Enrolling Windows Devices using Command-Line

Overview

Note: This content was created for Windows 10, but the basic principles and tasks outlined also apply to your deployment of Windows 11.

Omnissa provides this operational tutorial to help you with your Omnissa Workspace ONE® environment. This tutorial introduces you to command-line provisioning, one of a variety of Windows Desktop onboarding methods supported by Workspace ONE UEM.

The Workspace ONE Intelligent Hub for Windows allows you to onboard devices using command-line enrollment. This allows the ability for staged provisioning, and onboarding with a PC Lifecycle Management (PCLM) solution such as Microsoft Endpoint Configuration Manager.

All these options have one thing in common: using the command-line parameters supported with the Omnissa Workspace ONE^® Intelligent Hub, which streamlines enrollment.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE UEM administrators of existing production environments.

Knowledge of additional technologies such as network, VPN configuration, Omnissa Workspace ONE® Intelligence and Omnissa Workspace ONE® UEM is also helpful.

Enrolling Windows Desktops using Command-Line Enrollment

Command-Line Enrollment Overview

The Workspace ONE Intelligent Hub for Windows allows you to onboard devices using command-line enrollment. This allows the ability for staged provisioning, and onboarding with a PC Lifecycle Management (PCLM) solution such as Microsoft Endpoint Configuration Manager.

All these options have one thing in common: using the command-line parameters supported with the Omnissa Workspace ONE^® Intelligent Hub, which streamlines enrollment.

Important: Although command-line enrollment is a supported onboarding method, you are responsible for ensuring the delivery mechanism used (e.g. GPO) is functioning as expected. The delivery mechanism varies with every use case and is out of the scope of Omnissa support.

Prerequisites

Before you can perform the procedures in this tutorial, verify that your system meets the following prerequisites:

Workspace ONE UEM 2302 or later
Workspace ONE UEM admin account
Credentials for a staging user account (this account has permission to stage the device on behalf of the user)
Active user session: on the device a user needs to be logged on during enrollment with the staging account
Uses login scripts
A domain-joined device

For more information, see the Omnissa Workspace ONE Access documentation and Omnissa Workspace ONE UEM Documentation.

Command-Line Enrollment Scenarios

The procedures and requirements for enabling command-line enrollment depend on the following variables:

Client Type – Domain-joined clients have different requirements from Workgroup (non-domain-joined) devices.
Enrollment Scenario – Bare metal imaging and in-place upgrade are staging workflows that have distinct enrollment requirements.

These variables lead to three primary command-line enrollment workflows:

Command-Line Enrollment for Domain-Joined Devices With or Without Admin Rights (Shown in Operational Tutorial) – For domain joined devices, you deploy the Workspace ONE Intelligent Hub with the proper command-line parameters to the device to enroll the current logged-on domain user (silently). If end users do not have admin rights, make sure you are executing the Hub install in System Context.
Command-Line Enrollment for Workgroup Devices With or Without Admin Rights – Previously, administrators had to pre-register device serial numbers in the Workspace ONE UEM Console to enable device auto-reassignment. But now with the support of the ASSIGNTOLOGGEDINUSER parameter, you can enable this parameter (=Y) and the end user receives a credential prompt from the Hub to complete enrollment. This eliminates the administrative overhead of having to pre-register devices. End users require admin rights unless the Hub install is executed using system context which requires admin rights.
Command-Line Enrollment During Imaging/In-Place Upgrades – For the imaging use case, you set the IMAGE parameter to Y. The Omnissa Workspace ONE Intelligent Hub is pre-installed on the image and waits for a valid enrollment. This decreases the time after enrollment to wait for the Hub to be installed on the device. For In-Place Upgrades, you can set up the Hub using the staging command-line parameters so that enrollment automatically flips to the user account for the next domain user who logs onto the device.

Command-Line Enrollment Requirements

The following table compares the requirements (left column) of each of the onboarding options (top row).

In this table, Yes indicates that the workflow must meet the listed requirement. Following the same logic, No indicates the workflow does not need to meet the listed requirement. Footnotes provide additional details about the requirements.

	Domain-joined devices	Workgroup Devices	Imaging / In-place upgrades
Requirements
Workspace ONE UEM Console 2302 and later Workspace ONE Intelligent Hub for Windows	Yes	Yes	Yes
Domain-joined client	Yes	No¹	N/A
Workspace ONE Intelligent Hub for Windows deployed using System Context in your PCLM solution (such as SCCM)	Yes	Yes	Yes²
Staging Account, with Standard Single User Devices Enabled	Yes	Yes	Yes
Staging Organization Group	Yes³	Yes³	Yes
PowerShell Execution Policy Set to Bypass	No	Yes⁴	No
User Group Mapping Enabled at highest Organization Group⁵	Yes	Yes	Yes
Additional Resources
Production Sample			Blog
The mismatch between the local account and the domain users in the Workspace ONE UEM Console causes auto-reassignment to fail for Workgroup devices. After auto-reassignment fails, the system prompts for a username and password. Your PCLM solution (such as SCCM) only — this requirement does not apply to MDT. Required only if SAML is enabled in your Workspace ONE UEM environment. No longer required starting in Workspace ONE UEM 2302. In the SCCM Console, navigate to Administration > Client Settings > Default Settings > Computer Agent. Scroll down to PowerShell execution policy and set it to Bypass. User Group Organization Group or Fixed Organization Group enabled so that end users are not prompted for a Group ID. To configure this setting, navigate to Settings > Devices & Users > General > Shared Device.

Command Line Enrollment Parameters

The following figure shows the command-line options that you can use to append the required base command:

The following figure shows examples of command lines:

The available parameters are also listed here:

Enrollment Parameters	Values to Add to Parameter
All MSI parameters	These parameters control the app installation behavior. `/quiet` - Completely silent `/q` - Controls the UI levels for installation passive - Minimal controls for the user to guide the application `/L` - Log levels and log paths. For more information, see https://docs.microsoft.com/en-us/windows/win32/msi/command-line-options.
ASSIGNTOLOGGEDINUSER	Select `Y` to assign the device to the domain user that is logged in. Enter this parameter as the last argument in the command line.
DEVICEOWNERSHIPTYPE^	Select `CD` for Corporate Dedicated. Select `CS` for Corporate Shared. Select `EO` for Employee Owned. Select `N` for None.
ENROLL	Select `Y` to enroll. Select `N` for image only. The agent tries to enroll in silent mode only if this parameter is set to `Y`.
IMAGE	This flag takes priority over everything, if this flag is set to `Y`, the agent is put into image mode. Select `Y` for image. Select `N` for enrollment.
INSTALLDIR^	Enter the directory path if you want to change the installation path. Note: If this parameter is not present, the Workspace ONE Intelligent Hub uses the default path: `C:\Program Files (x86)\AirWatch`.
LGName	Enter the organization group name.
PASSWORD	Enter the password for the user you are enrolling or the staging user password if staging the device on the behalf of a user.
SERVER	Enter the enrollment URL.
USERNAME	Enter the user name for the user you are enrolling or the staging user name if staging the device on the behalf of a user.

The documentation holds more information and samples on how to use the command line enrollment feature of the Intelligent Hub agent. Check Enroll Through Comman-Line Staging for more.

Troubleshooting Common Workspace ONE UEM Enrollment Issues

To address the most common enrollment-related issues, the following checks should be undertaken first.

Check Date and Time

Especially when virtual machines have been deployed, check whether the date and time on the device are correct, especially when using a virtual machine.

Check Internet Connection and Endpoints

Next, verify internet connectivity to all endpoints, including validation of the Omnissa-required ports and protocols.

Verify Network and Internet Settings

Ensure that the device has an active internet connection. If connected to a Proxy or VPN, make sure that access to Workspace ONE UEM endpoints or Microsoft endpoints is not affected.

Verify Endpoints

Ensure that you have a trusted connection to all Workspace ONE UEM and Microsoft endpoints. You must satisfy the following requirements:

Workspace ONE UEM Device Services URL over port 443
Windows Auto-Discovery URL (optional) over port 443; Cloud WADS: EnterpriseEnrollment.awmdm.com
Workspace ONE UEM Auto-Discovery over port 443; discovery.awmdm.com
Entra ID needs access to Microsoft Login Servers: https://login.microsoft.com and https://login.microsoftonline.com
Windows Notification Service (WNS) uses port 443: *.notify.windows.com for example, bn1 or bn2.notify.windows.com

Note: If you need to enable Telnet, add the Telnet Client using Turn Windows Features On or Off.

A few more uncommon endpoints to check for are:

Device Health Attestation
- Secure Boot protects the platform until the Windows kernel is loaded. Then protections like Trusted Boot, Hyper-V Code Integrity, and ELAM take over. A device that uses Intel TPM or Qualcomm TPM gets a signed certificate online from the manufacturer that has created the chip and then stores the signed certificate in TPM storage. If you filter Internet access from your client devices, you must authorize the following URLs:
  - For Intel firmware TPM: https://ekop.intel.com/ekcertservice
  - For Qualcomm firmware TPM: https://ekcert.spserv.microsoft.com/ more specifically https://ekcert.spserv.microsoft.com/EKCertificate/GetEKCertificate/v1
  - For AMD firmware TPM: https://ftpm.amd.com/pki/aia
- To provision AIK certificates and filter Internet access, you must authorize the following wildcard URL: https://*.microsoftaik.azure.net
- Both device and Workspace ONE UEM servers must have access to has.spserv.microsoft.com using the TCP protocol on port 443 (HTTPS).
Microsoft License Activation: For more information, see Windows activation or validation fails with error code 0x8004FE33.
Windows Notification Service: For more information, see Microsoft Download Center.
Windows Autopilot: Windows Autopilot depends on a variety of internet-based services. For more information, see Windows Autopilot networking requirements.

Troubleshooting Console Settings and Enrollment for Windows

Navigate to System > Advanced > Device Root Certiﬁcate and verify a PFX Device Root Certiﬁcate generated (NOT a CER).
Conﬁrm that the Hub app is published Devices & Users > Windows > Windows Desktop > Intelligent Hub Application.
Staging workﬂows (command-line, PPKG, and so on.) where the device is auto-reassigned to the end user need to have "Fixed Organization Group" or "User Group Organization Group" set at Devices & Users > General > Shared Devices.
For Azure-based enrollment, ensure Immutable ID Mapping Attribute is correctly set. Most commonly objectGUID or mS-DS- ConsistencyGuid. Ensure that Binary is used for objectGUID and String for any non-GUID value.

Check Accounts

For Access Work or any end-user-driven enrollment, verify you are using an account with administrator access. Ensure you are not using the built-in administrator account as this account cannot enroll into MDM. For more details, refer to Enrollment Scenarios Not Supported.

Check Staging Accounts

When using any of the command-line options or any other staging workflow, you must use a staging account to enroll first before the device gets reassigned. You can either use the built-in staging account that Workspace ONE UEM creates when you first navigate to Settings > Devices & Users > Windows > Windows Desktop > Staging & Provisioning, or you can create a new staging account. Ensure your staging account's staging options match the settings in the screenshot.

Note: The staging account that Workspace ONE UEM creates will always be in the following format: staging@{GroupID}.com for the UPN and staging{GroupID} for the username. You must have a Group ID assigned to the organization group you plan to enroll and stage devices.

Check Device Root Certificate and Application Certificate

After successful enrollment, you should have two certificates from Workspace ONE UEM. The Enrollment certificate is located in Certificates - (Local Computer) > Personal > Certificates and the Application certificate is located in Certificates - Current User > Personal > Certificates, as shown in the screenshots. Verify that these certificates are not present before enrolling or your enrollment will fail (delete all certificates then re-enroll). Previously, we confirmed that the Device Root Certificate was generated.

Enrollment Certificate:

Subject Name Format - AW::{Token}::{Device Services URL}::{Token}
Issued by AwDeviceRoot
Workspace ONE Intelligent Hub will not successfully check-in without the Enrollment Certificate

Application Certificate:

Subject Name Format - {Device UUID}:{Enrollment UPN}:{Device Services URL}:{One Time Token}:{Group ID}
Used by Workspace ONE applications to retrieve device and environment information.
Ensure that the Device ID, Enrollment UPN, Device Services URL, and Group ID are correct or you will receive errors when attempting to use any of the Workspace ONE applications.

Check OS Activation and Build

Inconsistent behavior has been noted on non-activated Windows devices and developer editions of Windows devices, therefore ensure you are running an activated version of Windows. Also, ensure you are using the latest general release build of Windows for the best results. Knowing which Windows edition is being used is helpful as not all editions support all features such as deploying apps and installing several profiles. For example, you cannot deploy software to Windows 10 Home.

Important: Workspace ONE UEM cannot guarantee 100 percent functionality on Windows Insider or TAP program builds which are not general release builds.

Check Required Services

If you enroll the device or configure the device to communicate with Workspace ONE UEM, then ensure the following services are running; DmEnrollmentSvc and dmwappushservice. These services do not run if there is no active attempt to enroll or sync the device. However, they should not be deactivated.

Note: By default, Device Management Enrollment Service (DmEnrollmentSvc) should be set to Manual and the WAP Push Message Routing Service (dmwappushservice) should be set to Auto. The services run by default as LocalSystem and only start on-demand from a request by the user, an app, or another service. Attempting to enroll or sync the device automatically starts both services.

Note: Both DmEnrollmentSvc & dmwappushservice are dependent on Remote Procedure Call (RPC) service, therefore ensure that the PRC service is not deactivated.

Also, DiagTrack (Connected User Experiences and Telemetry) and Schedule (Task Scheduler) must be running on the device to ensure enrollment and other management features properly function. BITS (Background Intelligent Transfer Service) should not be deactivated as this is used to download various packages.

You can leverage the local log collection using Workspace ONE Intelligent Hub to quickly obtain troubleshooting logs. On the Windows device, click Troubleshooting, then Hub Status to see the status of the above services after the device is enrolled.

Summary and Additional Resources

This tutorial introduces you to the command-line enrollment functionality of Workspace ONE UEM and explains how to use this functionality to enroll Windows 10 devices before delivery. A set of exercises describe how to configure this workflow method on your system. The result is your ability to manage the Windows 10 device enrollment before the device ever reaches the end user, or to enroll a Windows 10 device silently to devices already out in the field being managed by the domain, SCCM, or another PLCM solution.

Additional Resources

For more information about Windows Modern Management with Workspace ONE, you can explore the following resources:

Getting Started with Windows Modern Management

Planning Your Windows Deployment

Windows Onboarding

Windows Security and Policy Management

Windows Application Management

Deploying Traditional Win32 Applications to Windows Devices

Windows OS Patching

Managing Updates for Windows Devices

Windows Troubleshooting

Troubleshooting Windows Devices

Changelog

The following updates were made to this guide:

Date	Description of Changes
2024/10/21	Rebranded and updated.
2021/08/12	Removed deprecated install parameters. Updated batch script example. Removed section, "Configuring Command-Line Enrollment for Non-Admin AD Users" as this is no longer officially supported.
2020/08/12	Guide was published.

About the Author and Contributors

This tutorial was written by:

Sascha Warno, Staff Solutions Architect, Technical Marketing, Omnissa

Considerable contributions were made by the following subject matter experts:

Saurabh Jhunjhunwala, EUC Customer Success Architect, Omnissa
Pim van de Vis, Sr. Solutions Architect, Omnissa
Rob Kelley, Sr. Solutions Architect, Omnissa

Feedback

Your feedback is valuable.

To comment on this paper, contact Omnissa Technical Marketing at tech_content_feedback@omnissa.com.