Forum Discussion
Windows Autopilot Hybrid Join failing with OOBE error 80004005
Error code 0x80004005 is a generic “Unspecified Error” in Windows, typically caused by permission issues, blocked file access, or network errors. Please review the article below to verify whether the Intune Connector server has the required access for computer account creation. While the article addresses a different scenario, the reference logs may still help in identifying the root cause.
Could you also confirm whether this issue is occurring across all devices or only randomly? Additionally, how many Intune Connector servers are present in your environment?
https://techuisitive.com/how-to-fix-autopilot-error-80070002/
This is occurring on all devices tested so far, as we are currently in the testing phase and have checked 4-5 devices. Additionally, there is one Intune Connector in our environment, and its status is healthy.
What should be done in the Entra-joined scenario, how can this be converted to a Hybrid Azure AD joined setup? Lastly, I know this is a stupid question, but is there a way to join a device to Active Directory without being connected to the LAN or company Wi-Fi?
Hi Uzair_Ahmad
A few things worth adding:
A healthy connector only confirms the computer object and the ODJ blob got created on the server. It says nothing about whether the device reached a domain controller, and that handoff is where this is breaking.
On converting the Entra-joined devices: there's no in-place path, so the question I'd ask first is what's actually forcing hybrid. If it's Group Policy, Settings Catalog covers most of it. If it's Kerberos SSO, Microsoft Entra Kerberos with Windows Hello for Business cloud trust. If it's cert auth, Cloud PKI or SCEP. If nothing hard-requires a domain-joined object, going Entra native makes this whole failure go away and you stop fighting DC reachability at provisioning.
On joining AD off-LAN: yes, it's doable, and the part that trips people up is that ODJ creates the object without the device contacting a DC, but first user sign-in still needs a path to a DC to finish the secure channel and hybrid registration. So the tunnel matters at first logon and after, even though the blob itself doesn't need it. Always On VPN device tunnel is the cleanest fit since it's machine-cert based and connects before logon. Cisco Secure Client SBL or GlobalProtect pre-logon also work, with more overhead.
To pin the exact stage, run dsregcmd /status at OOBE (Shift+F10) and check the ODJ Connector logs on the connector server itself, those two will tell you fast whether it's the blob or the DC reach.
Happy to go deeper on the VPN-before-logon piece if it helps.
Hi Uzair_Ahmad
If the below steps helps to resolve the issue, please mark the comment as the solution. Thank you!
Follow the below steps.
Step 1 ) Login to the server where Intune Connector for Active Directory is installed and open services. Restart Service "Intune Connector for Active Directory".
Step 2) Go To Intune Admin center --> Windows --> Enrollment --> Windows Autopilot Section and Devices --> Search for the serial number and click on it.
Step 3) On the properties page Click on Associated Intune Device and Delete. No need to delete the Associated Microsoft Entra Device.
Step 4) Connect the test device to your organization network and start the autopilot process.
Step 5) If you receive error again please follow below steps and share the screenshot.- ClickShift + F10 or Shift + Fn + F10 it will open a Command prompt as Administrator.
- Type powershellto open a powershell session inside CMD.
- Type“Install-Script Get-AutopilotDiagnostics -Force” and click enter. Upon Agreements prompt type "Y" and click on enter. Wait for the script to get install.
- Type“Get-AutopilotDiagnostics.ps1” and read the details line by line.
- send the powershell output and error photo.
