

anyweb

Displaying a welcome page after Windows Autopilot completes


Introduction

Understanding when Windows Autopilot is complete is an interesting topic. It would be great if there was a reg-key or file that was set when Windows Autopilot completed successfully, but there isn't, at least not now. Or if there is, I haven't seen any official documentation stating it.

In the meantime let's use some other method of determining whether it's complete or not.

To do that we'll rely on the creation date of the Microsoft Intune Device Management Extension folder as that gets created on the device if a PowerShell script or a Win32 app is targeted to the user or device, and I'm fairly confident that we all have at least one Win32 app or a PowerShell script deployed to our Autopilot devices during the Enrollment Status Page (ESP) phase of Autopilot.

You can see how the enrollment date is calculated from the script here.

enrollment date time.png

Note: The script will only run based on the hours since enrollment detected and the detected logged on user. The script will not run if it detects that the current logged on user is defaultuser0. That user is used by Windows during the Enrollment Status Page (ESP) Device Setup phase. As the script runs again during the Account Setup phase of the ESP (the last phase), this time it will be running as a user that is not defaultuser0 and in fact is the actual user that will use the computer. Therefore it will create a scheduled task to run XX minutes after the date/time that it detects, and that usually is 15 minutes or so after the user enters their credentials. It's not perfect, but it's better than nothing. Please adjust it to suit your individual requirements. If you know a better way to do this, then let us know.

Now that we have an idea of when Autopilot finished, we can deploy a PowerShell script to our Autopilot users to present a welcome page to the end user. At least that's the idea, and speaking of ideas, this great idea came from a friend of mine on Twitter, I just expanded upon it and fine tuned it for my needs, so please show your thanks to Chris Roberts for the great idea, and do him a favor and follow him on Twitter.

The scheduled task will only show the web browser once (1 minute after login), during the time frame we've decided (first 48 hours after enrollment). This gives your users a nice warm fuzzy feeling that everything is completed, and lets them know that they can now use their computer.

In order to achieve this we'll do the following.

  • Create a static website in Azure
  • Upload some files to the website
  • Add a PowerShell script in Intune

Note: This guide assumes you've already created an app for Microsoft Edge Chromium and deployed it to your Autopilot users.

Step 1. Create Storage Account

In Azure Active Directory create a storage account. To do that click on Create a Resource in https://portal.azure.com.

create a resource.png

In the page that appears, search for Storage Account. Select it and click on Create.

storage account.png

You can attach it to an existing Resource Group or as in my case (to keep things clean) create a new Resource Group. Next, fill in a Storage account name and select the region and performance.

new resource group.png

And click on Review + create and after being presented with the summary, click Create.

In the Storage Account, select Static Website from the options in the left pane.

static website.png

Set it to Enabled and provide the following file names Welcome.html and 404.html.

welcome.png

Click Save when done. Next, click on $web; you will be presented with a simple interface for uploading files to your new static website.

upload files to web.png

Step 2. Download files

Download the Welcome page html files and the LaunchEdgeWelcomePage.ps1 PowerShell script here.

Note: To download the files hosted on windows-noob.com, make sure you are logged on to the site first.

Step 3. Upload files

After installing the Microsoft Azure Storage Explorer, browse to the $web folder of your storage account in the Blob Containers.

microsoft azure storage explorer tool.png

The easiest way to get the files and folders to the $web folder is to drag and drop from Windows File Explorer.

drag and drop.png

 

Step 4. Change Access Level

In the $web container click refresh; you should see your files/folders.

files showing after refresh.png

Click on Change access level to change the access level to these files. Set it to the access level you require, for example Blob access.

blob access.png

To restrict access to this website and to block public access, see the following post.

Step 5. Add the static website URL to the script

In the $web container, click on properties. The static website URL is displayed; copy the URL.

Note: the returned URL is case sensitive.

copy URL.png

 

Edit the LaunchEdgeWelcomePage.ps1 PowerShell script and paste in your static website URL. Notice how I didn't copy over the /$web part of the url, it's added later.

add url to powershell script.png

Save the changes.

Step 6. Upload the PowerShell script to Intune

In Endpoint Manager, select Devices, Windows Devices and choose PowerShell scripts. Add the edited LaunchEdgeWelcomePage.ps1 script.

add powershell script to intune.png

Don't forget to assign the PowerShell script to your Windows Autopilot users.

Step 7. Review the end result

During Autopilot, you've probably enabled the ESP (Enrollment Status Page), if not it's a good idea to do so as it gives your users an indication that something is happening.

esp.png

After Windows Autopilot enrollment is complete, it should log on to the desktop, and Edge should launch with the welcome page.

we've signed you in.png

After the user selects the Sync option they'll see this (you can auto configure sync options).

welcome web page done.png

The user can click on any of the icons in the webpage to bring them to the online versions of those applications. In addition, an icon on the desktop links back to the welcome page.

icon on desktop.png

Step 8. Troubleshooting

If it didn't go as planned, check for the presence of the scheduled task. Try running it manually, and also look for the log file in C:\Windows\temp\LaunchEdgeWelcomePage.log.

troubleshooting.png

The script creates a scheduled task to launch the welcome page one time (for each user that logs on to the computer within the allotted time frame of 48 hours) after Autopilot is complete.

script creates a scheduled task.png

In the example below I ran the script on my daily laptop and it wouldn't add the scheduled task as enrollment was many months ago.

outside enrollment.png

If you want to test it anyway, then temporarily remove the # on line 87 and try again. Make sure to add the # back before uploading the script to Intune.

Note: If Edge Chromium doesn't install during the ESP for whatever reason (and yes, sadly it happens), then this welcome page won't launch either. If that happens to you, try plan b, which is to launch another browser (I picked Internet Explorer). Below is the section containing the workaround which is NOT in the main script, so it's here just in case you want to use it.

Replace the $action line with this:

    # Special workaround for cases where MS Edge Chromium failed to install during ESP.
    # LogWrite and $websiteURL are expected to come from the main script.
    LogWrite "checking if Edge Chromium is actually installed right now...."
    $EdgeChromiumPath = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

    if (!(Test-Path $EdgeChromiumPath)) {
        # Edge is missing: fall back to Internet Explorer (plan b)
        LogWrite "'$EdgeChromiumPath' is NOT present, will use plan b..."
        $action = New-ScheduledTaskAction -Execute '"C:\Program Files (x86)\Internet Explorer\iexplore.exe"' -Argument $websiteURL
    }
    else {
        # Edge is installed: launch the welcome page with it as usual
        LogWrite "$EdgeChromiumPath is present, good !"
        $action = New-ScheduledTaskAction -Execute $EdgeChromiumPath -Argument $websiteURL
    }
    # end workaround

That's it !

Have fun and please let me know how you get on with this, if you modify the script or webpage then please show us your changes/ideas !

Useful links

cheers

niall

 

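Added example, not part of the original post and not taken from LaunchEdgeWelcomePage.ps1: one way to implement the gating the post describes (folder creation time, 48-hour window, skip defaultuser0) and to bind the task to the real user with standard rights. The folder path, URL, task name and function names are assumptions or placeholders.

```powershell
# Added example: names, paths and the URL are assumptions, not values from LaunchEdgeWelcomePage.ps1.
param(
    [string]$ImeFolder  = 'C:\Program Files (x86)\Microsoft Intune Management Extension', # assumed folder
    [string]$WebsiteUrl = 'https://example.invalid/Welcome.html',                         # placeholder URL
    [int]$WindowHours   = 48,
    [string]$TaskName   = 'LaunchWelcomePage-Example'                                     # hypothetical name
)

function Test-InWelcomeWindow {
    # True only when the folder exists and was created less than $Hours ago.
    param([string]$Folder, [int]$Hours, [datetime]$Now = (Get-Date))
    if (-not (Test-Path -LiteralPath $Folder)) { return $false }
    $age = $Now - (Get-Item -LiteralPath $Folder).CreationTime
    return ($age.TotalHours -ge 0 -and $age.TotalHours -lt $Hours)
}

function Get-InteractiveUser {
    # DOMAIN\user of the console session, or $null when nobody is logged on.
    (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
}

$user = Get-InteractiveUser
if (-not $user -or ($user -split '\\')[-1] -ieq 'defaultuser0') {
    Write-Output "Logged-on user is '$user'; not creating a task during the Device Setup phase."
    return
}
if (-not (Test-InWelcomeWindow -Folder $ImeFolder -Hours $WindowHours)) {
    Write-Output "Enrollment is outside the $WindowHours hour window; nothing to do."
    return
}
# Only hand an absolute https URL to the browser.
$uri = $null
if (-not ([uri]::TryCreate($WebsiteUrl, [UriKind]::Absolute, [ref]$uri)) -or $uri.Scheme -ne 'https') {
    Write-Output "Refusing to schedule '$WebsiteUrl': not an absolute https URL."
    return
}

$edge      = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
$action    = New-ScheduledTaskAction -Execute $edge -Argument $uri.AbsoluteUri
$trigger   = New-ScheduledTaskTrigger -AtLogOn -User $user
$trigger.Delay = 'PT1M'   # start one minute after logon
# Bind the task to the real user with standard rights, never to SYSTEM or defaultuser0.
$principal = New-ScheduledTaskPrincipal -UserId $user -LogonType Interactive -RunLevel Limited
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal -Force
```

The example does not implement the show-once behaviour; it covers only the decision to create the task and which account the task runs as.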

On 2/6/2022 at 2:20 PM, anyweb said:

hi, the link works fine you just need to be logged in to download files from windows-noob.com

Sorry I missed that 😳

But I'm having some issues with it. I'm currently testing this with hybrid join. The task is created but with "COMPUTERNAME\Defult0" as user account so Edge never starts.

Have you tested this with hybrid join or Azure AD join?


hi @MagnusL

I've tested it with Azure AD joined devices only as that's what we use, and it works fine in that scenario, so when you checked task scheduler can you show me what it did create? I've not seen a defult0 user before, DefaultUser0 yes, but not the other one...

 

Did you heavily modify the scripts?

3 hours ago, anyweb said:

hi @MagnusL

I've tested it with Azure AD joined devices only as that's what we use, and it works fine in that scenario, so when you checked task scheduler can you show me what it did create? I've not seen a defult0 user before, DefaultUser0 yes, but not the other one...

 

Did you heavily modify the scripts?

Sorry, it's DefaultUser0

I'm running it unmodified

OK, so the script will create a scheduled task for each user but basically won't do anything for defaultuser0, as that's not a real user, it's only used by Windows Autopilot during the ESP,

so... after the Account Setup phase (user account) part of the ESP is done, and you log on to the desktop, what scheduled tasks do you see?

Nice job! Is it possible to make it all run from the deployed script from Intune? I'm trying to adapt the script to only run a script that reverts back to the device's OEM License, using your ESP complete trigger


Great post, thank you very much!

I am having the same issue as @MagnusL - the scheduled task is being created but the account that it is being assigned to under 'When running the task, use the following user account:' is 'defaultuser0'. This means that the scheduled task does not run, as it's not being created under the user who logs into the device.

The only section that has been edited in your script is the '$websiteURL =' as per your instructions.

Looking at your script, I couldn't work out which section stops the user, 'defaultuser0', from running it?

Any help will be greatly appreciated, thanks.

IMG_3653.jpg
