If you use the Enrollment Status Page (ESP) on your (Autopilot) devices in blocking mode (Block device use until all apps and profiles are installed), things can get ugly and complicated if you sign in with another user account on that machine. So it might be better to disable the Enrollment Status Page for all users who sign in after the initial device enrollment.

ESP behaviour

I was not aware of the fact that only one ESP gets applied to a device, and that the first one applied will remain on that device even if you configure additional ESP settings for different groups of users. In addition, the ESP gets displayed for every account, even if the account has no Intune license assigned, which causes the ESP to fail.

The Enrollment Status Page can only be targeted to a user who belongs to an assigned group and the policy is set on the device at the time of enrollment for all users that use the device. https://docs.microsoft.com/en-us/intune/windows-enrollment-status

Use cases from the field

I have come across the following use cases where you would want to disable the ESP after the initial enrollment:

  • Support and maintenance on Azure AD joined machines with unlicensed administrator accounts (causing ESP to fail)
  • Improving logon times for shared devices, e.g. a desktop in a meeting room where every user of the tenant can sign in with his account (causing slow logons)
  • Using a blocking ESP (which somehow fails and/or takes ages to complete) on machines which are already enrolled
  • Configuration Manager co-management scenarios with Autopilot

Configuration

Long story short - if you want to disable the ESP after the initial enrollment has completed and the ESP has initially displayed the status, configure the following OMA-URIs on your devices with a custom Intune device configuration:

Name Disable User ESP
OMA-URI ./Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage
Value type Boolean
Value True

Name Disable Device ESP
OMA-URI ./Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipDeviceStatusPage
Value type Boolean
Value True

Additionally, I recommend disabling the Windows 10 first logon animation to speed up the first sign-in, because the ESP also bypasses the first logon animation.

Name Disable first sign-in animation
OMA-URI ./Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnableFirstLogonAnimation
Value type Integer
Value 0

In the end, your Intune device configuration could look like this:

Intune device configuration to disable the Enrollment Status Page
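
The same three settings expressed as a Microsoft Graph custom configuration profile, as an added example that is not part of the original post. The profile display name, description and the `$Submit` switch are assumptions; submitting requires the Microsoft.Graph.Authentication module, and the profile is created unassigned.

```powershell
# Added example: builds a windows10CustomConfiguration from the three OMA-URIs in this post.
# Profile name/description and the $Submit switch are illustrative assumptions.
$Submit   = $false   # set to $true to create the profile in the tenant
$provider = './Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus'

$omaSettings = @(
    @{
        '@odata.type' = '#microsoft.graph.omaSettingBoolean'
        displayName   = 'Disable User ESP'
        omaUri        = "$provider/SkipUserStatusPage"
        value         = $true
    },
    @{
        '@odata.type' = '#microsoft.graph.omaSettingBoolean'
        displayName   = 'Disable Device ESP'
        omaUri        = "$provider/SkipDeviceStatusPage"
        value         = $true
    },
    @{
        '@odata.type' = '#microsoft.graph.omaSettingInteger'
        displayName   = 'Disable first sign-in animation'
        omaUri        = './Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnableFirstLogonAnimation'
        value         = 0
    }
)

# Guard against a value whose type does not match the declared OMA value type
foreach ($s in $omaSettings) {
    $expected = if ($s.'@odata.type' -like '*omaSettingBoolean') { [bool] } else { [int] }
    if ($s.value -isnot $expected) {
        throw "Setting '$($s.displayName)' expects a $($expected.Name) value."
    }
}

$config = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Disable ESP after initial enrollment'
    description   = 'Skips user and device ESP and the first logon animation'
    omaSettings   = $omaSettings
}
$body = $config | ConvertTo-Json -Depth 5
$body   # print the payload for review before anything is sent

if ($Submit) {
    Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
    Invoke-MgGraphRequest -Method POST -Body $body -ContentType 'application/json' `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations'
}
```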