Windows Autopilot moves customers away from custom imaging and driver management, instead leveraging Microsoft Intune to transform a device into one that is ready for productive use. Intune supports a lot of different policies that can be used to configure the device, but in many cases there aren't any policies that enable configuring defaults. For example, what if you wanted to configure the Start menu layout, but wanted the user to be able to change any part of it?
Most of these types of customizations can be done via scripts, similar to the way that you did them when you were building custom images. But instead of baking them into the image, you now need to apply them to the device "just in time" - typically before a user signs on for the first time. With Windows Autopilot, we can leverage the Enrollment Status Page (ESP) to ensure that these machine configurations are made before the user signs in. But those capabilities vary by OS release:
- Windows 10, version 1803 and above can leverage the ESP to block user login until all policies, certs, and device-targeted single-file MSIs (LOB apps) have been processed.
- Windows 10, version 1809 and above adds the ability to block until Office 365 ProPlus has been installed.
- Windows 10, version 1903 and above will have the ability to block until Win32 apps (installed by the Intune Management Extensions) and PowerShell scripts have been installed or processed.
So, you could just leverage a PowerShell script to do the configuration steps that are necessary - but since few of you are deploying Windows 10, version 1903 broadly yet (not surprising, as it's not yet released), that would be rather limiting.
To do this in a way that works with Windows 10, version 1803 and above, you can take the same PowerShell script logic and embed it into a Windows Installer MSI; that MSI can then be targeted to a group of devices (e.g. All Autopilot Devices). As long as you have enabled ESP and configured it to be blocking, this MSI install will complete before the user signs in.
Since I suspect quite a few of you have never created a "hand-crafted" MSI with an embedded PowerShell script, I thought it would be useful to publish an example. You can find that example here:
https://github.com/mtniehaus/AutopilotBranding
Included in that example is a PowerShell script that performs the following customizations:
- Customize start menu layout. By default it will apply a simple two-icon layout (similar to the default one on Windows 10, version 1903, but without the Office app).
- Configure background image. A custom theme is deployed with a background image; the default user profile is then configured to use this theme. (Note that this won't work if the user is enabled for Enterprise State Roaming and has previously configured a background image.)
- Set time zone. The time zone will be set to the specified time zone name (Pacific Standard Time by default).
- Remove in-box provisioned apps. A list of in-box provisioned apps will be removed.
- Install updated OneDrive client per-machine. To support the latest OneDrive features, the client will be updated and installed per-machine (instead of the per-user default).
- Disable the Microsoft Edge desktop icon. When using OneDrive Known Folder Move, this can cause duplicate (and unnecessary) shortcuts to be synced.
Feel free to download this from GitHub, customize it as you see fit, and then build your own custom MSI that can be deployed via Intune. The necessary instructions for creating (building) the MSI are included in the GitHub repository.
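As an added illustration (this is not the script from the AutopilotBranding repository), the following PowerShell shows how two of the customizations listed above, the time zone and the removal of in-box provisioned apps, can be scripted so that they are safe to re-run and leave a transcript of what was changed while running as SYSTEM. The app names and the log path are constructed placeholders; the default time zone name is the one mentioned above.

```powershell
# Added example, not the AutopilotBranding script. Intended to run elevated
# (as SYSTEM when launched from a device-targeted MSI during the ESP).
[CmdletBinding()]
param(
    [string]   $TimeZoneId   = 'Pacific Standard Time',
    # Constructed sample list: replace with the provisioned apps you want gone.
    [string[]] $AppsToRemove = @('Microsoft.GetHelp', 'Microsoft.Getstarted'),
    # Hypothetical log location, chosen only for this example.
    [string]   $LogPath      = "$env:ProgramData\ExampleBranding\Branding.log"
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path (Split-Path -Path $LogPath) -Force | Out-Null
Start-Transcript -Path $LogPath -Append | Out-Null
$failures = 0

try {
    # Time zone: only touch the setting when it differs, so re-runs are no-ops.
    if ((Get-TimeZone).Id -ne $TimeZoneId) {
        Set-TimeZone -Id $TimeZoneId
        Write-Output "Time zone set to '$TimeZoneId'"
    } else {
        Write-Output "Time zone already '$TimeZoneId'"
    }

    # Provisioned apps: query once, then remove only what is actually present.
    $provisioned = Get-AppxProvisionedPackage -Online
    foreach ($name in $AppsToRemove) {
        $matches = @($provisioned | Where-Object DisplayName -eq $name)
        if ($matches.Count -eq 0) {
            Write-Output "$name is not provisioned, skipping"
            continue
        }
        foreach ($pkg in $matches) {
            try {
                Remove-AppxProvisionedPackage -Online -PackageName $pkg.PackageName | Out-Null
                Write-Output "Removed $($pkg.PackageName)"
            } catch {
                # Record the failure but keep going with the remaining apps.
                Write-Warning "Failed to remove $($pkg.PackageName): $_"
                $failures++
            }
        }
    }
}
finally {
    Stop-Transcript | Out-Null
}

# Non-zero exit code lets the caller detect that something was not applied.
if ($failures -gt 0) { exit 1 }
```

Because the script runs with SYSTEM rights on every targeted device, review any list of apps or paths you feed it the same way you would review a change to a reference image.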
If you can think of additional customizations that would be useful, feel free to send them to me via e-mail (mniehaus@microsoft.com), on Twitter (@mniehaus), or via GitHub (submit a new issue). If you want to make some changes yourself, create your own fork and feel free to submit pull requests to have those changes integrated (as long as they are supportable).