
Pre-provisioning Reseal issue. After a couple of days the enrolment profile is missing

Karthick Sekar 0 Reputation points
2026-04-03T00:58:29.7766667+00:00

We are in the process of an SCCM to Intune migration and planned to have Intune build on the newly built machines, using pre-provisioning with Windows Autopilot. I tried pre-provisioning a couple of machines with Windows Autopilot and resealed them. After a couple of days, when I tried to hand over the machine to the user to proceed with the user flow, I found that the enrollment profile is missing from the machine and it is stuck in the 'checking the connection to Microsoft' loop after network selection. However, I am able to see the device entry in Intune and Entra ID without a primary user assigned.
So once again I need to reset, do the pre-provisioning and hand over the machine to the user. We have Win 11 24H2 that is getting updated to 25H2; I noticed the problem with this, and it's happening only on Entra joined machines.
Any troubleshooting steps to fix it are much appreciated.
Note: I did the testing on on-prem domain-joined machines, and those machines are co-managed. I can see the entry in Entra ID shown as Microsoft Entra Hybrid Join. If you are suggesting clearing the device object both on-prem and in Entra, please suggest the step-by-step procedure to clear the device object. Thanks.

Microsoft Security | Windows Autopilot

1 answer

  1. Q&A Assist
    2026-04-03T00:58:48.4066667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Windows Autopilot pre-provisioning has specific lifecycle and re-enrollment behaviors that explain the symptoms described and define the supported remediation steps.

    Key points from the documented behavior:

    1. Pre-provisioned devices cannot automatically re-enroll via Autopilot
      • After an initial deployment using pre-provisioning mode, a device cannot automatically re-enroll through Windows Autopilot.
      • To reuse a device with Autopilot pre-provisioning, the device record must be deleted in Intune before redeployment:
        • In the Microsoft Intune admin center: Devices → All devices → select the device(s) → Delete.
      • This is required before starting the process over again with pre-provisioning.
    2. Technician flow and User flow timing requirements
      • Technician flow (pre-provisioning) completes, the device is resealed, and then handed to the user for User flow.
      • The User flow should be run within six months after the Technician flow finishes. Waiting more than six months can cause Intune Management Engine certificate issues and app/policy errors.
      • Additionally, it is important to wait at least 90 minutes between completion of Technician flow and starting User flow, especially in lab/testing scenarios, to ensure token refresh between flows.
      • If User flow is started too soon (within 90 minutes) or after a very long delay (beyond the supported window), enrollment and ESP behavior can be unreliable.
    3. ESP and reseal behavior
      • Technician flow inherits behavior from self-deploying mode and uses the Enrollment Status Page (ESP) to hold the device in a provisioning state.
      • If ESP is disabled or misconfigured, the reseal button can appear before all software and configuration are fully applied. In that case, the success screen confirms enrollment success, not necessarily that all technician provisioning is complete.
      • If the device is resealed and handed over before technician provisioning is fully complete, the subsequent User flow can encounter issues, including enrollment/profile problems.
    4. Recommended troubleshooting and remediation steps
      Based on the documented behavior, the supported path to fix devices that have already gone through pre-provisioning but are now failing in User flow is:
      1. For each affected device:
        • Reset the device so that OOBE restarts.
      2. In Intune:
        • Go to Devices → All devices.
        • Locate the affected device entries.
        • Delete the device records.
      3. If using pre-provisioning again:
        • Ensure the device is still registered for Autopilot and has the correct Autopilot profile assigned.
        • Run Technician flow again and wait for the success screen.
        • Confirm ESP is enabled and correctly targeted to the device, as an ESP profile must be targeted for pre-provisioning.
        • After Technician flow completes and the device is resealed, wait at least 90 minutes before starting User flow.
        • Ensure User flow is started within six months of Technician flow completion.
    5. Hybrid vs Entra join considerations
      • For Microsoft Entra hybrid join pre-provisioning, the OEM/technician phase does not require access to on-prem domain infrastructure; domain connectivity is only required when the end user unboxes the device on-premises.
      • The described behavior (device visible in Entra ID and Intune, but issues at OOBE) aligns with the documented requirement that devices cannot automatically re-enroll after a pre-provisioning deployment and must be reset and have their Intune device records deleted before reusing Autopilot pre-provisioning.

    For ongoing deployments, ensure:

    • ESP is enabled and targeted to the devices used in pre-provisioning.
    • Technician flow is allowed to fully complete before reseal.
    • User flow is started after the 90-minute token-refresh window and within six months of Technician flow.
    • Devices that need to be rebuilt with pre-provisioning have their Intune device records deleted before starting the new cycle.
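
The cleanup and timing checks from the answer above, scripted as an added example (not part of the original question or answer, and not Microsoft's own script). It assumes the Microsoft Graph PowerShell SDK is installed; the function names, the recorded Technician flow timestamp and the serial number are hypothetical.

```powershell
# Added example. Needs the Microsoft.Graph.DeviceManagement and
# Microsoft.Graph.DeviceManagement.Enrollment modules (assumption: already installed).

# Is "now" inside the handover window the answer describes:
# at least 90 minutes and at most six months after Technician flow finished?
function Test-UserFlowWindow {
    param(
        [Parameter(Mandatory)] [datetime] $TechnicianFlowCompleted,  # recorded by the technician (assumption)
        [datetime] $Now = (Get-Date)
    )
    $earliest = $TechnicianFlowCompleted.AddMinutes(90)
    $latest   = $TechnicianFlowCompleted.AddMonths(6)
    if ($Now -lt $earliest) { return "TooEarly: wait until $($earliest.ToString('u'))" }
    if ($Now -gt $latest)   { return "Expired: window closed $($latest.ToString('u')); redo Technician flow" }
    return 'OK'
}

# Before repeating pre-provisioning: confirm the device is still registered for
# Autopilot with a profile assigned, then delete its Intune device record(s).
function Reset-PreProvisionedDevice {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)] [string] $SerialNumber)

    $safe = $SerialNumber.Replace("'", "''")   # escape quotes for the OData filter
    $ap = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -Filter "contains(serialNumber,'$safe')" |
        Where-Object SerialNumber -eq $SerialNumber
    if (-not $ap) {
        Write-Warning "$SerialNumber is not registered for Autopilot; register it before Technician flow."
    } else {
        Write-Host "$SerialNumber Autopilot profile status: $($ap.DeploymentProfileAssignmentStatus)"
    }

    $records = Get-MgDeviceManagementManagedDevice -Filter "serialNumber eq '$safe'" -All
    foreach ($d in $records) {
        if ($PSCmdlet.ShouldProcess("$($d.DeviceName) [$($d.Id)]", 'Delete Intune device record')) {
            Remove-MgDeviceManagementManagedDevice -ManagedDeviceId $d.Id
        }
    }
}

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.ReadWrite.All', 'DeviceManagementServiceConfig.Read.All'

# Constructed sample values; -WhatIf lists what would be deleted without deleting it.
Test-UserFlowWindow -TechnicianFlowCompleted '2026-03-30T09:00:00'
Reset-PreProvisionedDevice -SerialNumber 'SERIAL-PLACEHOLDER' -WhatIf
```

Drop `-WhatIf` only after the listed records match the devices being rebuilt; the script leaves the Autopilot registration and the Entra ID device object untouched.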
