Block access to a device until specific apps are installed

This week a short blog post about a recently introduced feature in the Enrollment Status Page (ESP): the ability to block access to a device until specific apps are installed. I also tweeted about that feature recently and I thought it would be good to document the use case, the configurations and the end-user experience.

Introduction

Let’s start with a short introduction. The ESP is strongly recommended with Windows Autopilot. The idea of the ESP is to block the device until it is ready for use by the user. This new feature enables an administrator to block the device only until the most important apps are installed for the user. That enables the user to be productive sooner. The administrator simply chooses which apps are tracked on the ESP and, until those apps are installed, the user can’t use the device.

With the recent updates to Microsoft Intune, the ESP can track the following apps:

  • Licensed Microsoft Store for Business apps;
  • Line-of-business apps (APPX, MSIX, single-file MSI)
  • Office 365 ProPlus apps

Note: Keep in mind that there are differences between the user context and the system context. For the exact up-to-date details see the links in section More information.

Configuration

Now let’s continue by looking at the available configuration options. The following three steps walk through adjusting the default ESP. Those steps will show which configurations are required to get to the available configuration options for tracking specific apps. Similar steps are applicable when configuring custom ESPs.

1 Open the Azure portal and navigate to Microsoft Intune > Device enrollment > Windows enrollment > Enrollment Status Page (Preview) to open the Enrollment Status Page (Preview) blade;
2 On the Enrollment Status Page (Preview) blade, select Default > Settings to open the All users and all devices – Settings blade;
3a On the All users and all devices – Settings blade, select Yes with Show app and profile installation progress and Yes with Block device use until all apps and profiles are installed to enable the Block device use until these required apps are installed if they are assigned to the user/device setting (see step 3b);
3b When the Block device use until these required apps are installed if they are assigned to the user/device setting is enabled, select Select apps to open the Select apps blade. On the Select apps blade, select the required apps and click Select to return to the All users and all devices – Settings blade and click Save;

Note: Keep in mind that if the ESP is configured to track Office 365 ProPlus apps, other large apps, or just many apps, it might be required to also increase the timeout as documented in this Support Tip.

End-user experience

Now let’s end this post by looking at the end-user experience. The good thing is that the user will not notice any big differences. The user will still get the same screens and the same experiences. Only users that pay attention to details will notice the small differences. As shown below, the user will see a list of apps that is equal to the number of apps configured by the administrator. That list is most likely shorter than it was before. That’s also the reason why the user might notice that it’s possible to get productive sooner, as the device will be available for use sooner.

ESP-BlockApps-EUE

More information

For more information regarding blocking devices until certain apps are installed, please refer to the following articles:

Windows enrollment status page

This week is all about the enrollment status page for Windows 10, version 1803 and later, devices. Yes, I know that I’m not the first to write about this subject and I won’t be the last either, but I really thought that this feature deserves and demands a place on my blog. With the recent updates to Microsoft Intune, it’s now possible to enable the enrollment status page, as a preview feature, for Windows 10, version 1803 and later devices. This feature is often mentioned in combination with Windows AutoPilot, and it’s a great addition, but it’s good to remember that it’s actually applicable to any Azure AD joined (and Intune managed) Windows device. Not just Windows AutoPilot. In this post I’ll walk through the configuration options, followed by the end-user experience related to the configuration options.

Configuration options

Let’s start by walking through the configuration options for the Windows enrollment status page. The following 5 steps walk through those configuration options, with step 4 detailing the actual configuration options and the related behavior.

1 Open the Azure portal and navigate to Intune > Windows enrollment > Enrollment Status Page (Preview) to open the Enrollment Status Page (Preview) blade;
2 On the Enrollment Status Page (Preview) blade, select Default to open the All Users blade;
3 On the All Users blade, select Settings to open the All Users – Settings blade;
4a On the All Users – Settings blade, select Yes with Show app and profile installation progress to enable the enrollment status page during OOBE;
4b On the All Users – Settings blade, select Yes with Block device use until all apps and profiles are installed to prevent users from using the device before it’s completely configured and to enable further configuration options for the enrollment status page during OOBE;
4c On the All Users – Settings blade,

  • select Yes with Allow users to reset device if installation error occurs to enable end-users to reset the device after a failure during OOBE;
  • select Yes with Allow users to use device if installation error occurs to enable end-users to use the device after a failure during OOBE;
  • configure [number] with Show error when installation takes longer than specified number of minutes to determine how long, in minutes, an installation can take before showing a failure during OOBE;
  • select Yes with Show custom message when an error occurs to enable a custom error message that will be shown to the end-user after a failure during OOBE;
  • select Yes with Allow users to collect logs about installation errors to enable end-users to collect log files of any installation failure during OOBE;
5 On the All Users – Settings blade, click Save;

Note: At this moment I haven’t been able to see my custom error message during OOBE and I haven’t found out how to collect the log files related to the installation failures as an end-user.

Configuration results

Now let’s have a look at the effect of the different configuration options. When configuring the basics, which is simply enabling the enrollment status page (step 4a), the end-user will get the experience as shown below. It shows the end-user the current status and enables the end-user to click Continue anyway at any point during the enrollment status page.

Windows-enrollment-status_Continue

When configuring all the available options, which is basically enabling all the options (steps 4b and 4c), the end-user will get the experience as shown below. It shows the end-user the current status and only provides the end-user with options after a failure. The Reset button is available because of the Allow users to reset device if installation error occurs setting and the Continue anyway link is available because of the Allow users to use device if installation error occurs setting.

Windows-enrollment-status-page_Failure

Note: Not all components are actually tracking something yet. For an up-to-date list of the different tracked components, see the more information URL.
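The behaviour described in the two posts above (selected apps blocking the device, and the Reset and Continue anyway options after a failure), modelled as an added example; it is not Intune code and not from the original posts. The field names are hypothetical and mirror the portal labels, and treating an empty app selection as "track every assigned app" is an assumption.

```python
from dataclasses import dataclass

@dataclass
class EspSettings:
    # Hypothetical field names that mirror the portal labels on this page.
    show_progress: bool = False          # Show app and profile installation progress
    block_until_installed: bool = False  # Block device use until all apps and profiles are installed
    allow_reset_on_error: bool = False   # Allow users to reset device if installation error occurs
    allow_use_on_error: bool = False     # Allow users to use device if installation error occurs
    timeout_minutes: int = 60            # Show error when installation takes longer than ...
    selected_apps: frozenset = frozenset()  # assumption: empty means track every assigned app

def tracked_apps(s, assigned):
    """Selected apps only count if they are assigned to the user/device."""
    return set(assigned) & s.selected_apps if s.selected_apps else set(assigned)

def user_options(s, assigned, installed, failed, elapsed_minutes):
    """Return (state, options offered to the end-user) at one point in time."""
    if not s.show_progress:
        return "no_esp", {"use_device"}
    pending = tracked_apps(s, assigned) - set(installed)
    if not pending:
        return "ready", {"use_device"}
    if not s.block_until_installed:
        return "installing", {"continue_anyway"}  # available at any point
    error = bool(pending & set(failed)) or elapsed_minutes > s.timeout_minutes
    if not error:
        return "blocked", set()
    options = set()
    if s.allow_reset_on_error:
        options.add("reset")
    if s.allow_use_on_error:
        options.add("continue_anyway")
    return "error", options

def review(s):
    """Flag settings that let a user reach the desktop without the tracked apps."""
    if not s.show_progress:
        return ["ESP is not shown: no app is tracked during OOBE"]
    if not s.block_until_installed:
        return ["user can click Continue anyway at any point"]
    if s.allow_use_on_error:
        return ["after a failure or timeout the user can continue without the tracked apps"]
    return []
```

Running `review` over each ESP profile's settings shows which ones still leave a path to the desktop before the selected apps are present.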

More information

For more information about the enrollment status page, please refer to this article about Set up an enrollment status page.