Enhancing your IT Infrastructure with Microsoft Intune # Episode 9B

Topic covered: Windows Enrollment Workloads (General - CNAME Validation & ESP)

Hello, LinkedIn audience! In this article, we'll examine the third and fourth Windows enrollment workload general settings, which are crucial for users to enroll their devices into MDM and for the enrollment experience itself: CNAME Validation and the Enrollment Status Page (ESP).

▶ CNAME Validation

The CNAME record matters for every device enrolling with the MDM agent. To simplify enrollment, create a Domain Name System (DNS) alias (a CNAME record) that redirects enrollment requests to the Intune servers. Without it, users who do not enter the Intune server name during enrollment will be unable to connect to Intune.

▶ Create CNAME

Create CNAME DNS resource records for your company's domain. If your company's website is labenterprises.com, for example, you would use DNS to create a CNAME that redirects EnterpriseEnrollment.labenterprises.com to EnterpriseEnrollment-s.manage.microsoft.com.

Although creating CNAME DNS entries is optional, they help with user enrollment. If no enrollment CNAME record is found, users are prompted to manually enter the MDM server name, enrollment.manage.microsoft.com.

If your company has more than one UPN suffix, you must create a CNAME for each domain name and point it to EnterpriseEnrollment-s.manage.microsoft.com. LabEnterprises users, for example, use the following email/UPN formats:

  • name@labenterprises.com
  • name@us.labenterprises.com
  • name@eu.labenterprises.com

The Contoso DNS admin should create the following CNAMEs, each pointing to EnterpriseEnrollment-s.manage.microsoft.com:

  • EnterpriseEnrollment.labenterprises.com
  • EnterpriseEnrollment.us.labenterprises.com
  • EnterpriseEnrollment.eu.labenterprises.com

EnterpriseEnrollment-s.manage.microsoft.com - Allows for a redirect to the Intune service based on the domain name of the email.

DNS record changes may take up to 72 hours to propagate. Intune cannot verify the DNS change until the DNS record propagates.

▶ Verify CNAME

  1. Go to Devices > Windows > Windows enrollment > CNAME Validation.
  2. In the Domain box, enter the company domain and then choose Test.
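The portal test above checks one domain at a time. As an added example (my own code, not part of the original article), the Python script below builds the expected CNAME record for every UPN suffix and validates what a resolver returns against it, reporting a record as ok, missing, or pointing at the wrong target. The LabEnterprises suffixes are the ones from the article; the resolver answers are a constructed table so the script runs offline, and `resolve_cname` is an assumed hook you would replace with a real lookup (for example `Resolve-DnsName -Type CNAME` in PowerShell or `dig CNAME`).

```python
# Added example (not from the original article): validate the Intune
# enrollment CNAME for every UPN suffix an organization uses.
# Assumptions: the suffixes are the article's LabEnterprises example and the
# DNS answers below are constructed sample data, not real lookups.

INTUNE_ENROLLMENT_TARGET = "enterpriseenrollment-s.manage.microsoft.com"
ENROLLMENT_LABEL = "enterpriseenrollment"


def _normalize(name):
    """DNS names are case-insensitive; also strip the trailing dot of an FQDN."""
    return name.strip().lower().rstrip(".")


def expected_cname_records(upn_suffixes):
    """Map EnterpriseEnrollment.<suffix> -> the Intune target, one per suffix."""
    return {f"{ENROLLMENT_LABEL}.{_normalize(s)}": INTUNE_ENROLLMENT_TARGET
            for s in upn_suffixes}


def zone_file_lines(upn_suffixes, ttl=3600):
    """Render the records as BIND-style zone lines to hand to the DNS admin."""
    return [f"{name}. {ttl} IN CNAME {target}."
            for name, target in expected_cname_records(upn_suffixes).items()]


def validate_enrollment_cnames(upn_suffixes, resolve_cname):
    """resolve_cname(name) returns the CNAME target, or None if no record exists.

    Status per expected name: 'ok', 'missing' (not created yet or not propagated,
    so users get prompted for the server name) or 'wrong-target'.
    """
    report = {}
    for name, target in expected_cname_records(upn_suffixes).items():
        answer = resolve_cname(name)
        if answer is None:
            report[name] = "missing"
        elif _normalize(answer) != target:
            report[name] = "wrong-target"
        else:
            report[name] = "ok"
    return report


# Constructed resolver answers (sample data): one correct record, one mistyped
# target (the "-s" is missing), and the EU suffix with no record at all.
SAMPLE_DNS = {
    "enterpriseenrollment.labenterprises.com": "EnterpriseEnrollment-s.manage.microsoft.com.",
    "enterpriseenrollment.us.labenterprises.com": "enterpriseenrollment.manage.microsoft.com.",
}


def sample_resolver(name):
    """Stand-in for a live CNAME lookup; returns None when no record exists."""
    return SAMPLE_DNS.get(_normalize(name))


if __name__ == "__main__":
    suffixes = ["labenterprises.com", "us.labenterprises.com", "eu.labenterprises.com"]
    print("\n".join(zone_file_lines(suffixes)))
    for name, status in validate_enrollment_cnames(suffixes, sample_resolver).items():
        print(f"{name:48} {status}")
```

Because DNS changes can take up to 72 hours to propagate, a "missing" result right after the record was created is expected; re-run the check (and the portal test) once propagation has completed.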

▶ Enrollment Status Page (ESP)

People enrolling on Windows devices and logging in for the first time can see their provisioning status on the enrollment status page (ESP). You can set up the ESP to prevent device use until all necessary policies and applications are installed. Users of the device can check the ESP to see how far along it is in the configuration process.

The ESP can be deployed during the default out-of-box experience (OOBE) for Azure Active Directory (Azure AD) Join, and any Windows Autopilot provisioning scenario.

But is it a requirement for Autopilot deployment? The answer is No. This totally depends on your organizational standards.

You must create an ESP profile in Microsoft Intune before you can distribute the ESP to devices. Within the profile you set the ESP settings that govern:

  • Visibility of installation progress indicators
  • Device access during provisioning
  • Time limits
  • Allowed troubleshooting operations

▶ Creating a New ESP profile

The steps below describe how to create an ESP profile and what each of its settings means.

Step 1: Go to Devices > Windows > Windows enrollment > Enrollment status page.

Step 2: Click on Create.

Step 3: In Basics, enter the following properties:

  1. Name: Name your profile so you can easily identify it later. (I'll name it Autopilot ESP Profile.)
  2. Description: Enter a description for the profile. This setting is optional but recommended. (For example: This ESP profile is to be deployed for Windows Autopiloted Devices.)
  3. Click Next to go to Settings.

Step 4: In Settings, configure the following settings:

  • Show app and profile configuration progress: Your options are:

→ No: The enrollment status page is not displayed during device setup. Choose this option if you do not want users to see the ESP.

→ Yes: The enrollment status page appears during device setup.

So, let's assume you selected Yes here. That sends us to the next configuration.

  • Show an error when installation takes longer than the specified number of minutes

The time-out period is set to 60 minutes by default. If you believe it will take more time to install apps on your devices, enter a higher value.

  • Show custom message when time limit or error occurs:

Include a message informing people what happened and who to contact for assistance. Your options are:

→ No: The default message is shown to users when an error occurs. That message is: "Setup could not be completed. Please try again or contact your support person for help."

→ Yes: Your custom message is shown to users when an error occurs. Enter your message in the provided text box.

  • Turn on the log collection and diagnostics page for end users

I recommend turning on the user's logs and diagnostics to help with troubleshooting. Your options are:

→ No: When an installation error occurs, the collect logs button is hidden from users. On Windows 11 devices, the Windows Autopilot diagnostics page is not displayed.

→ Yes: When an installation error occurs, the collect logs button is displayed to users. On Windows 11 devices, the Windows Autopilot diagnostics page is displayed.

  • Only show page to devices provisioned by out-of-box experience (OOBE)

Your Options are:

→ No: The enrollment status page is displayed on all Intune-managed and co-managed devices that complete the out-of-the-box experience (OOBE), and to the first user who signs in to each device. Subsequent users who sign in do not see the ESP.

→ Yes: The enrollment status page is displayed only on devices that have completed the out-of-the-box experience (OOBE).

  • Block device use until all apps and profiles are installed:

Your options are:

→ No: Users can leave the ESP before Intune is finished setting up the device.

→ Yes: Users can't leave the ESP until Intune is done setting up the device. This option unlocks additional settings for this scenario.

  • Allow users to reset the device if an installation error occurs:

Your options are:

→ No: The ESP doesn't give users the option to reset their devices when an installation fails.

→ Yes: The ESP gives users the option to reset their devices when an installation fails.

  • Allow users to use the device if an installation error occurs

Your options are:

→ No: The ESP doesn't give users the option to bypass the ESP when an installation fails.

→ Yes: The ESP gives users the option to bypass the ESP and use their devices when an installation fails.

  • Block device use until these required apps are installed if they are assigned to the user/device:

Your options are:

→ All: All assigned apps must be installed before users can use their devices.

→ Selected: Selected apps must be installed before users can use their devices. Choose this option to select from your managed apps.

Step 5: Click on Next to go to Assignments

Your options are:

→ Add groups: Use this to deploy the ESP profile to a particular group. For example, if you have a security group called "Windows 10 Autopilot devices", click Add groups and select that group.

→ Add all users: Choose this if you want to apply the ESP profile at the user level.

→ Add all devices: Choose this if you want to apply the ESP profile at the device level.

Step 6: Select Next. Optionally, in Scope tags, assign a tag to limit profile management to specific IT groups, such as EU-GE IT Team or LabEnterprises_ITDepartment. Then select Next.

Step 7: In Review + create, review your settings. After you select Create, your changes are saved and the profile is assigned. Once deployed, the profile is applied the next time the devices check in. You can access the profile from your profile list.

▶ Edit default profile

Intune applies the default profile to all users and all devices when no other ESP profiles are available to assign. You can configure the default profile to show or hide the ESP.

  1. Sign in to the Microsoft Endpoint Manager admin center and select Devices.
  2. Select Windows > Windows enrollment > Enrollment Status Page.
  3. Select the Default profile in the table.
  4. Select Properties.
  5. Go to the Settings section and select Edit.
  6. Configure Show app and profile installation progress to set the behavior of the default profile. Your options:

  • No: The ESP isn't visible to users during initial device setup and sign-in.
  • Yes: The ESP is visible to users during initial device setup and sign-in.

If you select Yes, more settings become available for you to configure.

  7. Select Review + save.
  8. Review the summary of changes and then select Save.

▶ Prioritize profiles

If you assign a user or device more than one ESP profile, the profile with the highest priority takes precedence over the other profiles. The profile set to 1 has the highest priority.

Intune applies profiles in the following order:

  1. Intune applies the highest-priority profile assigned to the device.
  2. If no profiles are targeted at the device, Intune applies the highest-priority profile assigned to the user. This only works in scenarios where there is a user; in white glove and self-deploying scenarios, only profiles targeted at devices can be applied.
  3. If no profiles are assigned to the device or user, Intune applies the default ESP profile.

To prioritize your profiles:

  1. Hover over the profile in the list with your cursor until you see three vertical dots.
  2. Drag the profile to the desired position in the list.

▶ Block access to a device until a specific application is installed

Specify the apps that must be installed before the user can exit the ESP. You can choose up to 100 apps.

  1. In the Microsoft Endpoint Manager admin center, choose Devices > Windows > Windows enrollment > Enrollment Status Page.
  2. Choose a profile > Settings.
  3. Choose Yes for Show app and profile installation progress.
  4. Choose Yes for Block device use until all apps and profiles are installed.
  5. Choose Selected for Block device use until these required apps are installed if they're assigned to the user/device.
  6. Choose Select apps > choose the apps > Select > Save.

The apps in this list are used by Intune as a filter for which assigned apps count as blocking; the list does not itself specify what apps get installed. For example, if you configure this list to include "App 1," "App 2," and "App 3," and "App 3" and "App 4" are targeted to the device or user, the ESP will track only "App 3." "App 4" will still be installed, but the ESP will not wait for it to complete.
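Two rules in this part of the article are easy to get wrong in practice: the order in which Intune picks an ESP profile (device-targeted first, then user-targeted, then Default, with user-targeted profiles ignored in white glove and self-deploying scenarios) and the fact that the "Selected" app list is a filter over what is assigned rather than an assignment of its own. The following Python is an added example of my own (not code from the article or from Intune) that models both rules; the profile names, group names and app names are constructed sample data, and the `scenario` parameter is my own label for the deployment mode.

```python
# Added example (not from the original article): the ESP profile selection
# order and the "Selected" blocking-app filter as the article describes them.
# The profiles, groups and app names below are constructed sample data.
from dataclasses import dataclass, field

DEFAULT_PROFILE = "Default"


@dataclass
class EspProfile:
    name: str
    priority: int                                      # 1 is the highest priority
    device_groups: set = field(default_factory=set)    # groups targeted at devices
    user_groups: set = field(default_factory=set)      # groups targeted at users


def select_esp_profile(profiles, device_groups, user_groups=frozenset(),
                       scenario="user-driven"):
    """Pick the profile Intune applies to a device.

    1. Highest-priority profile assigned to the device.
    2. Otherwise, highest-priority profile assigned to the user, but only when
       there is a user (not in self-deploying or white glove mode).
    3. Otherwise the default ESP profile.
    """
    def best(candidates):
        return min(candidates, key=lambda p: p.priority, default=None)

    device_hit = best(p for p in profiles if p.device_groups & set(device_groups))
    if device_hit is not None:
        return device_hit.name
    if scenario == "user-driven":
        user_hit = best(p for p in profiles if p.user_groups & set(user_groups))
        if user_hit is not None:
            return user_hit.name
    return DEFAULT_PROFILE


def blocking_apps(selected_apps, assigned_apps):
    """The 'Selected' list is a filter, not an assignment: the ESP waits only for
    apps that are both selected and assigned; other assigned apps still install
    in the background without blocking the page."""
    selected = set(selected_apps)
    tracked = [a for a in assigned_apps if a in selected]
    not_waited_for = [a for a in assigned_apps if a not in selected]
    return tracked, not_waited_for


if __name__ == "__main__":
    profiles = [
        EspProfile("Autopilot ESP Profile", 1, device_groups={"Windows 10 Autopilot devices"}),
        EspProfile("Sales users ESP", 2, user_groups={"Sales"}),
    ]
    print(select_esp_profile(profiles, {"Windows 10 Autopilot devices"}, {"Sales"}))
    print(select_esp_profile(profiles, {"Kiosks"}, {"Sales"}))
    print(select_esp_profile(profiles, {"Kiosks"}, {"Sales"}, scenario="self-deploying"))
    print(blocking_apps(["App 1", "App 2", "App 3"], ["App 3", "App 4"]))
```

Running the block reproduces the article's "App 1, App 2, App 3" example (only "App 3" is tracked, "App 4" installs without blocking) and shows that a self-deploying device in a user-targeted group falls through to the Default profile.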

▶ ESP tracking

The enrollment status page tracks these phases of provisioning:

  • Device preparation
  • Device setup
  • Account setup

This section describes the types of information, apps, and policies tracked during each phase.

→ Device preparation

During device preparation, the enrollment status page tracks these tasks for the device user:

  • Secure your hardware

This task validates the device's identity with Azure AD and completes the Trusted Platform Module (TPM) key attestation. Azure AD sends the device a token, which is used during Azure AD join.

This step is required in both self-deploying and white glove deployment modes; it is not required in user-driven mode.

  • Join your organization's network

To join Azure AD, the device uses the token obtained in the previous step. This step is required in both self-deploying and white glove deployment modes. When devices in user-driven mode open the ESP, they have already completed this task.

  • Register your device for mobile management

The device enrolls in Microsoft Intune mobile device management (MDM).

This step is required in both self-deploying and white glove deployment modes. When a device in user-driven mode opens the ESP, it has already completed this step.

Following enrollment, the device calculates the policies and apps that will be tracked in the following phase. For Windows 10, version 1903 and later, the device also creates the Sidecar agent's tracking policy and installs the Intune Management Extension, which is used to install Win32 apps.

→ Device setup and account setup

The enrollment status page tracks these items during the device and account setup phases:

  • Security policies

Security policies, such as device restrictions, are not tracked by ESP, but they are installed in the background. Microsoft Edge, Assigned Access, and Kiosk Browser policies are all tracked by the ESP.

  • Certificate profiles

The ESP tracks the installation of SCEP certificate profiles targeted at devices.

  • Network connection

The ESP tracks VPN and Wi-Fi profiles targeted at devices.

  • Apps

The ESP tracks the installation of apps deployed in a device context and includes:

  1. Per machine line-of-business (LoB) MSI apps
  2. LoB store apps where installation context = device
  3. Offline store apps where installation context = device
  4. Win32 applications for Windows 10, version 1903, and later, and Windows 11.

Important note from Microsoft:

It's preferable to deploy offline-licensed Microsoft Store for Business apps. Don't mix LOB and Win32 apps: both LOB (MSI) and Win32 installers use TrustedInstaller, which doesn't allow simultaneous installations.

If the OMA-DM agent starts an MSI installation and the Intune Management Extension plugin starts a Win32 app installation through the same TrustedInstaller at the same time, the Win32 app installation fails with an "Another installation is in progress, please try again later" error, and the ESP fails with it. Therefore, don't mix LOB and Win32 apps in any type of Autopilot enrollment.
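A quick way to catch this before a pilot device hangs on the ESP is to run the list of assigned apps through a pre-flight check. The Python below is an added example of my own (not code from the article or from Intune): following the article's list, it treats only device-context LoB MSI, LoB Store, offline Store and Win32 assignments as ESP-tracked, and it raises a warning when both LoB MSI and Win32 apps are in the tracked set. The app records and the `kind`/`context` labels are constructed sample data of my own, not Intune data types.

```python
# Added example (not from the original article): pre-flight check over the apps
# assigned to an Autopilot device. Following the article's list, only
# device-context LoB MSI, LoB Store, offline Store and Win32 assignments are
# treated as ESP-tracked, and an LoB MSI + Win32 mix is flagged because both
# installers use TrustedInstaller. The app records are constructed sample data
# and the "kind"/"context" labels are my own.
from collections import Counter

# Installer families the article lists as tracked when deployed in device context.
TRACKED_KINDS = {"lob-msi", "lob-store", "offline-store", "win32"}


def esp_tracks(app):
    """True when the ESP waits for this assignment (device context only)."""
    return app["context"] == "device" and app["kind"] in TRACKED_KINDS


def preflight_esp_apps(assigned_apps):
    """Classify assignments and return {'tracked', 'untracked', 'warnings'}."""
    tracked = [a for a in assigned_apps if esp_tracks(a)]
    untracked = [a for a in assigned_apps if not esp_tracks(a)]
    kinds = Counter(a["kind"] for a in tracked)
    warnings = []
    if kinds["lob-msi"] and kinds["win32"]:
        warnings.append(
            "LoB MSI and Win32 apps are both tracked by the ESP; they share "
            "TrustedInstaller, so a Win32 install can fail with 'Another "
            "installation is in progress' and fail the ESP. Use one installer "
            "family (offline-licensed Store apps preferred)."
        )
    return {
        "tracked": [a["name"] for a in tracked],
        "untracked": [a["name"] for a in untracked],
        "warnings": warnings,
    }


# Constructed sample assignments (not real apps).
SAMPLE_ASSIGNMENTS = [
    {"name": "Company agent (offline Store)", "kind": "offline-store", "context": "device"},
    {"name": "Legacy inventory tool (MSI)", "kind": "lob-msi", "context": "device"},
    {"name": "VPN client (Win32)", "kind": "win32", "context": "device"},
    {"name": "Note-taking app (Win32)", "kind": "win32", "context": "user"},
]

if __name__ == "__main__":
    report = preflight_esp_apps(SAMPLE_ASSIGNMENTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

With the sample data the check reports three tracked apps, one user-context app the ESP does not wait for, and one warning; dropping the MSI (or repackaging it) clears the warning.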

That's a long one, right? In my next article, I'll be explaining the newly added feature called Enrollment notifications and the other setting called Co-management settings.

#windows11 #windows10 #Enrollmentstatuspage #Cnamevalidation #autopilot #AzureAdjoin #Azureadregistered #deviceidentity #conditionalaccess #m365 #cloudcomputingservices #modernworkplace #digitalworkplace #intune #mem #mam #saas #paas #itmodernization #itinfrastructuremanagement #dws #wms #learningeveryday #linkedinforcreators #connections
