Remove the Primary User from Intune Devices with PowerShell (Shared Device)

If you want to remove the primary user from an Intune device, the first thing to understand is when that primary user is assigned. If an Intune device is not enrolled as a shared device or kiosk device, it always has a primary user. This creates a relationship between the device and the user, and this user is also used to license the device. Only this user can see the device in the Company Portal / Company Portal website and trigger certain self-service actions. Also, while troubleshooting, an Intune admin can select this user in the Troubleshooting + support menu in Intune and directly see their devices.

The primary user is automatically added after the enrollment of an Intune managed device. It is possible to change the user to another user, or to remove this user to switch the device to a shared device.

Where can I find the Primary User?

  • Open the Intune Portal
  • Click Devices -> All Devices
  • Select a Device
  • Click Properties

In this overview you can find the primary user. You also have the possibility to change or remove the user. This is also the place where you can do it manually for a single device before you decide to automate the process at scale.

How can I remove the primary user to switch the device to a shared device?

When a device has no primary user assignment, it is categorized as a shared device. These shared devices are identifiable through a unique identification label displayed in the company portal. In this shared mode, all users have the capability to install apps on the device. However, self-service actions are not accessible when devices are operating in shared mode. So before you make this change, make sure your end users no longer need those self-service actions on that device.

In this section we will look at how you can delete the primary user of all devices or of a list of devices automatically via a PowerShell script.

In the GitHub repository from Microsoft there is a script which shows how to change and delete the primary user for a single device. We have rewritten this script to loop through multiple devices and moved it to the Graph SDK to make it easier to change. If you want to read more about the underlying API, the Microsoft Learn documentation for managed devices is a great reference.

I have uploaded the customized script to my Git repository. Before you run it, you should adjust the filter so that only the devices you want to change are touched.

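Here is an example of how to add a filter to only update Windows devices with a specific version:

# Wildcard pattern matched against each device's osVersion; '*' means all devices
$filter = "*10.0.19045*"
# $allDevices is expected to already hold the managed devices retrieved earlier in the script
if(-not ($filter -eq '*')){
    # Keep only the devices whose OS version matches the pattern
    $allDevices = $allDevices | Where-Object {$_.osVersion -like $filter}
}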

Best practices to remove the primary user at scale

When you run the script across many devices, always test the filter against a small pilot group first. Document which devices you converted to shared devices, and double check the licensing impact, because the primary user is also used to assign the device license. For more Intune automation tips, have a look at my other posts on jannikreinhard.com.
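One way to apply these practices with the Graph SDK, as an added example that is not the script from the author's repository: it supports a `-WhatIf` dry run, caps the run at a pilot size, and writes a CSV record of every device it touches. The parameter names, the log path, and the use of the Graph beta `users/$ref` endpoint are assumptions of this sketch.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.DeviceManagement
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$OsVersionFilter = '*10.0.19045*',        # same wildcard style as the filter above
    [int]$PilotLimit = 5,                             # hypothetical safety cap; 0 = no cap
    [string]$LogPath = '.\primary-user-removal.csv'   # hypothetical audit log location
)

# Ask only for the scope needed to read and modify managed devices.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.ReadWrite.All'

# -All follows the result paging, so large tenants are listed completely.
$allDevices = Get-MgDeviceManagementManagedDevice -All

# Narrow the set client-side before anything is changed.
$targets = $allDevices | Where-Object {
    $_.OperatingSystem -eq 'Windows' -and $_.OSVersion -like $OsVersionFilter
}
if ($PilotLimit -gt 0) {
    $targets = $targets | Select-Object -First $PilotLimit
}

$results = foreach ($device in $targets) {
    # Assumption: removing the users reference on the beta endpoint clears the primary user.
    $uri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices('$($device.Id)')/users/`$ref"
    $status = 'Skipped'
    if ($PSCmdlet.ShouldProcess($device.DeviceName, 'Remove primary user')) {
        try {
            Invoke-MgGraphRequest -Method DELETE -Uri $uri | Out-Null
            $status = 'Removed'
        } catch {
            # Record the failure and continue with the next device.
            $status = "Failed: $($_.Exception.Message)"
        }
    }
    # One audit row per device, including the user recorded on it before the change.
    [pscustomobject]@{
        TimeUtc           = (Get-Date).ToUniversalTime().ToString('o')
        DeviceId          = $device.Id
        DeviceName        = $device.DeviceName
        OsVersion         = $device.OSVersion
        UserPrincipalName = $device.UserPrincipalName
        Status            = $status
    }
}

$results | Export-Csv -Path $LogPath -NoTypeInformation -Append
$results | Group-Object Status | Select-Object Name, Count
```

Run it with `-WhatIf` first to review the target list in the CSV without changing anything, then raise `-PilotLimit` once the pilot devices behave as expected.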

A common pitfall is forgetting that removing the primary user does not magically turn a device into a true multi-user kiosk. The device is simply flagged as shared, but any user-targeted apps and policies you assigned before are still in place. If you want a real shared experience, review your app and configuration assignments and move the relevant ones from user groups to device groups. Otherwise an app you expected on the device may silently disappear once the primary user is gone.

That is everything you need to switch your Intune devices into shared device mode. I hope I could help you with the blog.

Stay healthy, Cheers
Jannik

11 thoughts on “Remove the Primary User from Intune Devices with PowerShell (Shared Device)”

  1. How could this be used to delete the primary user for devices within a specific group? I'm super new at managing Intune with PowerShell. Thank you!

  2. How can I adjust the filter, or how can I get it to process more than 2000 computers?

    • You need a loop here for the paging, or you can also use the PowerShell Graph SDK with the parameter -all. If you need support here, let me know, then I will provide you the script to do this.

  3. Hi. I am trying to run Get-Win10… but it's not recognizing the cmdlets. Installed and imported ADAzure, ADAzurePreview and even Microsoft.Graph.Intune modules but still no joy. Any ideas?

  4. Hi. I am trying to run the above script as well and I get an error “Delete-IntuneDevicePrimaryUser : The term ‘Delete-IntuneDevicePrimaryUser’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check
    the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:8 char:5
    + Delete-IntuneDevicePrimaryUser -IntuneDeviceId $deviceEntry.id -E …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (Delete-IntuneDevicePrimaryUser:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

  5. Hello! I was able to bypass 2 of the errors. One error was if a user did not have an Intune license (test account) and the other error I was able to bypass by commenting out a Break.

    My issue now is, the script completed after going through all devices that Start with a “C”. Is there a limit or a timeout period?
