Forum Discussion
Windows Autopilot Hybrid Join failing with OOBE error 80004005
Hello everyone,
We’re facing a consistent issue with Windows Autopilot user‑driven Microsoft Entra hybrid join where devices are provisioned using a Hybrid Join Autopilot profile, but Hybrid Join does not complete.
Setup (High level)
- Windows Autopilot (user‑driven)
- Autopilot profile: Microsoft Entra hybrid joined
- Only one Autopilot profile
- Domain Join profile configured (domain + OU)
- Entra Connect: Hybrid Join + device writeback enabled
- Intune Connector for Active Directory installed and healthy
- MDM auto‑enrollment enabled
Issue
During Autopilot OOBE, the device frequently shows:
“Something went wrong”
Error code: 80004005
Despite this, Autopilot continues and completes.
Resulting Device State
After provisioning:
- Device appears in Entra ID as Microsoft Entra joined (not Hybrid)
- Device is enrolled into Intune and shows compliant
- Device‑scoped Intune MDM policies do not apply
- dsregcmd confirms Hybrid Join never completed
Understanding So Far
From correlating the OOBE error, dsregcmd output, and final device state:
- Hybrid Join starts but fails mid‑process
- Windows does not roll back provisioning
- Device falls back to Entra ID Join
- Join type is finalized for that run
- Resetting without fixing the root cause repeats the behavior
This explains why devices look healthy but are not Hybrid Joined and why device‑based policies don’t reflect.
Questions
- Is 80004005 during Autopilot OOBE a known indicator of Hybrid Join / Offline Domain Join failure?
- Is fallback from Hybrid Join → Entra ID Join expected when Hybrid Join prerequisites fail?
- Once a device ends up Entra joined, is wipe + reprovision the only supported recovery after fixing the root cause?
- Public Wi‑Fi / offsite scenario: Has anyone successfully completed Hybrid Autopilot using pre‑logon VPN / device tunnel (Always On VPN, GlobalProtect, AnyConnect, etc.) to provide DC line‑of‑sight?
- Which logs are most useful to confirm the exact failure point (ODJ, dsreg, Intune Connector, ESP)?
Thanks in advance for any insights or field experience.
5 Replies
I know what you are trying to achieve here. If you want to join devices to local AD from outside the company, you must configure Autopilot to do ODJ (offline domain join) with SSL VPN.
Is 80004005 a known indicator of Hybrid Join failure?
Yes. In Autopilot HAADJ, it is strongly associated with ODJ failure, DC connectivity issues, and Domain join failure during ESP/OOBE.
Is fallback to Entra Join expected?
Not an intentional fallback. But yes, this resulting behavior is expected. Autopilot does not block completion if Hybrid fails.
Is wipe + reprovision required?
Yes — this is the only supported recovery. There is no supported in-place conversion during the Autopilot lifecycle.
Offsite / Public Wi-Fi scenario
Requirement: Hybrid Join requires DC line-of-sight during OOBE
From a design perspective, I recommend avoiding hybrid Autopilot unless strictly required. I recommend Entra joined and native cloud management instead of hybrid Autopilot.
Side note, if you could check these logs you will get more clarity:
C:\Windows\Panther\UnattendGC\setupact.log
C:\Windows\Panther\UnattendGC\setuperr.log
C:\Windows\Debug\NetSetup.log
Event Viewer: Applications and Services Logs → Microsoft → Windows → User Device Registration
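The checks named in the question and in the reply above (dsregcmd state, the User Device Registration log, NetSetup.log) can be collected in one pass. This is an added example, not part of the thread; the function names `Get-JoinState` and `Get-JoinEvidence` are hypothetical, and the sample dsregcmd lines are constructed to match the end state the question describes.

```powershell
# Added example. Classifies the join type from `dsregcmd /status` text.
function Get-JoinState {
    param([string[]]$StatusLines)   # e.g. the output of: dsregcmd /status
    $state = @{}
    foreach ($line in $StatusLines) {
        # Device State lines look like "   AzureAdJoined : YES"
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|DomainName)\s*:\s*(.*)$') {
            $state[$Matches[1]] = $Matches[2].Trim()
        }
    }
    $aad = $state['AzureAdJoined'] -eq 'YES'
    $ad  = $state['DomainJoined']  -eq 'YES'
    if ($aad -and $ad) {
        $type = 'Microsoft Entra hybrid joined'
    } elseif ($aad) {
        $type = 'Microsoft Entra joined only (hybrid join did not complete)'
    } elseif ($ad) {
        $type = 'Domain joined, not registered with Entra ID'
    } else {
        $type = 'Not joined'
    }
    [pscustomobject]@{
        JoinType      = $type
        AzureAdJoined = $state['AzureAdJoined']
        DomainJoined  = $state['DomainJoined']
        DomainName    = $state['DomainName']
    }
}

# Collects errors and warnings from the logs listed in the reply (run on the device).
function Get-JoinEvidence {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-User Device Registration/Admin'
        Level   = 2, 3          # 2 = Error, 3 = Warning
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
    $netSetup = 'C:\Windows\Debug\NetSetup.log'
    if (Test-Path $netSetup) { Get-Content $netSetup -Tail 40 }
}

# Constructed sample: the state reported in the question.
$sample = @(
    '             AzureAdJoined : YES'
    '              DomainJoined : NO'
)
Get-JoinState -StatusLines $sample

# On a provisioned device, from an elevated prompt:
#   Get-JoinState -StatusLines (dsregcmd /status)
#   Get-JoinEvidence
```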
- Equebal (Copper Contributor)
Error code 0x80004005 is a generic “Unspecified Error” in Windows, typically caused by permission issues, blocked file access, or network errors. Please review the article below to verify whether the Intune Connector server has the required access for computer account creation. While the article addresses a different scenario, the reference logs may still help in identifying the root cause.
Could you also confirm whether this issue is occurring across all devices or only randomly? Additionally, how many Intune Connector servers are present in your environment?
https://techuisitive.com/how-to-fix-autopilot-error-80070002/
- uzairahmad (Copper Contributor)
This is occurring on all devices tested so far, as we are currently in the testing phase and have checked 4-5 devices. Additionally, there is one Intune Connector in our environment, and its status is healthy.
What should be done in the Entra-joined scenario? How can this be converted to a Hybrid Azure AD joined setup? Lastly, I know this is a stupid question, but is there a way to join a device to Active Directory without being connected to the LAN or company Wi-Fi?
- Sriram_Jasti (Copper Contributor)
Hi uzairahmad
If the steps below help to resolve the issue, please mark the comment as the solution. Thank you!
Follow the steps below.
Step 1) Log in to the server where Intune Connector for Active Directory is installed and open Services. Restart the service "Intune Connector for Active Directory".
Step 2) Go to Intune Admin center --> Windows --> Enrollment --> Windows Autopilot section and Devices --> Search for the serial number and click on it.
Step 3) On the properties page, click on Associated Intune Device and Delete. No need to delete the Associated Microsoft Entra Device.
Step 4) Connect the test device to your organization network and start the Autopilot process.
Step 5) If you receive the error again, please follow the steps below and share the screenshot.
- Press Shift + F10 or Shift + Fn + F10; it will open a Command Prompt as Administrator.
- Type powershell to open a PowerShell session inside CMD.
- Type “Install-Script Get-AutopilotDiagnostics -Force” and press Enter. At the agreement prompts, type "Y" and press Enter. Wait for the script to install.
- Type “Get-AutopilotDiagnostics.ps1” and read the details line by line.
- Send the PowerShell output and error photo.