Changing the primary user of Windows devices

This week is all about the primary user of a Windows device. More specifically, it is about the recently introduced functionality to change or remove the primary user of a Windows device. The primary user is used within Microsoft Intune to map a licensed user to a device. Changing the primary user enables the administrator to switch the primary user of a device from one user to another user, or to switch a device without an assigned primary user (shared device) to a specific user. Besides that, removing the primary user enables the administrator to switch a device from a specific user to a shared device. In this post I’ll start with a short introduction about the primary user (and shared devices), followed by actually changing the primary user: the steps for changing the primary user manually and the places to look at in the Microsoft Graph API for automating those steps.

Introduction to the primary user

Before looking at the possibilities of changing or removing a primary user, it’s good to understand the usage and default configuration of the primary user of a Windows device. That’s why it’s good to start with a short introduction. The primary user is used within Microsoft Intune to map a licensed user to a device. That enables the user to see the device in the Company Portal app and the Company Portal website, and also enables the user to perform self-service actions on that device. Besides that, it helps the administrator when troubleshooting and supporting users.

When a device has no primary user assigned, the Company Portal app detects it as a shared device. Shared devices can be identified with a “shared” label appearing on the device tile in the Company Portal app. On a shared device, the Company Portal app can still be used to request and install available apps. However, self-service actions aren’t available. By removing the primary user of a device, the device is configured to operate in shared mode.

Microsoft Intune automatically adds the primary user to the Windows device during, or soon after, the enrollment of the device. The table below, based on the table in my post about Windows 10 enrollment methods, provides an overview of the user that is added as primary user to the device. When the user performs the enrollment, the primary user is added during enrollment, and when the device is automatically enrolled, the primary user is added during sign in.

Enrollment method         | Ownership | Primary user
--------------------------|-----------|-------------------------------
Bring Your Own Device     | Personal  | User that performs enrollment
Azure AD join             | Corporate | User that performs enrollment
Windows Autopilot         | Corporate | User that performs enrollment
Device Enrollment Manager | Corporate | None
Provisioning package      | Corporate | None
Co-management             | Corporate | First user that signs in
Group Policy              | Corporate | First user that signs in

Note: Keep in mind that Windows Autopilot contains multiple scenarios, including a scenario without user interaction. In that case no primary user is assigned.

Changing the primary user

Just before looking at the actual steps of changing the primary user of a Windows device, it’s good to go through a few notes about changing the primary user.

  1. Changing the primary user can take up to 10 minutes to be reflected.
  2. Changing the primary user is currently not possible on co-managed devices.
  3. Changing the primary user does not make any changes on the local device (local group memberships, including the local Administrators group, are not adjusted).
  4. Changing the primary user doesn’t change the “Enrolled by” user.
  5. Changing the primary user doesn’t affect the assigned user in Windows Autopilot.

Now let’s have a look at the steps for changing the primary user of a Windows device in the Microsoft Endpoint Manager admin center portal. After looking at the manual steps, I’ll also have a quick look at the Graph API for automating these steps. The steps for removing the primary user are similar and just one click away. When following the four steps below for changing the primary user of the Windows device, the steps for removing the primary user will also become clear (during step 2).

Note: To change the primary user of a Windows device, the administrator needs at least one of the following roles: Intune Administrator, Help Desk Operator, School Administrator, or Endpoint Security Manager.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > Windows devices > {DeviceName} > Properties to open the {DeviceName}|Properties blade
  2. On the {DeviceName}|Properties blade, select Change primary user to open the Select primary user blade (the option to remove the primary user is available on this blade as well)
  3. On the Select primary user blade, select a user and click Select to return to the {DeviceName}|Properties blade
  4. On the {DeviceName}|Properties blade, click Save

For automation purposes, it’s useful to know how to configure the primary user through the Microsoft Graph API. That can be achieved by using the managedDevices object and the users relationship of the managed device, available at the following endpoint:

https://graph.microsoft.com/beta/deviceManagement/managedDevices('{managedDeviceId}')/users/$ref

Below is an example of the JSON body that should be posted to that endpoint for adding a primary user. To create the relationship between the managedDeviceId and the userId, the JSON contains an OData reference to the user:

{ "@odata.id": "https://graph.microsoft.com/beta/users/{userId}" }

Keep in mind that at the moment of writing this article the required properties are only available in the BETA version of the API and production use is not supported.
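As an added example (not code from the original post), the following PowerShell sets the primary user through the endpoint above and then reads the users relationship back to verify it. It assumes the Microsoft.Graph.Authentication module (Invoke-MgGraphRequest) and the DeviceManagementManagedDevices.ReadWrite.All permission (assumed scope); the device and user ids are placeholders.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph.Authentication
# module and consent to the (assumed) DeviceManagementManagedDevices.ReadWrite.All scope.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.ReadWrite.All"

function Set-IntunePrimaryUser {
    param(
        [Parameter(Mandatory)][string]$ManagedDeviceId,
        [Parameter(Mandatory)][string]$UserId
    )
    # $ref endpoint from the post; the backtick keeps "$ref" literal inside the string.
    $uri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices('$ManagedDeviceId')/users/`$ref"
    # The OData reference body from the post. The key must be the literal "@odata.id";
    # a variable such as $id in its place produces an invalid body (400 Bad Request).
    $body = @{ "@odata.id" = "https://graph.microsoft.com/beta/users/$UserId" } | ConvertTo-Json -Compress
    Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body -ContentType "application/json"
}

function Get-IntunePrimaryUser {
    param([Parameter(Mandatory)][string]$ManagedDeviceId)
    # Reads the users relationship of the managed device (beta endpoint); an empty
    # result means no primary user is assigned, i.e. the device operates as a shared device.
    $uri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices('$ManagedDeviceId')/users"
    (Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).value
}

# Placeholder ids; take the real values from the admin center or a lookup.
$deviceId = "<managedDeviceId>"
$userId   = "<userId>"
Set-IntunePrimaryUser -ManagedDeviceId $deviceId -UserId $userId
# The relationship can be read back right away; the admin center may take up to 10 minutes to reflect it.
Get-IntunePrimaryUser -ManagedDeviceId $deviceId | Select-Object id, userPrincipalName
```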

More information

For more information about primary users of Windows devices, refer to the following articles:

38 thoughts on “Changing the primary user of Windows devices”

  1. Hi,
    Thank you so much for a very good article! I am following your blog, which I find very good. I have learned a lot from it. Thank you so much!
    I do have a question for this actual article. I hope it’s OK I am asking it here:
    Right now, our users are enrolling the machines (we are a bit of an old tenant and have not begun using Autopilot yet…). That is, Primary user = Enrolled by user.
    It’s a school tenant and in many cases it is the school IT helper (who does not have any admin role assigned) who is actually enrolling for the students (many of whom are young children).
    I think that this is a concerning security issue which I would like to avoid. As I understand it, the ability to change the primary user can act as a solution. In this way, the IT helper can enroll the machine and then assign a primary user to it. I will need to assign the IT helpers a local administrator role, of course. Something which I am considering.
    In that case, what user rights will the primary user have on the machine? Will the user have ability to install applications for example? Will the primary user have the same user rights on the machine as the enrolling user?
    Regards,
    Ido Yavin
    • Hi Ido,
      That’s one of the remarks before the actual configuration steps. This configuration will not make any adjustments to the local group memberships (which includes adjusting the local administrators).
      Regards, Peter
  2. Hi Peter,

    This is a fantastic article which is very useful.

    For devices that are Hybrid Azure AD joined where auto MDM enrolment has been set by Group Policy the Change Primary user option is available and I can change the user.

    However, where a W10 device is Hybrid Azure AD joined but enrolment has been manual (Settings > Accounts > Access work or school), the device will appear in Endpoint Manager but the option to Change Primary user is greyed out.

    I cannot see any Microsoft Article that says it will not work under these conditions. Have you come across this?
  3. Hello Peter,

    We are new to Azure-joined machines and I am testing all of this functionality. Sorry if this is a dumb question but is the “change primary user” function meant for occasions when you are taking a laptop from one member of staff and giving it to another member of staff?

    Thank you,

    Brian
  4. Great article thanks.

    We have many devices on Intune (hybrid joined to Azure AD) where the Primary user is currently set to the IT user who originally set up and configured the PC. If we clear those primary users, will they be re-set automatically to the next user who signs on?
    • Did you ever test this scenario? I had the same question. Autopilot White Glove has been giving too many TPM attestation issues, so I had to fully enroll an entire site using my credentials (Azure Joined). I want to remove myself as the Primary user but wasn’t sure if Primary User would update on its own.
  5. Hey there,

    My setup is local AD domain joined with DEM to enroll the devices. I don’t want to use GPO to auto-enroll devices as we plan on moving away from the servers.
    My question is: as I’m using DEM to enroll a PC, the primary user is showing the DEM account. I was told I can then change the primary user to match the actual user, but the change primary user option is greyed out?

    DEM account has an intune device license
  6. Hi Peter, change primary user is greyed out for the devices we have in EPM. For example, one device was registered by logging in, which seems to be your co-management model, and/or via Company Portal. I performed an Autopilot reset (or wipe) which preserved the laptop name, policies, and apps installed (although Company Portal isn’t). I verified it is Azure AD joined as well. Thoughts?

    Also, is there a workaround for this? I.e. retire the device, then re-join to AzAD?
      • Hi Peter,
        Here are more details:
        Main laptop – Azure AD joined – MDM is listed as Microsoft Intune – enrolled via Company Portal
        Another laptop – Azure AD joined – MDM is listed as Office 365 Mobile – enrolled via Company Portal
        Last one – Azure AD registered (not joined) – MDM is also listed as Intune – enrolled via Company Portal

        Thanks.
        • Hi Derek,
          Apologies for the late reply, as I was enjoying my vacation. When those devices are enrolled via Company Portal app and registered as personal device, you won’t be able to adjust the primary user.
          Regards, Peter
  7. Hi Peter,

    Quick question… we have Enterprise Mobility + Security E5 licenses assigned to users in our tenant. This is to enable a higher level of Defender for Endpoint security functionality. If a user isn’t set as the primary user of a device, but has an EMS license assigned, do the advanced Defender for Endpoint functions work on that device? In other words, is the fact that that user is logged into the device the deciding factor on whether the EMS Defender functionality “works”, or does the user need to be assigned as primary user in order for EMS to function at the higher level?

    Regards,

    Ted
  8. Well, this may branch off into two different conversations, as I could have sworn Enterprise Mobility E5 included Defender, because I have full access to security.microsoft.com and endpoint.microsoft.com and all my systems are in there and assigned to users. I don’t have Windows 10/11 Enterprise E5 licenses in our tenant, nor do I have any individual Defender for Endpoint licenses. But I do see the Microsoft docs that indicate Windows 10/11 Enterprise licensing is required. Odd indeed.

    But let’s leave that question for now, because my primary concern is understanding (inside security.microsoft.com) how Windows Defender for Endpoint is activated on an endpoint. Is it by assigning a primary user to a device (that is licensed properly for it) that activates Defender for Endpoint capabilities, or is it simply activated on a Windows 10/11 PC any time a user that is assigned a license signs into the device? That’s what I’m trying to figure out.

    Thanks for your reply!!
  9. Hi Peter, great article too! To automate the change of the primary user, there is the one sample given on GitHub. Are we going to assign that one in Intune under Scripts?
  10. I can’t seem to figure out how to change / update the “enrolled by” field. I have a small group of machines that show this field as blank and it is causing issues with other software being used. How can this field be populated?
      • That’s what I am also trying to figure out.

        Prior to arriving at the company, a small IT firm handled this and I am still trying to figure out what “script” or method they used.

        The issue is still the same: how do I fix it?

        Do I have to un-enroll and re-enroll manually?

        I was under the impression that the field should / could never be blank to begin with?

        Is there a way to change / update the “enrolled by” field?
  11. Hi Peter,

    We are using Autopilot and Azure AD joined devices. The primary user who enrolled the device will be local Admin.
    If I change the primary user in MEM, is it then possible to make the new primary user local Admin on that device?

    Regards
    Thomas
  12. Hi,

    I managed it with the examples to change the primary user via
    Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"

    I could also read the data via Invoke-MSGraphRequest -HttpMethod GET -Url $uri

    $uri = "https://graph.microsoft.com/Beta/deviceManagement/managedDevices/%DeviceID%/users"

    But I also have to write the primary user with Invoke-MSGraphRequest instead of Invoke-RestMethod:

    $userUri = "https://graph.microsoft.com/$graphApiVersion/users/" + $userId
    $JSON = @{ $id="$userUri" } | ConvertTo-Json -Compress
    Invoke-MSGraphRequest -HttpMethod PATCH -Url $uri -Content $JSON -Verbose

    But this is not working. I get the error: 400 Bad Request

    I think something with the JSON or the URI is wrong. Do you have an idea?

    Thank you very much
    Marcus
  13. Hi Peter,

    This is a fantastic article which is very useful.

    For devices that are Hybrid Azure AD joined with the Hybrid Autopilot enrollment method, we are successfully able to change the primary user. However, I am concerned whether there are any limitations while managing or using the user.
    And if the enrolled-by user left the org and that account got deleted, what should be the compliance state when the enrolled user does not exist?
  14. Thank you, it took me several hours to find this out, but your article gave me the answer right away.
    I’m just setting up pre-provisioning with Autopilot and I see the primary user and the enrolled user are none.
    I think it’s weird it will not be filled by the assigned user, right? Is there a way to do this automatically?
    I don’t want to change it for every device manually.

    Thanks in advance, Nick
    • Hi Nick,
      I would expect it to happen automatically, after going through the account setup. Regarding your question, you can script it, but that would still require some input about the user-device mapping.
      Regards, Peter
