Selecting Required Apps for your Enrollment Status Page

Mar 10, 2021

By Jon Callahan – Senior Program Manager | Microsoft Endpoint Manager

 

The Enrollment Status Page is a feature of Microsoft Endpoint Manager that displays progress of preparing the device for management, applying policies, and installing apps during the out-of-box experience (OOBE) of Windows Autopilot. An available configuration is the option to block device use until apps are installed – preventing the user from accessing the desktop for the first time until the device is in an expected state.

 

Screenshot of the Enrollment Status Page

 

Those familiar with Windows operating system deployment using a custom “golden image” may want to block device use until all apps are installed. Blocking on all apps will most closely mimic what IT and users are familiar with in their existing deployment process where a fully configured device is delivered to the user. However, carry-over of this legacy approach comes with trade-offs that may compromise your goals of delivering a better user experience and simplified setup with Autopilot. Successful transition to Autopilot must begin with a careful evaluation of the approach and assumptions of “how” and “why” services are delivered by IT and requires making necessary changes to the experiences and expectations of both IT and users. This post will provide a simple framework for evaluating those trade-offs and discuss how to configure the Enrollment Status Page within Microsoft Intune to meet your goals.

 

Planning for the Enrollment Status Page

The following table can be useful in planning what apps should be configured to block use of the device during the Enrollment Status Page:

Block device use until required apps are installed
  • Critical apps that if missing would lead to an inability to be secure or access core services (ex: VPN, antivirus, etc.)
  • Core productivity apps like Microsoft 365 Apps and Teams
  • Important apps that are likely to be needed within the first 30 minutes to 1 hour of provisioning the device

Required apps that can be installed as the device is used
  • Important apps that may not be needed right away or take a long time to install (ex: CAD software)

Apps that can be installed later from Company Portal
  • Everything else
 

These categories provide a simple framework for maximizing the value of the Enrollment Status Page. The rest of this post will discuss each category in detail and how to configure the desired behavior.

 

Configuring the Enrollment Status Page

The Enrollment Status Page can be configured to block until all apps are installed or until a specific list of apps has been installed.

 

It is important to keep in mind that there are trade-offs to the number of required apps configured to block use of the device:

 

  • User Experience – The Enrollment Status Page will take longer to complete as you increase the number of apps that can block the use of a newly provisioned device. Blocking on apps that are unlikely to be needed right away will unnecessarily delay the device becoming productive.

  • Probability of issues – Every app that can block use of the device adds a chance for something to go wrong. Unforeseen app install issues like a network or power loss could prevent use of the device if these apps are configured to block use.

 

Block only on apps that are required for the device to be acceptable in your environment like critical security apps and important apps that will likely be needed within the first 30 minutes to 1 hour. Required apps not included in your list of blocking apps will continue to install in the background even after the Enrollment Status Page has finished. Any apps that failed to install will automatically try installing again.

 

Block device use until all required apps are installed

Blocking use of the device until all apps have been installed is useful in scenarios where you may have a limited number of required apps that will not take too long to install or for dedicated devices like kiosks where all apps must be installed prior to use.

 

This option is configured by setting "Block device use until these required apps are installed if they are assigned to the user/device" to "All".

 

Screenshot of the Block device use until all required apps are installed toggle

 

Block use until a specific list of apps are installed

Blocking use of the device until a specific list of apps are installed is the most common option and carefully planning this list will help create the best user experience. Not including your critical apps in this list might result in a device that is not yet ready for the user, but including too many apps can make users unhappy as they wait for their device to be ready. Both too few and too many apps in this list can result in unnecessary headaches and calls to the helpdesk.

 

The types of apps to consider blocking device use until they are installed:

 

  • Critical apps – Apps that if missing can lead to an inability to be secure or access core services. These types of apps might include VPN clients, antivirus, or data protection and compliance software.

  • Core productivity – Microsoft 365 Apps and Teams are likely the first apps to be opened on a device. Consider blocking device use on these apps to make sure users can read their emails, chat with colleagues, and access files stored in OneDrive for Business.

  • Important apps – Core business or functional apps that are both necessary and important for the user. These are the apps that will likely be opened within the first 30 minutes to 1 hour of receiving the device, and if missing there will be a loss of productivity or ability to execute. This is likely a short list of apps.

 

This option is configured by setting "Block device use until these required apps are installed if they are assigned to the user/device" to "Selected" and adding apps to the "Selected apps" list.

 

Screenshot of the Block device use until all required apps are installed toggle and Application list

 

Note that adding apps to this list does not mean that only those apps will install during the Enrollment Status Page:

 

  • Apps do not install in any specific order – Adding apps to your list of blocking apps for the Enrollment Status Page does not mean that only those apps will install or that those apps will install first. Additional required apps may install in the background while the Enrollment Status Page is displayed that are not included in this list.

  • Win32 app dependencies – App dependencies may install in the background before a Win32 app included in your blocking apps list. The Enrollment Status Page will block device use until the Win32 app and its required dependencies have been installed.
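
One way to check a planned "Selected apps" list against the categories above, as an added example that is not from the original post or from Microsoft. The app names, the fields `category`, `intent` and `install_minutes`, and the 30-minute budget are assumptions made for illustration and are not Intune properties.

```python
# Added example: audit an ESP blocking list against the post's three categories.
# All app names, field names and thresholds below are constructed for illustration.
BLOCKING_CATEGORIES = {"critical", "core_productivity", "important_first_hour"}

# Constructed inventory: category follows the planning table, intent is the
# assignment intent, install_minutes is an estimate you would measure yourself.
APPS = [
    {"name": "Contoso VPN", "category": "critical", "intent": "required", "install_minutes": 2},
    {"name": "Contoso AV", "category": "critical", "intent": "required", "install_minutes": 4},
    {"name": "Microsoft 365 Apps", "category": "core_productivity", "intent": "required", "install_minutes": 12},
    {"name": "Contoso CAD", "category": "long_install", "intent": "required", "install_minutes": 45},
    {"name": "PDF Viewer", "category": "everything_else", "intent": "available", "install_minutes": 1},
]

def audit_blocking_list(apps, selected, budget_minutes=30):
    """Return (severity, message) findings for a planned 'Selected apps' list."""
    by_name = {a["name"]: a for a in apps}
    findings = []
    for name in selected:
        app = by_name.get(name)
        if app is None:
            findings.append(("error", f"{name}: not in inventory"))
            continue
        # The setting applies to required apps assigned to the user/device.
        if app["intent"] != "required":
            findings.append(("error", f"{name}: listed but not assigned as required"))
        if app["category"] not in BLOCKING_CATEGORIES:
            findings.append(("warn", f"{name}: category '{app['category']}' should not block"))
    # Security gap: a critical app the Enrollment Status Page will not wait for.
    for app in apps:
        if app["category"] == "critical" and app["name"] not in selected:
            findings.append(("error", f"{app['name']}: critical app missing from blocking list"))
    # Rough serial estimate; the budget is an assumption, not an Intune limit.
    total = sum(by_name[n]["install_minutes"] for n in selected if n in by_name)
    if total > budget_minutes:
        findings.append(("warn", f"blocking apps total {total} min, over {budget_minutes} min budget"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_blocking_list(APPS, ["Contoso VPN", "Contoso CAD", "PDF Viewer"]):
        print(severity, message)
```

Errors mark a device that could reach the desktop without a critical app; warnings mark apps that lengthen the Enrollment Status Page without needing to block.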

 

Apps that can be installed as the device is used

Do not block device use on apps that are unlikely to be needed immediately or can take a long time to download and install, like CAD software. Including these apps in your list would unnecessarily delay the device from becoming productive. Plug-ins, file viewer and utility apps, or business apps that are not used all the time are other examples of this type of app.

 

Required apps will install automatically in the background as the device is used. In most cases, these apps will already be installed by the time they are needed.

 

You may want to communicate to users in printed documentation included with their new device that not all apps will be installed when they first log on, but that they should be installed soon. This will help avoid unnecessary calls to the helpdesk.

 

Apps available in Company Portal

All other apps can be made available in Company Portal for the user to install as needed. Assigning apps that are not needed as required will waste disk space, increase the overhead of managing and updating the app over time, and potentially increase the attack surface of a device if security vulnerabilities are later discovered.

 

Communicate to users that they can install additional apps from Company Portal without having to contact the helpdesk.

 

More info and feedback

For further resources on the Enrollment Status Page, please see the links below.

Windows Autopilot Enrollment Status Page

Set up the Enrollment Status Page

Understand and troubleshoot the Enrollment Status Page

 

Let us know if you have any additional questions by replying to this post or reaching out to @IntuneSuppTeam on Twitter.

Updated Dec 19, 2023
  • prajith111
    Copper Contributor

    Hi

     

    How will apps install in ESP? Suppose I added 10 apps, which one will install first?

     

    Thanks,

    Prajith

  • rahuljindal-MVP
    Bronze Contributor

    One way you can sequence the installation is by adding dependencies. ConfigMgr agent can be installed after the user logs in. The assignment can be against a dynamic group. 

  • I'm looking at similar issues. I have 4 apps I need to include and have installed by the time the user gets to logon (including a VPN software). I'm going to bundle everything into one Win32 app and install that way and block ESP on that single app. It's also hybrid joined enrolment policy.

    I'm confused on what to do with the MECM agent though. See here it states

     

    You can't deploy the Configuration Manager client while provisioning a new computer in Windows Autopilot user-driven mode for hybrid Azure AD join. This limitation is due to the identity change of the device during the hybrid Azure AD-join process. Deploy the Configuration Manager client after the Autopilot process. For alternative options to install the client, see Client installation methods in Configuration Manager.

     

    So how to deploy after the autopilot process?

  • JRobl610
    Copper Contributor

    From ConfigMgr to Intune it should be the same but I guess it's not. The ESP Page should be just like a task sequence. Will there be any other side that will be added to the ESP like cloud-run books?

  • Ryan Pertusio
    Brass Contributor

    The biggest understatement comes from Derek_Pickell in the comment right above mine about the MECM agent.

     

    There should be at least 1 recommended way that works to install MEM:ConfigMgr agent as part of MEM:Intune AutoPilot that works for AADJ and HADJ.  (In my case, I'm AADJ and the MECM agent is among the most difficult trial-and-error experiments.)

     

    As a customer, I expect that 2 products (Intune + ConfigMgr) with the same branding ("Microsoft Endpoint Manager") will be treated as complementary services and not only work together, but have clear documentation so there's no confusion.

  • Derek_Pickell
    Brass Contributor

    The one app that flies in the face of all this logic, e.g. when to have it in the blocking list and when to have it set to Required, is the SCCM Client, during Hybrid Join mode with Co-Management enabled.  If the SCCM client is in the Blocking List and it installs successfully and Configuration Manager becomes active then it will become the management authority and it will cause the provisioning process to fail. The Intune Management Extension no longer has authority and cannot proceed.

    My challenge, which I have not yet resolved, is how to have the SCCM client install reasonably quickly (e.g. within an hour) after the provisioning process has completed. I have it set to Required Intent and NOT in the ESP list of apps to wait for, and it does EVENTUALLY install, but often not for hours or until the next day.  We have a whole bunch of work we need the SCCM client to do for us to get the device to where we need it to be, configuration-wise, and this can't start until the client is installed and working. There does not seem to be any way to prioritize an app install outside of the blocking list.