Hide change account options – what it actually does after MC288489

Sebastian 6 Reputation points
2021-10-12T21:07:52.033+00:00

AutoPilot Deployment Profile Question – after MC288489

What does “Hide change account options” actually do after MC288489? Which account will be prevented from changing when user-device assignment in pre-enrolment doesn’t work anymore?

“Options to change account and start over with a different account appear, respectively, during initial device setup on the company sign-in page, and on the domain error page. To hide these options, you must configure company branding in Azure Active Directory (requires Windows 10, 1809 or later, or Windows 11).”


6 answers

  1. Sebastian 6 Reputation points
    2021-10-19T07:56:47.247+00:00

    @Crystal-MSFT - thanks for the screen above. After MC288489 a device can't be locked down to a specific user anymore. If everyone can sign in, the option "Hide change account options" in the Windows AutoPilot portal doesn't make any sense. It does nothing. It doesn't prevent the sign-in of a non-assigned user on the device.

    So I would expect - Microsoft should communicate the change according to the importance of the "downgrade" and never without notice. It's a commercial service. We all pay for it. @Jason Sandys

    1 person found this answer helpful.

  2. Crystal-MSFT 51,976 Reputation points Microsoft Vendor
    2021-10-13T05:36:03.157+00:00

    @Sebastian, for MC288489, there's a change to the authentication experience during user enrollment for Autopilot. The user will no longer see the personalized hello screen. We will also no longer pre-populate the Azure AD User Principal Name (UPN), and a user will manually enter their login credentials when prompted.
    Based on my test, if we set "Hide change account options" to Show, the "Change account" option is still there, and when we click it, we are asked to set the location and language again and then come to the following screen. We can enter a Microsoft account or choose "Domain join instead" and then enter a local account.

    Hope it can help.


  3. Sebastian 6 Reputation points
    2021-10-13T07:22:24.593+00:00

    @Crystal-MSFT

    Thank you for testing. I can confirm the same behaviour on W10 / W11. It means the option "Hide change account options" in Windows AutoPilot does nothing. It doesn't work as intended. Even worse - it works differently than intended.

    It changes the security flow: organisations are not able anymore to lock down the device to a particular user in the AutoPilot process (pre-enrolment). Any user in the organisation can enrol a device that has a particular user assigned to it in the Windows AutoPilot Service. Which wasn't the case before MC288489.

    It looks like Microsoft removed a security-related capability from Windows AutoPilot without notice.

    @Jason Sandys

    I disagree with @Jason Sandys, who said “Any other use was purely cosmetic and while we understand this may cause some disruption to your processes, this should be limited to aesthetics only with the user now having to type in their username.”

    Please correct me if I’m wrong.

    https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/planning-for-cloud-native-windows-endpoints-and-modern/bc-p/2838791/emcs_t/S2h8ZW1haWx8bWVudGlvbl9zdWJzY3JpcHRpb258S1VPQk1WWUpCUlFVNkR8MjgzODc5MXxBVF9NRU5USU9OU3xoSw#M755


  4. Sebastian 6 Reputation points
    2021-10-13T07:30:11.05+00:00

    If I’m right, MC288489 is misleading. The communication should include “Organisations no longer are able to lock down the AutoPilot device to a user.” + effective date should be at least 90 days.


  5. Sebastian 6 Reputation points
    2021-10-13T22:10:50.333+00:00

    @Jason Sandys - could you please take a look at the above?
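
A defender-side check for the situation discussed in this thread, added here as an example and not part of any post: it compares the user assigned to each device in the Autopilot service with the user the device was actually enrolled by, and reports mismatches. The record fields follow the Microsoft Graph property names for `windowsAutopilotDeviceIdentity` and `managedDevice`; the function name, serial numbers, IDs and the `contoso.example` tenant are constructed for illustration.

```python
"""Flag Autopilot devices enrolled by someone other than the assigned user."""

# Constructed sample records (not real tenant data).
NOT_ENROLLED = "00000000-0000-0000-0000-000000000000"
AUTOPILOT = [
    {"serialNumber": "SN-0001", "userPrincipalName": "Alice@contoso.example",
     "managedDeviceId": "md-1"},
    {"serialNumber": "SN-0002", "userPrincipalName": "bob@contoso.example",
     "managedDeviceId": "md-2"},
    {"serialNumber": "SN-0003", "userPrincipalName": "",      # no assignment
     "managedDeviceId": "md-3"},
    {"serialNumber": "SN-0004", "userPrincipalName": "dave@contoso.example",
     "managedDeviceId": NOT_ENROLLED},                        # not enrolled yet
]
MANAGED = [
    {"id": "md-1", "userPrincipalName": "alice@contoso.example",
     "enrolledDateTime": "2021-10-14T08:01:00Z"},
    {"id": "md-2", "userPrincipalName": "carol@contoso.example",
     "enrolledDateTime": "2021-10-14T09:30:00Z"},
    {"id": "md-3", "userPrincipalName": "erin@contoso.example",
     "enrolledDateTime": "2021-10-15T10:00:00Z"},
]

def _norm(upn):
    # UPNs are compared case-insensitively; None/empty means "no user".
    return (upn or "").strip().lower()

def find_enrollment_mismatches(autopilot_devices, managed_devices):
    """Return one finding per device whose enrolling user differs from the
    user assigned to it in the Autopilot service."""
    managed_by_id = {d["id"]: d for d in managed_devices}
    findings = []
    for ap in autopilot_devices:
        assigned = _norm(ap.get("userPrincipalName"))
        if not assigned:
            continue                      # nothing to compare against
        md = managed_by_id.get(ap.get("managedDeviceId"))
        if md is None:
            continue                      # assigned but not enrolled yet
        enrolled_by = _norm(md.get("userPrincipalName"))
        if enrolled_by != assigned:
            findings.append({"serialNumber": ap["serialNumber"],
                             "assignedUser": assigned,
                             "enrolledBy": enrolled_by,
                             "enrolledDateTime": md.get("enrolledDateTime")})
    return findings

if __name__ == "__main__":
    for f in find_enrollment_mismatches(AUTOPILOT, MANAGED):
        print(f)
```
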