This article will describe how to change primary user of a device in Intune.
- Azure AD Joined & Hybrid AD Joined Intune managed devices
- Devices are being enrolled by a DEM
- We wanna assign the primary users correctly
DEM or Device Enrollment Manager is an account you can set up to enroll devices before you give them to your end users. What is the advantage of a DEM? Each DEM can enroll up to 1000 devices. You can find more info here.
When you onboard your Windows device in Intune, the device is automatically associated with the user registering the device; this user is called Primary User. Until now, it was not possible to change the primary user, unless unregistering and re registering the device using another user account.
1. What are the requirements?
- Devices must be Azure AD Joined or Hybrid Azure AD Joined.
- The “Primary User” must have an Intune license assigned.
- Co-management is not supported at this moment. (But will come eventually)
- You need to run a supported Windows 10 version
2. What are the scenario’s?
- Change the Primary user from User-A to User-B
- Change the Primary user from none (shared device) to a single user
- Change the Primary user from a single user to none (shared device)
In all the above cases, the Intune device (Primary User property) will be updated as well as the Azure AAD device object (DeviceRegisteredOwner and DeviceRegisteredUser). Remember that changing the Primary User doesn’t change anything on the local admin group on the device! If you want the new users to be part of that group, you’ll need some scripting powers or use the ‘Additional local administrators on Azure AD Joined devices’ functionality.
3. A couple of details
- Microsoft has added a new administrator privilege: “Managed Device/Set primary user” and it has been added to built-in roles including: Helpdesk Operator, School administrator, and Endpoint Security Manager. To use this new feature, you will need to have this privilege assigned.
- The new Device compliance report list includes columns for both Primary User and Enrolled-by user. This change will also be added to the “All devices” list soon.
- In addition to the Microsoft Endpoint Manager console, you can change the Primary User through graph API. You’ll see an example Powershell script appear on this Github repository shortly.
4. How to do?
Navigate to the Microsoft Endpoint Manager console. Click on Devices. Click on All Devices.
Click on the Device from where you want to change the Primary User. Click on Properties. Here you can click on ‘Change Primary User’ or ‘Remove Primary User’ depending on your scenario.
If you click on ‘Change Primary User’ all that is left to do is select the new Primary User and click on ‘Select’. Don’t forget to click on ‘Save’!
It will tell you: ‘Device properties saved successfully’. Now we can verify if it changed correctly. On your same device click on ‘Overview’ and verify that your Primary User has changed:
More articles on Intune:
- Get device hashes from HP for Autopilot pre-production testing
- Run as admin gives black screen in Quick Assist/TeamViewer – Intune fix
- Intune – change Primary User of a device
- Ransomware protection (Controlled Folder Access) setup with Intune
- Windows Hello for Business multi-factor unlock with Intune