Fast sign-in experience on Windows Autopilot enrolled Shared Devices

Consider a scenario where you use Windows Autopilot and the Enrollment Status Page to deploy devices that are shared amongst multiple users. By default, every user that logs on to the device will go through the account setup phase of the enrollment status page. This can be a lengthy process for users who just want to log in and use the device.

Especially if you deploy many resources assigned to devices in system context, and only a few in user context, you may want to shorten the sign-in time. You can do so by opting out of the account setup phase and relying solely on the device setup phase.

Before getting to how to skip the account setup phase, let’s first walk through how a device is deployed with Windows Autopilot and the Enrollment Status Page.

Introduction to Windows Autopilot and the Enrollment Status Page

With Windows Autopilot combined with the Enrollment Status Page, you can set up and pre-configure new devices, getting them ready for productive use.

Windows Autopilot enables you to automatically join devices to Azure Active Directory (Azure AD) or Active Directory (via Hybrid Azure AD Join) and auto-enroll these devices into MDM services, such as Microsoft Intune.

Together with the Windows Autopilot Enrollment Status Page, you can display the status of the complete device configuration process, providing information to the user to show that the device is being set up. The enrollment status page can be configured to prevent access to the desktop until the configuration is complete.

The enrollment status page typically tracks device configuration information, which is divided into three phases:

  • Device preparation
  • Device setup
  • Account setup

Device preparation

During the device preparation phase, the enrollment status page tracks Trusted Platform Module (TPM) key attestations (when applicable), progress in joining Azure Active Directory, and enrolling into Intune.

When the enrollment status page has finished device preparation, it automatically continues to the device setup phase.

Device setup

For the device setup phase, the enrollment status page tracks items, such as device configuration profiles and applications, assigned to the device.

When the device setup phase is completed, any user is able to log in to the device, after which the account setup phase is activated.

Account setup

For the account setup phase, the enrollment status page tracks items, such as device configuration profiles and applications, assigned to the user.

For a full list of items being tracked by the enrollment status page, refer to the Microsoft documentation on enrollment status page tracking information.

Fast sign-in experience on Shared Devices

By default, the account setup phase runs for every unique user that logs in on a device for the first time. Unfortunately, in scenarios where many devices are deployed that are shared amongst multiple users, this can be a lengthy process for a user. Fortunately, since Windows 10, version 1803, you can opt out of the account setup phase.

Note: When you skip the account setup phase, settings that are assigned to users rather than devices might not be available to users directly after their first sign-in. These settings will be applied on the go, once users have access to their desktop.

For details about the underlying implementation of the enrollment status page, the Microsoft Docs refer to the FirstSyncStatus details in the DMClient CSP documentation.

In Windows 10, version 1803, the SkipUserStatusPage node was added to the FirstSyncStatus node, with a description of: “Required. Device only. Added in Windows 10, version 1803. This node decides whether or not the MDM user progress page skips after Azure AD joined or DJ++ after user login.”

How to configure the SkipUserStatusPage node in Intune

Using the SkipUserStatusPage node, you can skip the account setup phase. This enables users to get access to their desktop even faster when they log in to the device after a successful device setup.

Currently, it is not possible to configure this setting from the enrollment status page UI in the management portal. However, you can configure this by creating a custom device configuration profile, using the steps below:

  • Navigate to the Microsoft 365 Device Management portal
  • Open the Device configuration blade
  • Click on Profiles and + Create a profile
    • Enter a name for your profile, for example: Skip Account Setup
    • Select the Windows 10 and later platform
    • Select Custom as the profile type
  • Click Add
    • Enter a Name for the custom OMA-URI, for example: SkipUserStatusPage
    • Enter the OMA-URI: ./Device/Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage
    • For the data type, select Boolean
    • For the boolean value, select True
  • Save the device configuration profile

Now that the device configuration is created, you can assign it to your devices. When enrolling new devices, this setting will be applied during the device setup phase.

Every user that logs in to the device after the device setup phase is complete will skip the account setup phase, experiencing an even faster sign-in!

Note: The device configuration can only be assigned to devices; it will not apply when assigned to users. You can also assign the profile to existing devices. After such a device syncs with Intune, users that have never accessed that device before will also skip the account setup phase.

As always, if you have any feedback or questions, I’d be happy to hear them!
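
The same profile can also be created and assigned through Microsoft Graph instead of the portal. The script below is an added example, not part of the original post: it builds the custom profile from the steps above, checks that the target group contains only devices (because the profile does not apply to users), and then assigns it. The group ID is a placeholder, and the Microsoft.Graph.Authentication module is assumed to be installed.

```powershell
# Added example, not from the original post.
# Requires the Microsoft.Graph.Authentication module.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All', 'GroupMember.Read.All'

$graph         = 'https://graph.microsoft.com/v1.0'
$deviceGroupId = '<device-group-object-id>'   # placeholder: Azure AD group holding the shared devices

# Custom profile with the single OMA-URI setting from the steps above.
$config = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Skip Account Setup'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingBoolean'
            displayName   = 'SkipUserStatusPage'
            omaUri        = './Device/Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage'
            value         = $true
        }
    )
}

# The profile only applies when assigned to devices, so refuse a group that
# contains anything else (this checks the first page of members only).
$members    = (Invoke-MgGraphRequest -Method GET -Uri "$graph/groups/$deviceGroupId/members").value
$nonDevices = @($members | Where-Object { $_.'@odata.type' -ne '#microsoft.graph.device' })
if ($nonDevices.Count -gt 0) {
    throw "Group $deviceGroupId contains $($nonDevices.Count) non-device member(s); use a device group."
}

# Create the device configuration profile.
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceManagement/deviceConfigurations" `
    -Body ($config | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Assign the new profile to the device group.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $deviceGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType 'application/json'

"Created profile $($created.id) and assigned it to device group $deviceGroupId"
```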

5 thoughts on “Fast sign-in experience on Windows Autopilot enrolled Shared Devices”

  1. Hey, John.

    Thanks for your great contributions!
    But can’t you just hide the enrollment status page and not get the message?
    Last time I had to use the same policy because of AutoPilot problems, but if everything went fine the setting in the DEP: “Show app and profile installation progress” as no would help, wouldn’t it?

    Dear greetings
    Sascha

    1. Hi Sascha,

      Thank you for your comment.

      Yes, you can hide the enrollment status page, but what I’m trying to achieve is to still get an enterprise ready device, just using the “Device setup” step and skipping the “Account setup” step. For example: Deploying the Office 365 ProPlus suite to all devices, and maybe some applications that should be installed in SYSTEM context, so that they are available for every user on the device. Those applications will be installed on the device during the “Device setup” phase. As soon as a user logs in, the “Account setup” phase is skipped, and those applications are already available.

      If we set the “Show app and profile installation progress” to no, the enrollment status page is skipped, that means it does not track the device setup either. But I do want the device to be ready for productive use, just willing to skip the last phase (account setup), which will apply settings and install applications in the user’s context, as it can be a lengthy process, which end users on shared devices might not even need to wait on, depending on your Intune configuration.

      Regards,

      John

  2. If you truly want to speed up the sign-in experience you might also want to add the authentication CSP: EnableFastFirstSignIn

    1. Hi pm,

      I agree that the EnableFastFirstSignIn CSP is even faster, and will also skip the “Account setup” phase. This setting is available since 1809, but I’ve had issues using it on that version. After the “Device setup” phase some devices would already have accessed the desktop with a local account named “New user #”, and on other devices it would prompt with the login interface that is expected. I’ve deployed this with Shared PC Mode enabled too, maybe there’s some conflict.

      Might be worth another test, with and without Shared PC Mode enabled, and maybe include 1903 in it too 🙂

      Regards,

      John
