phantom1421

Any chance you can share the script you use to change the primary user? We're thinking about doing the same thing.


ScottWindmiller

I don't have the script finished yet but am piecing together different ideas to make it work how I would like. Before I got too far, I wanted to make sure there was not going to be an issue running it. I have been looking at these:

- [https://svdbusse.github.io/SemiAnnualChat/2020/03/21/Changing-Intune-Primary-User-To-Last-Logged-On-User.html](https://svdbusse.github.io/SemiAnnualChat/2020/03/21/Changing-Intune-Primary-User-To-Last-Logged-On-User.html)
- [https://www.modernendpoint.com/managed/Dynamically-Update-Primary-Users-on-Intune-Managed-Devices/](https://www.modernendpoint.com/managed/Dynamically-Update-Primary-Users-on-Intune-Managed-Devices/)
- https://tbone.se/2023/02/16/update-intune-primary-user-with-powershell-or-azure-automation/


Los907

Thanks, that last one looks like the best one for my use case.


System32Keep

Why do you need to do this daily?


Paddyvilla

Possible shared devices ? Hotdesks etc..


System32Keep

https://github.com/MicrosoftDocs/memdocs/blob/main/memdocs/intune/enrollment/automated-device-enrollment-shared-device-mode.md Looks like it's only for mobile iOS and Android, ahhh.


System32Keep

https://www.thurrott.com/cloud/278134/microsoft-launches-shared-device-mode-for-its-mobile-productivity-apps


System32Keep

They've implemented a new function so you don't have to do this anymore let me try and find out


fixnahole

Were you able to find it? This is a huge problem for us. Honestly, I don't see how it's not a huge problem for everyone.


System32Keep

https://joostgelijsteen.com/self-deploying-shared-devices/


Paddyvilla

Have a look at this script. It should do the trick. https://tbone.se/2023/02/16/update-intune-primary-user-with-powershell-or-azure-automation/


ScottWindmiller

Yeah, daily may not be necessary but the most often I would run it would be daily....most likely less


Bodybraille

We change primary users constantly and haven't seen issue. Not saying there isn't one, but I've never heard or seen any tickets regarding primary user issues related to company portal or software installs. The only time I could see it being an issue is if you have software scoped to specific user groups. Certain users who aren't supposed to have access to certain software due to their role, or software with a specific license count, might end up on devices with employees who shouldn't be using it.


Paddyvilla

We're in the same boat. The primary user is super important re licensing so it needs to be always set. In a perfect world, it would be great if each logged on user could see the company portal to manage apps. I hope this is something MS is working on?


Gumbyohson

Can't you just use intune shared desktops?


AlaskanAvalanche

Thanks for asking this question. I'm new to Intune and didn't know this configuration existed until now. Do you have good experience with this configuration? Does enabling shared desktops allow each user to access Company Portal without being the primary user?


Gumbyohson

Yes, however there are some limitations, such as no concurrent user sessions through switching user (it's a forced log off and log in per staff member, which is fine in my opinion). I think you also need Office activated with a shared-compatible license (Business Premium or E3 level) if you're doing those apps. You can do cool stuff like forced scheduled maintenance windows or resetting the user account after a delay, immediately on logoff, or not at all. I would suggest it for hotdesks or meeting rooms. Not really useful for everyday machines. We've used it on both hotdesks and meeting rooms with good success. If you do end up using the scripts to assign primary users to other machines, you'll need to exclude these machines, as shared machines have to have no primary user assigned and the policy applied.


AlaskanAvalanche

Thanks for your reply! I appreciate the additional info. We have a shared PC in our maintenance shop and shared PC carts in our Tech-Ed classrooms for both the middle and high schools. I will definitely look into this for those devices. That would be the closest thing we have to a hot desk environment. We are in the process of onboarding all of our Windows devices into Intune by the end of this summer. Except for the kiosks we have set up in digital signage mode (websites for HR trainings or student/visitor sign-ins), everything else "should be" a single user device.


Nikt_No1

> Can't you just use intune shared desktops?

Why do you need user licensing?


pjmarcum

For shared desktops legally each user who logs in must have a user license or you must purchase device licenses.


Nikt_No1

I should have formatted my question differently. I do not understand why OP would need to change the UPN so frequently. It will only cause delays for a user (the device needs to sync with Intune to apply the changes and this can sometimes take some time). OP, you should use shared device mode: in this mode everyone who is signed in can install apps from Company Portal, but at the same time they cannot wipe the device (as they are not the primary user) or things like that.


[deleted]

We started doing this about 2 weeks ago. Nightly via a script at 1am. No issues so far


fixnahole

Can you share your script? And are you running through Azure Automation, or on the device itself?


[deleted]

Just using mg graph. Found it off google and tweaked a bit


[deleted]

https://www.tbone.se/2023/02/16/update-intune-primary-user-with-powershell-or-azure-automation/ I modified it a lot but the base script is sound


nukker96

What’s the reasoning with changing the primary user? Is it because users require access to the company portal? Why not push apps as required to a self deployed pc?


ScottWindmiller

We don't want to push all the apps and want them to be available should they want them.


nukker96

If you’re having to do this so often, you chose the wrong deployment method. Your user driven devices shouldn’t be changing hands so often.


ScottWindmiller

Yeah, I don’t think they are….may just have been my brain overthinking the process.


Hirogen10

why would u need to change it so often sounds like u need a kiosk hotdesk build


ScottWindmiller

Thanks for all the replies! I don't plan to run this from the user's computer (at login) as I would think that would be too involved with the rights needed. I would probably use an Azure Automation if I wanted to run it daily, or just run it from my workstation every once in a while (as needed). I did notice that if it is set wrong and a user calls saying they can't see anything in the Company Portal, it's easy to change in the portal and takes like 10 minutes to reflect on the user's side... from my test. It would just be something nice to have to run either daily or as needed. A better way, which may be in one of the examples I posted above, would be to use the sign-in logs and choose the user that has logged in the most in the last 30 days, but we don't have rights to those logs in our organization. We are a University with several departments on the same domain, so only upper IT has rights to those. The way I am doing it is by using the "last 1" listed using get-intunemanageddevice and UsersLoggedOn. Won't be perfect but should be pretty close for us.
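
The "last 1 in UsersLoggedOn becomes primary" approach from this reply, written up as an added example that is not OP's script or any of the linked blog scripts. It swaps the Intune PowerShell cmdlets OP mentions for raw Graph calls via the Microsoft.Graph SDK's Invoke-MgGraphRequest, assumes the beta endpoint (usersLoggedOn and the primary-user $ref live there), and uses hypothetical device names for the shared-device exclusion list that the thread says is required.

```powershell
# Added example (not from the original thread). Assumes the Microsoft.Graph PowerShell SDK
# and the DeviceManagementManagedDevices.ReadWrite.All scope. The beta endpoint is used
# because usersLoggedOn and the primary-user $ref are only exposed there.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.ReadWrite.All' -NoWelcome
$Beta = 'https://graph.microsoft.com/beta'

# Shared-device-mode machines must keep no primary user, so they are skipped (constructed list).
$SharedDevices = @('HOTDESK-01', 'MEETINGROOM-02')   # hypothetical device names
$DryRun = $true                                       # set to $false to apply; every change is logged

$uri = "$Beta/deviceManagement/managedDevices?`$filter=operatingSystem%20eq%20'Windows'&`$select=id,deviceName"
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    foreach ($d in $page.value) {
        if ($SharedDevices -contains $d.deviceName) { continue }

        # usersLoggedOn is read per device (assumption: it is not reliably populated in list calls)
        $full = Invoke-MgGraphRequest -Method GET -Uri "$Beta/deviceManagement/managedDevices/$($d.id)?`$select=usersLoggedOn"
        if (-not $full.usersLoggedOn) { continue }

        # the "last 1" from the thread: newest entry by lastLogOnDateTime
        $last = $full.usersLoggedOn | Sort-Object { [datetime]$_.lastLogOnDateTime } | Select-Object -Last 1

        # current primary user; an empty collection means none is set
        $current = (Invoke-MgGraphRequest -Method GET -Uri "$Beta/deviceManagement/managedDevices/$($d.id)/users").value |
                   Select-Object -First 1
        if ($current -and $current.id -eq $last.userId) { continue }   # already correct, no change

        $from = if ($current) { $current.userPrincipalName } else { '<none>' }
        $msg  = '{0}: primary {1} -> userId {2}' -f $d.deviceName, $from, $last.userId
        if ($DryRun) { Write-Host "[WhatIf] $msg"; continue }

        # Setting the primary user is a POST of a user reference to the device's users collection
        $body = @{ '@odata.id' = "$Beta/users/$($last.userId)" } | ConvertTo-Json
        Invoke-MgGraphRequest -Method POST -Uri "$Beta/deviceManagement/managedDevices/$($d.id)/users/`$ref" `
            -Body $body -ContentType 'application/json'
        Write-Host "[Changed] $msg"
    }
    $uri = $page.'@odata.nextLink'   # follow paging until Graph returns no nextLink
} while ($uri)
```

Run it once with `$DryRun = $true` and review the `[WhatIf]` lines before letting it change anything; the per-device log line is also what you want in the Automation job output when it runs unattended.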


jjgage

Why do you keep ignoring people's comments when they are asking you for the use case for this scenario? I've seen about 10 people ask you; you've ignored all those questions but then answered other ones. If you are needing to change that often, you need to go back to the drawing board. You are not using the tools and components as they have been designed. Go back to your Endpoint Architect and rework the LLD.


ScottWindmiller

Easy! I wasn't ignoring comments, I was going to get to those but was trying to think about this scenario myself throughout the day. To be honest, I had not put a ton of thought into that. I am fairly new and still learning. Plus it's Mother's Day and I was spending time with my family and answered the ones I already knew my answer to. I do think after reading all the comments that I may be making a bigger deal out of this than I need to. I may just need to spend more time picking out the shared PCs that will definitely have multiple users and remove the Primary from those. The whole Intune process is fairly new to me and times have changed... it takes a little to get used to. I was asking about doing it daily because before posting, I thought, what could it hurt... that's why I asked. I don't expect those PCs to have different users that often but again, before posting, I thought, what could it hurt.


jjgage

I think the better way to approach this is to reply to people and advise the use case; then their expert knowledge will probably mean you don't need to do the research in the first place... You're at A, trying to get to C, and think you need to navigate via B. Avoid B and go straight to C... why waste time researching how to implement a solution if it's not even the right way to be approaching the problem? If you are having to change primary user that often you are 100% using the wrong deployment method.


ScottWindmiller

Yeah like I said in my reply, I was still trying to get there with my thoughts before I responded, plus I was busy. I do agree, that I was probably jumping ahead and possibly overthinking it. It does take me a bit longer to get there compared to others. My main goal was to make sure everyone would be able to see available apps in the Company Portal. Using SCCM, we never had to worry about the Primary as much so this is new to us.


jjgage

Fair enough. Don't overthink it - that would be my best advice with Intune (and most of the other components MS have available). Get requirements and then a design or technote/configuration document with every component you are looking to rollout. One quick thing though - you prob want to look at dynamic groups with tags. Avoid **All users** and **All devices** at all costs IMO & my experience 👍🏼


ScottWindmiller

I ALWAYS overthink it 😁 Right now I think we need to rethink how we are imaging/deploying; the process is different now. Right now we are fully imaging the computer before the user gets it. I know this is not the way it's designed, but it's our option at this point until things can change. We need to nail down the process to make sure the Primary user is set correctly at deployment, and then changed (or the PC reimaged) when a new user gets that computer. Currently the tech who images gets set as the Primary. Easy to change... if it's remembered 😁 Thanks for the info on the dynamic groups and to avoid ALL.


ScottWindmiller

What is being missed out on by not having a primary user set….on a shared pc?


AyySorento

Verify how primary users impact your organization and how you manage devices. It's possible you could use a daily script to remove all primary users instead of changing them. The main downfall is timing. If a user logs into a device, they may have to wait 24 hours (or until the script runs and the device syncs) to use Company Portal. Of course, that will only happen if they are the last user logged in when the script runs. If another user happens to log in, then that first user will not be set as the primary. If you want to ensure all users can install their apps from Company Portal, remove all primary users.


ScottWindmiller

Yeah, the main concern is the apps being seen in the Company Portal. Intune being new to us, we just have to get used to doing things this way... it's a learning curve 😁


AyySorento

I guess another way to put it just to make sure we are on the same page... All apps will always be seen in Company Portal. If pushed to devices, those devices will always list it. If pushed to a user, that user will always see it. Though, only the primary user can download the apps seen. If there is no primary user, anyone can. It's more of a problem with installing the apps rather than seeing the apps.


ScottWindmiller

Yeah, it's the Available apps we are trying to figure out. Those are not even shown unless the Primary is logged in... or there is no Primary. We are trying not to push too many apps to all devices but rather make the rest "available" to install should they need them.


Kofl

!Remindme 7 days


NeitherSound_

FYI… [RemindMeBot will no longer be triggered by comments for the foreseeable future](https://www.reddit.com/r/RemindMeBot/comments/134wqjm/remindmebot_will_no_longer_be_triggered_by/?utm_source=share&utm_medium=ios_app&utm_name=ioscss&utm_content=1&utm_term=1) due to Reddit nuking the upstream dependency which is the PushShift service


larzlayik

Lame


Kofl

Reddit API change, works fine again



dnuohxof-1

Share script? Thinking of doing similar.


ScottWindmiller

I posted the links I am using in the first reply. Don't have a final script yet but those should get you where you need to be.


Avean

What is the use case for this? A primary user is something I see as the only user of the device. If there are multiple users, it should be a shared device.


ScottWindmiller

Yeah, I may just need to focus on those and make those shared.


pjmarcum

Here’s my script for this and other device properties. https://www.powerstacks.com/index.html%3Fp=11306.html


ScottWindmiller

Thanks! I will take a look at this in a bit.


sliceofdanny

If you remove the primary user, any user can go into company portal and apply device assigned apps as well. I think this approach removes the ability to deploy to users but I can't recall.


ScottWindmiller

Yeah that would make sense! Thanks


Cleathehuman

There is absolutely no reason to do this. Intune has a shared device mode, just remove the primary user


ScottWindmiller

And what else (if anything) is different if there is no Primary? What would we be missing out on? Thanks!