Fast sign-in experience on Windows Autopilot enrolled Shared Devices

Consider a scenario where you deploy devices that are shared amongst multiple users with Windows Autopilot and the Enrollment Status Page. By default, every user who logs on to the device goes through the account setup phase of the enrollment status page. This can be a lengthy process for users who just want to log in and use the device.

Especially if most of your resources are assigned to devices in the system context and only a few in the user context, you may want to improve the sign-in experience by decreasing sign-in time. You can achieve that by opting out of the account setup phase and relying solely on the device setup phase.

Before getting to how to skip the account setup phase, let’s first walk through how a device is deployed with Windows Autopilot and the Enrollment Status Page.

Introduction to Windows Autopilot and the Enrollment Status Page

With Windows Autopilot combined with the Enrollment Status Page, you can set up and pre-configure new devices, getting them ready for productive use.

Windows Autopilot enables you to automatically join devices to Azure Active Directory (Azure AD) or Active Directory (via Hybrid Azure AD Join) and auto-enroll these devices into MDM services, such as Microsoft Intune.

Together with the Windows Autopilot Enrollment Status Page, you can display the status of the complete device configuration process, providing information to the user to show that the device is being set up. The enrollment status page can be configured to prevent access to the desktop until the configuration is complete.

The enrollment status page typically tracks device configuration information, which is divided into three phases:

  • Device preparation
  • Device setup
  • Account setup

Device preparation

During the device preparation phase, the enrollment status page tracks Trusted Platform Module (TPM) key attestations (when applicable), progress in joining Azure Active Directory, and enrolling into Intune.

When the enrollment status page has finished device preparation, it automatically continues to the device setup phase.

Device setup

For the device setup phase, the enrollment status page tracks items, such as device configuration profiles and applications, assigned to the device.

When the device setup phase is completed, any user is able to log in to the device, after which the account setup phase is activated.

Account setup

For the account setup phase, the enrollment status page tracks items, such as device configuration profiles and applications, assigned to the user.

For a full list of items tracked by the enrollment status page, refer to the enrollment status page tracking information in the Microsoft documentation.

Fast sign-in experience on Shared Devices

By default, the account setup phase runs for every unique user who logs in on a device for the first time. Unfortunately, in scenarios where many devices are deployed that are shared amongst multiple users, this can be a lengthy process for each user. Fortunately, since Windows 10, version 1803, you can opt out of the account setup phase.

Note: When you skip the account setup phase, settings that are assigned to users rather than devices might not be available to users directly after their first sign-in. These settings are applied on the go, once users already have access to their desktop.

For details about the underlying implementation of the enrollment status page, the Microsoft Docs refer to the FirstSyncStatus details in the DMClient CSP documentation.

In Windows 10, version 1803, the SkipUserStatusPage node was added to the FirstSyncStatus node, with a description of: “Required. Device only. Added in Windows 10, version 1803. This node decides whether or not the MDM user progress page skips after Azure AD joined or DJ++ after user login.”

How to configure the SkipUserStatusPage node in Intune

Using the SkipUserStatusPage node, you can skip the account setup phase. This lets users reach their desktop even faster when they log in to the device after a successful device setup.

Currently, it is not possible to configure this setting from the enrollment status page UI in the management portal. However, you can configure it by creating a custom device configuration profile, using the steps below:

  • Navigate to the Microsoft 365 Device Management portal
  • Open the Device configuration blade
  • Click on Profiles and + Create a profile
    • Enter a name for your profile, for example: Skip Account Setup
    • Select the Windows 10 and later platform
    • Select Custom as the profile type
  • Click Add
    • Enter a Name for the custom OMA-URI, for example: SkipUserStatusPage
    • Enter the OMA-URI: ./Device/Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage (the space in “MS DM Server” is part of the path, so copy it exactly)
    • For the data type, select Boolean
    • For the boolean value, select True
  • Save the device configuration profile
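The same profile can be created and assigned without clicking through the portal. The following PowerShell is an added example, not code from the original post: it uses the Microsoft.Graph PowerShell SDK (Invoke-MgGraphRequest) to POST a windows10CustomConfiguration with one omaSettingBoolean to the beta deviceManagement/deviceConfigurations endpoint, then assigns it to a device group. It assumes you have the Microsoft.Graph module installed, that your account can consent to DeviceManagementConfiguration.ReadWrite.All, and that $DeviceGroupId (a placeholder below) is the object ID of an Azure AD group containing devices, not users.

```powershell
# Added example (not from the original post): create the "Skip Account Setup"
# custom profile and assign it to a device group through Microsoft Graph.
# Assumptions: Microsoft.Graph SDK installed (Install-Module Microsoft.Graph),
# and $DeviceGroupId is the object ID of an Azure AD *device* group.

$DeviceGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: replace with your device group

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# OMA-URI from the post. The space in "MS DM Server" is part of the path.
$omaUri = './Device/Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage'

# Same content as the portal steps: a custom Windows 10 profile with one Boolean OMA-URI setting.
$customProfile = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Skip Account Setup'
    description   = 'Skips the Account setup phase of the Enrollment Status Page on shared devices'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingBoolean'
            displayName   = 'SkipUserStatusPage'
            omaUri        = $omaUri
            value         = $true
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' `
    -Body ($customProfile | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Assign to a device group only. The node is ./Device scoped, so a user-group
# target would be accepted by Intune but never applied.
$assignment = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $DeviceGroupId
            }
        }
    )
}

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType 'application/json'

"Created profile $($created.id) and assigned it to group $DeviceGroupId"
```

Keeping the profile in source like this also lets you diff it later, which matters here because a single wrong character in the OMA-URI (the missing space, a different provider name) produces a profile that reports success in the portal but changes nothing on the device.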

Now that the device configuration profile is created, you can assign it to your devices. When enrolling new devices, this setting is applied during the device setup phase.

Every user who logs in to the device after the device setup phase is complete will skip the account setup phase, experiencing an even faster sign-in!

Note: The device configuration profile can only be assigned to devices; it will not apply when assigned to users. You can also assign the profile to existing devices: after a device syncs with Intune, users who have never accessed that device before will also skip the account setup phase.
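To confirm on a device that the setting actually arrived before you hand the device to its first shared user, you can read the values the ESP tracks locally. This is an added example, not from the original post, and it assumes the DMClient FirstSyncStatus values are mirrored in the registry under HKLM:\SOFTWARE\Microsoft\Enrollments\<EnrollmentId>\FirstSync (a location I am assuming from the way ESP keeps its state; verify it on your build). Run it elevated on an enrolled device.

```powershell
# Added example (not from the original post): report the ESP FirstSync state
# for every MDM enrollment on this device, including SkipUserStatusPage.
# Assumption: FirstSyncStatus values are stored under
# HKLM:\SOFTWARE\Microsoft\Enrollments\<EnrollmentId>\FirstSync. Run elevated.

$enrollmentsKey = 'HKLM:\SOFTWARE\Microsoft\Enrollments'

$enrollments = Get-ChildItem $enrollmentsKey -ErrorAction Stop |
    Where-Object { Test-Path (Join-Path $_.PSPath 'FirstSync') }

if (-not $enrollments) {
    Write-Warning "No enrollment with a FirstSync key found under $enrollmentsKey"
    return
}

foreach ($enrollment in $enrollments) {
    $firstSync = Get-ItemProperty (Join-Path $enrollment.PSPath 'FirstSync')

    # A missing value reads as $null, which [bool] turns into $false:
    # the profile has not applied (yet) on this device.
    [pscustomobject]@{
        EnrollmentId                  = $enrollment.PSChildName
        SkipUserStatusPage            = [bool]$firstSync.SkipUserStatusPage
        ServerHasFinishedProvisioning = [bool]$firstSync.ServerHasFinishedProvisioning
        IsSyncDone                    = [bool]$firstSync.IsSyncDone
    }
}
```

If SkipUserStatusPage shows False after the device setup phase has finished, trigger a sync from Settings or the Intune portal and check again; the value only flips once the device has received the profile, which is also the earliest point at which a first-time user will skip the account setup phase.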

As always, if you have any feedback or questions, I’d be happy to hear them!

12 thoughts on “Fast sign-in experience on Windows Autopilot enrolled Shared Devices”

  1. Hey, John.

    Thanks for your great contributions!
    But can’t you just hide the enrollment status page and not get the message?
    Last time I had to use the same policy because of AutoPilot problems, but if everything went fine, the setting in the DEP “Show app and profile installation progress” set to No would help, wouldn’t it?

    Dear greetings
    Sascha

    1. Hi Sascha,

      Thank you for your comment.

      Yes, you can hide the enrollment status page, but what I’m trying to achieve is to still get an enterprise ready device, just using the “Device setup” step and skipping the “Account setup” step. For example: Deploying the Office 365 ProPlus suite to all devices, and maybe some applications that should be installed in SYSTEM context, so that they are available for every user on the device. Those applications will be installed on the device during the “Device setup” phase. As soon as a user logs in, the “Account setup” phase is skipped, and those applications are already available.

      If we set the “Show app and profile installation progress” to no, the enrollment status page is skipped, that means it does not track the device setup either. But I do want the device to be ready for productive use, just willing to skip the last phase (account setup), which will apply settings and install applications in the user’s context, as it can be a lengthy process, which end users on shared devices might not even need to wait on, depending on your Intune configuration.

      Regards,

      John

  2. If you truly want to speed up the sign-in experience you might also want to add the authentication CSP: EnableFastFirstSignIn

    1. Hi pm,

      I agree that the EnableFastFirstSignIn CSP is even faster, and will also skip the “Account setup” phase. This setting is available since 1809, but I’ve had issues using it on that version. After the “Device setup” phase some devices would already have accessed the desktop with a local account named “New user #”, and on other devices it would prompt with the login interface that is expected. I’ve deployed this with Shared PC Mode enabled too, maybe there’s some conflict.

      Might be worth another test, with and without Shared PC Mode enabled, and maybe include 1903 in it too 🙂

      Regards,

      John

  3. Have you noticed this setting causing Microsoft Store for Business not getting pushed to the user’s Microsoft Store, and/or some compliance profiles not syncing well or being delayed?

    After I enabled this the few devices I enrolled afterwards just felt “buggish”. I’m not sure if it is just coincidental. I wonder when you skip this user ESP step, what happens after the user logs in? Does Windows proceed to do all the things it’s meant to do in that step in the background? Let’s say if the laptop got restarted or shutdown in this process, can it potentially cause some issues?

    1. Hi Mike,

      Microsoft Store for Business applications are installed in the user’s context, and they do come later if you skip this phase.

      Compliance Policies have always been buggy in multi-user environments and are currently not supported in multi-user environments either. From the docs at https://docs.microsoft.com/en-us/intune/create-compliance-policy: “Enroll devices to one user, or enroll without a primary user. Devices enrolled to multiple users aren’t supported.”

      If you skip this step during ESP, the settings do come through later on, but the users will already have access to their desktop. Even if a laptop is restarted/shutdown, when it comes back up settings will still be applied.

      Regards,

      John

  4. Hi,
    Thanks very much for this! I was wondering, does this change the device owner? One of the issues I have is that if another user signs in to the device, they aren’t the device owner. As a result this locks the Store for Business down to only the first user that signs in. Do you happen to have a work-around solution for this?
    Thanks,
    Mark.D

    1. Hi Mark,

      This does not change the device owner/primary user. Only the user that enrolls the device will become the primary user. I’m not really sure about the Store for Business, but I know for the Company Portal that this happens too. Intune automatically adds a primary user to a device during or soon after the enrollment. The enrollment method determines when the primary user is added to a device.

      One way to unlock the Company Portal for any user on the device is to enroll the device using Autopilot Self-Deploying mode. Because then there is no primary user and the device is tagged as “Shared”.

      Reference: https://docs.microsoft.com/en-us/intune/remote-actions/find-primary-user#who-is-assigned-as-the-primary-user

      Best regards,

      John

  5. Hello John,

    Thanks for the great tutorial. I’m hoping this will solve my issue with a couple of tweaks. I am enrolling my devices using Group Policy and co-managing them with SCCM. I am using a Device Enrollment Manager account to enroll them, but I was seeing the Account Setup phase when I would log on with a student account. Using the SkipStatusPage OMA-URI as you detailed above did skip the page on devices that had already been enrolled and were seeing this issue, and that is awesome. However I still need to enroll new devices as I am going school by school to enroll as we get them beyond 1803. I am currently trying to enroll a device, but it isn’t “finishing” is the best way I can describe it. It isn’t co-managed as far as SCCM is concerned and it is in the Pilot group. It therefore isn’t getting workloads and also the compliance policy isn’t applicable nor are any of my usual configuration profiles. I realize this is a lot, but that is the long and short of it. Thanks for any help you can be and thanks again for the help you have provided so far!

  6. Thanks for this
    When setting up the “How to configure the SkipUserStatusPage node in Intune” do you assign this to a user group or device group ?