While the Hybrid Azure AD Join over VPN process probably gets people more excited, another change went live in Intune at the same time: The ability to target enrollment status page (ESP) profiles to groups of devices. Prior to this change, you could target groups containing users, and you could use the default ESP profile to target “All users and devices” as a fallback, but there was no way to target device groups. That was rather awkward with self-deploying mode and the white glove technician process, which don’t have a user, so for those scenarios you had no choice but to use the default ESP profile. There was also an “interesting” scenario where the blocking app list would not work during device ESP with a non-default (user-targeted) ESP profile, so ESP would end up tracking all apps.
If you target device groups instead of user groups, all of these issues go away (although you still do need to be careful with Hybrid Azure AD Join due to the shift from the Azure AD device object to the Hybrid Azure AD device object, as I discuss here and here). You can use a device-targeted ESP profile with self-deploying mode, white glove, and any other scenario, and you can use it in co-management scenarios where you want to turn off ESP for co-managed devices (once you build a group containing those devices).
Since this is just a “behind-the-scenes” behavioral change in the targeting mechanism for ESP profiles, you’ll notice no changes in the Intune portal, just a change in the result. You should understand the overall behavior though:
- Intune will go through all the non-default ESP profiles in priority order, attempting to find one assigned to a group that the current device is a member of.
- If no device assignment was found, Intune will go through all the non-default ESP profiles in priority order again, attempting to find one assigned to a group that the current user is a member of.
- If there was no device or user assignment found, Intune will use the default ESP profile (if enabled).
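To make the three-pass lookup concrete, here is an added model of that targeting order (not Intune's own code; the profile names and group names are constructed for illustration, and a `None` user represents user-less flows such as self-deploying mode or white glove):

```python
# Added example modelling the ESP profile selection order described above:
# device-group assignment first, then user-group assignment, then the default
# profile. Not Intune's code; all profile and group data below is constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class EspProfile:
    name: str
    priority: int                      # lower number = higher priority
    assigned_groups: set = field(default_factory=set)
    is_default: bool = False
    enabled: bool = True


def resolve_esp_profile(profiles, device_groups, user_groups=None):
    """Return the ESP profile Intune would apply, or None if nothing matches.

    device_groups: groups the Azure AD device object belongs to.
    user_groups:   groups the enrolling user belongs to; None when the flow
                   has no user (self-deploying mode, white glove technician).
    """
    candidates = sorted(
        (p for p in profiles if not p.is_default), key=lambda p: p.priority
    )
    # Pass 1: look for a device-targeted assignment, in priority order.
    for p in candidates:
        if p.assigned_groups & set(device_groups):
            return p
    # Pass 2: look for a user-targeted assignment; skipped with no user.
    if user_groups:
        for p in candidates:
            if p.assigned_groups & set(user_groups):
                return p
    # Pass 3: fall back to the default profile, but only if it is enabled.
    for p in profiles:
        if p.is_default and p.enabled:
            return p
    return None


# Constructed sample data: one device-targeted profile, one user-targeted
# profile, and the default profile.
PROFILES = [
    EspProfile("Kiosk ESP", priority=1, assigned_groups={"grp-kiosk-devices"}),
    EspProfile("Sales ESP", priority=2, assigned_groups={"grp-sales-users"}),
    EspProfile("Default ESP", priority=99, is_default=True),
]
```

Running the resolver with a kiosk device and no user returns "Kiosk ESP", a sales user on an untargeted device returns "Sales ESP", and a device matching no group falls through to the default profile.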
If you are using Windows Autopilot for existing devices, you would still need to use the default ESP profile, but all other scenarios will work fine with device targeting (and in some cases, better).
(See my previous blog on ESP to explain why the image above is impossible – it was manually assembled using Paint – and what each of the steps means.)
Categories: Windows Autopilot