The Windows Enrollment Status Page is an integral feature for ensuring devices are configured correctly and securely during the Windows Enrollment process. Despite always recommending enabling and configuring the Windows Enrollment Status Page, I have experienced 9 out of 10 failures happening in the last phase of the Windows Enrollment, the User Account phase, which is why I always recommend disabling this phase.
In this post, I will delve into the specifics of enabling the Windows Enrollment Status Page (ESP) and how to configure the Windows Enrollment Status Page including how to disable the User Account phase.
This guide is part of the series 3 ways to optimize any Windows scenario .
The Windows Enrollment Status Page (ESP)
The Windows Enrollment Status Page (ESP) is a feature that provides status updates during the setup and configuration of a new device. It is designed to ensure devices are configured, and ready for use, before the user can access the desktop.
The Windows Enrollment Status Page (ESP) displays the provisioning status to people enrolling Windows devices signing in for the first time, and can be implemented during the default out-of-box experience (OOBE) for Microsoft Entra join, as well as any Windows Autopilot provisioning scenario.
Reference: Set up the Enrollment Status Page .
Benefits of the Enrollment Status Page
Enabling the Enrollment Status Page offers several benefits:
- Improves user experience: Reduces the likelihood of user intervention by automating device setup requirements and adding visibility of installation progress indicators.
- Enhances security: Ensures that security policies and configurations are applied before use.
- Streamline deployment: Simplifies the deployment process and provides visibility into the device setup progress.
Windows Enrollment Status Page tracking
The enrollment status page tracks these phases of provisioning:
- Device preparation. During device preparation, the enrollment status page tracks these tasks for the device:
- Secure your hardware
- Join your organization’s network
- Register your device for mobile management
- Device setup. The enrollment status page tracks these items during the device setup phase targeted at devices, including:
- Security policies
- Certificate profiles
- Network connection
- Apps
- Account setup. During the account setup phase, the ESP tracks apps and policies targeted at users, including:
- Security policies
- Certificates
- Network connections
- Apps targeted at users
For a full description of the process, see Windows ESP tracking .
Tip
See below, why I recommend disabling the Account Setup phase.
Enable Windows Enrollment Status Page
Follow these steps to enable the Windows Enrollment Status Page:
Sign in to the Microsoft Intune admin center as an Intune administrator.
Create new profile
- Select Devices.
- Expand Device onboarding, and then select Enrollment
- Select the Windows tab
Device onboarding - Enrollment - Under Windows Autopilot, select Enrollment Status Page
- On the Enrollment Status Page, select Create
- In Basics, enter the following properties:
- Name: Name your profile so you can easily identify it later
- Description: Enter a description for the profile. This is optional but highly recommended
- Select Next
- In Settings, configure Show app and profile configuration progress to Yes. This will show all the configuration settings.
- Select the settings you want to enable:
- Show an error when installation takes longer than specified number of minutes: 60
- Show custom message when time limit or error occurs: Yes
- Turn on log collection and diagnostics page for end users: Yes
- Only show page to devices provisioned by out-of-box experience (OOBE): Yes
- Block device use until all apps and profiles are installed: Yes
- Allow users to reset device if installation error occurs: Yes
- Allow users to use device if installation error occurs: No
- Block device use until required apps are installed if they are assigned to the user/device: Selected
- Add apps you need to be installed during the Windows Enrollment. Target to add/assign five or less application per Windows Enrollment Status Page profile
- Only fail selected blocking apps in technician phase: Yes
Windows Enrollment Status Page Profile Creation
- Select Next.
- Assign the Windows Enrollment Status Page (ESP) profile to select device groups
- Select Next
- Select Next
- Select Create
Disable the Account Setup phase of the Windows Enrollment Status Page (ESP).
In most Windows Autopilot implementations, I have been engaged in, applications and device configuration profiles are for the most assigned to device groups. When assigning applications and device configuration profiles to device groups, these settings and applications will be applied during the Device Setup phase of the Windows Enrollment Status Page (ESP). With the updated Windows Store App experience, Store Apps can be applied (provisioning) during the Device Setup phase as well.
Even though no user configuration profiles, or user assigned applications are applied, the Account Setup phase often takes time to complete. However, in most cases, user configuration profiles, and user assigned applications will be used (and it is not wrong), and this is where it gets a bit tricky. When the Windows Autopilot enrollment fails, 9 of 10 enrollments are failing in the Account Setup phase.
So why not just skip the Account Setup phase of enrollment and save time and enhance the user experience?
What happens when the Windows Enrollment Status Page (ESP)Account Setup phase is disabled?
When the Windows Enrollment Status Page (ESP)Account Setup phase is disabled, the user will not see the Windows Enrollment Status Page (ESP)after signing in. Instead, they will see the desktop and can start using the device. However, this does not mean that the device configuration is complete. Depending on the network bandwidth and the number of policies and applications assigned to the user, the configuration process may take minutes or hours to finish in the background.
Disabling the Windows Enrollment Status Page (ESP)Account Setup phase may have the following negative impacts and risks:
- The user may not have access to all applications, as they may not be fully applied or installed on the device.
- The user may not be able to use all features, as they may depend on the configuration policies and settings.
Disabling the Windows Enrollment Status Page (ESP)Account Setup phase
Disabling the Windows Enrollment Status Page (ESP)Account Setup phase is currently achieved using a Microsoft Intune custom configuration profile, with just one OMA-URI setting.
If you are new to creating Microsoft Intune custom configuration profiles, see How to configure Microsoft Intune custom policy .
Name: SkipUserStatusPage
Description: Disable User ESP Account setup phase
OMA-URI: ./Device/Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage
Data type: Boolean
Value: True
Assign the configuration profile to the device group(s) you assign the Windows Autopilot enrollment profile(s), or any other device group you use for device in scope.
Conclusion
The user experience of utilizing the Windows Enrollment Status Page (ESP) is significantly streamlined and enhanced.
By disabling the Windows ESP Account Setup phase, administrators can reduce device setup time and mitigate potential issues during the enrollment process. This leads to more efficient deployment and smoother onboarding experience for end-users.
The benefits of using the Enrollment Status Page are manifold. It provides a clear visual representation of the device setup progress, ensuring transparency and reducing uncertainty. Furthermore, it can help in identifying and troubleshooting issues that may arise during the enrollment process, thereby improving overall device management and user satisfaction.
Happy configuring!
–Jesper
Header image attribution: Created using Adobe Firefly