The enrollment status page (ESP) is something I highly recommend you implement, to ensure each device is fully provisioned before the user can get to the desktop. It makes sure the device is sufficiently configured before the user is able to try to use the device.
That said, there have been some challenges with ESP in some scenarios. We’re slowly chipping away at those, with one new feature released in the past week addressing one particular scenario with what we call the “Nth user scenario.” Here’s the basic scenario:
- You go through the Windows Autopilot deployment process, showing the device ESP and user ESP. Everything works great.
- Later, another user account signs into the machine and sees the user ESP appear again. And it doesn’t work great – it will sit there for a long time, often timing out (based on your ESP settings).
That timeout happens because it’s waiting for another MDM policy sync to figure out what policies need to be tracked for this additional user. But if this second user signs in more than 2 hours after the device was initially provisioned, that sync might not happen for up to 8 hours. (We have some additional work on the backlog to take more active control over that MDM policy sync polling process during ESP.)
So, those of you that have run into this have had to work around this issue, usually by turning off user ESP via a custom OMA-URI policy. (There’s also a scripted option that works, but it’s a little messy.) Now there’s a better way, a new setting available in the ESP settings:
With that set to “Yes,” Intune will take care of turning off the user ESP after the initial Windows Autopilot completes (for the first user). So if you’ve run into this, modify your ESP settings today.
Categories: Windows Autopilot