Set up the Enrollment Status Page

The Enrollment Status Page (ESP) displays provisioning progress after a new device is enrolled, as well as when new users sign into the device. This enables IT administrators to optionally prevent (block) access to the device until it has been fully provisioned, while at the same time giving users information about the tasks remaining in the provisioning process.

The ESP can be used as part of any Windows Autopilot provisioning scenario, and can also be used separately from Windows Autopilot as part of the default out-of-box experience (OOBE) for Azure AD Join, as well as for any new users signing into the device for the first time.

You can create multiple Enrollment Status Page profiles with different configurations that specify:

  • Showing installation progress
  • Blocking access until the provisioning process is completed
  • Time limits
  • Allowed troubleshooting operations

These profiles are specified in a priority order; the highest priority that is applicable will be used. Each ESP profile can be targeted to groups containing devices or users. When determining which profile to use, the following criteria will be followed:

  • The highest-priority profile targeted to the device will be used first.
  • If there are no profiles targeted to the device, the highest-priority profile targeted to the current user will be used. (This only applies in scenarios where there is a user. In white glove and self-deploying scenarios, only device targeting can be used.)
  • If there are no profiles targeted to specific groups, then the default ESP profile will be used.
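The selection rules above, modelled as an added PowerShell example (not code from the Intune documentation). Profile names, group names and the numeric priority scheme are constructed; the only real inputs are the three rules themselves.

```powershell
# Added example: resolve which ESP profile applies to an enrolling device/user.
# Assumption: Priority 1 is the top of the admin center list, so the lowest number wins.
function Resolve-EspProfile {
    param(
        [Parameter(Mandatory)] [object[]] $Profiles,   # objects with Name, Priority, Groups, IsDefault
        [string[]] $DeviceGroups = @(),                # Azure AD groups the enrolling device belongs to
        [string[]] $UserGroups = @(),                  # Azure AD groups the signing-in user belongs to
        [switch] $DeviceOnly                           # self-deploying / white glove: there is no user
    )
    $byPriority = $Profiles | Where-Object { -not $_.IsDefault } | Sort-Object Priority

    # Rule 1: the highest-priority profile assigned to a group containing the device.
    $hit = $byPriority |
        Where-Object { @($_.Groups | Where-Object { $DeviceGroups -contains $_ }).Count -gt 0 } |
        Select-Object -First 1
    if ($hit) { return $hit }

    # Rule 2: otherwise the highest-priority profile assigned to a group containing the user.
    if (-not $DeviceOnly) {
        $hit = $byPriority |
            Where-Object { @($_.Groups | Where-Object { $UserGroups -contains $_ }).Count -gt 0 } |
            Select-Object -First 1
        if ($hit) { return $hit }
    }

    # Rule 3: no group-targeted profile matched, so fall back to the default ESP profile.
    return $Profiles | Where-Object { $_.IsDefault } | Select-Object -First 1
}

# Constructed sample data. Note that 'Finance ESP' has the higher priority, but a
# device-targeted profile always wins over a user-targeted one, regardless of priority.
$profiles = @(
    [pscustomobject]@{ Name = 'Finance ESP'; Priority = 1;  Groups = @('Finance Users'); IsDefault = $false }
    [pscustomobject]@{ Name = 'Kiosk ESP';   Priority = 2;  Groups = @('Kiosk Devices'); IsDefault = $false }
    [pscustomobject]@{ Name = 'All users and all devices'; Priority = 99; Groups = @(); IsDefault = $true }
)

# Device is in a targeted group (rule 1 applies).
Resolve-EspProfile -Profiles $profiles -DeviceGroups 'Kiosk Devices' -UserGroups 'Finance Users'
# Device is not targeted, user is (rule 2 applies).
Resolve-EspProfile -Profiles $profiles -DeviceGroups 'Sales Devices' -UserGroups 'Finance Users'
# Self-deploying scenario: user groups are ignored, so the default profile is returned (rule 3).
Resolve-EspProfile -Profiles $profiles -DeviceGroups 'Sales Devices' -UserGroups 'Finance Users' -DeviceOnly
```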

Available settings

The following settings can be configured to customize behavior of the Enrollment Status page:

  • Show app and profile installation progress
    • Yes: The enrollment status page is displayed.
    • No: The enrollment status page isn't displayed.
  • Block device use until all apps and profiles are installed
    • Yes: The settings in this table are made available to customize behavior of the enrollment status page, so that the user can address potential installation issues.
    • No: The enrollment status page is displayed with no additional options to address installation failures.
  • Allow users to reset device if installation error occurs
    • Yes: A Reset device button is displayed if there's an installation failure.
    • No: The Reset device button isn't displayed if there's an installation failure.
  • Allow users to use device if installation error occurs
    • Yes: A Continue anyway button is displayed if there's an installation failure.
    • No: The Continue anyway button isn't displayed if there's an installation failure.
  • Show timeout error when installation takes longer than specified number of minutes
    • Specify the number of minutes to wait for installation to complete. A default value of 60 minutes is entered.
  • Show custom message when an error occurs
    • Yes: A text box is provided where you can specify a custom message to display if an installation error occurs.
    • No: The default message is displayed: "Installation exceeded the time limit set by your organization. Try again or contact your IT support person for help."
  • Allow users to collect logs about installation errors
    • Yes: If there's an installation error, a Collect logs button is displayed. If the user clicks this button, they're asked to choose a location to save the log file MDMDiagReport.cab.
    • No: The Collect logs button isn't displayed if there's an installation error.
  • Block device use until these required apps are installed if they're assigned to the user/device
    • Choose All or Selected. If Selected is chosen, a Select apps button appears that lets you choose which apps must be installed before enabling the device.

Turn on default Enrollment Status Page for all users

To turn on the Enrollment Status Page, follow the steps below.

  1. In the Microsoft Endpoint Manager admin center, choose Devices > Windows > Windows enrollment > Enrollment Status Page.
  2. In the Enrollment Status Page blade, choose Default > Settings.
  3. For Show app and profile installation progress, choose Yes.
  4. Choose the other settings that you want to turn on and then choose Save.

Create Enrollment Status Page profile and assign to a group

  1. In the Microsoft Endpoint Manager admin center, choose Devices > Windows > Windows enrollment > Enrollment Status Page > Create profile.
  2. Provide a Name and Description.
  3. Choose Create.
  4. Choose the new profile in the Enrollment Status Page list.
  5. Choose Assignments > Select groups > choose the groups that you want to adopt this profile > Select > Save.
  6. Choose Settings > choose the settings you want to apply to this profile > Save.

Set the enrollment status page priority

A device or user can be in many groups and have multiple Enrollment Status Page profiles targeted. To control which profiles are considered first, you can set the priorities for each profile; those with higher priorities are considered first.

  1. In the Microsoft Endpoint Manager admin center, choose Devices > Windows > Windows enrollment > Enrollment Status Page.
  2. Hover over the profile in the list.
  3. Using the three vertical dots, drag the profile to the desired position on the list.

Block access to a device until a specific application is installed

You can specify which apps must be installed before the Enrollment Status Page (ESP) completes.

  1. In the Microsoft Endpoint Manager admin center, choose Devices > Windows > Windows enrollment > Enrollment Status Page.
  2. Choose a profile > Settings.
  3. Choose Yes for Show app and profile installation progress.
  4. Choose Yes for Block device use until all apps and profiles are installed.
  5. Choose Selected for Block device use until these required apps are installed if they're assigned to the user/device.
  6. Choose Select apps > choose the apps > Select > Save.

The apps that are included in this list are used by Intune to filter the list that should be considered blocking. It does not specify what apps should be installed. For example, if you configure this list to include "App 1," "App 2," and "App 3" and "App 3" and "App 4" are targeted to the device or user, the Enrollment Status Page will track only "App 3." "App 4" will still be installed, but the Enrollment Status Page will not wait for it to complete.

A maximum of 100 apps can be specified.

Enrollment Status Page tracking information

The Enrollment Status Page tracks information in three phases: device preparation, device setup, and account setup.

Device preparation

For device preparation, the enrollment status page tracks:

  • Trusted Platform Module (TPM) key attestation (when applicable)
  • Azure Active Directory join process
  • Intune (MDM) enrollment
  • Installation of the Intune Management Extensions (used to install Win32 apps)

Device setup

The Enrollment Status Page tracks the following device setup items:

  • Security policies
    • One configuration service provider (CSP) for all enrollments.
    • Actual CSPs configured by Intune aren't tracked here.
  • Applications
    • Per machine Line-of-business (LoB) MSI apps.
    • LoB store apps with installation context = Device.
    • Offline store and LoB store apps with installation context = Device.
    • Win32 applications (Windows 10 version 1903 and newer only)
  • Connectivity profiles
    • VPN or Wi-Fi profiles that are assigned to All Devices or a device group in which the enrolling device is a member, but only for Autopilot devices
  • Certificate profiles that are assigned to All Devices or a device group in which the enrolling device is a member, but only for Autopilot devices

Account setup

For account setup, the Enrollment Status Page tracks the following items if they're assigned to the currently signed-in user:

  • Security policies
    • One CSP for all enrollments.
    • Actual CSPs configured by Intune aren't tracked here.
  • Applications
    • Per user LoB MSI apps that are assigned to All Devices, All Users, or a user group in which the user enrolling the device is a member.
    • Per machine LoB MSI apps that are assigned to All Users or a user group in which the user enrolling the device is a member.
    • LoB store apps, online store apps, and offline store apps that are assigned to any of the following objects:
      • All Devices
      • All Users
      • A user group in which the user enrolling the device is a member with installation context set to User.
    • Win32 applications (Windows 10 version 1903 and newer only)
  • Connectivity profiles
    • VPN or Wi-Fi profiles that are assigned to All Users or a user group in which the user enrolling the device is a member.
  • Certificates
    • Certificate profiles that are assigned to All Users or a user group in which the user enrolling the device is a member.

Troubleshooting

The following are common questions for troubleshooting issues related to the Enrollment Status Page.

  • Why were my applications not installed and tracked using the Enrollment Status Page?

    • To guarantee applications are installed and tracked using the Enrollment Status Page, ensure that:
      • The apps are assigned to an Azure AD group containing the device (for device-targeted apps) or the user (for user-targeted apps), using a "required" assignment. (Device-targeted apps are tracked during the device phase of ESP, while user-targeted apps are tracked during the user phase of ESP.)
      • You either specify Block device use until all apps and profiles are installed or include the app in the Block device use until these required apps are installed list.
      • The apps install in device context and have no user-context applicability rules.
  • Why is the Enrollment Status Page showing for non-Autopilot deployments, for example when a user logs in for the first time on a Configuration Manager co-management enrolled device?

    • The Enrollment Status Page lists installation status for all enrollment methods, including
      • Autopilot
      • Configuration Manager co-management
      • when any new user logs into the device that has Enrollment Status Page policy applied for the first time
      • when the Only show page to devices provisioned by out-of-box experience (OOBE) setting is on and the policy is set, only the first user who signs into the device gets the Enrollment Status Page
  • How can I disable the Enrollment Status Page if it has been configured on the device?

    • Enrollment status page policy is set on a device at the time of enrollment. To disable the Enrollment Status Page, you must disable both the user and the device Enrollment Status Page sections. You disable the sections by creating custom OMA-URI settings with the following configurations.

      Disable user Enrollment Status Page:

      Name:  Disable User ESP (choose a name you desire)
      Description:  (enter a description)
      OMA-URI:  ./Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage
      Data type:  Boolean
      Value:  True

      Disable device Enrollment Status Page:

      Name:  Disable Device ESP (choose a name you desire)
      Description:  (enter a description)
      OMA-URI:  ./Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipDeviceStatusPage
      Data type:  Boolean
      Value:  True

  • How can I collect log files?

    • There are two ways Enrollment Status Page log files can be collected:

      • Enable the ability for users to collect logs in the ESP policy. When a timeout occurs in the Enrollment Status Page, the end user can choose the option to Collect logs. By inserting a USB drive, the log files can be copied to the drive.
      • Open a command prompt by pressing the Shift+F10 key sequence, then enter the following command line to generate the log files:
      mdmdiagnosticstool.exe -area Autopilot -cab <pathToOutputCabFile>.cab

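The two OMA-URI settings from the "How can I disable the Enrollment Status Page" answer above, created as a single custom configuration profile through Microsoft Graph. This is an added example, not code from the Intune documentation; it assumes the Microsoft.Graph PowerShell SDK is installed, that Connect-MgGraph has already been run with the DeviceManagementConfiguration.ReadWrite.All scope, and that <TARGET-GROUP-ID> is replaced with the id of the Azure AD group that should receive the profile.

```powershell
# Added example: one windows10CustomConfiguration profile carrying both DMClient CSP
# FirstSyncStatus settings from the troubleshooting answer above.
$profileBody = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Disable ESP (user and device)'
    description   = 'Skips both Enrollment Status Page phases via the DMClient CSP'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingBoolean'
            displayName   = 'Disable User ESP'
            description   = 'Skip the user phase of the Enrollment Status Page'
            omaUri        = './Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage'
            value         = $true
        },
        @{
            '@odata.type' = '#microsoft.graph.omaSettingBoolean'
            displayName   = 'Disable Device ESP'
            description   = 'Skip the device phase of the Enrollment Status Page'
            omaUri        = './Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipDeviceStatusPage'
            value         = $true
        }
    )
}

# Create the profile. Invoke-MgGraphRequest returns the created deviceConfiguration, including its id.
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body ($profileBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Assign the profile to a group. The group id below is a placeholder, not a value from the page.
$assignBody = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = '<TARGET-GROUP-ID>'
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Read the profile back to confirm both OMA-URI settings were stored as Boolean True.
(Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)").omaSettings |
    Select-Object displayName, omaUri, value
```

Because ESP policy is only evaluated at enrollment time (see the Known issues section), the profile must reach a device before it enrolls; assigning it afterwards does not remove an ESP that was already applied.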

Known issues

The following are known issues related to the Enrollment Status Page.

  • Disabling the ESP profile doesn't remove ESP policy from devices, and users still get the ESP when they sign in to the device for the first time. The policy isn't removed when the ESP profile is disabled. You must deploy OMA-URI settings to disable the ESP. See above for instructions on how to disable the ESP using OMA-URI.
  • A reboot during Device setup will force the user to enter their credentials before transitioning to Account setup phase. User credentials aren't preserved during reboot. Have the user enter their credentials then the Enrollment Status Page can continue.
  • Enrollment Status Page will always time out during an Add work and school account enrollment on Windows 10 versions less than 1903. The Enrollment Status Page waits for Azure AD registration to complete. The issue is fixed in Windows 10 version 1903 and newer.
  • Hybrid Azure AD Autopilot deployment with ESP takes longer than the timeout duration defined in the ESP profile. On Hybrid Azure AD Autopilot deployments, the ESP will take 40 minutes longer than the value set in the ESP profile. This delay gives time for the on-prem AD connector to create the new device record to Azure AD.
  • Windows logon page isn't pre-populated with the username in Autopilot User Driven Mode. If there's a reboot during the Device Setup phase of ESP:
    • the user credentials aren't preserved
    • the user must enter the credentials again before proceeding from Device Setup phase to the Account setup phase
  • ESP is stuck for a long time or never completes the "Identifying" phase. Intune computes the ESP policies during the identifying phase. A device may never complete computing ESP policies if the current user doesn't have an Intune license assigned.
  • Configuring Microsoft Defender Application Control causes a prompt to reboot during Autopilot. Configuring Microsoft Defender Application Control (AppLocker CSP) requires a reboot. When this policy is configured, it may cause a device to reboot during Autopilot. Currently, there's no way to suppress or postpone the reboot.
  • When the DeviceLock policy (https://docs.microsoft.com/windows/client-management/mdm/policy-csp-devicelock) is enabled as part of an ESP profile, the OOBE or user desktop autologon could fail unexpectedly for two reasons.
    • If the device didn't reboot before exiting the ESP Device setup phase, the user may be prompted to enter their Azure AD credentials. This prompt occurs instead of a successful autologon where the user sees the Windows first login animation.
    • The autologon will fail if the device rebooted after the user entered their Azure AD credentials but before exiting the ESP Device setup phase. This failure occurs because the ESP Device setup phase never completed. The workaround is to reset the device.

Next steps

After you set up Windows enrollment pages, learn how to manage Windows devices. For more information, see What is Microsoft Intune device management?