Intune Autopilot ESP Timeout During Win32 App and Certificate Profile Deployment on Windows 11 24H2/25H2
Microsoft Intune Autopilot provisioning fails during the Enrollment Status Page (ESP) phase with a generic timeout error on Windows 11 24H2 and 25H2 devices. The failure is caused by IntuneManagementExtension side-car agent tracking failures and TPM attestation bottlenecks introduced by hardware provider driver structural changes in these OS versions, preventing Win32 LOB app or certificate profile deployment from reporting completion to the ESP. The primary workaround is to remove non-critical Win32 LOB apps from the ESP blocking list so devices reach the desktop while installations complete silently in the background. Critical apps and certificate profiles requiring TPM attestation require hardware vendor driver investigation for a permanent fix.
Indicators
- Enrollment Status Page (ESP) hangs indefinitely and eventually displays a generic timeout error during device provisioning — device cannot proceed past the ESP screen
- Win32 LOB application deployment profiles fail to complete within the ESP tracking window
- Certificate deployment profiles fail to complete within the ESP tracking window
- Newly provisioned corporate laptops require manual L3 engineer intervention to bypass the ESP failure screen
- IntuneManagementExtension.log at C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log contains non-zero exit codes associated with Win32 LOB app deployments or TPM attestation timeout/error entries
Likely causes
- Intune side-car agent (IntuneManagementExtension) installation tracking failure: the agent fails to report successful app installation status back to the ESP, causing the ESP to wait until timeout rather than advance.
- TPM attestation bottleneck introduced by hardware provider driver structural updates on Windows 11 24H2/25H2: attestation steps required before certificate profiles or certain app profiles can be applied are stalled or failing, blocking the ESP phase from completing.
Diagnostic steps
- At the ESP failure/timeout screen, press Shift + F10 to open a command prompt session during the OOBE/ESP phase. This opens a local command prompt without completing provisioning, enabling log inspection on the stuck device.
- Open the primary Intune diagnostic log: type 'notepad C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log' at the command prompt, or use 'type C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log | more' to page through it. This log contains app installation exit codes and attestation step details that identify the specific failure point causing the ESP timeout.
- Search IntuneManagementExtension.log for non-zero exit codes associated with Win32 LOB application deployments. Look for lines containing 'ExitCode', 'InstallResult', or 'failed' alongside application names. Non-zero exit codes (anything other than 0 or 3010) indicate installation or tracking failures. This determines whether a specific Win32 LOB application is failing to install or failing to report its status to the IntuneManagementExtension agent, triggering the ESP timeout.
- Search IntuneManagementExtension.log for TPM attestation errors or timeouts. Look for entries referencing 'attestation', 'TPM', 'timeout', or error codes associated with hardware attestation steps. This determines whether TPM attestation bottlenecks (caused by hardware provider driver structural changes on 24H2/25H2) are stalling certificate profile or app profile deployment, independently of or in addition to Win32 tracking failures.
- Cross-reference the identified failing apps or attestation errors against the ESP profile configuration in the Intune admin portal: navigate to Devices > Enroll devices > Enrollment Status Page > select the relevant ESP profile, and review which Win32 LOB apps are listed under 'Block device use until these required apps are installed'. This identifies which specific apps are currently configured as blocking in the ESP and determines which can be safely moved to non-blocking to implement the workaround.
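The log search described in the diagnostic steps above can be scripted so the stuck device reports every Win32 app result outside the 0/3010 success codes and every TPM/attestation entry in one pass. The script below is an added example, not code from the original page or from Microsoft; it assumes IntuneManagementExtension.log uses the CMTrace line format (`<![LOG[message]LOG]!><time="..." date="..." component="..." type="N" ...>`) and that app results contain the literal text 'ExitCode' or 'exit code'. The script name Find-EspFailures.ps1, the -UseSample switch, and the sample log lines are constructed for the example.

```powershell
# Find-EspFailures.ps1 (hypothetical name) - added example, not from the original page.
# Scans IntuneManagementExtension.log for Win32 app exit codes other than 0/3010 and
# for TPM/attestation entries. Assumes the CMTrace log line format (see lead-in).
param(
    [string]$LogPath = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log',
    [switch]$UseSample   # run against the constructed sample below instead of the real log
)

# Constructed sample lines (not captured from a real device); GUIDs and app names are made up.
$sample = @'
<![LOG[[Win32App] ExitCode 0 for app id 11111111-1111-1111-1111-111111111111 (ContosoAgent)]LOG]!><time="10:01:02.000+000" date="3-4-2025" component="IntuneManagementExtension" context="" type="1" thread="5" file="">
<![LOG[[Win32App] ExitCode 1603 for app id 22222222-2222-2222-2222-222222222222 (LegacyLobTool)]LOG]!><time="10:02:15.000+000" date="3-4-2025" component="IntuneManagementExtension" context="" type="3" thread="5" file="">
<![LOG[[Win32App] ExitCode 3010 for app id 33333333-3333-3333-3333-333333333333 (VpnClient)]LOG]!><time="10:03:40.000+000" date="3-4-2025" component="IntuneManagementExtension" context="" type="1" thread="5" file="">
<![LOG[TPM attestation timeout while provisioning certificate profile]LOG]!><time="10:05:00.000+000" date="3-4-2025" component="IntuneManagementExtension" context="" type="3" thread="7" file="">
'@

$lines = if ($UseSample) { $sample -split "`r?`n" } else { Get-Content -Path $LogPath }

# Parse each CMTrace line into message, date, time and severity (type 1=Info, 2=Warning, 3=Error).
$cmTrace = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)".*?type="(?<type>\d)"'
$entries = foreach ($line in $lines) {
    if ($line -match $cmTrace) {
        [pscustomobject]@{
            Date     = $Matches.date
            Time     = $Matches.time
            Severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }[$Matches.type]
            Message  = $Matches.msg
        }
    }
}

# 1. Win32 app results whose exit code is neither 0 (success) nor 3010 (success, reboot required).
$exitCodeRx = 'exit\s*code\W*(?<code>-?\d+)'   # -match is case-insensitive in PowerShell
$badExits = foreach ($e in $entries) {
    if (($e.Message -match $exitCodeRx) -and (([int]$Matches.code) -notin @(0, 3010))) {
        [pscustomobject]@{ Time = $e.Time; Severity = $e.Severity; ExitCode = [int]$Matches.code; Message = $e.Message }
    }
}

# 2. TPM / attestation entries, plus any error-severity timeout.
$attest = foreach ($e in $entries) {
    if (($e.Message -match 'attestation|\bTPM\b') -or
        ($e.Severity -eq 'Error' -and $e.Message -match 'timeout')) {
        $e
    }
}

Write-Host "Parsed $(@($entries).Count) log entries from $(if ($UseSample) { 'sample' } else { $LogPath })"
Write-Host "`n== Win32 app results with exit code not in {0, 3010} =="
$badExits | Format-Table Time, Severity, ExitCode, Message -AutoSize -Wrap
Write-Host "`n== TPM / attestation / error-timeout entries =="
$attest | Format-Table Time, Severity, Message -AutoSize -Wrap
```

From the Shift + F10 prompt, run it with `powershell -ExecutionPolicy Bypass -File .\Find-EspFailures.ps1` (add `-UseSample` to check the parser against the embedded sample first). On the sample input the first table lists only the 1603 result for LegacyLobTool, and the second lists the attestation timeout entry; the 0 and 3010 results are deliberately excluded, matching the success codes named in the diagnostic step.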
Resolution path
1. In the Microsoft Intune admin portal, navigate to: Devices > Enroll devices > Enrollment Status Page > select the relevant ESP profile.
2. Edit the ESP profile: under 'Block device use until all apps and profiles are installed', review the list of tracked Win32 LOB applications. For each non-critical application (i.e., not endpoint protection, VPN client, or compliance tooling), remove it from the blocking list or set it as not tracked so it does not prevent the ESP from advancing.
3. Save the updated ESP profile and reassign it to the affected device group. On the next Autopilot provisioning attempt, the device will be allowed to reach the Windows desktop while non-critical Win32 LOB applications install silently in the background via the IntuneManagementExtension agent.
4. For critical apps or certificate profiles that must complete before desktop access and are failing due to TPM attestation bottlenecks: engage the hardware vendor (laptop OEM) for updated TPM provider drivers validated for Windows 11 24H2/25H2, and retest provisioning after driver updates are applied via a BIOS/firmware or driver package update in Autopilot or a pre-provisioning step.
Prevention
- Audit ESP profiles on a recurring basis and classify Win32 LOB applications as blocking or non-blocking based on strict security criticality — only apps essential for secure device operation before desktop access (endpoint protection agents, VPN clients, certificate trust anchors) should block the ESP phase.
- After every major Windows 11 feature update (e.g., 24H2, 25H2) or significant hardware vendor driver update, perform a pilot Autopilot provisioning test on 2–3 representative hardware models before broad fleet deployment to detect TPM attestation regressions or ESP tracking failures early.
- Monitor IntuneManagementExtension.log proactively during pilot provisioning runs by reviewing it via Shift+F10 at the ESP phase, checking for non-zero exit codes or attestation failure entries before those failures impact the full device fleet.
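The recurring ESP audit in the prevention list above can be automated against Microsoft Graph so every profile's blocking apps are compared with an allowlist of security-critical apps. The script below is an added example, not code from the original page or from Microsoft; it assumes the Microsoft.Graph.Authentication module is installed, that the beta endpoint deviceManagement/deviceEnrollmentConfigurations returns ESP profiles of type #microsoft.graph.windows10EnrollmentCompletionPageConfiguration with the properties selectedMobileAppIds, allowDeviceUseBeforeProfileAndAppInstallComplete and installProgressTimeoutInMinutes, and that deviceAppManagement/mobileApps/{id} returns displayName. The $criticalApps list and the app names in it are constructed for the example and must be replaced with the organisation's own.

```powershell
# Audit-EspBlockingApps.ps1 (hypothetical name) - added example, not from the original page.
# Lists each ESP profile's blocking Win32 apps and flags those outside a critical-app allowlist.
# Assumes the Graph beta properties named in the lead-in; requires read-only Graph scopes.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All', 'DeviceManagementApps.Read.All'

# Constructed allowlist: only apps essential before desktop access should keep blocking the ESP.
$criticalApps = @('Contoso Endpoint Protection', 'Contoso VPN Client', 'Contoso Root Trust Package')

$espType = '#microsoft.graph.windows10EnrollmentCompletionPageConfiguration'
$uri     = 'https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations'

# Follow @odata.nextLink so large tenants are fully enumerated.
$configs = @()
do {
    $page    = Invoke-MgGraphRequest -Method GET -Uri $uri
    $configs += @($page.value | Where-Object { $_.'@odata.type' -eq $espType })
    $uri     = $page.'@odata.nextLink'
} while ($uri)

# Resolve app ids to display names once each.
$appNameCache = @{}
function Get-AppDisplayName([string]$AppId) {
    if (-not $appNameCache.ContainsKey($AppId)) {
        $app = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/$AppId"
        $appNameCache[$AppId] = $app.displayName
    }
    return $appNameCache[$AppId]
}

$report = foreach ($cfg in $configs) {
    # Assumption: selectedMobileAppIds is empty when the profile blocks on "all" required apps,
    # which deserves review on its own because every assigned Win32 app then gates the ESP.
    $ids = @($cfg.selectedMobileAppIds)
    if ($ids.Count -eq 0) {
        [pscustomobject]@{
            Profile        = $cfg.displayName
            BlocksDesktop  = -not $cfg.allowDeviceUseBeforeProfileAndAppInstallComplete
            TimeoutMinutes = $cfg.installProgressTimeoutInMinutes
            App            = '(all required apps)'
            Verdict        = 'REVIEW: profile blocks on every assigned app'
        }
        continue
    }
    foreach ($id in $ids) {
        $name = Get-AppDisplayName $id
        [pscustomobject]@{
            Profile        = $cfg.displayName
            BlocksDesktop  = -not $cfg.allowDeviceUseBeforeProfileAndAppInstallComplete
            TimeoutMinutes = $cfg.installProgressTimeoutInMinutes
            App            = $name
            Verdict        = if ($criticalApps -contains $name) { 'KEEP blocking' } else { 'REVIEW: candidate for non-blocking' }
        }
    }
}

$report | Sort-Object Profile, Verdict | Format-Table -AutoSize -Wrap
```

Run it from an admin workstation after each feature-update pilot; every row marked REVIEW is an app that gates the ESP without meeting the page's criticality criteria and is a candidate for the non-blocking list in the resolution path. The script only reads configuration, so it can run under a least-privilege identity that holds no write scopes.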
Tools
- Shift + F10 — opens a command prompt during ESP/OOBE failure screen for on-device diagnostics
- IntuneManagementExtension.log (C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\) — primary diagnostic log for ESP failures, app exit codes, and TPM attestation errors
- Microsoft Intune admin portal — ESP profile configuration, app blocking list management, and profile reassignment
- Intune Company Portal — post-provisioning app installation status verification
References
- Intune Autopilot Provisioning Failure via ESP Timeout Errors — The Triage Manual