Fast sign-in experience on Windows Autopilot enrolled shared devices

Consider a scenario where you deploy devices that are shared among multiple users with Windows Autopilot and the Enrollment Status Page. By default, every user who logs on to the device goes through the account setup phase of the enrollment status page. This can be a lengthy process for users who just want to log in and use the device.

Especially if you deploy many resources assigned to devices in system context and only a few in user context, you may want to improve the sign-in experience by decreasing sign-in time. You can achieve this by opting out of the account setup phase and relying solely on the device setup phase.

Before getting to how to skip the account setup phase, let's first walk through how a device is deployed with Windows Autopilot and the Enrollment Status Page.

Introduction to Windows Autopilot and the Enrollment Status Page

With Windows Autopilot combined with the Enrollment Status Page, you can set up and pre-configure new devices, getting them ready for productive use.

Windows Autopilot enables you to automatically join devices to Azure Active Directory (Azure AD) or Active Directory (via Hybrid Azure AD Join) and auto-enroll these devices into MDM services, such as Microsoft Intune.

Together with the Windows Autopilot Enrollment Status Page, you can display the status of the complete device configuration process, providing information to the user to show that the device is being set up. The enrollment status page can be configured to prevent access to the desktop until the configuration is complete.

The enrollment status page typically tracks device configuration information, which is divided into three phases:

  • Device preparation
  • Device setup
  • Account setup

Device preparation

During the device preparation phase, the enrollment status page tracks Trusted Platform Module (TPM) key attestations (when applicable), progress in joining Azure Active Directory, and enrolling into Intune.

When the enrollment status page has finished device preparation, it automatically continues to the device setup phase.

Device setup

For the device setup phase, the enrollment status page tracks items, such as device configuration profiles and applications, assigned to the device.

When the device setup phase is completed, any user is able to log in to the device, after which the account setup phase is activated.

Account setup

For the account setup phase, the enrollment status page tracks items, such as device configuration profiles and applications, assigned to the user.

For a full list of items being tracked by the enrollment status page, refer to the enrollment status page tracking information Microsoft documentation.

Fast sign-in experience on Shared Devices

By default, the account setup phase runs for every unique user that logs in on a device for the first time. Unfortunately, in scenarios where many devices are deployed that are shared among multiple users, this can be a lengthy process for a user. Fortunately, since Windows 10, version 1803, you can opt out of the account setup phase.

Note: When you skip the account setup phase, settings that are assigned to users rather than devices might not be available to users directly after their first sign-in. These settings will be applied on the go, once users have access to their desktop.

For details about the underlying implementation of the enrollment status page, the Microsoft Docs refer to the FirstSyncStatus details in the DMClient CSP documentation.

In Windows 10, version 1803, the SkipUserStatusPage node was added to the FirstSyncStatus node, with a description of: “Required. Device only. Added in Windows 10, version 1803. This node decides whether or not the MDM user progress page skips after Azure AD joined or DJ++ after user login.”

How to configure the SkipUserStatusPage node in Intune

Using the SkipUserStatusPage node, you can skip the account setup phase. This enables users to get access to their desktop even faster when they log in to the device after a successful device setup.

Currently, it is not possible to configure this setting from the enrollment status page UI in the management portal. However, you can configure this by creating a custom device configuration profile, using the steps below:

  • Navigate to the Microsoft 365 Device Management portal
  • Open the Device configuration blade
  • Click on Profiles and + Create a profile
    • Enter a name for your profile, for example: Skip Account Setup
    • Select the Windows 10 and later platform
    • Select Custom as the profile type
  • Click Add
    • Enter a Name for the custom OMA-URI, for example: SkipUserStatusPage
    • Enter the OMA-URI: ./Device/Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage
    • For the data type, select Boolean
    • For the boolean value, select True
  • Save the device configuration profile

Now that the device configuration is created, you can assign it to your devices. When enrolling new devices, this setting will be applied during the device setup phase.

Every user that logs in to the device after the device setup phase is complete will skip the account setup phase, experiencing an even faster sign-in!

Note: The device configuration can only be assigned to devices; it will not apply when assigned to users. You can also assign the profile to existing devices. After a device syncs with Intune, users that have never accessed that device before will also skip the account setup phase.
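
The portal steps above can also be scripted. The following PowerShell is an added example, not part of the original post: it builds the same custom profile and, only when run with -Submit, creates it through Microsoft Graph and assigns it to a device group. It assumes the Microsoft.Graph.Authentication module and the Graph v1.0 deviceConfigurations endpoint; the parameter names, including $DeviceGroupId, are hypothetical.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph.Authentication
# module and an account allowed the DeviceManagementConfiguration.ReadWrite.All scope.
param(
    [string]$ProfileName = 'Skip Account Setup',
    [string]$DeviceGroupId,   # hypothetical: object id of an Azure AD *device* group
    [switch]$Submit           # without this switch nothing is sent to the tenant
)

# OMA-URI exactly as given in the steps above (device scope, Boolean, True).
$omaUri = './Device/Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage'

$config = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = $ProfileName
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingBoolean'
            displayName   = 'SkipUserStatusPage'
            omaUri        = $omaUri
            value         = $true
        }
    )
}
$body = $config | ConvertTo-Json -Depth 5

if (-not $Submit) {
    # Dry run: emit the request body for review and stop.
    $body
    return
}

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' | Out-Null
$base    = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations'
$created = Invoke-MgGraphRequest -Method POST -Uri $base -Body $body -ContentType 'application/json'

# The profile only takes effect when assigned to devices, so target a device group.
if ($DeviceGroupId) {
    $assign = @{
        assignments = @(
            @{ target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $DeviceGroupId
            } }
        )
    } | ConvertTo-Json -Depth 5
    Invoke-MgGraphRequest -Method POST -Uri "$base/$($created.id)/assign" -Body $assign -ContentType 'application/json'
}
"Created profile $($created.id)"
```

Run it once without -Submit to review the JSON before creating anything in the tenant.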
