The curious cage of hiding the OOBE stage

The curious cage of hiding the OOBE stage

In this blog, I will show you how to remove the OOBE stage when NOT using autopilot. When using autopilot you can configure the OOBE experience like this.

When NOT using autopilot, you have got some challenges. One of them is skipping this kind of questions:

Configuring the user account type, is the second challenge. You really want to have a standard user and not an admin! Luckily I already blogged about it, how you can prevent users from becoming local admins!

Back to the OOBE stage. The OOBE stage will be presented when enrolling an existing device and when enrolling a new device.

First OOBE possibility: How are we going to prevent these questions when enrolling a new device?

Step 1: Creating a PowerShell script and converting it to an intunewin app. PowerShell script content:

$content = @'
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE"
$Name1 = "DisablePrivacyExperience"
$Name2 = "DisableVoice"
$Name3 = "PrivacyConsentStatus"
$Name4 = "Protectyourpc"
$Name5 = "HideEULAPage"
New-ItemProperty -Path $registryPath -Name $name1 -Value 1 -PropertyType DWord -Force
New-ItemProperty -Path $registryPath -Name $name2 -Value 1 -PropertyType DWord -Force
New-ItemProperty -Path $registryPath -Name $name3 -Value 1 -PropertyType DWord -Force
New-ItemProperty -Path $registryPath -Name $name4 -Value 3 -PropertyType DWord -Force
New-ItemProperty -Path $registryPath -Name $name5 -Value 1 -PropertyType DWord -Force
gpupdate /force
'@

Out-File -FilePath $(Join-Path $env:ProgramData CustomScripts\disableeula.ps1) -Encoding unicode -Force -InputObject $content -Confirm:$false
 
New-Item -Path "c:\" -Name "temp" -ItemType "directory" -force
$path = "c:\temp"
New-Item -path $path -name "disableeula.txt" -ItemType file -force

# register script as scheduled task
$Time = New-ScheduledTaskTrigger -AtLogOn
$User = "SYSTEM"
$Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ex bypass -file `"C:\ProgramData\CustomScripts\disableeula.ps1`" -Verb RunAs"
Register-ScheduledTask -TaskName "DisableEula" -Trigger $Time -User $User -Action $Action -Force
Start-ScheduledTask -TaskName "DisableEula"

Step 2: Upload the Intunewin app to Intune

Step 3: Block device until required apps are installed, within the ESP page

You have set these apps as required to make sure this app will be installed before the first user logs in.

Second OOBE possibility: When enrolling an existing device into Intune you can also skip the OOBE stage. Create a new installation package with Windows configuration Designer and install it: Install-ProvisioningPackage -PackagePath “C:\temp\project_2\project_2.ppkg” -QuietInstall

Please beware

1.Download the APK version

https://go.microsoft.com/fwlink/?linkid=2120254

2. The service account you are using must have App consent permisisons

3. The service account has to be excluded from all the Conditional Access policies

4. Requiring MFA for an azure ad join must be disabled.

Conclusion:

Autopilot has its benefits, some of them can also be configured when joining azure ad manually. Everyone ends up in removing local admins and skipping the OOBE stage are two of them.

Leave a Reply

Your email address will not be published. Required fields are marked *