I learned that every Windows Autopilot scenario has its own differences, goals and solutions for the deployment scenario needed. However, most Windows Autopilot scenarios can be improved and enhanced by some small, yet very effective, optimizations.
In many, if not all, of the Windows Autopilot scenarios I have participated in, I have been able to help achieve more reliable and successful Windows Autopilot deployments with fewer errors, ensuring the best possible user experience.
About Windows Autopilot
Windows Autopilot is a cloud-based service that simplifies the provisioning of Windows devices. It allows you to configure devices remotely, without the need for physical access or imaging. You can also customize the out-of-box experience (OOBE) for your users and enroll devices into your preferred management solution.
However, to get the most out of Windows Autopilot, you need to optimize your scenarios and workflows. In this blog series, I will share the most effective ways to do so, based on my experience and Best Practices.
Note
If you are currently using Hybrid Windows Autopilot, I highly recommend you reconsider your decision, and encourage you to move to a cloud-only Windows Autopilot deployment.
Although you might benefit from these 3 ways to optimize any Windows Autopilot scenario in a Hybrid Windows Autopilot scenario as well, I cannot guarantee the result, as I have not tested Hybrid Windows Autopilot.
To use Windows Autopilot, you need the following:
- Microsoft Entra ID (Azure AD) Premium subscription, or a Microsoft 365 subscription that includes Microsoft Entra ID Premium.
- Microsoft Intune subscription, or another mobile device management (MDM) service that supports Windows Autopilot.
- Windows device that meets the minimum hardware specifications and has a valid Windows Pro, Enterprise, or Education license.
Microsoft Intune is a cloud-based service that helps organizations manage and secure their mobile devices, apps, and data. An important feature of Microsoft Intune is device configuration policies, which allow administrators to set and enforce settings on devices enrolled in Microsoft Intune.
3 ways to optimize any Windows Autopilot scenario.
The purpose of these 3 ways to optimize any Windows Autopilot scenario is to ensure a unified user experience, to ensure Windows is configured the way you expect, to safeguard that users get the same experience when moving from one device to another, to ensure non-business applications are removed (but not blocked), to minimize Windows Autopilot failures, and to reduce support calls.
- Enable the Windows Autopilot Enrollment Status Page (ESP) and add five or fewer applications assigned to devices to the ESP block list.
- Assign a Desired State Configuration (DSC) package to all devices.
- Disable the Account Setup phase of the Windows Autopilot Enrollment Status Page (ESP)
Enable the Windows Autopilot Enrollment Status Page (ESP) and add five or fewer applications assigned to devices to the ESP block list.
The Enrollment Status Page (ESP) displays the provisioning status to people enrolling Windows devices and signing in for the first time. You can configure the ESP to block device use until all required policies and applications are installed.
Device users follow the ESP process to track how far along their device is in the setup process.
My recommended list consists of these few applications:
- Microsoft 365 Apps including the new Microsoft Teams client - If you do not yet use the new Microsoft Teams client, I encourage you to remove it from the Microsoft 365 Apps deployment and add the Microsoft Teams app as a user-assigned stand-alone application.
- Windows Desired State Configuration (DSC) application package(s)
- Microsoft Company Portal.
You might need more apps for your scenario, but please keep as many apps as possible out of the ESP block list, and let the user get to the Desktop and be productive.
Note
You can add more than five applications to the ESP block list in total; however, make sure to add/assign only five or fewer applications per Windows Autopilot profile.
Limiting the applications in the ESP block list can help you reduce the ESP duration, avoid the ESP timeout, and improve the user experience and satisfaction during the Windows Autopilot provisioning process. You should only include the applications that are essential for the user to perform their work tasks, and exclude the applications that are not critical, optional, or personal.
If you want to know more about enabling the Windows Autopilot Enrollment Status Page (ESP) for your Windows Autopilot deployment, please see the How to enable Windows Autopilot Enrollment Status Page post.
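As an added example (not code from the original post or from the Windows gecko project), the following PowerShell script lists every Enrollment Status Page profile in a tenant through Microsoft Graph and flags the ones whose blocking app list is longer than five, so the limit above can be checked instead of assumed. It assumes the Microsoft.Graph.Authentication module is installed, that the signed-in account may read Intune enrollment configurations, and that the beta endpoint exposes the `selectedMobileAppIds` property on ESP profiles.

```powershell
# Added example, not the post's or Windows gecko's code.
# Enumerates ESP profiles and reports how many apps block the ESP per profile.
# Assumption: Microsoft.Graph.Authentication is installed and the account can read
# deviceEnrollmentConfigurations (DeviceManagementServiceConfig.Read.All).
#Requires -Modules Microsoft.Graph.Authentication

$maxBlockingApps = 5   # per-profile limit recommended in the post

Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All' -NoWelcome

# Page through all enrollment configurations (ESP, enrollment restrictions, ...).
$uri = 'https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations'
$allConfigs = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $allConfigs += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)

# Keep only Enrollment Status Page profiles.
$espProfiles = $allConfigs | Where-Object {
    $_.'@odata.type' -eq '#microsoft.graph.windows10EnrollmentCompletionPageConfiguration'
}

foreach ($esp in $espProfiles) {
    $appIds = @($esp.selectedMobileAppIds)
    # An ESP that shows progress but lists no specific apps blocks on ALL required
    # apps assigned to the device, which is the case most worth reviewing.
    $status =
        if ($esp.showInstallationProgress -ne $true) { 'ESP progress not shown' }
        elseif ($appIds.Count -eq 0)                  { 'Blocks on ALL required apps (review)' }
        elseif ($appIds.Count -gt $maxBlockingApps)   { "Too many blocking apps ($($appIds.Count))" }
        else                                          { "OK ($($appIds.Count) blocking apps)" }

    [pscustomobject]@{
        Profile        = $esp.displayName
        Priority       = $esp.priority
        BlockingApps   = $appIds.Count
        TimeoutMinutes = $esp.installProgressTimeoutInMinutes
        Status         = $status
    }
}
```

Run it once per tenant after changing ESP profiles; the `Priority` column tells you which profile actually wins for a given device group when several profiles are assigned.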
Assign a Desired State Configuration (DSC) package to all devices.
Adding a Desired State Configuration (DSC) package to your Windows device allows you to define and apply a consistent configuration to your Windows devices. You can use DSC to configure settings such as registry values, files and folders, services, roles, and features, and more.
There are several ways and approaches to achieve a Windows desired state configuration baseline. A DSC should be built on the requirement to provide a default configuration baseline, or a desired state configuration; it should not stop the end user from installing a previously removed app or from changing a desired setting. The DSC should purely allow device administrators to provide a default baseline, or corporate baseline, to the end user as part of Windows Autopilot scenarios.
Why You Should Add a DSC Package to Your Devices
By adding a DSC package to your devices, you can leverage the benefits of both DSC and Microsoft Intune to manage and configure your devices more efficiently and consistently.
The mindset of the solution should aim at baselining the device, ensuring that your devices are configured according to your organization’s standards and Best Practices, regardless of where they are located or who is using them.
- You can enhance the user experience and satisfaction, as you can provide a consistent and optimized configuration for your devices.
- You will improve the security and compliance of your devices, as you can enforce the desired configuration. If you want to prevent unauthorized or unwanted changes, I highly recommend enforcing any desired settings by leveraging Microsoft Intune configuration settings, and not adding policy settings within your DSC package.
I am maintaining the Windows gecko project, so if you need some inspiration or just want the Desired State Configuration (DSC) package I am using on every Windows Autopilot implementation, please head over to my Windows gecko repository on GitHub.
This repository contains the source code for Windows gecko, a multifunctional script designed to adapt to various Windows management tasks, however built with Windows Autopilot provisioning in mind.
Current features:
- Windows Apps: Remove Windows In-box Apps and Store Apps.
- Windows Branding: Configure OEM information and Registration (Coming soon)
- Windows Features:
- Enable and/or disable Windows features.
- Enable and/or disable Windows optional features.
- Windows Groups: Add accounts to local groups (Coming soon).
- Windows Files: Copy file(s) to device from payload package.
- Windows Registry: Modifying Windows registry entries (add, change, and remove).
- Windows Run: Run local executables and/or download and run executables.
- Windows Services: Configure/re-configure Windows Services.
- Windows TCR: Windows Time zone, Culture and Regional settings manager (PREVIEW).
If you want to know more about adding a Desired State Configuration (DSC) package to your Windows Autopilot deployment, or any other deployment, please see the How to apply a Windows Desired State Configuration package post.
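To make the "baseline, not policy" idea concrete, here is an added example of a minimal baseline script of the kind you would package as a Win32 app and put on the ESP block list. It is not the Windows gecko code and not from the original post. It removes a few non-business in-box apps for new user profiles without blocking them, sets one registry default, and adjusts one service; the app names, the registry path and the service are constructed examples, and the script is written to be idempotent so it can be re-run safely.

```powershell
# Added example, not the Windows gecko code.
# A small, idempotent baseline: removal and defaults only, no enforcement.
# Assumptions: runs elevated (Intune Win32 app in system context); the app names,
# registry path and service below are constructed examples for illustration.
#Requires -RunAsAdministrator

$log = Join-Path $env:ProgramData 'Baseline\baseline.log'
New-Item -Path (Split-Path $log) -ItemType Directory -Force | Out-Null
function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Tee-Object -FilePath $log -Append
}

# 1. Remove provisioned in-box apps so NEW user profiles do not get them.
#    This is removal, not a block: the user can reinstall them from the Store.
$appsToRemove = @('Microsoft.ZuneMusic', 'Microsoft.BingWeather', 'Microsoft.GamingApp')
foreach ($name in $appsToRemove) {
    $pkg = Get-AppxProvisionedPackage -Online | Where-Object DisplayName -eq $name
    if ($pkg) {
        Remove-AppxProvisionedPackage -Online -PackageName $pkg.PackageName | Out-Null
        Write-Log "Removed provisioned app $name"
    } else {
        Write-Log "Provisioned app $name not present, nothing to do"
    }
}

# 2. Registry default: written once as a corporate default. It is deliberately
#    NOT a policy key, so enforcement (if wanted) belongs in an Intune profile.
$regPath = 'HKLM:\SOFTWARE\Contoso\Baseline'   # constructed example path
if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
$current = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).BaselineVersion
if ($current -ne '1.0') {
    Set-ItemProperty -Path $regPath -Name 'BaselineVersion' -Value '1.0' -Type String
    Write-Log 'BaselineVersion set to 1.0'
}

# 3. Service configuration: make sure a service starts automatically.
$svcName = 'W32Time'   # example service
$svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
if ($svc -and $svc.StartType -ne 'Automatic') {
    Set-Service -Name $svcName -StartupType Automatic
    Write-Log "$svcName startup type set to Automatic"
}

# Exit code 0 reports success to Intune; the Win32 app detection rule can
# check the BaselineVersion value written in step 2.
exit 0
```

Packaging note: point the Win32 app's detection rule at the `BaselineVersion` registry value so Intune reports the baseline as installed, and keep the script free of anything that would need to run again at every sign-in; that is the job of Intune configuration profiles.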
Disable the Account Setup phase of the Windows Autopilot Enrollment Status Page (ESP).
The Windows Autopilot Enrollment Status Page (ESP) is a feature that shows the progress of device configuration during the Windows out-of-box experience (OOBE).
The ESP has three phases: Device Preparation, Device Setup, and Account Setup.
In most Windows Autopilot implementations I am engaged in, the needed applications and device configuration profiles are mostly assigned to device groups. When assigned to device groups, settings and applications are applied during the Device Setup phase of the ESP. With the updated Windows Store app experience, Store apps can be provisioned during the Device Setup phase as well.
This is all great, so why do I want to disable the Account Setup phase?
Even when no user configuration profiles or user-assigned applications are applied, the Account Setup phase often takes time to complete. However, in most cases user configuration profiles and user-assigned applications will be used (and that is not wrong), and this is where it gets a bit tricky: when Windows Autopilot enrollment fails, 8 out of 10 enrollments fail in the Account Setup phase.
So why not just skip the Account Setup phase of the enrollment and save time and enhance the user experience?
What happens when the ESP Account Setup phase is disabled?
When the ESP Account Setup phase is disabled, the user will not see the ESP after signing in. Instead, they will see the desktop and can start using the device. However, this does not mean that the device configuration is complete. Depending on the network bandwidth and the number of policies and applications assigned to the user, the configuration process may take minutes or hours to finish in the background.
Disabling the ESP Account Setup phase may have the following negative impacts and risks:
- The user may not have access to all applications, as they may not be fully applied or installed on the device.
- The user may not be able to use all features, as they may depend on the configuration policies and settings.
Disabling the ESP Account Setup phase
Disabling the ESP Account Setup phase is currently achieved using a Microsoft Intune custom configuration profile with just one OMA-URI setting.
Name: SkipUserStatusPage
Description: Disable User ESP Account setup phase
OMA-URI: ./Device/Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage
Data type: Boolean
Value: True
Assign the configuration profile to the device group(s) to which you assign the Windows Autopilot enrollment profile(s), or to any other device group you use for the devices in scope.
If you want to know more about disabling the Account Setup phase, please see the How to disable the Autopilot ESP Account Setup phase post.
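The same custom profile can be created and assigned from PowerShell through Microsoft Graph, which is handy when you manage several tenants. The script below is an added example and not code from the original post; it assumes the Microsoft.Graph.Authentication module, an account allowed to write Intune device configurations, and a device group id that you must fill in (the value shown is a placeholder). The OMA-URI, data type and value are exactly the ones listed above.

```powershell
# Added example, not from the original post.
# Creates the "SkipUserStatusPage" custom profile via Graph and assigns it to a device group.
# Assumptions: Microsoft.Graph.Authentication installed; account holds
# DeviceManagementConfiguration.ReadWrite.All; $targetGroupId replaced with a real group.
#Requires -Modules Microsoft.Graph.Authentication

$targetGroupId = '<device-group-object-id>'   # placeholder: your Autopilot device group
$displayName   = 'Autopilot - Skip ESP Account Setup'

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome
$base = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations'

# Idempotency: reuse a profile with the same name rather than creating a duplicate
# (simple client-side match on displayName).
$existing = (Invoke-MgGraphRequest -Method GET -Uri $base -OutputType PSObject).value |
    Where-Object displayName -eq $displayName | Select-Object -First 1

if ($existing) {
    $config = $existing
} else {
    $body = @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $displayName
        description   = 'Disable the user Account Setup phase of the ESP'
        omaSettings   = @(
            @{
                '@odata.type' = '#microsoft.graph.omaSettingBoolean'
                displayName   = 'SkipUserStatusPage'
                description   = 'Disable User ESP Account setup phase'
                omaUri        = './Device/Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage'
                value         = $true
            }
        )
    }
    $config = Invoke-MgGraphRequest -Method POST -Uri $base -ContentType 'application/json' `
        -Body ($body | ConvertTo-Json -Depth 5) -OutputType PSObject
}

# Assign the profile to the device group (an include assignment).
$assignBody = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $targetGroupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$($config.id)/assign" -ContentType 'application/json' `
    -Body ($assignBody | ConvertTo-Json -Depth 5) | Out-Null

"Profile '$displayName' ($($config.id)) assigned to group $targetGroupId"
```

Two things to keep in mind: the `assign` action replaces the profile's full assignment list, so include every group you want in one call, and the profile only takes effect for devices that enroll after it has been assigned, since the setting is read during the first sync.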
Conclusion
By following these 3 ways to optimize any Windows Autopilot scenario, end users are ensured an optimized and robust Windows Autopilot enrollment experience. However, there are more configurations that could help you, like perfecting the way applications are configured when created and assigned in Microsoft Intune, how you configure your Windows Autopilot profiles, and how you configure and perfect the settings in your ESP configuration to fit your needs.
Best Practice for assigning configuration policies and applications for users.
- Ensure all required applications in the ESP blocked apps list are Windows apps (Win32) only; in general, always use Windows apps (Win32) if possible.
- Consider not deploying VPN clients, third-party Endpoint Security and/or Firewall software, or similar applications during enrollment, as these applications tend to hook into the network stack and break network connectivity, causing the Windows Autopilot enrollment to fail.
- Consider the level of self-service your users accept, and reduce the number of required applications.
- Optimize the user configuration policies and user-assigned applications by minimizing the number, size, and complexity of the policies and applications.
And finally, make sure to enable and configure Windows Autopilot enrollment notifications.
–Jesper
Header image attribution: Created using Adobe Firefly