📦 Making Applications Mandatory Before First Logon
When setting up new devices, one of the common requests from IT teams is ensuring that certain business-critical applications are installed before a user logs in for the first time. This not only improves the user experience but also ensures compliance and security from day one.
In this article, we’ll explore how you can configure mandatory app installations during Autopilot deployment, why it’s useful and some practical tips to make the process smoother.
Why Pre-Logon Application Installation Matters
Imagine a new employee receiving their laptop on day one. They power it on, sign in and immediately discover that Microsoft Teams, antivirus software or a VPN client is missing. Not only does this delay productivity, but it also creates unnecessary frustration.
By requiring specific apps to be installed before first logon, IT can:
- Ensure security tools are in place.
- Deliver a consistent experience across the organisation.
- Minimise support tickets related to missing applications.
How to Configure Mandatory Apps in Intune
Using Intune with Windows Autopilot, you can configure applications to install in the System Context and set them as required before logon.
Steps:
- Assign the Application: In the Intune portal, go to Apps and assign your chosen app to a device group linked to Autopilot.
- Set as Required: Choose Required assignment.
- Ensure System Context Installation: For app types such as Win32, make sure the app installs at system level rather than in the user context.
- Configure Enrollment Status Page (ESP): The ESP ensures users cannot reach the desktop until mandatory apps finish installing.
This way, users only access their desktop once all required apps are present.
Real-World Scenario
If a financial services company needed to ensure that their VPN software and secure browser were installed before employees accessed corporate resources, they could configure these applications in ESP. This ensures the apps are pre-installed, the device is compliant with company policies and corporate data is accessed only through the secure methods in place.
Troubleshooting Tips
- App Size Matters: Large applications can delay first logon. Prioritise only the most critical apps.
- Monitor ESP Logs: If installation fails, check C:\ProgramData\Microsoft\IntuneManagementExtension\Logs for clues.
- Stagger Less Critical Apps: Non-essential apps can be pushed after logon to speed up first use.
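For the Monitor ESP Logs tip above, here is an added PowerShell example (not from the original article) that pulls warning and error entries out of an Intune Management Extension log. It assumes the logs use the CMTrace entry layout shown in the comment; the function name Get-ImeLogIssue and the sample entries are constructed for illustration.

```powershell
# Added example, not from the original article.
# Assumption: log entries follow the CMTrace layout
#   <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" ...>
# with type 1 = information, 2 = warning, 3 = error.
function Get-ImeLogIssue {
    param(
        [string]$Text = '',                        # raw content of one log file
        [ValidateRange(1, 3)][int]$MinimumType = 2 # 2 = warnings and errors, 3 = errors only
    )
    # (?s) lets the message span several lines, which installer output often does.
    $pattern = '(?s)<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"' +
               '\s+component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"'
    $names = @{ 1 = 'Info'; 2 = 'Warning'; 3 = 'Error' }

    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $type = [int]$m.Groups['type'].Value
        if ($type -lt $MinimumType) { continue }   # skip entries below the threshold
        [pscustomobject]@{
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Severity  = $names[$type]
            Component = $m.Groups['comp'].Value
            Message   = $m.Groups['msg'].Value.Trim()
        }
    }
}

# Constructed sample entries (app name and messages are made up for this example).
$sample = @'
<![LOG[[Win32App] Starting install for Contoso VPN (constructed sample)]LOG]!><time="09:14:02.1234567" date="1-15-2025" component="IntuneManagementExtension" context="" type="1" thread="12" file="">
<![LOG[[Win32App] Installer exited with code 1603
(constructed sample, second line of the same entry)]LOG]!><time="09:16:40.7654321" date="1-15-2025" component="IntuneManagementExtension" context="" type="3" thread="12" file="">
'@

Get-ImeLogIssue -Text $sample | Format-List

# On a device, run the same function over every log in the folder:
# Get-ChildItem 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs' -Filter *.log |
#     ForEach-Object { Get-ImeLogIssue -Text (Get-Content -LiteralPath $_.FullName -Raw) }
```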
Conclusion
Mandatory pre-logon application installation with Autopilot ensures a secure, consistent and user-friendly experience from day one. By carefully selecting which apps to enforce, IT teams can strike the right balance between security and usability.
Takeaway: Use the Enrollment Status Page wisely - keep essential apps required before logon and push secondary apps later.