This week is all about the primary user of a Windows device, and more specifically about the recently introduced functionality to change or remove the primary user of a Windows device. The primary user is used within Microsoft Intune to map a licensed user to a device. Changing the primary user enables the administrator to switch the primary user of a device from one user to another, or to switch a device without an assigned primary user (a shared device) to a specific user. Removing the primary user enables the administrator to switch a device from a specific user to a shared device. In this post I’ll start with a short introduction to the primary user (and shared devices), followed by the actual steps for changing the primary user manually and the places to look in the Microsoft Graph API for automating those steps.
Introduction to the primary user
Before looking at the possibilities of changing or removing a primary user, it’s good to understand the usage and default configuration of the primary user of a Windows device. That’s why it’s good to start with a short introduction. The primary user is used within Microsoft Intune to map a licensed user to a device. That enables the user to see the device in the Company Portal app and the Company Portal website, and also enables the user to perform self-service actions on that device. Besides that, it helps the administrator when troubleshooting and supporting users.
When a device has no primary user assigned, the Company Portal app detects it as a shared device. Shared devices can be identified with a “shared” label appearing on the device tile in the Company Portal app. On a shared device, the Company Portal app can still be used to request and install available apps. However, self-service actions aren’t available. By removing the primary user of a device, the device is configured to operate in shared mode.
Microsoft Intune automatically adds the primary user to the Windows device during, or soon after, the enrollment of the device. The table below, based on the table in my post about Windows 10 enrollment methods, provides an overview of the user that is added as primary user to the device. When the user performs the enrollment, the primary user is added during enrollment, and when the device is automatically enrolled, the primary user is added during sign in.
| Enrollment method | Ownership | Primary user |
| --- | --- | --- |
| Bring Your Own Device | Personal | User that performs enrollment |
| Azure AD join | Corporate | User that performs enrollment |
| Windows Autopilot | Corporate | User that performs enrollment |
| Device Enrollment Manager | Corporate | None |
| Provisioning package | Corporate | None |
| Co-management | Corporate | First user that signs in |
| Group Policy | Corporate | First user that signs in |
Note: Keep in mind that Windows Autopilot contains multiple scenarios, including a scenario without user interaction. In that case no primary user is assigned.
Changing the primary user
Just before looking at the actual steps of changing the primary user of a Windows device, it’s good to go through a few notes about changing the primary user.
- Changing the primary user can take up to 10 minutes to be reflected.
- Changing the primary user is currently not possible on co-managed devices.
- Changing the primary user does not make any changes on the local device (the local group memberships are not adjusted).
- Changing the primary user doesn’t change the “Enrolled by” user.
- Changing the primary user doesn’t affect the assigned user in Windows Autopilot.
Now let’s have a look at the steps for changing the primary user of a Windows device in the Microsoft Endpoint Manager admin center portal. After the manual steps, I’ll also have a quick look at the Graph API for automating them. The steps for removing the primary user are similar and just one click away: when following the four steps below for changing the primary user of the Windows device, the option for removing the primary user will also become clear (during step 2).
Note: To change the primary user of a Windows device, the administrators should be at least Intune Administrator, Help Desk Operator, School Administrator, or Endpoint Security Manager.
1. Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > Windows devices > {DeviceName} > Properties to open the {DeviceName}|Properties blade
2. On the {DeviceName}|Properties blade, select Change primary user to open the Select primary user blade
Figure 1: Device properties
3. On the Select primary user blade, select a user and click Select to return to the {DeviceName}|Properties blade
4. On the {DeviceName}|Properties blade, click Save
For automation purposes, it’s good to know how to configure the primary user programmatically. That can be achieved by using the managedDevices object in the Graph API, via the users reference of the managed device shown below.
https://graph.microsoft.com/beta/deviceManagement/managedDevices('{managedDeviceId}')/users/$ref
Below is an example of the JSON body that should be used for adding a primary user. To create the relationship between the managedDeviceId and the userId, the JSON contains an OData reference to the user (the @odata.id key) rather than a user object.
{ "@odata.id": "https://graph.microsoft.com/beta/users/{userId}" }
Keep in mind that at the moment of writing this article the required properties are only available in the BETA version of the API and production use is not supported.
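As an added example (not code from the original post or from the Microsoft sample repository), the following PowerShell script reads the current primary user of a device and then sets a new one by posting the OData reference to the users/$ref endpoint above. It assumes an already acquired Graph bearer token with a scope that can write managed devices (for example DeviceManagementManagedDevices.ReadWrite.All), and the device and user ids are placeholders supplied as parameters.

```powershell
# Added example: set the primary user of an Intune-managed Windows device via the
# beta Graph endpoint. Not code from the original post or the Microsoft samples.
# Assumptions: $AccessToken is a valid Graph bearer token with a scope that can write
# managed devices; $ManagedDeviceId is the Intune device id and $UserId the Azure AD
# user object id (both placeholders supplied by the caller).
param(
    [Parameter(Mandatory)] [string] $AccessToken,
    [Parameter(Mandatory)] [string] $ManagedDeviceId,
    [Parameter(Mandatory)] [string] $UserId
)

$graph   = 'https://graph.microsoft.com/beta'
$headers = @{ Authorization = "Bearer $AccessToken" }

# The primary user is a relationship on the managedDevices object; $ref addresses
# the link itself rather than the user object it points to.
$usersUri = "$graph/deviceManagement/managedDevices('$ManagedDeviceId')/users"
$refUri   = $usersUri + '/$ref'

# Read the current primary user first; an empty collection means a shared device.
$before  = Invoke-RestMethod -Uri $usersUri -Headers $headers -Method Get
$current = if ($before.value) { $before.value[0].id } else { '<none / shared device>' }
Write-Host "Current primary user id: $current"

# The body is an OData reference: the key must be "@odata.id", and the value is the
# Graph URL of the user. A plain user object or a wrong key yields 400 Bad Request.
$body = @{ '@odata.id' = "$graph/users/$UserId" } | ConvertTo-Json -Compress

try {
    Invoke-RestMethod -Uri $refUri -Headers $headers -Method Post -Body $body -ContentType 'application/json'
    Write-Host 'Primary user changed; the admin center can take up to 10 minutes to reflect it.'
}
catch {
    # 400 usually means a malformed body; 403 means the token lacks the required
    # scope or the signed-in administrator lacks one of the roles named in the post.
    Write-Error "Changing the primary user failed: $($_.Exception.Message)"
    throw
}
```

Run the script with the three parameters; the device, not the user, is the anchor of the relationship, which is why the user id only appears inside the request body.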
More information
For more information about primary users of Windows devices, refer to the following articles:
- Support Tip: How User Device Affinity works in Intune – https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-how-user-device-affinity-works-in-intune/ba-p/708196
- Change the Intune Primary User – Public Preview Now Available – https://techcommunity.microsoft.com/t5/intune-customer-success/change-the-intune-primary-user-public-preview-now-available/ba-p/1221264
- powershell-intune-samples/ManagedDevices/ – https://github.com/microsoftgraph/powershell-intune-samples/tree/master/ManagedDevices
Hi,
Thank you so much for a very good article! I am following your blog, which I find very good. I have learned a lot from it. Thank you so much!
I do have a question for this actual article. I hope it’s OK I am asking it here:
Right now, our users are enrolling the machines (we are a bit of an old tenant and have not begun using Autopilot yet…). That is, Primary user = Enrolled by user.
It’s a school tenant and in many cases it is the school IT helper (who does not have any admin role assigned) who is actually enrolling for the students (many of whom are young children).
I think that this is a concerning security issue which I would like to avoid. As I understand it, the ability to change the primary user can act as a solution. In this way, the IT helper can enroll the machine and then assign a primary user to it. I will need to assign the IT helpers a local administrator role of course. Something which I am considering.
In that case, what user rights will the primary user have on the machine? Will the user have ability to install applications for example? Will the primary user have the same user rights on the machine as the enrolling user?
Regards,
Ido Yavin
Hi Ido,
That’s one of the remarks before the actual configuration steps. This configuration will not make any adjustments to the local group memberships (which includes adjusting the local administrators).
Regards, Peter
Thank you for the post, but this is not available anymore. Right now you can’t modify the primary user. Any idea about it?
Thanks
Hi Cachi,
Can you provide some more details? The possibility is still available for (hybrid) Azure AD joined devices that are either Intune-managed or co-managed.
Regards, Peter
Hi Peter,
This is a fantastic article which is very useful.
For devices that are Hybrid Azure AD joined where auto MDM enrolment has been set by Group Policy the Change Primary user option is available and I can change the user.
However, where a W10 device is Hybrid Azure AD joined but enrolment has been manual (Settings > Accounts > Access work or school), the device will appear in Endpoint Manager but the option to Change Primary user is greyed out.
I cannot see any Microsoft Article that says it will not work under these conditions. Have you come across this?
Hi Chris,
I can’t find any article explaining those details. The only thing that I can imagine is that it’s related to that scenario being “user driven”.
Regards, Peter
Hi,
I don’t really get how to automate this by using the managedDevices object in the Graph API.
I guess use -Method Post
https://graph.microsoft.com/beta/deviceManagement/managedDevices('{managedDeviceId}')/users/$ref
But how do I use the JSON?
@odata.id: "https://graph.microsoft.com/beta/users/{userId}"
I only get syntax error, when trying to use it.
Hi Johan,
For an example have a look here: https://github.com/microsoftgraph/powershell-intune-samples/blob/master/ManagedDevices/Win10_PrimaryUser_Set.ps1
Regards, Peter
Hello Peter,
We are new to Azure-joined machines and I am testing all of this functionality. Sorry if this is a dumb question but is the “change primary user” function meant for occasions when you are taking a laptop from one member of staff and giving it to another member of staff?
Thank you,
Brian
Hi Brian,
Yes, that’s an option, but it can also be useful when switching from a shared device (or bulk enrolled device).
Regards, Peter
Great article thanks.
We have many devices on Intune (hybrid joined to Azure AD) where the Primary user is currently set to the IT user who originally set up and configured the PC. If we clear those primary users, will they be re-set automatically to the next user who signs on?
Hi Ryan,
I haven’t tested that specific scenario, but I don’t think so. Please do test and let me know!
Regards, Peter
Did you ever test this scenario? I had the same question. Autopilot White Glove has been giving too many TPM attestation issues so I had to fully enroll an entire site using my credentials (Azure Joined). I want to remove myself as the Primary user but wasn’t sure if Primary User would update on its own.
Primary user does not update on its own. It stays blank, as a “shared device”
Hey there,
My setup is local AD domain joined with DEM to enroll the devices. I don’t want to use GPO to auto enroll devices as we plan on moving away from the servers.
My question is: as I’m using DEM to enroll a PC, the primary user is showing the DEM account. I was told I can then change the primary user to match the actual user, but the change primary user is greyed out?
The DEM account has an Intune device license.
Hi Si,
Is the button to change the primary user greyed out, or just the user?
Regards, Peter
Hi Peter, change primary user is greyed out for the devices we have in EPM. For example, one device was registered by logging in which seems to be your co-management model and/or via Company Portal. I performed an autopilot reset (or wipe) which preserved the laptop name, policies, and apps installed (although Company Portal isn’t). I verified it is Azure AD joined as well. Thoughts?
Also, is there a workaround for this? I.e. retire the device then re-join to AZAD?
Hi Derek,
Nowadays you should be able to also adjust the primary user of co-managed devices. How are those devices enrolled and what is their join type?
Regards, Peter
Hi Peter,
Here are more details:
Main laptop – Azure AD joined – MDM is listed as Microsoft Intune – enrolled via Company Portal
Another laptop – Azure AD joined – MDM is listed as Office 365 Mobile – enrolled via Company Portal
Last one – Azure AD registered (not joined) – MDM is also listed as Intune – enrolled via Company Portal
Thanks.
Hi Derek,
Apologies for the late reply, as I was enjoying my vacation. When those devices are enrolled via Company Portal app and registered as personal device, you won’t be able to adjust the primary user.
Regards, Peter
Hi Peter,
Quick question… we have Enterprise and Mobility and Security E5 licenses assigned to users in our tenant. This is to enable a higher level of Defender for Endpoint security functionality. If a user isn’t set as the primary user of a device, but has an EMS license assigned, do the advanced Defender for Endpoint functions work on that device? In other words, is the fact that that user is logged into the device the deciding factor on whether the EMS Defender functionality “works”, or does the user need to be assigned as primary user in order for EMS to function at the higher level?
Regards,
Ted
Hi Ted,
I know what scenario you’re looking for, I just don’t know if you have the required license. Microsoft Defender for Endpoint requires Windows 10/11 Enterprise E5: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/minimum-requirements?view=o365-worldwide#licensing-requirements
Regards, Peter
Well this may branch off into two different conversations, as I could have sworn Enterprise and Mobility E5 included Defender, because I have full access to security.microsoft.com and endpoint.microsoft.com and all my systems are in there and assigned to users. I don’t have Windows 10/11 Enterprise E5 licenses in our tenant, nor do I have any individual Defender for Endpoint licenses. But I do see the Microsoft docs that indicate Windows 10/11 Enterprise licensing is required. Odd indeed.
But let’s leave that question for now, because my primary concern is understanding (inside security.microsoft.com) how Windows Defender for Endpoint is activated on an endpoint. Is it by assigning a primary user to a device (that is licensed properly for it) that activates Defender for Endpoint capabilities, or is it simply activated on a Windows 10/11 PC any time a user that is assigned a license signs into the device? That’s what I’m trying to figure out.
Thanks for your reply!!
Hi Ted,
On Windows devices you can use the onboarding package to get devices in MDE.
Regards, Peter
Hi Peter, great article too! To automate the change of primary user, there is the one sample given in GitHub. Are we going to assign that one in Intune under Scripts?
Hi Ian,
To automate it, you need to run a script against the Microsoft Graph. That’s not something to deploy via Intune.
Regards, Peter
I can’t seem to figure out how to change / update the “enrolled by” field. I have a small group of machines that show this field as blank and it is causing issues with other software being used. How can this field be populated?
Hi Sherman,
How are those devices enrolled?
Regards, Peter
That’s what I am also trying to figure out.
Prior to arriving at the company a small IT firm handled this and I am still trying to figure out what “script” or method they used.
The issue is still the same, how do I fix it?
Do I have to un-enroll and re-enroll manually?
I was under the impression that the field should / could never be blank to begin with?
Is there a way to change / update the “enrolled by” field?
I can’t provide any suggestions when I don’t know how those devices are enrolled into Intune. Was it an enrollment by a user or a bulk enrollment method?
Regards, Peter
Hi Peter,
We are using Autopilot and Azure AD joined devices. The primary user who enrolled the device will be local Admin.
If I change the primary user in MEM, is it then possible to make the new primary user local Admin on that device?
Regards
Thomas
Hi Thomas,
That won’t happen automatically.
Regards, Peter
Hi,
I managed it with the examples to change the primary user via
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
I could also read the data via Invoke-MSGraphRequest -HttpMethod GET -Url $uri
$uri = https://graph.microsoft.com/Beta/deviceManagement/managedDevices/%DeviceID%/users
But I also have to write the primary user with Invoke-MSGraphRequest instead of Invoke-RestMethod:
$userUri = "https://graph.microsoft.com/$graphApiVersion/users/" + $userId
$JSON = @{ $id="$userUri" } | ConvertTo-Json -Compress
Invoke-MSGraphRequest -HttpMethod PATCH -Url $uri -Content $JSON -Verbose
But this is not working. I get the error: 400 Bad Request
I think something with the JSON or the URI is wrong. Do you have an idea?
Thank you very much
Marcus
Hi Marcus,
If I’m not mistaken, your JSON should contain OData data.
Regards, Peter
Hi Peter,
This is a fantastic article which is very useful.
For devices that are Hybrid Azure AD joined with the Hybrid Autopilot enrollment method we are successfully able to change the primary user; however, I am concerned whether there are any limitations while managing or using the user.
And if the enrolled by user left the org and that account got deleted, what should be the compliance state where the enrolled user does not exist?
Hi Aman,
What’s the use case?
Regards, Peter
Thank you, it took me several hours to find this out, but your article gave me the answer right away.
I’m just setting up pre-provisioning with Autopilot and I see the primary user and the enrolled users are none.
I think it’s weird it will not be filled by the assigned user, right? Is there a way to do this automatically?
I don’t want to change it for every device manually.
Thanks in advance, Nick
Hi Nick,
I would expect it to happen automatically, after going through the account setup. Regarding your question, you can script it, but that would still require some input about the user-device mapping.
Regards, Peter
Hi Peter,
We have used the WCD PPKG for the migration from SCCM to Intune. In that case the owner of multiple devices is showing the PPKG, but we want to change it to the current logged in user. Is there any script or suggestion?
Hi Pradeep,
As mentioned in the post, you can achieve that by using Microsoft Graph.
Regards, Peter