Forum Discussion

theworstsysadminalive
Copper Contributor
Jan 08, 2025

Domain Join Configuration Profile suddenly erroring out.

Good morning,

I have never posted on here, so I hope this goes through. I have been working on getting HAADJ Autopilot set up in my organization the past few weeks and it has been going well so far, except for yesterday.

In my testing I have successfully deployed a few machines using the HAADJ Autopilot process with not many issues. Yesterday I pre-provisioned a laptop with no issues; it domain joined and Entra joined and I was able to reseal. A few minutes later I tried a different machine and then it didn't work on that machine. Since then I have been trying multiple machines, and it seems to not be working now at all. I am not sure what broke or changed in my environment that caused this to change.

I am very new at Intune and picked up this environment from a team that left a few months ago, so it is a miracle I have gotten this far by myself, but now I am at a complete loss. This just broke on me and I have no lead as to what may have caused this.

Please, if anyone has ANY ideas on where to start with this, let me know. Google has not been much help.

This is what I see when I check the report on the domain join config profile:


9 Replies

  • bjocol
    Copper Contributor

    I also ran into the issue where it "suddenly" stopped working as well, only getting an error in the event log that didn't say anything useful.

    Turns out I skipped the following step in the article https://learn.microsoft.com/en-us/autopilot/windows-autopilot-hybrid?tabs=general-requirements%2Cupdated-connector%2Cwindows-server-2025#increase-the-computer-account-limit-in-the-organizational-unit. Because of this (as mentioned in the article) no more than 10 computers could be created by the service account.

    After assigning the right permissions to the service account it started working again.

  • Sriram_Jasti
    Copper Contributor

    I too encountered similar problems, and other problems in the past.

    To resolve the issues once and for all from the root, I completely uninstalled the existing Intune Connector for Active Directory and installed the new version.

    Before installing the Intune Connector for Active Directory, install WebView2 or follow the instructions below.

    1. Verify Prerequisites

    1.1. Windows Server 2016 or later.

    1.2. .NET Framework version 4.7.2 or later (verify by navigating to HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full).

    1.3. The server hosting the Intune Connector for Active Directory must have access to the Internet and Active Directory (https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/intune-endpoints).

    1.4. To increase scale and availability, multiple connectors can be installed in a domain. Each connector must be able to create computer objects in the domain that it supports.

    1.5. The administrator installing the Intune Connector for Active Directory must be a local administrator on the server where the Intune Connector for Active Directory is being installed.

    1.6. Explicitly grant permissions on C:\Program Files\Microsoft Intune\ODJConnector\ODJConnectorEnrollmentWizard.

    2. Installation Procedure

    2.1. Navigate to https://developer.microsoft.com/en-us/microsoft-edge/webview2/?form=MA13LH#download, download the Evergreen Bootstrapper version and then Run as Administrator.

    2.2. After successful WebView2 installation, we'll install the Intune Connector. Go to Intune Admin Center > Devices > Enrollment > Intune Connector for Active Directory > Add > Download and Run as Administrator.

    2.3. After successfully installing the Connector, sign in using an Intune Administrator account or Global Administrator account.

    2.4. Now we need to grant the right permissions. Navigate to C:\Program Files\Microsoft Intune\ODJConnector\ODJConnectorEnrollmentWizard. Click on Properties and then give Full Control to the login account.

    2.5. Open ODJConnectorEnrollmentWizard.exe.config with Notepad. Add the OU's Distinguished Name after the value="

    2.6. Create msDs-ManagedServiceAccount objects in the Managed Service Accounts container in Active Directory.

    2.7. Local administrator rights on the server where the Intune connector is installed.

    3. Post Installation Procedure

    Also, the whole process is a lot easier if you use a domain admin account to install and configure the setup; otherwise you will need to work with the AD/directory services team to grant the necessary permissions.

    Below are example steps for giving msDs-ManagedServiceAccount permission to a domain account.

    3.1. In Active Directory, use the tool ADSIEDIT.msc to assign the msDs-ManagedServiceAccount permissions to the account.

    3.2. Launch ADSIEDIT.msc, navigate to CN=Managed Service Accounts, and right-click on the container.

    3.3. Select Properties, go to the Security tab, and click on Advanced.

    3.4. Add the account and enable permissions for Create msDs-ManagedServiceAccount.

    3.5. Choose type "Allow", applies to "This object only", and enable "Create msDs-ManagedServiceAccount" while leaving the default read permissions.

    3.6. Next, go back to the Intune Connector and hit Configure Managed Service Account.
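Added example (not code from the thread or from Microsoft): a read-only PowerShell audit of the connector-server prerequisites in steps 1.1, 1.2, 1.5, 2.4 and 2.5 above. The folder and registry paths are the ones quoted in the reply; 461808 is the documented minimum Release value for .NET Framework 4.7.2; the 'value="OU=' pattern is an assumption that only confirms some OU distinguished name was written into the wizard config. It assumes an elevated PowerShell session on the connector server.

```powershell
# Added example (not from the thread): audits connector-server prerequisites
# from steps 1.1, 1.2, 1.5, 2.4 and 2.5 without changing anything.
# Assumed: elevated PowerShell session on the connector server.

$ConnectorDir = 'C:\Program Files\Microsoft Intune\ODJConnector\ODJConnectorEnrollmentWizard'
$ConfigFile   = Join-Path $ConnectorDir 'ODJConnectorEnrollmentWizard.exe.config'

function New-CheckResult([string]$Check, [string]$Detail, [bool]$Pass) {
    [pscustomobject]@{ Check = $Check; Detail = $Detail; Pass = $Pass }
}

function Test-ServerOs {
    # Win32_OperatingSystem.ProductType 1 = workstation; Windows Server 2016 is build 14393
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    New-CheckResult 'Windows Server 2016 or later' $os.Caption (($os.ProductType -ne 1) -and ([int]$os.BuildNumber -ge 14393))
}

function Test-DotNetFramework {
    # Step 1.2: the Release value under this key is 461808 or higher for 4.7.2+
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
    New-CheckResult '.NET Framework 4.7.2 or later' "Release=$release" ([int]$release -ge 461808)
}

function Test-LocalAdmin {
    # Step 1.5: the installing account must be a local administrator (and the session elevated)
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    New-CheckResult 'Session is an elevated local administrator' $id.Name $isAdmin
}

function Test-ConnectorFolderAcl {
    # Step 2.4: the signed-in account needs Full Control on the wizard folder. A grant made to
    # one of the account's groups counts too, so compare against every SID in the token.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($id.User) + @($id.Groups)
    $full = [Security.AccessControl.FileSystemRights]::FullControl
    $acl = Get-Acl -Path $ConnectorDir -ErrorAction SilentlyContinue
    $grants = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $full) -eq $full) -and
        $(try { $tokenSids -contains $_.IdentityReference.Translate([Security.Principal.SecurityIdentifier]) } catch { $false })
    })
    New-CheckResult 'Full Control on ODJConnectorEnrollmentWizard folder' ($grants.IdentityReference -join ', ') ($grants.Count -gt 0)
}

function Test-ConfigHasOu {
    # Step 2.5: an OU distinguished name must have been entered after value=" in the config
    $hit = Select-String -Path $ConfigFile -Pattern 'value="OU=' -ErrorAction SilentlyContinue
    New-CheckResult 'OU distinguished name present in wizard config' ($hit.Line -join '; ') ($null -ne $hit)
}

function Invoke-ConnectorPrereqAudit {
    @(Test-ServerOs; Test-DotNetFramework; Test-LocalAdmin; Test-ConnectorFolderAcl; Test-ConfigHasOu)
}

Invoke-ConnectorPrereqAudit | Format-Table -AutoSize
```

Run it before and after the reinstall described above; a row with Pass = False points at the step to repeat. The folder ACL check deliberately accepts a grant made through a group the account belongs to, since a Full Control entry for Administrators satisfies step 2.4 just as well as one for the individual account.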

  • MSaadSh
    Copper Contributor

    Hello everyone,

    I have had the same issue for a couple of days. I applied the same settings but the error keeps showing up.

    Tried different devices, different ISOs.

  • Hi!

    I have been in a similar situation, where one day it works and the next it doesn't :(
    I went back through and copy and pasted any settings rather than typing them.


    What do you see in Windows Autopilot Devices page?

    Does the device have an assigned profile?

    Home\Devices\Windows\Enrolment\Devices


  • I am getting event code 30132 on the Intune Connector whenever a computer tries to pre-provision or go through the setup. It says: 

    RequestOfflineDomainJoinBlob_Failure: Failed to generate ODJ blob
    RequestId: .......
    DeviceId: ........
    DomainName: .......
    RetryCount: 0
    ErrorDescription: Failed to call NetProvisionComputerAccount machineName=LAPTOP-........
    InstanceId: .....
    DiagnosticCode: 268435455
    WinErrorCode: 8557
    DiagnosticText: We are unable to complete your request because a server-side error occurred. Please try again. [Exception Message: "DiagnosticException: 0x0FFFFFFF. We are unable to complete your request because a server-side error occurred. Please try again."] [Exception Message: "Failed to call NetProvisionComputerAccount machineName=LAPTOP-...."]


    Like I said. This was working fine thus far and even yesterday it worked. Then it just stopped working completely.

    Everything I see says to check the config profile spelling and names of the OUs, but I promise NOTHING has changed with those configs.

    I really do not know what is causing the issue. I'm going to try a different image (W10) and see if it works.
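Added example (not code from the thread): a PowerShell parser that turns the 30132 event body quoted above into fields and decodes WinErrorCode with the Windows message table, so a run of these events can be triaged from the connector server instead of read one by one. The sample event is constructed from the redacted text in the post; the log name passed to Get-WinEvent is an assumption to confirm in Event Viewer.

```powershell
# Added example (not from the thread): parse the 30132 event body into fields and decode
# WinErrorCode. The event below is constructed from the redacted text in the post.
# Assumed: the connector writes these events to the log named in Get-OdjFailureEvents.

$SampleEvent = @'
RequestOfflineDomainJoinBlob_Failure: Failed to generate ODJ blob
RequestId: 00000000-0000-0000-0000-000000000000
DeviceId: 11111111-1111-1111-1111-111111111111
DomainName: corp.example.com
RetryCount: 0
ErrorDescription: Failed to call NetProvisionComputerAccount machineName=LAPTOP-EXAMPLE01
InstanceId: 22222222-2222-2222-2222-222222222222
DiagnosticCode: 268435455
WinErrorCode: 8557
DiagnosticText: We are unable to complete your request because a server-side error occurred. Please try again.
'@

function ConvertFrom-OdjFailureEvent {
    param([Parameter(Mandatory)][string]$Message, [datetime]$TimeCreated = (Get-Date))
    # Each "Key: value" line becomes a hashtable entry; the first line has no plain key and is skipped
    $fields = @{}
    foreach ($line in $Message -split "`r?`n") {
        if ($line -match '^\s*(?<key>[A-Za-z]+):\s*(?<value>.*)$') { $fields[$Matches.key] = $Matches.value.Trim() }
    }
    $code = [int]$fields['WinErrorCode']
    $machine = if ($fields['ErrorDescription'] -match 'machineName=(\S+)') { $Matches[1] } else { $null }
    [pscustomobject]@{
        TimeCreated   = $TimeCreated
        DeviceId      = $fields['DeviceId']
        DomainName    = $fields['DomainName']
        MachineName   = $machine
        RetryCount    = [int]$fields['RetryCount']
        WinErrorCode  = $code
        # Win32Exception renders the system text for a Win32 error code;
        # 8557 is ERROR_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED
        WinErrorText  = [System.ComponentModel.Win32Exception]::new($code).Message
        QuotaExceeded = ($code -eq 8557)
    }
}

function Get-OdjFailureEvents {
    # Pull recent 30132 events from the connector's log; the default log name is an assumption
    param([string]$LogName = 'ODJ Connector Service', [int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 30132 } -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object { ConvertFrom-OdjFailureEvent -Message $_.Message -TimeCreated $_.TimeCreated }
}

# Offline demonstration on the constructed event
ConvertFrom-OdjFailureEvent -Message $SampleEvent | Format-List

# On the connector server, summarise live failures by error code:
# Get-OdjFailureEvents | Group-Object WinErrorCode | Select-Object Count, Name
```

WinErrorCode 8557 is ERROR_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED, the same ceiling bjocol's reply describes: the identity creating the computer objects has reached ms-DS-MachineAccountQuota (10 by default) and has no explicit delegation on the OU. Because the count only runs out after some number of successful joins, the failure shows up abruptly after the setup has worked for a while, which matches the "worked yesterday, fails today" pattern in this thread; the QuotaExceeded column separates that case from other codes at a glance.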

    • Ankido
      Iron Contributor

      Hi Theworstsysadminalive

      Based on event code 30132 you described, it seems like there is incorrect permission for the organizational unit where Windows Autopilot is being created. You may need to increase delegation.

      Increase delegation:

      1- Open Active Directory Users and Computers.

      2- Right-click on the OU that will be used to create the Microsoft hybrid joined computers.

      3- In the Delegation of Control wizard, select Add -> Object Types and then select Computers.

      4- In the users, enter the name of the computer where the connector is installed.

      5- Select the custom task and click Next.

      6- Check the box (Only the following objects), check Computer objects and then check the last two boxes (Create selected and Delete selected).

      7- Under permissions select Full Control.

      Please let me know if this works.
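Added example (not code from the thread or from Microsoft): a read-only PowerShell check of the Active Directory delegations the replies above describe, namely Create/Delete Computer objects on the hybrid-join OU for the connector's identity (bjocol's link and Ankido's steps), Create msDS-ManagedServiceAccount on the Managed Service Accounts container for the installing account (Sriram_Jasti's step 3), and the domain's ms-DS-MachineAccountQuota. The OU, computer account and installer account values are placeholders; it assumes the ActiveDirectory RSAT module and a session that can read AD ACLs.

```powershell
# Added example (not from the thread): read-only check of the AD delegations described
# in the replies. Values marked placeholder must be replaced with your own.
# Assumed: ActiveDirectory RSAT module installed; the session can read AD ACLs.
Import-Module ActiveDirectory

$TargetOu       = 'OU=Autopilot,DC=corp,DC=example,DC=com'  # placeholder: OU where hybrid-joined computers are created
$ConnectorId    = 'CORP\ODJSERVER$'                          # placeholder: connector computer account or its MSA
$InstallAccount = 'CORP\intune-installer'                    # placeholder: account running the connector wizard
$Domain         = Get-ADDomain
$MsaContainer   = "CN=Managed Service Accounts,$($Domain.DistinguishedName)"

function Get-SchemaClassGuid {
    # Resolve a class name to its schemaIDGUID, which is what object-specific ACEs carry
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $cls) { throw "Schema class '$LdapDisplayName' not found" }
    [guid]$cls.schemaIDGUID
}

function Test-AdChildObjectRight {
    # Granted = True when an Allow ACE on $ContainerDn gives $Right for $ClassName, or for all
    # classes (ObjectType empty, as a Full Control grant does), directly to $Principal.
    # Caveat: a grant made to a group the principal belongs to is not resolved here.
    param([Parameter(Mandatory)][string]$ContainerDn,
          [Parameter(Mandatory)][string]$Principal,
          [Parameter(Mandatory)][string]$ClassName,
          [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Right)
    $sid = [Security.Principal.NTAccount]::new($Principal).Translate([Security.Principal.SecurityIdentifier])
    $classGuid = Get-SchemaClassGuid -LdapDisplayName $ClassName
    $acl = Get-Acl -Path "AD:\$ContainerDn"     # .Access includes ACEs inherited from parent OUs
    $hits = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $Right) -eq $Right) -and
        ($_.ObjectType -eq $classGuid -or $_.ObjectType -eq [guid]::Empty) -and
        $(try { $_.IdentityReference.Translate([Security.Principal.SecurityIdentifier]) -eq $sid } catch { $false })
    })
    [pscustomobject]@{ Container = $ContainerDn; Principal = $Principal; Class = $ClassName; Right = $Right
                       Granted = ($hits.Count -gt 0); Inherited = ($hits.IsInherited -contains $true) }
}

function Get-MachineAccountQuota {
    # Default is 10: the ceiling bjocol's reply hit before delegating the OU explicitly
    (Get-ADObject -Identity $Domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

$create = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$delete = [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild

@(
    Test-AdChildObjectRight -ContainerDn $TargetOu     -Principal $ConnectorId    -ClassName 'computer' -Right $create
    Test-AdChildObjectRight -ContainerDn $TargetOu     -Principal $ConnectorId    -ClassName 'computer' -Right $delete
    Test-AdChildObjectRight -ContainerDn $MsaContainer -Principal $InstallAccount -ClassName 'msDS-ManagedServiceAccount' -Right $create
) | Format-Table -AutoSize
"ms-DS-MachineAccountQuota = $(Get-MachineAccountQuota)"
```

The check tests for the narrow rights (create and delete computer objects on the OU) rather than demanding Full Control; a Full Control entry still passes because its ObjectType is empty and its rights mask includes both bits, but the narrow delegation is the least-privilege form and is what the connector actually needs. The quota line is worth reading alongside the results: many hardened domains set ms-DS-MachineAccountQuota to 0, in which case the connector's identity can only ever create computer objects through an explicit delegation like the one checked here.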