elvys_marchon
Copper Contributor
Jan 31, 2022

Error running on-premises Intune Connector for Active Directory (ODJ Connector).

Hi,

I'm trying to add hybrid AAD joined devices to my local AD DS with Autopilot.

I downloaded the ODJConnectorBootstrapper.exe file from the Microsoft Endpoint Manager > Devices > Enroll devices portal, the installation was successful, but after trying to sign in, an error occurred in the log file (C:\Program Files\Microsoft Intune\ODJConnector\ODJConnectorUI\ODJConnectorUI.log) and also in the Event Viewer (Application and Services Logs > ODJ Connector Service).

Event Viewer:
{
"Metric":{
"Dimensions":{
"InstanceId":"746F3603-6956-42CF-B6B0-A9673088C5F0",
"DiagnosticCode":"0x0FFFFFFF",
"DiagnosticText":"We are unable to complete your request because a server-side error occurred. Please try again. [Exception Message: \"DiagnosticException: 0x0FFFFFFF. We are unable to complete your request because a server-side error occurred. Please try again.\"] [Exception Message: \"Value cannot be null.\u000d\u000aParameter name: cert\"]"
},
"Name":"RequestHandlingPipeline_DownloadFailure",
"Value":0
}
}


log file:
ODJ Connector UI Error: 2 : ERROR: Failed to check if machine is already enrolled. Detailed message is: Error in retrieving certificate. A certificate could not be found in the specified store.


The articles I used:
https://docs.microsoft.com/en-pt/mem/autopilot/windows-autopilot-hybrid
https://techcommunity.microsoft.com/t5/intune-customer-success/admins-experience-deploy-hybrid-azure-ad-joined-devices-by-using/ba-p/1131428

 

The IE Enhanced Security Configuration is already OFF, I've removed everything related to Intune and reinstalled only the ODJConnector, I've restarted the server, but the problem persists.

Can anyone help me?

27 Replies

  • Syed8131
    Copper Contributor

    Don't use any domain admin account. Satisfy the above 5 conditions; the WebView2 Runtime should be installed before running the installer. The user who is installing the Intune Connector for Active Directory should have the necessary permissions on the OU. Once the installation is complete, it will create an MSA which will have the same rights on that OU once we add the distinguished name of the OU in the config file.

    To uninstall, delete the managed service account which was created and uninstall using the ODJConnectorBootstrapper.

    Firewall rules should be configured for outbound connectivity to the cloud.

     


  • Moe_Kinani
    Bronze Contributor
    I have seen this issue before when you install the connector before giving the OU permissions. Please uninstall the connector, change the OU permissions and install the Connector just like the steps below:

    Hope this helps!
    Moe

    https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit
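
One way to verify the OU permissions that the two replies above refer to, as an added example that is not part of any post in this thread and not Microsoft's own tooling. It assumes the RSAT ActiveDirectory module is installed; the function name, OU distinguished name and account name are hypothetical placeholders.

```powershell
# Added example: check whether an account holds an Allow ACE that lets it
# create computer objects in an OU. Needs the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-OuComputerCreateRight {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        [Parameter(Mandatory)] [string] $Identity   # 'DOMAIN\name', e.g. a computer account 'DOMAIN\HOST$'
    )

    # schemaIDGUID of the 'computer' class. An all-zero ObjectType means the
    # ACE applies to every object class.
    $computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
    $createChild   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

    # The AD: drive is provided by the ActiveDirectory module.
    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"

    # GenericAll contains the CreateChild bit, so -band also matches Full Control.
    $rules = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Identity -and
        ($_.ActiveDirectoryRights -band $createChild) -and
        ($_.ObjectType -eq $computerClass -or $_.ObjectType -eq [guid]::Empty)
    })

    # Only ACEs naming $Identity directly are considered; rights granted through
    # group membership and Deny ACEs are not evaluated here.
    [pscustomobject]@{
        OU                 = $OuDistinguishedName
        Identity           = $Identity
        CanCreateComputers = ($rules.Count -gt 0)
        MatchingRules      = $rules | Select-Object ActiveDirectoryRights, ObjectType, IsInherited
    }
}

# Placeholder values (assumptions): replace with your OU and the account to check.
Test-OuComputerCreateRight -OuDistinguishedName 'OU=Autopilot,DC=example,DC=com' `
                           -Identity 'EXAMPLE\CONNECTOR01$'
```

Running it before and after changing the delegation shows whether the change actually landed on the OU the connector is configured to use.
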
    • Ka_kashi
      Copper Contributor

      Moe_Kinani 

      Is there a way to fully remove the Intune Connector for Active Directory?

      I uninstalled the connector from the server, but it still shows under Devices>Enroll devices>windows enrollment>Intune Connector for Active Directory. Please advise.

      • Moe_Kinani
        Bronze Contributor

        Sorry about the delay in response!

        Expected, you can’t delete the connector from Intune, it should automatically be removed after some time of inactivity.

        Moe

      • elvys_marchon
        Copper Contributor
        bad news 😞

        I installed it on a domain member server with win 2019 following the steps in the document and the exact same errors occurred.

        Any more ideas?
