Pre-provision Microsoft Entra join: User flow

Windows Autopilot for pre-provisioned deployment Microsoft Entra join steps:

  • Step 9: User flow

For an overview of the Windows Autopilot for pre-provisioned deployment Microsoft Entra join workflow, see Windows Autopilot for pre-provisioned deployment Microsoft Entra join overview.

User flow

Once the technician flow step of the pre-provisioning process completes successfully and the device is resealed, the device can be delivered to the end-user. The end-user then completes the normal Windows Autopilot user-driven process. This final step is known as the user flow and involves the following steps:

  1. If a wired network connection is available, connect the device to the wired network connection.

  2. Power on the device.

  3. Once the device boots up, one of two things occurs depending on the state of network connectivity:

    • If the device is connected to a wired network and has network connectivity, the device may reboot to apply critical security updates (if available or applicable). After the reboot to apply critical security updates, the Autopilot process begins.

    • If the device isn't connected to a wired network or if it doesn't have network connectivity, it prompts to connect to a network. Connectivity to the Internet is required:

      1. OOBE (out of box experience) begins and a screen asking for a country or region appears. Select the appropriate country or region, and then select Yes.

      2. The keyboard screen appears to select a keyboard layout. Select the appropriate keyboard layout, and then select Yes.

      3. An additional keyboard layouts screen appears. If needed, select additional keyboard layouts via Add layout, or select Skip if no additional keyboard layouts are needed.

        Note

        When there's no network connectivity, the device can't download the Autopilot profile to know what country/region and keyboard settings to use. For this reason, when there's no network connectivity, the country/region and keyboard screens appear even if these screens have been set to hidden in the Autopilot profile. These settings need to be specified in these screens in order for the network connectivity screens that follow to work properly.

      4. The Let's connect you to a network screen appears. At this screen, either plug the device into a wired network (if available), or select and connect to a wireless Wi-Fi network.

      5. Once network connectivity is established, the Next button should become available. Select Next.

      6. At this point, the device may reboot to apply critical security updates (if available or applicable). After the reboot to apply critical security updates, the Autopilot process begins.

  4. Once the Autopilot process begins, the Microsoft Entra sign-in page appears. At the Microsoft Entra sign-in page, if a user was assigned to the device, their username may be pre-populated in this screen. Enter the Microsoft Entra credentials for the user and then select Next (Windows 10) or Sign in (Windows 11) to sign in. If necessary, proceed through the multi-factor authentication (MFA) screens.

  5. After authenticating with Microsoft Entra ID, the Enrollment Status Page (ESP) appears. The Enrollment Status Page (ESP) displays progress during the provisioning process across three phases:

    • Device preparation (Device ESP)
    • Device setup (Device ESP)
    • Account setup (User ESP)

    The first two phases of Device preparation and Device setup are part of the Device ESP while the final phase of Account setup is part of the User ESP.

    For the user flow of Windows Autopilot for pre-provisioned deployment, the Device setup phase of the Device ESP and the Account setup phase of the User ESP run. The Device preparation phase of the Device ESP doesn't run during the user flow since it already ran during the Technician flow.

    The Device setup phase of the Device ESP runs again during the user flow in case any new or additional policies or applications assigned to the device became available between the technician flow phase and the user flow phase.

  6. Once Account setup and the user ESP process complete, the provisioning process completes, the ESP finishes, and the Desktop appears. At this point, the end-user can start using the device.

User-flow tips

  • Depending on how the Autopilot profile was configured at the Create and assign Autopilot profile step, additional screens may appear during the Autopilot deployment, such as:

    • Language/Country/Region or Keyboard screens before the Microsoft Entra sign-in page.
    • Privacy screen when the user ESP/Account setup begins but before the user is automatically signed in.
  • To view and hide detailed progress information in the ESP during the provisioning process:

    • Windows 10: To show details, next to the appropriate phase select Show details. To hide the details, next to the appropriate phase select Hide details.
    • Windows 11: To show details, next to the appropriate phase select . To hide the details, next to the appropriate phase select .
  • In order to make sure tokens are refreshed properly between the Technician flow and the User flow, wait at least 90 minutes after running the Technician flow before running the User flow. This scenario mainly affects lab and testing scenarios, such as this tutorial, when the User flow is run within 90 minutes after the Technician flow completes.
  • Compliance in Microsoft Entra ID is reset during the User flow. Devices might show as compliant in Microsoft Entra ID after the Technician flow completes, but then show as noncompliant once the User flow starts. Allow enough time after the User flow completes for compliance to reevaluate and update.
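
The last two tips can be checked from an administrator workstation after the user flow. The following is an added example, not part of the original article: it assumes the Microsoft Graph PowerShell SDK is installed, and the function name, its parameters, the polling budget, and the sample device name and timestamps are all illustrative.

```powershell
# Added example. Requires the Microsoft.Graph.Authentication and
# Microsoft.Graph.Identity.DirectoryManagement modules.
# Wait-EntraDeviceCompliance is a hypothetical helper, not a Microsoft cmdlet.
function Wait-EntraDeviceCompliance {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $DeviceName,         # Entra device display name
        [Parameter(Mandatory)] [datetime] $TechnicianFlowEnd,  # recorded at reseal time
        [Parameter(Mandatory)] [datetime] $UserFlowStart,      # recorded at first user sign-in
        [int] $TimeoutMinutes = 60,                            # assumed polling budget
        [int] $PollSeconds    = 300                            # assumed polling interval
    )

    # Tip: wait at least 90 minutes between the Technician flow and the User flow.
    $gap = $UserFlowStart - $TechnicianFlowEnd
    if ($gap.TotalMinutes -lt 90) {
        Write-Warning ("User flow started {0:N0} minutes after the Technician flow; tokens may not have refreshed." -f $gap.TotalMinutes)
    }

    # Tip: compliance is reset during the User flow, so poll until it is reevaluated.
    $safeName = $DeviceName -replace "'", "''"   # escape single quotes for the OData filter
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $devices = @(Get-MgDevice -Filter "displayName eq '$safeName'" `
                        -Property Id, DisplayName, IsCompliant, IsManaged)
        if ($devices.Count -ne 1) {
            # Stale or duplicate device objects make the result ambiguous; stop and investigate.
            throw "Expected exactly one Entra device named '$DeviceName', found $($devices.Count)."
        }
        $device = $devices[0]
        Write-Verbose ("{0:u} IsCompliant={1} IsManaged={2}" -f (Get-Date), $device.IsCompliant, $device.IsManaged)
        if ($device.IsCompliant -eq $true) { return $device }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    throw "Device '$DeviceName' is still not compliant after $TimeoutMinutes minutes."
}

Connect-MgGraph -Scopes 'Device.Read.All'
# Constructed sample values.
Wait-EntraDeviceCompliance -DeviceName 'DESKTOP-EXAMPLE' `
    -TechnicianFlowEnd '2024-01-10T09:00' -UserFlowStart '2024-01-10T11:15' -Verbose
```

A device that never reaches a compliant state within the polling budget causes the function to throw, which makes the result usable in an automated lab or acceptance check.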

More information

For more information on the user flow of a Windows Autopilot for pre-provisioned deployment, see the following article(s):