Download the latest VMware Workspace ONE Intelligent Hub.

2. Create a *.BAT File

Create a script to check for enrollment and if not already enrolled, perform the enrollment with the parameters for your given use case. The following batch script is a sample script. Although command-line enrollment is supported, the delivery mechanism for executing the command-line is not supported. Therefore, please test and validate that your delivery mechanism is fully functional before using it in a production environment. Again, the below batch script is solely a sample and can be improved upon.

@ECHO off
VERIFY OTHER 2>nul
SETLOCAL ENABLEEXTENSIONS
IF ERRORLEVEL 1 ECHO Unable to enable extensions
FOR /f "delims=" %%i IN ('reg query HKLM\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts /s') DO SET status=%%i
REM Run the Workspace ONE Intelligent Hub Installer to Register Device with Staging Account REM msiexec /i "<PATH>\AirwatchAgent.msi" /quiet ENROLL=Y SERVER=<DS URL> LGName=<GROUP ID> USERNAME=<STAGING USERNAME> PASSWORD=<STAGING PASSWORD> ASSIGNTOLOGGEDINUSER=Y /log <PATH TO LOG>
IF NOT DEFINED status (msiexec /i "\\NetworkShare\AirWatchAgent.msi" /q ENROLL=Y SERVER=ds135.awmdm.com LGName=techzone USERNAME=stagingtechzone PASSWORD=P@ssw0rd ASSIGNTOLOGGEDINUSER=Y /LOG %temp%\WorkspaceONE.log) ELSE (ECHO Device is already enrolled.)
ENDLOCAL

3. Revise the Script

Revise the script command example so that it uses the correct information for your deployment. The REM portion of the script explains the syntax, as follows:

For <PATH>, enter the path to the Hub that you downloaded to the device.
For <DS URL>, enter the enrollment (Device Services) URL.
For <GROUP ID>, enter the short name (Group ID) of the organization group.
For <STAGING USERNAME> and <STAGING PASSWORD>, enter the credentials of the staging user account that has permission to stage the device on behalf of the user.

4. Create a Group Policy Object

On the domain controller, open Group Policy Management, create a new Group Policy Object and link it to your devices and users.

Note: For domain-joined devices, you can do the following to deploy this script using a Group Policy Object (GPO):

If you are using a PCLM tool, you can leverage your PCLM to push out the Workspace ONE Intelligent Hub with command parameters.
If you are using Microsoft SCCM, use Workspace ONE AirLift.

5. Navigate to Scripts

In the Group Policy Management Editor, navigate to User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff).
Click Show Files.
Transfer the DeployWorkspaceONE.bat script to the location which opens.
Click Add and select the DeployWorkspaceONE.bat script.
Confirm that the Group Policy Object is assigned to the domain user account that logs in to each device; that is, the staging account.

6. Log In to Device

On the device, log in as the staging admin. (If using ASSIGNTOLOGGEDINUSER=Y, then you can simply log in to the device as the end-user. You can skip this step as the domain user with the assigned logon script will be enrolled.)
Workspace ONE UEM onboards and provisions the device profiles.

7. Ship the Device to the End User

When provisioning is completed, shut down the device.
Provide the device to the end user.

When the end user logs into the device, the Hub listener reads the User Principal Name (UPN) from the device registry and sends the information to the Workspace ONE UEM Console. The device registry is updated to register the device to the user.

Summary and Additional Resources

Conclusion

This tutorial introduces you to the command-line enrollment functionality of Workspace ONE UEM, and explains how to use this functionality to enroll Windows 10 devices before delivery. A set of exercises describe how to configure this workflow method on your system. The end result is your ability to manage the Windows 10 device enrollment before the device ever reaches the end user, or to enroll a Windows 10 device silently to devices already out in the field being managed by the domain, SCCM, or another PLCM solution.

Appendix: Deploying the Integration Client

To use Workspace ONE UEM to manage Windows devices managed by SCCM, you must download the VMware Workspace ONE SCCM Integration Client. Use this client to enroll SCCM-managed devices into Workspace ONE UEM. For more information, see the VMware Workspace ONE SCCM Integration Client Knowledge Base article.

1. Download the Integration Client

From your browser navigate to the My Workspace ONE Resources portal and search for VMware Workspace ONE Integration Client.

2. Install the Client

In a production environment, use your PCLM solution (such as SCCM) or domain group policies to push the MSI file to managed devices and install the client.
Note: For more information about SCCM, see Microsoft support and documentation.
After installation, end users can enroll Windows 10 devices using any onboarding method.

Additional Resources

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

For information about deployment, see Deploying Workspace ONE Intelligence and VMware Carbon Black Cloud: Workspace ONE Operational Tutorial.

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon.

For more information on Managing Windows 10 Devices with Workspace ONE, see the Understanding Windows 10 Management activity path. The content in this path helps you establish a basic understanding of Windows 10 management in the following categories:

Searching for More Information

When looking for more VMware documentation, you can focus the search using the Advanced Search option.

In the VMware Workspace ONE Documentation window, select the gear icon to start an advanced search.
Enter words or phrases to start the search.
Example: To search for an article that you think is called Compliance Profile Overview, you might include just the key words, in case the article now has a different name.
Narrow the results by selecting specific criteria.
Example: The search is limited to the specific product and version.
Click Advanced Search.
In the resulting hit list, you can select a hit. Or you can either apply Sort By filters, or narrow the results further by clicking Advanced Search.

Changelog

2021-08-12
- Removed deprecated install parameters.
- Updated batch script example.
- Removed section, "Configuring Command-Line Enrollment for Non-Admin AD Users" as this is no longer officially supported.
2020-08-12
- Published.

About the Authors

This tutorial was written by:

Josué Negrón, EUC Staff Architect, End-User-Computing Technical Marketing, VMware
Hannah Jernigan, EUC Technical Marketing Manager, End-User-Computing Technical Marketing, VMware

Considerable contributions were made by the following subject matter experts:

Varun Murthy, Product Line Manager, VMware
Brooks Peppin, Sr. Product Manager, VMware
Darren Weatherly, Specialist Systems Engineer, VMware
Mike Nelson, Sr. Solutions Architect, VMware
Pim van de Vis, Sr. Solutions Architect, VMware
Rob Kelley, Sr. Solutions Architect, VMware

Feedback

Your feedback is valuable.

To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.

Filter Tags

Workspace ONE Workspace ONE UEM Document Operational Tutorial Advanced Windows 10 Deploy Modern Management