Hello,
I understand your frustration!
Let's break down the concept of "Device" and "User Credentials" in the context of group policies and device enrollment.
Device Credentials
In Windows, "Device Credentials" refers to the credentials used by a device to authenticate with a domain or Active Directory (AD) without requiring a user to log in. This is often used in scenarios where devices are automatically joined to the domain or AD without human intervention.
User Credentials
"User Credentials," on the other hand, requires a user to log in to the device before the device can be enrolled and joined to the domain or AD. This is the default behavior in most scenarios, where a user logs in and then their device is automatically enrolled.
Why Device Credentials don't work
When you set the group policy to use "Device Credentials," it's not possible to enroll devices without a user logging in. This is because the device is trying to authenticate with the domain or AD without a user present.
In your scenario, where you're trying to join devices added to AD, you're correct that they won't join until a licensed user logs in. This is because the device is trying to use "Device Credentials" to authenticate, which requires a user to be present.
Why User Credentials work
When you set the group policy to use "User Credentials," it allows the device to be enrolled only after a user has logged in. This means that the device can authenticate with the domain or AD using the user's credentials, which is why you see devices joining after a licensed user logs in.
What's Device for?
In summary, "Device Credentials" is intended for scenarios where devices are automatically joined to the domain or AD without human intervention. However, this approach doesn't work when you're trying to enroll devices added to AD, as it requires a user to be present.
Admin-based installs
Regarding admin-based installs, you're correct that they require an enrolled device. In your scenario, since devices are not enrolled until a licensed user logs in, you can't perform an admin-based install until then.
Conclusion
To summarize:
- "Device Credentials" is used for automatic device enrollment without human intervention.
- "User Credentials" requires a user to log in before the device can be enrolled.
- In your scenario, using "User Credentials" means that devices will join only after a licensed user logs in.
- You can't perform an admin-based install until the device is enrolled, which requires a licensed user to log in first.
I hope this explanation helps clarify things for you!