Windows Office Hours: January 16, 2025
Thursday, Jan 16, 2025, 08:00 AM PST
Event details
Get answers to your questions about adopting Windows 11 and managing Windows devices across your organization. Find out how to proactively implement and monitor Zero Trust practices. Get tips on keep...
Pearl-Angeles
Updated Jan 08, 2025
Hung_Dang
Microsoft
Jan 16, 2025
In the ESP profile, make sure the "Only show page to devices provisioned by out-of-box experience (OOBE)" setting is set to No, since you're doing a Workplace Join and not an Entra join/MDM enrollment in OOBE. Setting it to Yes should make the ESP display only when Entra join/MDM enrollment occurs during OOBE. Hope this helps.
Dom_Cote
Jan 16, 2025
Brass Contributor
Yeah - that IS off. As I mentioned, it works as expected when the join/enrollment is done with a username/password combo. It's just FIDO2 / phishing resistant that won't start ESP.
Btw, if we go through OOBE using the same FIDO2 key on the same device with the same account, ESP runs as expected. Awesome deployment experience btw. 😉
As we are an MSP for SMB, most of our customers bring existing devices when they sign up with us. To minimize disruption, we never wipe+load, we just onboard their devices to their (new) M365 tenant, so they can keep their old user profile "as is" and go back to it whenever they want. Works VERY well, btw.
So self-service onboarding existing Windows PCs is our most common scenario. Now that we switched to phishing resistant MFA, we need to ask them to sign in with a username/password combo just ONCE - when they sign in for the first time. That triggers ESP and deployment runs as expected.
(Side note, phishing resistant conditional access doesn't prevent username/password sign ins, it just ALSO asks for WHfB or FIDO2 on top.)
In case it helps and you're interested, I can provide the support ticket I opened a while ago about this.
The agent and their supervisor (both super helpful) said "it just doesn't work", after escalating this. (You'll need to DM me; the forum won't let me share the ticket ID here.)