What Pre-Provisioning Does
Pre-provisioning (formerly "White Glove") splits Autopilot into two phases:
- Technician phase — done in your IT room. The device joins Azure AD, downloads policies and apps in the device context. A technician initiates this by pressing Windows 5 times at the OOBE screen.
- User phase — done by the end user at their desk. Completes quickly because the heavy lifting was done in phase 1.
Pre-provisioning fails at the technician phase, showing a red screen with an error code.
Red Screen — Common Error Codes
0x800705B4 — Timeout
The device timed out waiting for apps or policies to install. Usually large apps, slow network, or a required app that's silently failing.
# After failure, check what was being installed # Navigate the device to the MDM Diagnostics log: # %windir%\Temp\MDMDiagnostics\MDMDiagReport.html # Open it in a browser and search for "failed"
0x80180018 — MDM enrollment failed
The device couldn't complete MDM enrollment. Usually caused by MDM auto-enrollment not being configured, or the enrolling account lacking a license.
dsregcmd /status | findstr /i "MDM AzureAd Workplace"
0x80070774 — TPM attestation failed
Required for Self-Deploying mode. Fix: clear the TPM, update firmware, and retry.
# Clear TPM — requires reboot — data loss risk on encrypted drives Clear-Tpm
0xc000006d — Logon failed
Credentials were wrong or the account doesn't have an Intune license. Verify the enrolling account is licensed and not blocked for sign-in in Azure AD.
ESP Timeout Failures
The Enrollment Status Page blocks pre-provisioning from completing until all required apps install. If any app fails or takes too long, the ESP times out.
# Check app install status for the device in Intune: # Intune -> Devices -> [device] -> App install status # Look for "Failed" or "Pending install"
Common fixes:
- Remove large apps from the required assignment — only essential apps should block enrollment
- Increase the ESP timeout: Devices → Windows enrollment → Enrollment Status Page → [profile] → Error timeout. Set to 120 minutes for large app sets.
- Only Win32 apps with a valid detection rule reliably report status to the ESP — store apps and LOB apps can cause hangs
Network and Proxy Issues
Pre-provisioning makes extensive calls to Microsoft endpoints. A proxy that requires authentication will break it entirely — the device context has no credentials to pass.
# Test connectivity from the device OOBE — press Shift+F10 for CMD, then: ping manage.microsoft.com curl -v https://manage.microsoft.com
Required endpoints — must be reachable without proxy authentication:
*.microsoftonline.com*.windows.net*.manage.microsoft.com*.windowsupdate.comgo.microsoft.com
Read the Diagnostics
On the red screen, a View Diagnostics link appears. Click it to download a ZIP of MDM logs. Key files:
MDMDiagReport.html— overall enrollment report with app statusAutopilotDDSZTDFile.json— shows the Autopilot profile that was applieddeviceenrollment.log— detailed enrollment timeline with error codes
Search deviceenrollment.log for error or fail to find the exact point of failure.
Reset and Retry
# From the red screen: press the Windows key to access OOBE options # Or: Settings -> Update & Security -> Recovery -> Reset this PC -> Remove everything # Autopilot Reset (re-runs OOBE, keeps device enrolled in Intune) # In Intune: Devices -> [device] -> Autopilot Reset