A customer wanted to install an application after the ESP (Enrollment Status Page) phase. This application configures a BitLocker PIN, which obviously needs interaction with the user. That is not possible during the ESP phase: the user has no desktop yet, so there is nobody to answer the prompt. So, I needed a solution for that.
I have configured Oliver Kieselbach's BitLocker PIN solution. It's awesome! Check it out in this link.
So, I needed a solution for the ESP paradox. You want to make the BitLocker PIN application required, but you also need to make sure that the user only gets the pop-up after the Enrollment Status Page has completed. Otherwise, the pop-up might show up during the ESP phase and cause your enrollment to fail.
How can we do that? Well, what happens after you have completed the Enrollment Status Page? You are asked to set up Windows Hello for Business. I thought: "That's it!". I need to check whether Windows Hello for Business is configured in the requirements of the Win32App for the BitLocker PIN.
We can do this with PowerShell! I got a script from Spiceworks and modified it a bit:
# Remember when we started so we only look at events logged by this run.
$StartTime = Get-Date

# Opening the Sign-in options page makes Windows re-evaluate Windows Hello for Business
# and write the result to the HelloForBusiness operational log. The window is closed again
# right after; the user never sees more than a flash of the Settings app.
Start-Process ms-settings:signinoptions
Start-Sleep -Seconds 1
Stop-Process -Name SystemSettings -Force

# Event 7203 is only written when Windows Hello for Business is not enabled for this user.
# -ErrorAction SilentlyContinue keeps Get-WinEvent quiet when there are no matching events at all.
$Events = Get-WinEvent -FilterXml "<QueryList><Query><Select Path='Microsoft-Windows-HelloForBusiness/Operational'>*[System[(EventID=7203)]]</Select></Query></QueryList>" -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt $StartTime }

# The requirement rule in Intune compares against this output text, so keep it exact.
If ($Events.Count -gt 0) {
    Write-Host "Windows Hello for Business is not enabled" -ForegroundColor Red
}
ElseIf ($Events.Count -eq 0) {
    Write-Host "Windows Hello for Business is enabled" -ForegroundColor Green
}
Save the script above as a PS1 file.
We now need to add this script as a requirement for the Win32App. I am only showing how to add the requirement; if you want a more detailed description of adding a Win32App, check out this post.
Now, log on to Microsoft Intune. Go to your Win32App and edit the requirements of said App:
Add a requirement rule of type Script and upload the PS1 file.
The rule then has to match the script's success output: output data type String, operator Equals, value "Windows Hello for Business is enabled". Because the script opens the Settings app in the user's session, run it using the logged-on user's credentials; under SYSTEM there is no Settings app to open and no event is logged. Use this as your input for the requirement rule:
Save the application. In my experience, the application is then installed after the ESP completes.
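For a more defensive version of the same check, here is an added example written for this post; it is not the script above and not part of Oliver Kieselbach's solution. It uses the same technique (open Sign-in options so Windows re-evaluates Windows Hello for Business and logs the result, then look for event 7203 in the HelloForBusiness operational log), but it refuses to guess when it is running as SYSTEM, waits for the Settings app to appear instead of sleeping a fixed second, always closes it, and writes exactly one line for the requirement rule to compare. The function name Test-WhfbEnabled, the 10-second timeout and the "Unable to determine" output are assumptions made for this example.

```powershell
# Added example, not the original post's script. Same technique as the post: open
# Sign-in options so Windows re-runs the Windows Hello for Business check and logs it,
# then read the HelloForBusiness operational log for event 7203 ("not enabled").
# Assumptions for this example: the function name, $TimeoutSec and the output strings.

$LogName      = 'Microsoft-Windows-HelloForBusiness/Operational'
$NotEnabledId = 7203    # the event ID the post keys on
$TimeoutSec   = 10      # assumption: upper bound for the Settings app and the event to show up

function Test-WhfbEnabled {
    # Returns 'Enabled', 'NotEnabled' or 'Unknown'.

    # The Settings app only exists in an interactive user session. Under SYSTEM the
    # ms-settings: URI goes nowhere, no event is logged, and a naive check would
    # report "enabled" and let the PIN app install during ESP. Refuse instead.
    if ([Security.Principal.WindowsIdentity]::GetCurrent().IsSystem) {
        return 'Unknown'
    }

    $start    = Get-Date
    $deadline = $start.AddSeconds($TimeoutSec)
    try {
        Start-Process 'ms-settings:signinoptions' -ErrorAction Stop

        # Wait until the Settings process really exists; a fixed 1 s sleep is a race.
        while (-not (Get-Process -Name SystemSettings -ErrorAction SilentlyContinue) -and
               (Get-Date) -lt $deadline) {
            Start-Sleep -Milliseconds 250
        }
        if (-not (Get-Process -Name SystemSettings -ErrorAction SilentlyContinue)) {
            return 'Unknown'
        }

        # Poll for the "not enabled" event written after we started. When WHfB is
        # enabled no such event ever appears, so this loop runs until the deadline.
        $events = @()
        while ($events.Count -eq 0 -and (Get-Date) -lt $deadline) {
            Start-Sleep -Milliseconds 500
            $events = @(Get-WinEvent -FilterHashtable @{
                LogName   = $LogName
                Id        = $NotEnabledId
                StartTime = $start
            } -ErrorAction SilentlyContinue)
        }
        if ($events.Count -gt 0) { return 'NotEnabled' } else { return 'Enabled' }
    }
    finally {
        # Close the Settings window whatever happened, as the original script does.
        Stop-Process -Name SystemSettings -Force -ErrorAction SilentlyContinue
    }
}

# One line of output for the Intune requirement rule (String, Equals) to match.
switch (Test-WhfbEnabled) {
    'Enabled'    { Write-Output 'Windows Hello for Business is enabled';     exit 0 }
    'NotEnabled' { Write-Output 'Windows Hello for Business is not enabled'; exit 0 }
    default      { Write-Output 'Unable to determine Windows Hello for Business state'; exit 1 }
}
```

The requirement rule stays the same as above: data type String, operator Equals, value "Windows Hello for Business is enabled". The "Unknown" branch intentionally never matches, so a script that could not open the Settings app (wrong context, Settings blocked) blocks the install instead of letting the PIN prompt through during the ESP.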
Hi Niels,
Any suggestions what could be used if you are not using Windows Hello for Business, it has been disabled in Intune.
Hi Jerry,
Good one. Haven't thought of the use case where you don't use Hello for Business.
You could check this one out:
https://call4cloud.nl/2022/08/autopilot-is-mine-all-others-pay-time/
Thanks,
Niels