If you use the Enrollment Status Page (ESP) on your (Autopilot) devices in blocking mode (Block device use until all apps and profiles are installed) things can get ugly and complicated if you sign-in with another user account on that machine. So it might be better to disable the Enrollment Status Page for all users who sign-in after the initial device enrollment.
ESP behaviour
I was not aware of the fact that only one ESP gets applied to a device and the first one applied will also remain on that device nevertheless if you configure additional ESP settings for different groups of users. In addition the ESP gets displayed for every account even if the account has no Intune license assigned and causing the ESP therefore to fail.
The Enrollment Status Page can only be targeted to a user who belongs to an assigned group and the policy is set on the device at the time of enrollment for all users that use the device. https://docs.microsoft.com/en-us/intune/windows-enrollment-status
Use cases from the field
I have came past the following use cases where you would want to disable the ESP after the initial enrollment:
- Support and maintenance on Azure AD joined machines with unlicensed administrator accounts (causing ESP to fail)
- Improving logon times for shared devices e.g. a desktop in a meeting room where every user of the tenant can sign-in with his account (causing slow logons)
- Using a blocking ESP (which somehow fails and or takes ages to complete) on machines which are already enrolled
- Configuration Manager co-management scenarios with Autopilot
Long story short - if you want to disable the ESP after the initial enrollment was completed and the ESP initially displayed the status:
This can now be accomplished with a simple setting directly in the ESP profile (which has the same effect as if you would configure the OMA-URI’s above):
Additionally I recommend to disable the Windows 10 first logon animation in order to speed the first sign-in up. Because the ESP also bypasses the first logon animation.
| Name | Disable first sign-in animation | | OMA-URI | ./Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnableFirstLogonAnimation | | Value type | Integer | | Value | 0 |