Today, just a very short blog post on how to speed up your Autopilot deployments by disabling the Account setup phase. Windows Autopilot enrollment consists of three phases: Device preparation, Device setup, and Account setup.
In my Autopilot implementations, the required applications and configuration profiles are all assigned to device groups, which means the settings and applications should all be handled during the Device setup phase of the enrollment. Previously, only the Online store apps were installed during the Account setup phase. But since we switched the Store apps to the offline version, this app type is also installed during the Device setup phase.
But even though no profiles or applications are handled during the Account setup phase, that phase still runs and takes some time (to identify whether there are apps and profiles to be handled). Why shouldn’t we just skip this phase of the enrollment and save a few minutes?
To skip the Account setup phase and speed up the Windows Autopilot enrollment, we can use a custom configuration profile with just one OMA-URI:
./Device/Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage
To add this setting, follow the steps below:
- Sign in to the Endpoint Manager admin center
- Browse to Devices – Windows – Configuration profiles
- Click + Create profile
- Choose Windows 10 as Platform
- Choose Templates and select Custom
- Click Create
- Give the profile a Name
- Enter a Description (Optional)
- Click Next
- Click Add to add a new OMA-URI row
- Enter a Name
- Enter a Description (Optional)
- Enter the OMA-URI ./Device/Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage
- Choose Boolean as Data type
- Choose True as Value
- Click Save
- Finish the creation of the profile
Assign the profile to the same device group(s) to which you assign the Autopilot enrollment profile(s).
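The same profile and assignment can also be created through Microsoft Graph instead of the portal. The script below is an added example, not part of the original post; it assumes the Microsoft.Graph.Authentication module is installed, and the profile name, descriptions and `$GroupId` value are placeholders.

```powershell
# Added example: create and assign the custom profile from the steps above via Microsoft Graph.
# Assumptions: Microsoft.Graph.Authentication is installed; names and $GroupId are placeholders.
$GroupId = '<object-id-of-your-Autopilot-device-group>'
$OmaUri  = './Device/Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage'
$BaseUri = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations'

# Stop early if the placeholder was not replaced with a real group object ID (GUID).
if ($GroupId -notmatch '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$') {
    throw 'Set $GroupId to the object ID of the device group used for the Autopilot profile.'
}

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# Custom (OMA-URI) profile with a single Boolean row set to True.
$profileBody = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Autopilot - Skip Account setup phase'
    description   = 'Skips the Account setup phase of the enrollment'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingBoolean'
            displayName   = 'SkipUserStatusPage'
            description   = 'Skip the Account setup phase'
            omaUri        = $OmaUri
            value         = $true
        }
    )
} | ConvertTo-Json -Depth 5

$created = Invoke-MgGraphRequest -Method POST -Uri $BaseUri `
    -Body $profileBody -ContentType 'application/json'

# Assign to the same device group as the Autopilot enrollment profile.
# Note: the assign action replaces the profile's existing assignments.
$assignBody = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $GroupId
            }
        }
    )
} | ConvertTo-Json -Depth 5

Invoke-MgGraphRequest -Method POST -Uri "$BaseUri/$($created.id)/assign" `
    -Body $assignBody -ContentType 'application/json'

# Read the profile back to confirm the OMA-URI row that was stored.
(Invoke-MgGraphRequest -Method GET -Uri "$BaseUri/$($created.id)").omaSettings
```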
That’s it! The Account setup phase should now be skipped and the enrollment time should be a little shorter.
What are the possible downsides of skipping this phase?
I haven’t seen any.
Just make sure your apps are installed during the Device setup phase and it works fine.
The biggest downside is you don’t know if the account setup phase was successful, so basically anything assigned to the user that would be processed during logon.
This includes things like Azure AD device registration if you’re doing Hybrid AD Join, which can fail for a variety of reasons, especially with ADFS and SSO.
You’re really just shifting the burden of time from the user to IT if there’s a problem :).
The thing is that you assign everything to a device group, so this is all handled during the device setup phase.
The AD join part isn’t handled during the account setup phase. The creation of the computer object is already handled by the Intune Hybrid Connector. And if you can sign in to Windows after the device setup phase (usually between the device and account setup phase), that means you have a connection to a DC which is enough to finish that process.
I have set this up as we had new users taking ages during the account setup, but it doesn’t seem to work; laptops are still sometimes taking hours in that phase…
Any recommendations or things to check?
Maybe it’s a little late, but if you’re doing a hybrid join, you’ll want to run a delta sync after the Device prep stage. This means you’re not waiting for a manual sync, which it needs to do to verify that the device is in AD and Azure AD.
Instead of the custom option (OMA-URI), is there an option available in the Settings catalog?