Let’s understand how to disable the Intune Enrollment Status Page (ESP) for Azure Virtual Desktop (AVD) and Windows 365 Cloud PC, and look at the Intune ESP FirstSync registry entries and the ESP event logs. I am probably the odd one out here, but I need to disable the Enrollment Status Page (ESP) for Azure Virtual Desktop (AVD) deployments.
There are some specific reasons why I don’t want to deploy the ESP policy to AVD VMs; I will try to cover those “special” reasons in a future post (maybe?). You will also get some understanding of the troubleshooting options for the Enrollment Status Page from this post.
I have a separate post about Intune Enrollment Status Page troubleshooting. In my experience, ESP works well with Windows Autopilot enrollment. However, ESP doesn’t serve the same purpose for the Intune group policy enrollment used in the AVD world.
Microsoft added Intune Filter Rules support for Enrollment Status Page (ESP) as well. This will help Azure Virtual Desktop and Windows 365 Cloud PC deployments in some scenarios.
Intune ESP Issue
The following are some of the steps I tried, from the MEM admin center portal, to fix the Intune ESP issue. I didn’t want to use a custom CSP policy to disable ESP before testing all the other options.
I tried to deploy a “disable ESP” profile with the option Show app and profile configuration progress set to No, without any luck.
I also tried settings like Show an error when installation takes longer than the specified number of minutes set to 1 minute, again without any luck.
All of these ESP profiles were set to priority 1. But again, no luck: AVD users were still getting the ESP screen after the Windows 10 2004 upgrade. This was a bit irritating.
Intune ESP Known Issues
I don’t know how many of you have noticed the ESP known issues documentation on Microsoft Docs. I don’t want to pretend that I fully understand the first point in the known issues list:
Disabling the ESP profile doesn’t remove the ESP policy from devices, and users still get ESP when they log in to the device for the first time. The policy isn’t removed when the ESP profile is disabled.
Is this the reason I am getting all these inconsistent test results with the Enrollment Status Page (ESP)? I don’t know! Let me know what you think in the comments.
Intune ESP FirstSync Registry Entries
I checked the registry for the corresponding ESP policy entries. The ESP policy configuration made from the MEM admin center portal never seemed to change any of these registry entries.
The registry details of Intune ESP live under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\{EnrollmentGUID}\FirstSync, one FirstSync key per MDM enrollment GUID.
Initial Registry Entries for Intune ESP policies
- AllowCollectLogsButton -> 4294967295 (0xFFFFFFFF, the DWORD the CSP writes for Boolean True)
- BlockInStatusPage -> 7
- SkipDeviceStatusPage -> 0
- SkipUserStatusPage -> 0
- SyncFailureTimeout -> 90 (even though I set the policy to 60 minutes)
Registry Entries after Enrollment and Restart
- AllowCollectLogsButton -> 4294967295 (0xFFFFFFFF)
- BlockInStatusPage -> 7
- IsServerProvisioningDone -> 1 (new after enrollment completes)
- SkipDeviceStatusPage -> 0
- SkipUserStatusPage -> 0
- SyncFailureTimeout -> 90 (even though I set the policy to 60 minutes)
Intune ESP Related Event Log Entries (Event IDs 351, 352, 360, 361, 2300)
Now, let’s check the Intune ESP-related event log entries. These can help you troubleshoot Intune ESP (Enrollment Status Page) issues.
Event Viewer -> Applications and Services Logs -> Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
- Event ID 352 – First Sync: Setting ContinueAnyway. EnrollmentID: (E9B207C1-F3EA-44FF-BB71-BDF820DE59DA) SID: (S-1-5-21-1493617020-3973123668-451752572-367741) Value: (0x1).
- Event ID 351 – First Sync: Setting IsSyncDone. EnrollmentID: (E9B207C1-F3EA-44FF-BB71-BDF820DE59DA) SID: (NULL) Value: (0x1) FromServer: (0x0).
- Event ID 361 – First Sync: Getting DeviceProvisioningStatus. EnrollmentID: (E9B207C1-F3EA-44FF-BB71-BDF820DE59DA) Status: (0x2).
- Event ID 360 – First Sync: Setting DeviceProvisioningStatus. EnrollmentID: (E9B207C1-F3EA-44FF-BB71-BDF820DE59DA) SID: (NULL) Status: (0x0) FromServer: (0x0).
- Event ID 2300 – Bootstrap Enrollment Status Page: publish notification value: (0x1).
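To pull the registry state from the previous section and the event IDs listed above together from one device, here is an added PowerShell example (it is not from the original post). It assumes an elevated PowerShell session on the enrolled device; the function names and the output shape are my own, and the 0xFFFFFFFF-means-True decoding follows the registry values shown in this post.

```powershell
# Added example (not from the original post): dump the FirstSync state for every
# MDM enrollment and pull the ESP-related events quoted above. Run elevated.

$EnrollmentsKey = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
$EspLogName     = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$EspEventIds    = 351, 352, 360, 361, 2300   # the IDs listed in the post

function ConvertFrom-EspBool {
    # Boolean CSP nodes land as DWORD 0xFFFFFFFF (True) or 0 (False). Get-ItemProperty
    # hands DWORDs back as Int32, so 0xFFFFFFFF shows up as -1; recover the unsigned bits.
    param($Raw)
    if ($null -eq $Raw) { return 'not set' }
    $u = [BitConverter]::ToUInt32([BitConverter]::GetBytes([int32]$Raw), 0)
    if ($u -eq [uint32]::MaxValue) { return 'True (0xFFFFFFFF)' }
    if ($u -eq 0)                  { return 'False (0)' }
    # Anything else (e.g. a hand-set 1) is not what the CSP writes for True.
    return ('Unexpected (0x{0:X8})' -f $u)
}

function Get-EspFirstSyncState {
    # One object per enrollment GUID that actually carries a FirstSync key.
    Get-ChildItem -Path $EnrollmentsKey | ForEach-Object {
        $firstSync = Join-Path -Path $_.PSPath -ChildPath 'FirstSync'
        if (-not (Test-Path -Path $firstSync)) { return }
        $p = Get-ItemProperty -Path $firstSync
        [pscustomobject]@{
            EnrollmentId             = $_.PSChildName
            SkipDeviceStatusPage     = ConvertFrom-EspBool $p.SkipDeviceStatusPage
            SkipUserStatusPage       = ConvertFrom-EspBool $p.SkipUserStatusPage
            AllowCollectLogsButton   = ConvertFrom-EspBool $p.AllowCollectLogsButton
            BlockInStatusPage        = $p.BlockInStatusPage
            SyncFailureTimeout       = $p.SyncFailureTimeout
            IsServerProvisioningDone = $p.IsServerProvisioningDone
        }
    }
}

function Get-EspEvents {
    # Newest ESP-related events from the DeviceManagement Admin channel; only the first
    # line of each message is kept so the table stays readable.
    param([int]$MaxEvents = 50)
    $filter = @{ LogName = $EspLogName; Id = $EspEventIds }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

Get-EspFirstSyncState | Format-List
Get-EspEvents -MaxEvents 20 | Format-Table -AutoSize -Wrap
```

Read the two outputs together: the FirstSync values tell you what the device believes the ESP configuration is, and the 351/352/360/361 events tell you what the First Sync logic actually did for a given EnrollmentID and SID. A Skip* value reported as Unexpected means something other than the CSP wrote it.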
Disable Intune ESP
Finally, I was able to disable the Intune ESP (the out-of-box ESP profile mentioned above) with the two custom Windows 10 CSP settings below, deployed as a Custom configuration profile (Windows 10 and later > Templates > Custom). Both nodes come from the DMClient CSP:
- Provider/ProviderID/FirstSyncStatus/SkipDeviceStatusPage – Added in Windows 10, version 1803. This node decides whether the MDM device progress page is skipped after the device is Azure AD joined or Hybrid Azure AD joined in OOBE.
- Provider/ProviderID/FirstSyncStatus/SkipUserStatusPage – Added in Windows 10, version 1803. This node decides whether the MDM user progress page is skipped after the device is Azure AD joined or Hybrid Azure AD joined, following the user’s login.
For Intune, ProviderID is MS DM Server, which gives the following OMA-URI settings:
- Name: Disable User ESP
- OMA-URI: ./Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage
- Data type: Boolean; Value: True
- Name: Disable Device ESP
- OMA-URI: ./Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipDeviceStatusPage
- Data type: Boolean; Value: True
Registry details after deploying the disable Intune ESP policies to Windows 10 devices.
You can find the Intune ESP registry details under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\{EnrollmentGUID}\FirstSync; Boolean True from the CSP is stored as DWORD ffffffff:
- SkipDeviceStatusPage – ffffffff
- SkipUserStatusPage – ffffffff
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\{EnrollmentGUID}\FirstSync]
"SyncFailureTimeout"=dword:0000005a
"BlockInStatusPage"=dword:00000007
"SkipDeviceStatusPage"=dword:ffffffff
"SkipUserStatusPage"=dword:ffffffff
"AllowCollectLogsButton"=dword:ffffffff
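To verify that the two custom OMA-URI settings actually landed on a fleet of AVD hosts or Cloud PCs, here is an added PowerShell detection script in the shape Intune remediations expect (exit 0 = no issue, exit 1 = issue found). It is not from the original post; the function names are mine, and it assumes it runs as SYSTEM or an administrator, which is how Intune runs remediation scripts. It checks for the exact DWORD the CSP writes (0xFFFFFFFF) and treats a missing value, 0, or any other value as non-compliant.

```powershell
# Added example (not from the original post): detection script that confirms both
# Skip*StatusPage values under every Enrollments\{GUID}\FirstSync key are 0xFFFFFFFF.
# Exit 0 when all are set, exit 1 when anything is missing or wrong.

$EnrollmentsKey = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
$RequiredValues = 'SkipDeviceStatusPage', 'SkipUserStatusPage'

function ConvertTo-UInt32Bits {
    # Get-ItemProperty returns DWORDs as Int32, so 0xFFFFFFFF arrives as -1; recover the bits.
    param([int32]$Value)
    [BitConverter]::ToUInt32([BitConverter]::GetBytes($Value), 0)
}

function Test-EspSkipValue {
    # True only for the exact DWORD the DMClient CSP writes for Boolean True.
    param($Raw)
    if ($null -eq $Raw) { return $false }
    return (ConvertTo-UInt32Bits $Raw) -eq [uint32]::MaxValue
}

function Get-EspSkipState {
    # One object per (enrollment, value name) pair for every enrollment with a FirstSync key.
    Get-ChildItem -Path $EnrollmentsKey | ForEach-Object {
        $firstSync = Join-Path -Path $_.PSPath -ChildPath 'FirstSync'
        if (-not (Test-Path -Path $firstSync)) { return }   # enrollment without ESP state
        $p = Get-ItemProperty -Path $firstSync
        foreach ($name in $RequiredValues) {
            $raw   = $p.$name
            $shown = if ($null -eq $raw) { 'missing' } else { '0x{0:X8}' -f (ConvertTo-UInt32Bits $raw) }
            [pscustomobject]@{
                EnrollmentId = $_.PSChildName
                ValueName    = $name
                Current      = $shown
                Compliant    = Test-EspSkipValue $raw
            }
        }
    }
}

$state = @(Get-EspSkipState)
if ($state.Count -eq 0) {
    # No FirstSync key at all: the profile cannot have landed, so surface it as an issue.
    Write-Output 'No FirstSync key found under any MDM enrollment'
    exit 1
}

$bad = @($state | Where-Object { -not $_.Compliant })
if ($bad.Count -eq 0) {
    Write-Output ("Both Skip*StatusPage values are 0xFFFFFFFF on {0} enrollment(s)" -f ($state.Count / 2))
    exit 0
}

$bad | ForEach-Object { Write-Output ("{0} {1} = {2}" -f $_.EnrollmentId, $_.ValueName, $_.Current) }
exit 1
```

The output lines are what Intune shows as the detection result, so a non-compliant device reports the enrollment GUID, the value name, and the value it actually has (for example a hand-set 0x00000001). Pair it with a remediation that writes the values if you want automatic repair, but the supported path remains the custom profile above.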
Enrollment Status Page ESP with Intune Filters
Microsoft has enabled filter support for the Intune ESP (Enrollment Status Page). Intune filter rules might help with some AVD and Windows 365 Cloud PC scenarios, because a filter includes or excludes devices from the ESP assignment based on device properties (device name, model, and so on) when the policy is evaluated.
- Navigate to Devices – Enroll devices – Enrollment Status Page
- Click Edit Filter in the assignment.
- Select how you want the filter to behave (include or exclude the matching devices).
Resources
- Intune group policy enrollment
- Learn How To Collect Windows 10 Diagnostics Information From Intune Portal | Endpoint Manager – HTMD – How To Manage Devices
Author
Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculated in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
We were advised to add this same OMA-URI by MS support when troubleshooting an ESP issue for one of our users. After enabling him for WHfB via Intune, he hit the ESP screen when signing in, with an immediate error message and no option to “Continue Anyway”. The error was that the ‘timeout had been exceeded’, but this was an immediate failure on sign-in.
All he could do was sign out, and at the next sign-in he got to a desktop. After each reboot or sign-out he hit the same ESP error again, so effectively he had to sign in twice to be able to work.
Adding that OMA-URI resolved the issue.
I have since read elsewhere that the registry can be edited directly and the DWORD set to 1, but as you found out yourself, the correct value looks to be all the ‘f’s 🙂
Thanks for taking the time to write-up your findings.
Thanks for writing this up!
Simple PowerShell 3-liner.
# Sets both Skip*StatusPage values to 0xFFFFFFFF (Boolean True) for every enrollment
# that already has a FirstSync\SkipUserStatusPage value. Run from an elevated prompt.
Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Enrollments" |
    Where-Object { $null -ne (Get-ItemProperty "registry::$($_.Name)\FirstSync" -Name SkipUserStatusPage -ErrorAction SilentlyContinue) } |
    ForEach-Object {
        Set-ItemProperty "registry::$($_.Name)\FirstSync" -Name SkipUserStatusPage   -Value 0xffffffff -Type DWord -Force
        Set-ItemProperty "registry::$($_.Name)\FirstSync" -Name SkipDeviceStatusPage -Value 0xffffffff -Type DWord -Force
    }