Configuring Windows Enrolment Status Page (ESP)

So this is a common configuration for Windows Autopilot, and makes a huge difference in the whole process. Prior to the ESP or Enrollment Status Page. Windows Enrollment would just drop you into the desktop after provisioning the users profile. This worked ok as the MDM in this case Intune would be provisioned automatically during Azure AD Enrollment and would then automatically provision all required items targeted at either the user or device. But we were dramatically limited on how to provide a user experience and in many case this wasn't ideal as many security baselines require configurations to be in place prior to users access their desktop, such as Disk Encryption, Anti-Virus, Device Certificates, and VPN.

The ESP gives use the ability to hold the user as a designated screen, until our configurations are complete then allow the user access to their desktop once all configurations are complete. Below is an example on how I configure this with customers.

Set up the Enrollment Status Page - Microsoft Intune | Microsoft Docs

Configuring the ESP Enrollment Status Page:

The enrollment status page appears during initial device setup and during first user sign in. If enabled, users can see the configuration progress of assigned apps and profiles targeted to their device.

Browse to Device > Enroll device> Windows enrollment > Enrollment Status Page.

Now if you have never configured ESP then you will only see the Default profile named All users and all devices. I would strongly discourage modifying this profile as it by default targets all users and devices. Modifying this will change the users first time logon experience on Azure AD join and Hybrid Azure AD join Configurations. instead create a new profile.

Select the + Create button, and provide a name and description

Next you will configure the meat of the policy. Below are some of my call outs here. Key items are "Block device use until all apps and profiles are installed" and "Block device use until these required apps are installed if they are assigned to the user/device" Be sure when testing you make adjustments for testing and when moving to prod make adjustments accordingly.

Next Assign to a Group, I typically will target a Dynamic Device Group Typically the same I'm using for Autopilot. If I plan to allow users to do Self Enroll during OOBE of Unknown Devices then I will target the ESP accordingly to those users.

Set Scope Tag, typically leave this blank and select Next

Then Review and Create > Select Create and our profile is Live.

Enrollment status page priority

You can have multiple profiles for your needs. For example, a user can be in many groups and have many ESP profiles. If this happens, multiple profiles can be applied to the user. This can cause conflicts among settings. To handle this, ESP can have a priority. Only the highest priority profile is applied to the enrolling devices.