Forum Discussion
Issues with Windows 11 Autopilot Hybrid Joined Since last Week
Hi biggingerdazza, error 80004005/800004005 at the point where the Autopilot profile downloads but ODJ never starts usually means the Hybrid Join “offline domain join blob” can’t be generated/returned. Since this started suddenly around Dec 4, I’d check two things that have impacted multiple tenants recently:
1. Intune Connector for Active Directory (ODJ connector)
- In Intune: Devices > Enrollment > Windows > Intune Connector for Active Directory (bottom of the page)
- If it shows Error/Inactive, and/or you’re still on the legacy connector, Hybrid Autopilot ODJ will stop working.
- Fix: uninstall the old connector and install the latest MSA-based connector, then sign in during setup with a properly privileged Intune admin account that also has an Intune license (new requirement).
2. Firewall/network allowlisting changes (Azure Front Door)
- Microsoft announced Intune endpoint changes starting on/after Dec 2, 2025 (Azure Front Door IPs). If your firewall is strict, enrollment/ODJ calls can fail even though things worked for months. Verify outbound allowlisting per the Intune guidance. Support tip: Upcoming Microsoft Intune network changes | Microsoft Community Hub
If you confirm:
- Connector status (Active vs Error) + connector version
- Whether you have strict outbound filtering
…we can narrow it down quickly, but in most “stopped on Dec 4” cases it’s the connector upgrade and/or new Intune network endpoints.
- biggingerdazza, Dec 16, 2025, Copper Contributor
We have explored all of this already. Several third-party experts have checked it all too, and confirmed it should all work. The profile is getting downloaded but then everything stops. No blob even attempted. But if we run Pre-Prov it works. Also, if we run an SSO Kerberos Entra key rotation the next Autopilot device works, then the rest fail after that. Microsoft have this with their product team... they seem to think it may be a bug (perhaps related to new endpoints). We see other customers having the same issue on the Reddit forum
https://www.reddit.com/r/Intune/comments/1ph9lse/issues_with_windows_autopilot_hybrid_joined/
Convinced this is a Microsoft back-end issue.
- Simone_Termine, Dec 18, 2025, Brass Contributor
The fact that Pre-Provisioning works doesn’t rule this out; it just means the failure is likely in the post-credential user-driven leg (different calls/endpoints than technician flow).
What I’d suggest adding to your MS case (to speed escalation):
- Screenshot of Intune > Devices > Enrollment > Windows > Intune Connector for AD showing status + version
- Connector logs from the connector server (ODJConnectorSvc.log etc.) around a failed attempt
- Autopilot diagnostics + correlation ID/time from a failing device at the “Something went wrong” screen
As an interim workaround, you already found the most practical one: use Pre-Provisioning until MS confirms the root cause, but I’d still re-check connector currency + AFD allowlisting because many “backend-looking” cases ended up being one of those two.
And just to clarify: the ODJConnectorEnrollmentWizard XML file is fine with permissions?