Merge pull request #7628 from MicrosoftDocs/lenewsad-patch-3

Angela Fleischmann · web-flow · commit a56bb250e6c4 · 2022-06-03T14:17:30.000-06:00
Update windows-enrollment-status.md
diff --git a/memdocs/intune/enrollment/windows-enrollment-status.md b/memdocs/intune/enrollment/windows-enrollment-status.md
@@ -1,14 +1,14 @@
 ---
 # required metadata
 
-title: Set up the Enrollment Status Page
+title: Set up the Enrollment Status Page in the admin center
 titleSuffix: Microsoft Intune
 description: Set up a greeting page for users signing in and enrolling Windows devices.
 keywords:
 author: Lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 03/02/2022
+ms.date: 06/02/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: enrollment
@@ -41,19 +41,21 @@ ms.collection:
  
 [!INCLUDE [azure_portal](../includes/azure_portal.md)]
  
-The Enrollment Status Page (ESP) displays provisioning progress after a new device is enrolled, and also when new users sign in to the device. The ESP provides a user interface so that the device user can monitor and track setup and enrollment progress. It locks the device during setup and doesn't let the user progress beyond the screen until provisioning is complete. 
+The enrollment status page (ESP) displays the provisioning status to people enrolling Windows devices and signing in for the first time. You can configure the ESP to block device use until all required policies and applications are installed. Device users can look at the ESP to track how far along their device is in the setup process. 
 
-You can show the enrollment status page during the default out-of-box experience (OOBE) for Azure AD Join, any [Windows Autopilot](../../autopilot/index.yml) provisioning scenario, or when new users sign into the device for the first time.  
+The ESP can be deployed during the default out-of-box experience (OOBE) for Azure Active Directory (Azure AD) Join, and any [Windows Autopilot](../../autopilot/index.yml) provisioning scenario.  
 
-To deploy the enrollment status page, you have to create an enrollment status page profile in Microsoft Intune. Within a profile, you can configure:   
+To deploy the ESP to devices, you have to create an ESP profile in Microsoft Intune. Within the profile, you can configure the ESP settings that control:  
 
-- The visibility of installation progress
-- Blocking device access until the provisioning process is completed
-- Time limits
-- Allowed troubleshooting operations  
+- Visibility of installation progress indicators     
+- Device access during provisioning   
+- Time limits  
+- Allowed troubleshooting operations    
 
-This article describes how to create and edit a profile, and describes the information that the enrollment status page tracks.     
+This article describes the information that the enrollment status page tracks and how to create an ESP profile.
 
+## Windows CSP  
+ESP uses the [EnrollmentStatusTracking configuration service provider (CSP)](/windows/client-management/mdm/enrollmentstatustracking-csp) and [FirstSyncStatus CSP](/windows/client-management/mdm/dmclient-csp) to track app installation.  
 
 ## Create new profile 
 
@@ -114,10 +116,12 @@ This article describes how to create and edit a profile, and describes the infor
 8. Select **Next**.  
  
 9. Optionally, in **Scope tags**, assign a tag to limit profile management to specific IT groups, such as `US-NC IT Team` or `JohnGlenn_ITDepartment`. Then select **Next**.   
+
+    > [!NOTE]
+    > Scope tags limit who can see and reprioritize ESP profiles in the admin center. A scoped user can tell the relative priority of their profile even if they can't see all of the other profiles in Intune. For more information about scope tags, see [Use role-based access control and scope tags for distributed IT](../fundamentals/scope-tags.md).  
  
-10. In **Review + create**, review your settings. After you select **Create**, your changes are saved, and the profile is assigned. You can access the profile from your profiles list. 
+10. In **Review + create**, review your settings. After you select **Create**, your changes are saved, and the profile is assigned. Once deployed, the profile will be applied the next time the devices check in. You can access the profile from your profiles list. 
 
-  The next time each device checks in, the profile is applied.  
 
 ## Edit default profile 
 
@@ -146,19 +150,14 @@ If you assign a user or device more than one ESP profile, the profile with the h
 2. If no profiles are targeted at the device, Intune applies the highest-priority profile assigned to the user. This only works in scenarios where there is a user. In white glove and self-deploying scenarios, only profiles targeted at devices can be applied.   
 3. If no profiles are assigned to the device or user, Intune applies the default ESP profile.    
 
-### Set priority  
 To prioritize your profiles:  
 
 1. Hover over the profile in the list with your cursor until you see three vertical dots.  
-2. Drag the profile to the desired position in the list.  
- 
-### Scope tags  
-  
-Scope tags limit who can see and reprioritize an ESP profile. A scoped user can tell the relative priority of their profile even if they can't see all the other profiles in Intune. For more information about scope tags, see [Use role-based access control and scope tags for distributed IT](../fundamentals/scope-tags.md).  
+2. Drag the profile to the desired position in the list.   
 
 ## Block access to a device until a specific application is installed
 
-You can specify which apps must be installed before the Enrollment Status Page (ESP) completes.
+Specify the apps that must be installed before the user can exit the ESP. You can choose up to 100 apps.   
 
 1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **Windows** > **Windows enrollment** > **Enrollment Status Page**.
 2. Choose a profile > **Settings**.
@@ -167,75 +166,110 @@ You can specify which apps must be installed before the Enrollment Status Page (
 5. Choose **Selected** for **Block device use until these required apps are installed if they're assigned to the user/device**.
 6. Choose **Select apps** > choose the apps > **Select** > **Save**.
 
-The apps that are included in this list are used by Intune to filter the list that should be considered blocking.  It doesn't specify what apps should be installed.  For example, if you configure this list to include "App 1," "App 2," and "App 3" and "App 3" and "App 4" are targeted to the device or user, the Enrollment Status Page will track only "App 3."  "App 4" will still be installed, but the Enrollment Status Page will not wait for it to complete.
+The apps that are included in this list are used by Intune to filter the list that should be considered blocking.  It doesn't specify what apps should be installed.  For example, if you configure this list to include "App 1," "App 2," and "App 3" and "App 3" and "App 4" are targeted to the device or user, the ESP will track only "App 3."  "App 4" will still be installed, but the ESP will not wait for it to complete.
 
-A maximum of 100 apps can be specified.
+## ESP tracking     
 
-## Enrollment Status Page tracking information  
+The enrollment status page tracks these phases of provisioning: 
 
-There are three phases where the Enrollment Status Page tracks information for; device preparation, device setup, and account setup.
+* Device preparation
+* Device setup
+* Account setup  
+
+This section describes the types of information, apps, and policies tracked during each phase.  
 
 ### Device preparation
 
-For device preparation, the enrollment status page tracks:
+During device preparation, the enrollment status page tracks these tasks for the device user: 
+
+* Secure your hardware
+* Join your organization's network
+* Register your device for mobile management    
+
+#### Secure your hardware
+This task ensures that the device completes the Trusted Platform Module (TPM) key attestation and validates its identity with Azure AD. Azure AD sends a token to the device, which is used during Azure AD join. 
 
-- Trusted Platform Module (TPM) key attestation (when applicable)
-- Azure Active Directory join process
-- Intune (MDM) enrollment
-- Installation of the Intune Management Extensions (used to install Win32 apps)
+This step is required for self-deploying mode and white glove deployment. It isn't needed for Windows Autopilot scenarios in user-driven mode.   
+
+#### Join your organization's network  
+The device uses the token received in the previous step to join Azure AD. This step is required in self-deploying mode and white glove deployment. Devices in user-driven mode have already completed this task by time they open the ESP.  
+
+### Register your device for mobile management
+The device enrolls in Microsoft Intune for mobile device management (MDM). 
+
+This step is required in self-deploying mode and white glove deployment. Devices in user-driven mode have already completed this step by time they open the ESP. 
+
+After enrollment, the device calculates the policies and apps required to track in the next phase. For Windows 10, version 1903 and later versions, the device also creates the tracking policy for the SideCar agent, and installs the Intune Management Extension that's used to install Win32 apps.  
 
 ### Device setup
 
-The Enrollment Status Page tracks the following device setup items:
+The enrollment status page tracks these items during the device setup phase:
+
+* Security policies  
+* Certificate profiles  
+* Network connection  
+* Apps  
+
+#### Security policies
+ESP doesn't track security policies, such as device restrictions, but these policies are installed in the background. The ESP does track Microsoft Edge, Assigned Access, and Kiosk Browser policies. 
 
-- Security policies
-  - Microsoft Edge, Assigned Access, and Kiosk Browser policies are presently tracked.
-  - Other policies aren't tracked.
-- Applications
-  - Per machine Line-of-business (LoB) MSI apps.
-  - LoB store apps with installation context = Device.
-  - Offline store apps with installation context = Device.
-  - Win32 applications (Windows 11 and Windows 10 version 1903 and later only) 
+  > [!TIP]
+  >  When complete, the status for security policies appears on the ESP as **(1 of 1) completed**.  
 
-  > [!NOTE]
-  > It's preferable to deploy the offline-licensed Microsoft Store for Business apps. Don't mix LOB and Win32 apps. Both LOB (MSI) and Win32 installers use TrustedInstaller, which doesn't allow simultaneous installations. If the OMA DM agent starts an MSI installation, the Intune Management Extension plugin starts a Win32 app installation by using the same TrustedInstaller. In this situation, Win32 app installation fails and returns an **Another installation is in progress, please try again later** error message. In this situation, ESP fails. Therefore, don't mix LOB and Win32 apps in any type of Autopilot enrollment.
-  > 
+#### Certificates  
+The ESP tracks the installation of SCEP certificate profiles targeted at devices.  
 
-- Connectivity profiles
-  - VPN or Wi-Fi profiles that are assigned to **All Devices** or a device group in which the enrolling device is a member, but only for Autopilot devices
-- Certificate profiles that are assigned to **All Devices** or a device group in which the enrolling device is a member, but only for Autopilot devices
+#### Network connections    
+The ESP tracks VPN and Wi-Fi profiles targeted at devices.  
+
+#### Apps  
+The ESP tracks the installation of apps deployed in a device context, and includes:   
+
+  - Per machine line-of-business (LoB) MSI apps
+  - LoB store apps where installation context = device 
+  - Offline store apps where installation context = device 
+  - Win32 applications for Windows 10, version 1903 and later, and Windows 11.    
 
 ### Account setup
 
-For account setup, the Enrollment Status Page tracks the following items if they're assigned to the current logged in user:
-
-- Security policies
-  - Microsoft Edge, Assigned Access, and Kiosk Browser policies are presently tracked.
-  - Other policies aren't tracked.
-- Applications
-  - Per user LoB MSI apps that are assigned to All Devices, All Users, or a user group in which the user enrolling the device is a member.
-  - Per machine LoB MSI apps that are assigned to All Users or a user group in which the user enrolling device is a member.
-  - LoB store apps, online store apps, and offline store apps that are assigned to any of the following objects:
-    - All Devices
-    - All Users
-    - A user group in which the user enrolling the device is a member with installation context set to User.
-  - Win32 applications (Windows 10 version 1903 and newer only) 
-- Connectivity profiles
-  - VPN or Wi-Fi profiles that are assigned to All Users or a user group in which the user enrolling the device is a member.
-- Certificates
-  - Certificate profiles that are assigned to All Users or a user group in which the user enrolling the device is a member.
+During the account setup phase, the ESP tracks apps and policies targeted at users, including: 
+
+* Security policies  
+* Certificates
+* Network connections
+* Apps 
+
+  > [!TIP]
+  > Before installation begins, the device creates a tracking policy and calculates all apps and policies that need to be tracked. While that's happening, the ESP shows subtasks in an **Identifying** state.  
+
+#### Security policies  
+ESP doesn't track security policies, such as device restrictions, but these policies are installed in the background. The ESP does track Microsoft Edge, Assigned Access, and Kiosk Browser policies.  
+
+#### Certificates   
+The ESP tracks the installation of SCEP certificate profiles assigned to users.  
+
+#### Network connections 
+The ESP tracks Wi-Fi profiles assigned to users.  
+
+#### Apps  
+During this phase, the ESP tracks the installation of apps assigned to the user. The ESP tracks Win32 apps for Windows 10, version 1903 and later.   
+
+It also tracks the following types of apps when they're assigned to all devices, all users, or a user group that includes the enrolling device user:  
+
+  - Per user LoB MSI apps     
+  - Per machine LoB MSI apps   
+  - LoB store apps, online store apps, and offline store apps 
 
 ### Known issues
 
-The following are known issues related to the Enrollment Status Page.
+This section lists the known issues for the enrollment status page.  
+
 - When creating apps that will be deployed during ESP, any reboots that are packaged within the app may cause ESP to hang and fail the deployment. We recommend specifying the reboot behavior in Intune instead of triggering the reboot within the package. 
 - Disabling the ESP profile doesn't remove ESP policy from devices and users still get ESP when they log in to device for first time. The policy isn't removed when the ESP profile is disabled. 
-- A reboot during Device setup will force the user to enter their credentials before transitioning to Account setup phase. User credentials aren't preserved during reboot. Have the user enter their credentials then the Enrollment Status Page can continue. 
-- Enrollment Status Page will always time out during an Add work and school account enrollment on Windows 10 versions earlier than 1903. The Enrollment Status Page waits for Azure AD registration to complete. The issue is fixed on Windows 10 version 1903 and newer.  
-- Hybrid Azure AD Autopilot deployment with ESP takes longer than the timeout duration entered in the ESP profile. On Hybrid Azure AD Autopilot deployments, the ESP will take 40 minutes longer than the value set in the ESP profile. For example, you set the timeout duration to 30 minutes in the profile. The ESP can take 30 minutes + 40 minutes.
-
-  This delay gives time for the on-prem AD connector to create the new device record to Azure AD.
-  
+- A reboot during device setup forces the user to enter their credentials before the account setup phase. User credentials aren't preserved during reboot. Instruct the device users to enter their credentials to continue to the account setup phase.  
+- The ESP always times out on devices running Windows 10, version 1903 and earlier, and
+enrolled via the *Add work and school account* option. The ESP waits for Azure AD registration to complete. The issue is fixed on Windows 10 version 1903 and later.  
+- Hybrid Azure AD Autopilot deployment with ESP takes longer than the timeout duration entered in the ESP profile. On Hybrid Azure AD Autopilot deployments, the ESP takes 40 minutes longer than the value set in the ESP profile. For example, you set the timeout duration to 30 minutes in the profile. The ESP can take 30 minutes + 40 minutes. This delay gives the on-prem AD connector time to create the new device record to Azure AD.  
 - Windows logon page isn't pre-populated with the username in Autopilot User Driven Mode. If there's a reboot during the Device Setup phase of ESP:
   - the user credentials aren't preserved
   - the user must enter the credentials again before proceeding from Device Setup phase to the Account setup phase
@@ -249,4 +283,4 @@ The following are known issues related to the Enrollment Status Page.
 
 ## Troubleshooting  
 
-For troubleshooting help, including how to disable an already-enabled ESP, see [Troubleshoot the Windows Enrollment Status page](/troubleshoot/mem/intune/understand-troubleshoot-esp#troubleshooting).  
+For help with errors or messages related to the ESP, including how to disable an already-enabled ESP, see [Troubleshoot the Windows Enrollment Status page](/troubleshoot/mem/intune/understand-troubleshoot-esp#troubleshooting).  
