Forum Discussion
Issues with Windows 11 Autopilot Hybrid Joined Since last Week
Hi all,
as of Thursday 4th December our Windows 11 Autopilot (Hybrid Joined) has ceased functioning. On the very first step, after the user attempts to enter their username&password, we can see the deployment profile gets downloaded to the device but then everything immediately stops with error "Something went wrong. Confirm you are using the correct sign-in information and that your organisation uses this feature. You can try and do this again and contact your system administrator with the error code 800004005". We can see that the ODJ process never starts. And we think we're seeing errors with the device reading the deployment profile JSON locally.
Has anyone else had any errors? Wondering if Microsoft have made a change somewhere or have issues.
13 Replies
- undefined
I started having this exact same issue at the exact same time. The Intune connector wasn't in an error state, it was just gone. Reinstalled the latest connector, still nothing. Tackled this from every possible angle, but I knew our config hadn't changed so I really didn't want to rebuild the whole thing. In the end what got it working was adjusting our Intune URL whitelist; specifically: clientconfig.passport.net and *delivery.mp.microsoft.com. Definitely check to make sure your endpoints are pinging wherever you have your connector installed. Good luck!
We were experiencing a similar error while enrolling hybrid-joined devices. After further troubleshooting, we identified that changes were also required in the ODJConnectorEnrollmentWizard XML file. Additionally, the MSA account needed the appropriate permissions to create device objects in the specified OU.
Once the permissions were assigned and the OU value was added to the XML file, we were able to successfully start the enrollment without any issues.
Here's a MS documentation: https://learn.microsoft.com/en-us/autopilot/windows-autopilot-hybrid?tabs=general-requirements%2Cupdated-connector%2Cwindows-server-2025#configure-the-msa-to-allow-creating-objects-in-ous-optionalThey mentioned it is optional, but it actually is required for Hybrid Autopilot devices
Hi biggingerdazza , error 80004005/800004005 at the point where the Autopilot profile downloads but ODJ never starts usually means the Hybrid Join “offline domain join blob” can’t be generated/returned. Since this started suddenly around Dec 4, I’d check two things that have impacted multiple tenants recently:
1. Intune Connector for Active Directory (ODJ connector)
- In Intune: Devices > Enrollment > Windows > Intune Connector for Active Directory (bottom page)
- If it shows Error/Inactive, and/or you’re still on the legacy connector, Hybrid Autopilot ODJ will stop working.
- Fix: uninstall the old connector and install the latest MSA-based connector, then sign in during setup with a properly privileged Intune admin account that also has an Intune license (new requirement).
2. Firewall/network allowlisting changes (Azure Front Door)
- Microsoft announced Intune endpoint changes starting on/after Dec 2, 2025 (Azure Front Door IPs). If your firewall is strict, enrollment/ODJ calls can fail even though things worked for months. Verify outbound allowlisting per the Intune guidance. Support tip: Upcoming Microsoft Intune network changes | Microsoft Community Hub
If you confirm:
- Connector status (Active vs Error) + connector version
- Whether you have strict outbound filtering
…we can narrow it down quickly, but in most “stopped on Dec 4” cases it’s the connector upgrade and/or new Intune network endpoints.
We have explored all of this already. Several third party experts have checked it all too, and confirmed it should all work. They profile is getting downloaded but then everything stops. No blob even attempted. But if we run Pre-Prov it works. Also, if we run a SSO kerberos Entra key rotation the next Autopilot device works, then the rest fail after that. Microsoft have this with their product team... they seem to think it may be a bug (perhaps related to new endpoints). We see other customers having same issue on reddit forum
https://www.reddit.com/r/Intune/comments/1ph9lse/issues_with_windows_autopilot_hybrid_joined/
Convinced this is a Microsoft back-end issue.
The fact that Pre-Provisioning works doesn’t rule this out, it just means the failure is likely in the post-credential user-driven leg (different calls/endpoints than technician flow).
What I’d suggest adding to your MS case (to speed escalation):
- Screenshot of Intune > Devices > Enrollment > Windows > Intune Connector for AD showing status + version
- Connector logs from the connector server (ODJConnectorSvc.log etc.) around a failed attempt
- Autopilot diagnostics + correlation ID/time from a failing device at the “Something went wrong” screen
As an interim workaround, you already found the most practical one: use Pre-Provisioning until MS confirms the root cause, but I’d still re-check connector currency + AFD allowlisting because many “backend-looking” cases ended up being one of those two.
And just to clarify: the ODJConnectorEnrollmentWizard XML file is fine with permissions?
Same issue here. Connector is up to date. Any news from the MSFT cases?
We’ve been experiencing multiple issues with Autopilot pre-provisioning using the Hybrid Join profile in our tenant over the past few weeks.
- Various applications deployed during device setup are failing inconsistently across different devices.
- The user flow is taking hours to complete and often does not bring users to the desktop. The microsoft-windows-user device registration-admin.evtx log does not show any errors explaining why users are unable to sign in.
Our Intune connector for active directory is up to date (version 6.2505.2001.2)
Please any suggestions on additional steps we can take?
ThanksIs the device join profile applying correctly? Also, if it the process is reporting failure against installation of applications, then I would start checking there first.
biggingerdazza We ran into the same problem and fixed it. Its because your Intune Connector for Active Directory is in error mode. As of the 4th December, if you were using the old connector, it won't process anymore AD joins/computer object creations.
Go to Intune, Devices, Enrolment, Windows, Intune Connector for AD. You'll see its in an error state. You'll see a link above to an Intune blog with instructions.
Effectively...
- Uninstall old legacy connector on Windows server
- Install new connector on Windows server (can be the same machine)
- Within the connector, login with an account which has Intune Admin minimum AND Intune license.
- This is new - OU placement via script - if you want the process to place new computer objects into specific OU
- This is new - create a new managed service account which will do the ODJ
This may require a deep dive, but you can start by checking for some basics - is the device assigned with an AP profile? Has the process ever worked? Do you need to check for the Intune endpoints for network\FW connectivity etc?
Yes it is assign with AP profile.
Yes - it worked for 300+ devices until Thursday morning.
I think FW rules are fine... this has been working for months. Entra AD Sync devices green healthy statusSee if this is affecting you or not.
