3 ways to optimize any Windows Autopilot scenario

SERIES December 11, 2023 11:26 by Jesper Nielsen • 9 minutes to read

I learned that every Windows Autopilot scenario has its own differences and has its own goals and solutions for the deployment scenario needed. However, most Windows Autopilot scenarios can be improved and enhanced by some small, yet very effective, optimizations.

In numerous Windows Autopilot scenarios, we have successfully optimized and achieved more reliable deployments with fewer errors, ensuring an optimal user experience.

About Windows Autopilot

Windows Autopilot is a cloud-based service that simplifies the provisioning of Windows devices. It allows you to configure devices remotely, without the need for physical access or imaging. You can also customize the out-of-box experience (OOBE) for end users and enroll devices into your preferred management solution.

However, to get the most out of Windows Autopilot, you need to optimize your scenarios and workflows. In this blog series, I will share the most effective ways to do so, based on experience and Best Practices.

To use Windows Autopilot, you need the following:

  • Microsoft Entra ID (Azure AD) Premium subscription, or a Microsoft 365 subscription that includes Microsoft Entra ID Premium.
  • Microsoft Intune subscription, or another mobile device management (MDM) service that supports Windows Autopilot.
  • Windows device that meets the minimum hardware specifications and has a valid Windows Pro, Enterprise, or Education license.

Microsoft Intune is a cloud-based service that helps organizations manage and secure their mobile devices, apps, and data. An important feature of Microsoft Intune is device configuration policies, which allow administrators to set and enforce settings on devices enrolled in Microsoft Intune.

3 ways to optimize any Windows Autopilot scenario.

The purpose of these 3 ways to optimize any Windows Autopilot scenario is to ensure a unified user experience: Windows configurations will be as you expect, the user will experience the same setup when moving from one device to another, and non-business applications are removed (but not blocked), minimizing Windows Autopilot failures and reducing support calls.

  1. Enable Windows Enrollment Status Page (ESP) and add five or fewer applications assigned to devices to the ESP block list.
  2. Assign a Desired State Configuration (DSC) package to all devices.
  3. Disable the Account Setup phase of the Windows Enrollment Status Page (ESP)

Enable Windows Enrollment Status Page (ESP) and add five or fewer applications assigned to devices to the ESP block list.

The Windows Enrollment Status Page (ESP) displays the provisioning status to people enrolling Windows devices and signing in for the first time. You can configure the ESP to block device use until all required policies and applications are installed.

Device users can follow the Windows Enrollment Status Page (ESP) process to track how far their device is in the setup process.

My recommended list consists of these few applications:

  • Microsoft 365 Apps including the New Microsoft Teams client.
  • Windows Desired State Configuration (DSC) application package(s).
  • Microsoft Company Portal.

You might need more apps for your scenario, but please keep as many apps as possible out of the Windows Enrollment Status Page (ESP) block list, and let the user get to the Desktop and be productive.

Limiting the applications in the Windows Enrollment Status Page (ESP) block list can help you reduce the Windows Enrollment Status Page (ESP) duration, avoid the pesky timeouts, and improve the user experience and satisfaction during the Windows Autopilot provisioning process. You should only include the applications that are essential for the user to perform their work tasks, and exclude the applications that are not critical, optional, or personal.

If you want to know more about enabling the Windows Enrollment Status Page (ESP) for your Windows Autopilot deployment, please see the How to configure Microsoft Intune Enrollment Status Page post.

Assign a Desired State Configuration (DSC) package to all devices

Adding a Desired State Configuration (DSC) package to your Windows devices allows you to define and apply a consistent configuration to your Windows devices. You can use DSC to configure settings such as registry values, files and folders, services, roles, and features, and more.

There are several ways and approaches to achieve a Windows desired state configuration baseline.

A DSC should be built upon the requirement to provide a default configuration baseline, or a desired state configuration, and is not meant to stop the end user from installing a previously removed app or from circumventing a desired setting. The DSC should be purely a way for device administrators to provide a default baseline, or corporate baseline, to the end user as part of Windows Autopilot scenarios.

Why You Should Add a DSC Package to Your Devices

By adding a DSC package to your devices, you can leverage the benefits of both DSC and Microsoft Intune to manage and configure your devices more efficiently and consistently.

The mindset of the solution should aim to baseline the device, ensuring that devices are configured according to your organization’s standards and Best Practices, regardless of where they are located or who is using them.

  • You can enhance the user experience and satisfaction, as you can provide a consistent and optimized configuration for your devices.
  • You will improve the security and compliance of your devices, as you can enforce the desired configuration. If you want to prevent unauthorized or unwanted changes, I highly recommend you enforce any desired settings by leveraging Microsoft Intune configuration settings, and not by adding policy settings within your DSC package.

I am maintaining the Windows gecko project, so if you need some inspiration or just want the Desired State Configuration (DSC) package I am using on every Windows Autopilot implementation, please head over to my Windows gecko repository on GitHub.

This repository contains the source code for Windows gecko, a multifunctional script designed to adapt to various Windows management tasks, however built with Windows Autopilot provisioning in mind.

Current features:

  • Windows Apps: Remove Windows In-box Apps and Store Apps.
  • Windows Branding: Configure OEM information and Registration (Coming soon)
  • Windows Features:
    • Enable and/or disable Windows features.
    • Enable and/or disable Windows optional features.
  • Windows Groups: Add accounts to local groups (Coming soon).
  • Windows Files: Copy file(s) to device from payload package.
  • Windows Registry: Modifying Windows registry entries (add, change, and remove).
  • Windows Run: Run local executables and/or download and run executables.
  • Windows Services: Configure/re-configure Windows Services.
  • Windows TCR: Windows Time zone, Culture and Regional settings manager (PREVIEW).
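
To make the "baseline, not enforcement" idea concrete, here is an added example of the kind of idempotent script a DSC package runs during Device Setup; it is not the Windows gecko code or any other code from the post. The app names, registry key and service in $Baseline are constructed samples, and the script assumes it runs elevated as an Intune Win32 app.

```powershell
#Requires -RunAsAdministrator
# Added example, not the Windows gecko project's code. Constructed sample baseline:
# apps are removed but not blocked, so a user may reinstall them from the Store.
$Baseline = @{
    RemoveApps = @('Microsoft.XboxApp', 'Microsoft.ZuneMusic')             # sample package names
    Registry   = @(
        @{ Path = 'HKLM:\SOFTWARE\Contoso\Baseline'; Name = 'Applied'; Type = 'DWord'; Value = 1 }  # sample key
    )
    Services   = @( @{ Name = 'Spooler'; StartupType = 'Manual' } )         # sample default, not enforcement
}

$LogPath = "$env:ProgramData\Baseline\baseline.log"
New-Item -Path (Split-Path $LogPath) -ItemType Directory -Force | Out-Null
function Write-Log([string]$Message) { "$(Get-Date -Format s) $Message" | Add-Content -Path $LogPath }

# 1. Remove non-business in-box apps: the provisioned package (affects new user profiles)
#    and any package already staged for existing users. Nothing prevents a later reinstall.
foreach ($app in $Baseline.RemoveApps) {
    Get-AppxProvisionedPackage -Online | Where-Object DisplayName -eq $app | ForEach-Object {
        Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName | Out-Null
        Write-Log "Deprovisioned $($_.PackageName)"
    }
    Get-AppxPackage -AllUsers -Name $app -ErrorAction SilentlyContinue | ForEach-Object {
        Remove-AppxPackage -Package $_.PackageFullName -AllUsers -ErrorAction SilentlyContinue
        Write-Log "Removed $($_.PackageFullName)"
    }
}

# 2. Registry defaults: create the key if missing, write only when the value differs (idempotent).
foreach ($r in $Baseline.Registry) {
    if (-not (Test-Path $r.Path)) { New-Item -Path $r.Path -Force | Out-Null }
    $current = Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue
    if ($null -eq $current -or $current.($r.Name) -ne $r.Value) {
        New-ItemProperty -Path $r.Path -Name $r.Name -PropertyType $r.Type -Value $r.Value -Force | Out-Null
        Write-Log "Set $($r.Path)\$($r.Name) = $($r.Value)"
    }
}

# 3. Service startup defaults, changed only when they differ from the baseline.
foreach ($s in $Baseline.Services) {
    $svc = Get-Service -Name $s.Name -ErrorAction SilentlyContinue
    if ($svc -and $svc.StartType -ne $s.StartupType) {
        Set-Service -Name $s.Name -StartupType $s.StartupType
        Write-Log "Service $($s.Name) startup set to $($s.StartupType)"
    }
}

# Exit 0 so the Win32 app reports success to the ESP even when nothing needed changing.
exit 0
```

Settings you actually need to enforce belong in an Intune configuration profile, as the post recommends; the script only lays down defaults once.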

If you want to know more about adding a Desired State Configuration (DSC) package to your Windows Autopilot deployment, or any other deployment, please see the How to apply a Windows Desired State Configuration package post.

Disable the Account Setup phase of the Windows Enrollment Status Page (ESP).

The Windows Enrollment Status Page (ESP) is a feature that shows the progress of device configuration during the Windows out-of-box experience (OOBE).

The Windows Enrollment Status Page (ESP) has three phases:

  • Device Preparation
  • Device Setup
  • Account Setup

In most Windows Autopilot implementations I have been engaged in, the applications and device configuration profiles needed are for the most part assigned to device groups. When assigned to device groups, settings and applications are applied during the Device Setup phase of the Windows Enrollment Status Page (ESP). With the updated Windows Store app experience, Store apps can be provisioned during the Device Setup phase as well.

This is all great, so why do I recommend disabling the Account Setup phase?

Even when no user configuration profiles or user-assigned applications are applied, the Account Setup phase often takes time to complete. In most cases, however, user configuration profiles and user-assigned applications will be used (and that is not wrong), and this is where it gets a bit tricky: when a Windows Autopilot enrollment fails, 9 of 10 enrollments are failing in the Account Setup phase.

So why not just skip the Account Setup phase of enrollment and save time and enhance the user experience?

What happens when the Windows Enrollment Status Page (ESP) Account Setup phase is disabled?

When the Windows Enrollment Status Page (ESP) Account Setup phase is disabled, the user will not see the Windows Enrollment Status Page (ESP) after signing in. Instead, they will see the desktop and can start using the device. However, this does not mean that the device configuration is complete. Depending on the network bandwidth and the number of policies and applications assigned to the user, the configuration process may take minutes or hours to finish in the background.

Disabling the Windows Enrollment Status Page (ESP) Account Setup phase may have the following negative impacts and risks:

  • The user may not have access to all applications, as they may not be fully applied or installed on the device.
  • The user may not be able to use all features, as they may depend on the configuration policies and settings.

Disabling the Windows Enrollment Status Page (ESP) Account Setup phase

Disabling the ESP Account Setup phase is currently achieved using a Microsoft Intune custom configuration profile with just one OMA-URI setting.

Name: SkipUserStatusPage

Description: Disable User ESP Account setup phase

OMA-URI: ./Device/Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage

Data type: Boolean

Value: True

Assign the configuration profile to the device group(s) you assign the Windows Autopilot enrollment profile(s) to, or any other device group you use for devices in scope.
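
The same custom profile and assignment, created from Microsoft Graph PowerShell instead of the portal, as an added example that is not from the post. It assumes the Microsoft.Graph.Authentication module is installed, and $GroupId is a placeholder for the object ID of your Autopilot device group.

```powershell
# Added example (not from the post): create the one-setting custom profile and assign it.
$GroupId = '<AUTOPILOT-DEVICE-GROUP-OBJECT-ID>'   # placeholder, replace with your group's object ID
$GraphBase = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations'

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# The single OMA-URI setting from the post, expressed as a windows10CustomConfiguration body.
$customProfile = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Disable ESP Account Setup phase'
    description   = 'Skips the user (Account Setup) phase of the Enrollment Status Page'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingBoolean'
            displayName   = 'SkipUserStatusPage'
            description   = 'Disable User ESP Account setup phase'
            omaUri        = './Device/Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage'
            value         = $true
        }
    )
}

# Idempotent: reuse a profile with the same display name rather than creating a duplicate.
$existing = (Invoke-MgGraphRequest -Method GET `
    -Uri "$GraphBase`?`$filter=displayName eq '$($customProfile.displayName)'").value
if ($existing) {
    $created = $existing[0]
} else {
    $created = Invoke-MgGraphRequest -Method POST -Uri $GraphBase `
        -Body ($customProfile | ConvertTo-Json -Depth 5) -ContentType 'application/json'
}

# Assign to the same device group that receives the Autopilot deployment profile.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$GraphBase/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType 'application/json'
```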

If you want to know more about disabling the Account Setup phase, please see the How to disable the Autopilot ESP Account Setup phase post.

Conclusion

By following these 3 ways to optimize any Windows Autopilot scenario, end users are ensured an optimized and robust Windows Autopilot enrollment experience. However, there are more configurations that can help, such as perfecting the way applications are configured when created and assigned in Microsoft Intune, how you configure your Windows Autopilot profiles, and how to configure and tune the settings in your ESP configuration to fit your needs.

Best Practice for assigning configuration policies and applications for users.

  • Ensure all required applications in the ESP blocked apps list are Windows apps (Win32) only; in fact, always use Windows app (Win32) if possible.
  • Deploying VPN client, third party Endpoint Security and/or Firewall software or similar applications as part of the Windows ESP will most likely cause the Windows ESP to fail, as these applications tend to hook into the network stack, breaking the network connectivity, resulting in the Windows enrollment failing.
  • Consider your level of Self-Service accepted by users and reduce the number of required applications.
  • Optimize the user configuration policies and user assigned applications, by minimizing the number, size, and complexity of the policies and applications.

And finally, ensure to enable and configure Microsoft Intune enrollment notification.

–Jesper


Header image attribution: Created using Adobe Firefly