diff --git a/libwvdrmengine/cdm/core/include/certificate_provisioning.h b/libwvdrmengine/cdm/core/include/certificate_provisioning.h
index dde4d1e8..097a8006 100644
--- a/libwvdrmengine/cdm/core/include/certificate_provisioning.h
+++ b/libwvdrmengine/cdm/core/include/certificate_provisioning.h
@@ -82,7 +82,8 @@ class CertificateProvisioning {
       const std::string& origin, const std::string& spoid,
       CdmProvisioningRequest* request, std::string* default_url);
   CdmResponseType GetProvisioning40RequestInternal(
-      wvutil::FileSystem* file_system, CdmProvisioningRequest* request);
+      wvutil::FileSystem* file_system, CdmProvisioningRequest* request,
+      std::string* default_url);
   CdmResponseType FillEncryptedClientId(
       const std::string& client_token,
       video_widevine::ProvisioningRequest& provisioning_request);
diff --git a/libwvdrmengine/cdm/core/src/certificate_provisioning.cpp b/libwvdrmengine/cdm/core/src/certificate_provisioning.cpp
index f7ce8efe..77e20747 100644
--- a/libwvdrmengine/cdm/core/src/certificate_provisioning.cpp
+++ b/libwvdrmengine/cdm/core/src/certificate_provisioning.cpp
@@ -26,6 +26,11 @@ const std::string kProvisioningServerUrl =
     "https://www.googleapis.com/"
     "certificateprovisioning/v1/devicecertificates/create"
     "?key=AIzaSyB-5OLKTx2iU5mko18DfdwK5611JIjbUhE";
+// In case of provisioning 4, the default url is used as a way to inform app of
+// the current provisioning stage. In the first stage, this suffix is appended
+// to kProvisioningServerUrl; in the second stage, there is no change to
+// kProvisioningServerUrl.
+const std::string kProv40FirstStageServerUrlSuffix = "&preProvisioning=true";
 
 // NOTE: Provider ID = widevine.com
 const std::string kCpProductionServiceCertificate = wvutil::a2bs_hex(
@@ -207,7 +212,7 @@ CdmResponseType CertificateProvisioning::GetProvisioningRequestInternal(
 
   if (crypto_session_->GetPreProvisionTokenType() ==
       kClientTokenBootCertChain) {
-    return GetProvisioning40RequestInternal(file_system, request);
+    return GetProvisioning40RequestInternal(file_system, request, default_url);
   }
 
   // Prepare device provisioning request.
@@ -298,7 +303,8 @@ CdmResponseType CertificateProvisioning::GetProvisioningRequestInternal(
 }
 
 CdmResponseType CertificateProvisioning::GetProvisioning40RequestInternal(
-    wvutil::FileSystem* file_system, CdmProvisioningRequest* request) {
+    wvutil::FileSystem* file_system, CdmProvisioningRequest* request,
+    std::string* default_url) {
   if (!crypto_session_->IsOpen()) {
     LOGE("Crypto session is not open");
     return PROVISIONING_4_CRYPTO_SESSION_NOT_OPEN;
@@ -333,6 +339,15 @@ CdmResponseType CertificateProvisioning::GetProvisioning40RequestInternal(
     }
   }
 
+  if (stored_oem_cert.empty()) {
+    // This is the first stage provisioning.
+    default_url->assign(kProvisioningServerUrl +
+                        kProv40FirstStageServerUrlSuffix);
+  } else {
+    // This is the second stage provisioning.
+    default_url->assign(kProvisioningServerUrl);
+  }
+
   // If this is the first stage, |stored_oem_cert| remains empty. In this case,
   // the client identification token will be retrieved from OEMCrypto, which is
   // the BCC in this case.