First-run experience with Autopilot and the Enrollment Status Page
Microsoft Managed Desktop uses both Windows Autopilot and Microsoft Intune's Enrollment Status Page (ESP) to provide the best possible first-run experience to your users.
Initial deployment
To provide the ESP experience, you must register devices in the Microsoft Managed Desktop service. For more about registration, see Manual registration or Partner registration. Enrollment Status Page and Autopilot for pre-provisioned deployment are enabled by default in Microsoft Managed Desktop.
Autopilot profile settings
Microsoft Managed Desktop uses these settings in the Autopilot profile used for your users' devices:
MMD-%RAND:11% Autopilot settings
| Setting | Value |
|---|---|
| Deployment mode | User Driven |
| Join to Microsoft Entra ID as | Microsoft Entra joined |
| Language (Region) | User Select |
| Automatically configure keyboard | No |
| Microsoft Software License Terms | Hide |
| Privacy settings | Hide |
| Hide change account options | Show |
| User account type | Standard |
| Allow White Glove Out of Box Experience (OOBE) | Yes |
| Apply device name template | Yes |
| Enter a name | MMD-%RAND:11% |
Kiosk-%RAND:9% Autopilot settings
These settings apply to devices with the Kiosk device profile assigned.
| Setting | Value |
|---|---|
| Deployment mode | Self-Deploying |
| Join to Microsoft Entra ID as | Microsoft Entra joined |
| Language (Region) | Operating system default |
| Automatically configure keyboard | No |
| Microsoft Software License Terms | Hide |
| Privacy settings | Hide |
| Hide change account options | Hide |
| User account type | Standard |
| Allow White Glove Out of Box Experience (OOBE) | Yes |
| Apply device name template | Yes |
| Enter a name | Kiosk-%RAND:9% |
Enrollment Status Page settings
Microsoft Managed Desktop uses these settings for the Enrollment Status Page experience:
MMD-%RAND:11% Enrollment Status Page settings
| Setting | Value |
|---|---|
| Show app and profile configuration progress | Yes |
| Show an error when installation takes longer than specified number of minutes | 60 |
| Show custom message when time limit error occurs | No |
| Turn on log collection and diagnostics page for end users | Yes |
| Only show page to devices provisioned by out-of-box experience (OOBE) | Yes |
| Block device use until all apps and profiles are installed | Yes |
| Allow users to reset device if installation error occurs | Yes |
| Allow users to use device if installation error occurs | Yes |
Block device use until these required apps are installed if they're assigned to the user/device
|
Yes |
Kiosk-%RAND:9% Enrollment Status Page settings
| Setting | Value |
|---|---|
| Show app and profile configuration progress | Yes |
| Show an error when installation takes longer than specified number of minutes | 60 |
| Show custom message when time limit error occurs | No |
| Turn on log collection and diagnostics page for end users | Yes |
| Only show page to devices provisioned by out-of-box experience (OOBE) | Yes |
| Block device use until all apps and profiles are installed | Yes |
| Allow users to reset device if installation error occurs | Yes |
| Allow users to use device if installation error occurs | Yes |
Block device use until these required apps are installed if they're assigned to the user/device
|
All |
Enrollment Status Page experience
The Enrollment Status Page experience occurs in three phases. For more, see Enrollment Status Page tracking information.
The experience proceeds as follows:
- The Autopilot experience starts and the user enters their credentials.
- The device opens the Enrollment Status Page and proceeds through Device Preparation and Device Set up phases. The third step (Account Setup) is currently skipped in the Microsoft Managed Desktop configuration because the User ESP is disabled. The device restarts.
- After restarting, the device opens the Windows sign-in page with Other user.
- The users enter their credentials again and the desktop opens.
Note
Win32 apps are only deployed during ESP if the Windows 10 version is 1903 or later.
Additional prerequisites for Autopilot for pre-provisioned deployment
- Device must have a wired network connection.
- If you have devices that were registered using the Microsoft Managed Desktop admin center before August 2020, de-register and re-register the devices.
- Devices must have a factory image that includes the November 2020 cumulative update 19H1/19H2 2020.11C, or 20H1 2020.11C installed, or must be reimaged with the latest Microsoft Managed Desktop image.
- Physical devices must support TPM 2.0 and device attestation. Virtual machines aren't supported. The pre-provisioning process uses Windows Autopilot self-deploying capabilities, so TPM 2.0 is required. The TPM attestation process also requires access to a set of HTTPS URLs that are unique for each TPM provider. For more information, see the entry for Autopilot self-deploying mode and Autopilot pre-provisioned deployment in Windows Autopilot networking requirements.
Sequence of events in Autopilot for pre-provisioned deployment
- IT Admin reimages or resets the device if needed.
- IT Admin boots the device, reaches the out-of-box-experience, and presses the Windows key five times.
- IT Admin selects Windows Autopilot Provisioning and then selects Continue. On the Windows Autopilot configuration screen, information will be displayed about the device.
- IT admin selects Provision to start the provisioning process.
- Device starts ESP and goes through device preparation and setup phases. During the device setup phase, you'll see App installation x of x displayed (depending on the exact configuration of the ESP profile).
- The account setup step is currently skipped in the Microsoft Managed Desktop configuration, since we disable User ESP.
- The device restarts.
After it restarts, the device will show the green status screen, with a Reseal button.
Important
Known issues:
- ESP does not run again after the Autopilot for pre-provisioned deployment reseal function.
- Device are not being renamed by Autopilot for pre-provisioned deployment. The device will only be renamed after going through the ESP user flow.
Change to Autopilot and Enrollment Status Page settings
If the setup used by Microsoft Managed Desktop doesn't exactly match your needs, you can file a support ticket through the Azure portal. Here are some examples of the types of configuration you might need:
Autopilot settings change
You might want to request a different device name template. You can't, however, change Deployment Mode, Join to Microsoft Entra ID As, Privacy Settings, or User Account Type.
Enrollment Status Page settings change
- A longer number of minutes for the "Show an error when installation takes longer than specified number of minutes" setting.
- The error message displayed.
- Adding or removing applications in the "Block device use until these required apps are installed if they're assigned to the user/device" setting.
Required applications
- You must target applications in the Modern Workplace device groups Test, First, Fast, and Broad. Applications must install in the "System" context. Make sure to complete testing with ESP in the Test group before you assign them to all groups.
- No applications should require the device to restart. We recommend that applications be set to "Do nothing" when you build the application package if the device requires a restart.
- Limit required applications to only the core applications that a user needs immediately when they sign in to the device.
- Keep the total size of all applications collectively under 1 GB to avoid timeouts during the application installation phase.
- Ideally, apps shouldn't have any dependencies. If you have apps that must have dependencies, be sure you configure, test, and validate them as part of your ESP evaluation.
- Microsoft Teams can't be included in ESP.