Issues with Windows 11 Autopilot Hybrid Joined Since last Week

SOLUTION that worked for me (On premise, Hybrid azure / domain AD with intune connector setup)

1. open powershell as admin on the intune connector machine, copy paste this below (just retrieves information)
Get-ADSyncScheduler | fl NextSyncCyclePolicyType,NextSyncCycleStartTimeInUTC,SyncCycleInProgress

2. This should be into the future (1-30 minutes max) --- THIS WAS OUR PROBLEM - it said sync is planned 2 days in the past.

3. We didn't need to do any commands, we just needed to update the windows server machine and did a reboot after, then it said 30 minutes into the future again.


We didn't perform a new factory reset. We just logged in again with the right account and voila.

Before we had the same problem, but the Intune Connector was inactive in Azure. Simply needed to remove intune connector (does not break anything don't worry) and then installing it again. Then we pressed configure and account was created and you need to verify with an admin account and intune connector will be setup succesfully and shows active in Intune via azure portal. (perform the intune connector setup together with copilot or some other AI)

Hello!

I didn't see you mention finding a solution/work-around. Are you still experiencing this issue?
We have suddenly seen the same issue with the same symptoms after devices successfully joining just last week.

Running into similar issues over a month later. Were you able to find a resolution for this?

I started having this exact same issue at the exact same time. The Intune connector wasn't in an error state, it was just gone. Reinstalled the latest connector, still nothing. Tackled this from every possible angle, but I knew our config hadn't changed so I really didn't want to rebuild the whole thing. In the end what got it working was adjusting our Intune URL whitelist; specifically: clientconfig.passport.net and *delivery.mp.microsoft.com. Definitely check to make sure your endpoints are pinging wherever you have your connector installed. Good luck!

We were experiencing a similar error while enrolling hybrid-joined devices. After further troubleshooting, we identified that changes were also required in the ODJConnectorEnrollmentWizard XML file. Additionally, the MSA account needed the appropriate permissions to create device objects in the specified OU.

Once the permissions were assigned and the OU value was added to the XML file, we were able to successfully start the enrollment without any issues.

Here's a MS documentation:  https://learn.microsoft.com/en-us/autopilot/windows-autopilot-hybrid?tabs=general-requirements%2Cupdated-connector%2Cwindows-server-2025#configure-the-msa-to-allow-creating-objects-in-ous-optional

They mentioned it is optional, but it actually is required for Hybrid Autopilot devices

Hi biggingerdazza​ , error 80004005/800004005 at the point where the Autopilot profile downloads but ODJ never starts usually means the Hybrid Join “offline domain join blob” can’t be generated/returned. Since this started suddenly around Dec 4, I’d check two things that have impacted multiple tenants recently:

1. Intune Connector for Active Directory (ODJ connector)

• In Intune: Devices > Enrollment > Windows > Intune Connector for Active Directory (bottom page)
• If it shows Error/Inactive, and/or you’re still on the legacy connector, Hybrid Autopilot ODJ will stop working.
• Fix: uninstall the old connector and install the latest MSA-based connector, then sign in during setup with a properly privileged Intune admin account that also has an Intune license (new requirement).

2. Firewall/network allowlisting changes (Azure Front Door)

• Microsoft announced Intune endpoint changes starting on/after Dec 2, 2025 (Azure Front Door IPs). If your firewall is strict, enrollment/ODJ calls can fail even though things worked for months. Verify outbound allowlisting per the Intune guidance. Support tip: Upcoming Microsoft Intune network changes | Microsoft Community Hub

If you confirm:

• Connector status (Active vs Error) + connector version
• Whether you have strict outbound filtering
  …we can narrow it down quickly, but in most “stopped on Dec 4” cases it’s the connector upgrade and/or new Intune network endpoints.

Same issue here. Connector is up to date. Any news from the MSFT cases?

We’ve been experiencing multiple issues with Autopilot pre-provisioning using the Hybrid Join profile in our tenant over the past few weeks.

• Various applications deployed during device setup are failing inconsistently across different devices.
• The user flow is taking hours to complete and often does not bring users to the desktop. The microsoft-windows-user device registration-admin.evtx log does not show any errors explaining why users are unable to sign in.
  
  Our Intune connector for active directory is up to date (version 6.2505.2001.2)

Please any suggestions on additional steps we can take?

Thanks

biggingerdazza​  We ran into the same problem and fixed it.  Its because your Intune Connector for Active Directory is in error mode.  As of the 4th December, if you were using the old connector, it won't process anymore AD joins/computer object creations.

Go to Intune, Devices, Enrolment, Windows, Intune Connector for AD.  You'll see its in an error state.  You'll see a link above to an Intune blog with instructions.

Effectively...

1. Uninstall old legacy connector on Windows server
2. Install new connector on Windows server (can be the same machine)
3. Within the connector, login with an account which has Intune Admin minimum AND Intune license.
4. This is new - OU placement via script - if you want the process to place new computer objects into specific OU
5. This is new - create a new managed service account which will do the ODJ