The Curious Cage of Hiding the OOBE stage

The Curious Cage of Hiding the OOBE stage

In this blog, I will show you how to remove the OOBE stage when NOT using Autopilot. I know, I know why not use Autopilot? Apparently, there are still enough It pro’s who don’t use Autopilot. So let’s focus on that in this blog. To make things very clear… please, please just start using Autopilot and block personal enrollments!

I will divide this blog into multiple parts

  1. Introduction
  2. Changing the OOBE experience on our own

1.Introduction

Let’s start by looking at the nice options we have when we DO use Autopilot. Open the Autopilot profile settings and take a look at what options you can configure to change the OOBE experience.

  • Hide Privacy Settings / Hide Microsoft Software License Terms / Hide Change account options!!!!

When NOT using Autopilot, you have got some challenges. One of them is skipping this kind of question:

Configuring the user account type, is the second challenge. You really want to have a standard user and not an admin! Luckily I already blogged about it, how you can prevent users from becoming local admins!

2. Changing the OOBE Experience on our own!

Back to the OOBE stage. The OOBE stage will be presented when enrolling an existing device and when enrolling a new device.

2.1 First OOBE possibility:

How are we going to prevent these questions when enrolling a new device?

Step 1: Creating a PowerShell script and converting it to an intunewin app. PowerShell script content:

$content = @'
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE"
$Name1 = "DisablePrivacyExperience"
$Name2 = "DisableVoice"
$Name3 = "PrivacyConsentStatus"
$Name4 = "Protectyourpc"
$Name5 = "HideEULAPage"
New-ItemProperty -Path $registryPath -Name $name1 -Value 1 -PropertyType DWord -Force
New-ItemProperty -Path $registryPath -Name $name2 -Value 1 -PropertyType DWord -Force
New-ItemProperty -Path $registryPath -Name $name3 -Value 1 -PropertyType DWord -Force
New-ItemProperty -Path $registryPath -Name $name4 -Value 3 -PropertyType DWord -Force
New-ItemProperty -Path $registryPath -Name $name5 -Value 1 -PropertyType DWord -Force
gpupdate /force
'@

Out-File -FilePath $(Join-Path $env:ProgramData CustomScripts\disableeula.ps1) -Encoding unicode -Force -InputObject $content -Confirm:$false
 
New-Item -Path "c:\" -Name "temp" -ItemType "directory" -force
$path = "c:\temp"
New-Item -path $path -name "disableeula.txt" -ItemType file -force

# register script as scheduled task
$Time = New-ScheduledTaskTrigger -AtLogOn
$User = "SYSTEM"
$Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ex bypass -file `"C:\ProgramData\CustomScripts\disableeula.ps1`" -Verb RunAs"
Register-ScheduledTask -TaskName "DisableEula" -Trigger $Time -User $User -Action $Action -Force
Start-ScheduledTask -TaskName "DisableEula"

Step 2: Upload the Intunewin app to Intune

Step 3: Block device until required apps are installed, within the ESP page

You have set these apps as required to make sure this app will be installed before the first user logs in.

2.2 Second OOBE possibility:

When enrolling an existing device into Intune you can also skip the OOBE stage. Create a new installation package with Windows configuration Designer and install it: Install-ProvisioningPackage -PackagePath “C:\temp\project_2\project_2.ppkg” -QuietInstall

Please beware

1.Download the APK version

https://go.microsoft.com/fwlink/?linkid=2120254

2. The service account you are using must have App consent permisisons

3. The service account has to be excluded from all the Conditional Access policies

4. Requiring MFA for an azure ad join must be disabled.

Conclusion:

Autopilot has its benefits, some of them can also be configured when joining Azure Ad manually. Everyone ends up in removing local admins and skipping the OOBE stage are two of them.

One thought on “The Curious Cage of Hiding the OOBE stage

Leave a Reply

Your email address will not be published. Required fields are marked *

  +  1  =  11