Change Enrolled by user to a different user!!!

Question

Change Enrolled by user to a different user!!!

Barzan M Hassan 6

I have a device with two different user:

Primary user is : X
Enrolled by: Y (the user is deleted)

I want to change the enrolled by user to x user in microsoft endpoint manager.

Does that possible by script or any other way to do it?

Best,
Barzan

Dan R 31 Reputation points

2022-12-01T12:14:01.667+00:00

They really need to fix this.

As an admin setting up devices, I'm always enrolling the devices using my admin account, I'm not taking a laptop out to the user, asking them to enroll the device only so I can take it back and finish configuring it before then bringing it back to them. What a stupid workflow which makes us look incompetent.

Why is there seemingly no way to remove the enrolment limit for the administrators? Why can we not change the person who has enrolled a device and why would it matter?

Yes, there are still some manual tasks that need carrying out for certain setups before a device is given to a user, it's not possible to automate every little thing all the time.

10 answers

Your answer

Dan R 31 Reputation points

2022-12-01T12:14:01.667+00:00

They really need to fix this.

As an admin setting up devices, I'm always enrolling the devices using my admin account, I'm not taking a laptop out to the user, asking them to enroll the device only so I can take it back and finish configuring it before then bringing it back to them. What a stupid workflow which makes us look incompetent.

Why is there seemingly no way to remove the enrolment limit for the administrators? Why can we not change the person who has enrolled a device and why would it matter?

Yes, there are still some manual tasks that need carrying out for certain setups before a device is given to a user, it's not possible to automate every little thing all the time.

Answer 1

SLE 1

That's not good that you HAVE TO wipe commputer before next user will use Device. Wiping should be an option as changing enrolled user.
What in case that we have 3 person team, everyone have ME3 license (intune included) but they need to work on 1 commputer (example shift work for 24h) ? If one of this person will be "Enroller" and that person suddenly chcange job (disabled account) we will have non-compliant Device for others - because "Enroller" quit a job.
In my case I want to change or delete owner of device that others maintain work without restoring device.

Jeff Strubberg 0 Reputation points

2024-11-08T14:20:45.0333333+00:00

Those of you saying "don't do it that way", do you have no staff turnover at all? An Infrastructure guy leaves and this bug hits hard. No, we do not let end users provision their own machines...that's a recipie for disaster.

Answer 2

@Dan R

As an admin setting up devices, I'm always enrolling the devices using my admin account, I'm not taking a laptop out to the user, asking them to enroll the device only so I can take it back and finish configuring it before then bringing it back to them

The entire point of modern management is not doing exactly this though. If you haven't automated the configuration and removed the need to actually perform configuration, you're effectively creating your own problems here. You, the IT admin, should simply not be doing this and our entire design assumes you aren't.

it's not possible to automate every little thing all the time.

I disagree with this statement -- it sometimes takes a little creativity, ingenuity, and/or research but I've never found anything in Windows where this is true -- there is always a code path because everything is ultimately code. Even if you disagree with this, it doesn't change the reality of how we've built process and mechanisms -- as noted, this is a core assumption about how devices should be provisioned (you may also disagree with this statement but it also doesn't change it). Thus, you more or less have two choices: Automate or give the end user instructions on how to complete the configurations. I guess you could also eliminate the configuration altogether as well which I often find is also valid as many orgs over configure and configure because they can and not because they should. What works best for your org from among these options is up to you but fighting against the core design assumption is the source of your friction and this should prompt you you to rethink your process.

Answer 3

Diego Silva 0

If the restriction that concerns is to enroll more devices one option to consider is to add the user as a "Device enrollment managers".

The documentation states that is possible to enroll up to 1,000 devices as a enrolment manager.

Add device enrollment managers

Answer 4

Chris Dunham 0

Has anybody ever found a solution to this? So scenario is we just took over from another IT company a few months ago. We deleted their accounts after a few weeks and now 5 weeks later we are starting to notice they setup the devices using those accounts and they are non compliant. This is around 90ish devices now non compliant.

Surely we cant have to wipe 90 devices? That would be a bad start to our IT.....

We cant restore the deleted accounts as past 30 days and clearly it would be bad practice to leave the old providers accounts in place anyway.

Jason Sandys 31,406 Reputation points Microsoft Employee Moderator

2024-09-06T14:00:24.9966667+00:00

Unenroll and re-enroll the devices from/to Intune. Deleting the users that have been used to enroll devices has a negative impact on those devices. Ultimately, the enrolled by user is a mechanism for license tracking and any change of that user could allow for gaming the enforcement of licenses so today, we do not allow this.
Chris Dunham 0 Reputation points

2024-09-06T14:02:00.3233333+00:00

When we unenroll the devices is that not then going to stop the users logging in and remove corporate data? Its very easy for Microsoft employees to give a factual answer, but wiping 50% of a companies devices due to this is clearly a bit more of an issue than a one word answer!

In short an entire company could stop working tomorrow due to this as now most items are non compliant, with Microsoft employees clearly having no idea of the real world in business thinking its OK to just wipe every device....
Jason Sandys 31,406 Reputation points Microsoft Employee Moderator

2024-09-06T16:10:43.2866667+00:00

What happens depends on your policies and the devices in question. As for not having any idea, quite the contrary. I merely provided the only possible path for changing the enrolled by user which is the subject of this thread. The fact that there is no other path to do this is unrelated to your assessment of what anyone does or does not understand. Ultimately, you have a scenario created by your org deleting the users (which were seemingly improperly used in the first place for enrollment) which cannot be changed and the only direct path out of this scenario is as suggested. Yes, this has implications and impact, but I cannot change those -- the product works as it works. You are free to open a support case if you wish to pursue other options.
Chris Dunham 0 Reputation points

2024-09-06T17:08:43.4133333+00:00

Crazy that anybody could consider deleting an old admin as improper, it is perfectly normal which is why it is so shocking that this happens when it is done. "What happens depends on your policies and the devices in question" would seem to indicate there is a policy which could change this.....
Jason Sandys 31,406 Reputation points Microsoft Employee Moderator

2024-09-06T17:31:55.95+00:00

Deleting the admin wasn't/isn't improper, using it to enroll devices was. Intune is a user centric platform and in general, most things assume this. For scenarios where mass enrollment is required, a Device Enrollment Manager account should be used and this account should not be affiliated with an actual, individual user (whether they are an admin or not). The documentation on DEM accounts is at https://learn.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-manager-enroll.

I fully understand the scenario here and the impact and understand that you have a challenge here, but that doesn't change the nature and functionality of the product. I strongly suggest that you open a support case as there may (heavy emphasis on "may" here as I don't think this to be the case but I'm not omnipotent) be a way for our support engineers to change or update the enrolled by user for specific devices.
Chris Dunham 0 Reputation points

2024-09-06T17:45:08.66+00:00

Intune is user centric on the primary user, the enrolled user seems to have no place at all in anything.

So to clarify, no user account should ever ever be deleted again in an intune organization incase it was ever used to join a device? utterly ridiculous
Jason Sandys 31,406 Reputation points Microsoft Employee Moderator

2024-09-06T17:58:15.6633333+00:00

What's the scenario where a user-assigned device is enrolled by a user where that device should still be usable as is after that user is no longer with the org? As noted, if the device isn't user-assigned, then a DEM account (or some other token-based enrollment method like ADE) should be used to enroll it.
Chris Dunham 0 Reputation points

2024-09-06T18:05:04.8166667+00:00

If users should not enrol devices, then why do Microsoft literally add the "for organization use" during the OOBE? Why on earth would you want to reset a device every time an employee leaves?

Microsoft should either stop users being able to enrol devices, or allow the enrollment user to be changed as this is utterly terrible design with no benefit to anybody. Why even allow other users to sign into laptops if the laptop should never be given to anybody else?

Clearly bad product management / design here, it seems AAD / Intune is inferior to Active Directory as that had no restriction of 1 user per laptop build

Answer 5

Felicia King 0

This device enrollment problem is causing conditional access security problems.

Conditional access is desired to be configured to allow logins only on compliant devices. A device can easily become non-compliant if it was enrolled in Intune using the end user account. There must be a way to change the enrollment account for a device remotely.

"Reset the device" is not viable. Microsoft needs to fix this issue.

Share via

Change Enrolled by user to a different user!!!

10 answers

Your answer