Unfortunately, there is no setting in Intune with which you can determine whether an app should be installed during ESP (Enrollment Status Page) or only after ESP. Of course, it is a huge advantage to install as many apps as possible during the ESP or even better during the white glove phase so that you have a ready to use device after enrollment. But there are cases where it can make sense to install an app after the ESP, for example if the installation routine requires an interaction. How you can skip the installation of an app in the ESP I will explain now.

How can I detect if I am in ESP?

Option 1

This is actually quite simple. During ESP the processes are executed with the “defaultuser0”. What we need to do now is simply check under which user the explorer process is running. If it is running under “defaultuser0” then we are in the ESP. If it is another user then it is after the ESP. Sometimes the process also create and “defaultuser1”. To make it more resistant we also check for this user.

To check this I have wrote a little requirement script:

<#
Version: 1.0
Author: Jannik Reinhard (jannikreinhard.com)
Script: Get-EspDetection
Description:
Skip the ESP for app installation
Release notes:
Version 1.0: Init
#> 

$processesExplorer = @(Get-CimInstance -ClassName 'Win32_Process' -Filter "Name like 'explorer.exe'" -ErrorAction 'Ignore')
$esp = $false
foreach ($processExplorer in $processesExplorer) {
    $user = (Invoke-CimMethod -InputObject $processExplorer -MethodName GetOwner).User
    if ($user -eq 'defaultuser0' -or $user -eq 'defaultuser1') {$esp = $true}
}

Write-Host $esp 

Option 2

There is a second option. For each ESP phase (Device preparation, Device setup and Account setup) are registry keys are write regarding the status. You can find this key in the following path: “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\AutopilotSettings”.

Also for this I wrote a script:

<#
Version: 1.0
Author: Jannik Reinhard (jannikreinhard.com)
Script: Get-EspDetection
Description:
Skip the ESP for app installation
Release notes:
Version 1.0: Init
#> 


[bool]$DevicePrepComplete = $false
[bool]$DeviceSetupComplete = $false
[bool]$AccountSetupComplete = $false

$regPath = 'HKLM:\SOFTWARE\Microsoft\Provisioning\AutopilotSettings'
$esp = $true

try{
    $devicePreperationCategory = (Get-ItemProperty -Path $regPath -Name 'DevicePreparationCategory.Status' -ErrorAction 'Ignore').'DevicePreparationCategory.Status'
    $deviceSetupCategory = (Get-ItemProperty -Path $regPath -Name 'DeviceSetupCategory.Status' -ErrorAction 'Ignore').'DeviceSetupCategory.Status'
    $sccountSetupCategory = (Get-ItemProperty -Path $regPath -Name 'AccountSetupCategory.Status' -ErrorAction 'Ignore').'AccountSetupCategory.Status'

}catch{
    $esp = $false
}

if (-not (($devicePreperationCategory.categorySucceeded -eq 'True') -or ($devicePreperationCategory.categoryState -eq 'succeeded'))) {$esp = $false}
if (-not (($deviceSetupCategory.categorySucceeded -eq 'True') -or ($deviceSetupCategory.categoryState -eq 'succeeded'))) {$esp = $false}
if (-not (($sccountSetupCategory.categorySucceeded -eq 'True') -or ($sccountSetupCategory.categoryState -eq 'succeeded'))) {$esp = $false}


Write-Host $esp 

How to add the requirements scrip

• Open the MEM portal and navigate to the app you want to skip the ESP
• Click Edit and Requirements

• Click +Add for Configure additional requirement rules

• Select the following settings:
  • Select Script
  • Upload the Requirement script
  • Select Boolean as “Select output data type“
  • Operator: Equals
  • Value: No
• Click OK and save the settings