Blog Post

Intune Customer Success
3 MIN READ

Update to Windows Autopilot pre-provisioning process for app installs

Intune_Support_Team's avatar
Intune_Support_Team
Silver Contributor
Feb 27, 2023

By: Juanita Baptiste, Sr Product Manager and Kiran Alli Prinicipal Software Engineer | Microsoft Intune

 

Windows Autopilot enables IT pros to provision devices in ways that work best for their organization, including pre-provisioning (formally known as white glove). We understand that, for many customers, installing as many applications as possible during pre-provisioning is desired to reduce the user setup time. To help customers achieve this, we’ll be implementing an option to attempt the installation of all required apps assigned to a device during technician phase. In case of app installation failure, the Enrollment Status Page (ESP) will continue except for those apps specified in the ESP profile.

 

How this works

The purpose of the ESP is to block device use until essential policies and apps are applied. While there’s no ability to sequence the apps today, ESP will prioritize installation of the selected blocking apps first (Win32 apps only). Blocking applications will prevent the user from getting to the desktop until it’s successfully installed. For customers using pre-provisioning to install as many apps as possible on the device at the same time, you would need to select the All option on the Block device use until required apps are installed if they are assigned to the user/device setting in the ESP profile. With this option selected, your deployments may fail for nonessential apps which could result in device resets and increased setup time for users.

 

With this new feature, ESP will continue to block device use until other targeted apps are at least attempted during the technician phase. ESP won’t fail the deployment if the non-blocking app is unsuccessful. For example, if only three critical apps are needed for installation, you can specify them as the blocking apps and use the new toggle to only fail the deployment if one of those three apps fails. This is a configurable function and, if it’s not enabled, the previous pre-provisioning behavior remains, including attempting to install other targeted and required applications for the device or user after the technician phase is completed, depending on how long the device has network connectivity post ESP.

 

How to enable this change

This change is expected with Intune’s March (2303) service release and requires the IT pro to enable this option within the ESP profile. Existing deployments and profiles will not be impacted unless explicitly changed. To enable this change on existing profiles, you’ll need to edit your ESP profile by selecting Yes on the new setting Only fail selected apps in technician phase. For new profiles, this setting is set to Yes by default for pre-provisioning devices. To disable this setting, select No. Note that this setting will only appear as an option if you have blocking apps selected and only apply for devices going through pre-provisioning.

 

An example of the Windows enrollment, Enrollment Status Page feature in the Microsoft Endpoint Manager admin center.

 

Keep in mind that when you enable this setting, you should expect that the time to provision during the technician phase may take longer, depending on the number of applications targeted. If you’re using a third party to provision your devices, please make them aware of the potential change in provisioning time.

 

Frequently Asked Questions (FAQs)

  • Does this feature also install required apps that have dependencies?
    • Yes, any required apps that are targeted to the user and has a dependency will be attempted but will not fail the deployment.

  • Do we prioritize the blocking apps to be installed first?
    • No, in this scenario, ESP will wait until both blocking and required apps are attempted.

  • What happens if a required app fails?
    • If a required app fails, ESP will continue, and the app will be retried again when the user logs in.

  • What happens if a blocking app fails?
    • If a blocking app fails, the Autopilot deployment fails.

  • If ESP times out while installing required apps, does it fail the deployment?
    • Yes, if ESP times out while still installing required apps, the process will fail due to time out so IT pros will need to increase their time out if enabling this feature.

 

Let us know if you have any additional questions by replying to this post or reaching out to @IntuneSuppTeam on Twitter.

 

Post Updates:

03/10/23: added section with frequently asked questions. Thanks for the feedback!

Updated Mar 10, 2023
Version 2.0

27 Comments

Sort By
Show More
  • geirdybbugt's avatar
    geirdybbugt
    Copper Contributor
    Feb 28, 2023

    Hopefully you will implement this before year 2300 🙂

     

    "This change is expected with Intune’s March (2303)"

  • BilalelHadd's avatar
    BilalelHadd
    Iron Contributor
    Feb 28, 2023

    Nice! This would help a lot.

    I would like to see a new feature back where it is possible to change the installation order.

  • johnjjohn's avatar
    johnjjohn
    Iron Contributor
    Feb 28, 2023

    I understand Win32 app is a requirement for this feature, could you confirm "Microsoft 365 Apps" app deployment cannot be used?

  • JuanitaBaptiste's avatar
    JuanitaBaptiste
    Icon for Microsoft rankMicrosoft
    Feb 27, 2023

    Hi DanielDavila we have not changed any behavior with blocking apps in ESP. What you are experiencing is the intended day 0 AP behavior. When using Win32 apps only during ESP, all other Win32 apps are deferred until after ESP completes. If you are using other app services like LoB apps, there is no deferral process, and those apps may come down during ESP. 

  • Rudy_Ooms_MVP's avatar
    Rudy_Ooms_MVP
    MVP
    Feb 27, 2023

    Sounds like a great improvement (for those who like to install all apps during pre-pro 🙂 )

    Can't wait to check out what happens underneath 🙂 ..

  • DanielDavila's avatar
    DanielDavila
    Brass Contributor
    Feb 27, 2023

    There's some confusion in the documentation vs observation, can you clarify?

    The ESP documentation page linked for "essential policies and apps are applied" describes previously understood and tested behavior where, all device assigned apps will still get installed, but ESP simply doesn't track apps that are not on the Blocked Apps list.

    Example from the link:

     

    The apps that are included in this list are used by Intune to filter the list that should be considered blocking. It doesn't specify what apps should be installed. For example, if you configure this list to include "App 1," "App 2," and "App 3" and "App 3" and "App 4" are targeted to the device or user, the ESP will track only "App 3." "App 4" will still be installed, but the ESP will not wait for it to complete.

    The Blocking apps behavior seems to have changed; instead of ESP simply not tracking apps that are assigned to devices but not on the Blocked Apps list, the IME Agent actively queries only apps on the Blocked List (or all apps if no Blocked Apps are defined) and only installs those apps during Device Setup phase.

     

    The remaining apps will skip the User OOBE phase and install sometime after the user gets to their desktop but it's not immediate, it seems to happen on the next few IME agent policy syncs (minutes to hours later).

     

    https://call4cloud.nl/2021/06/those-magnificent-drivers-in-their-flying-microsoft-store-or-how-i-flew-from-the-enrolment-status-page-to-paris-in-25-hours-11-minutes/#part3 and this has been confirmed with Win10 and Win11 testing with pre-provisioning.