SOLVED

Starting Wait for ODJ Blob


This is the status at which I am having problems joining the device to the Hybrid Autopilot domain. I'm not sure whether this is a connectivity issue between the laptop and the Intune connector. I can ping the domain controller from the Intune connector with no problem.

[Screenshot 2022-08-11 165029.jpg]

41 Replies
best response confirmed by oryxway390 (Brass Contributor)
Solution
The laptop has a connection to Endpoint Manager, gets the enrollment profile, and the Intune connector is listening for Hybrid Join events. If needed, it will do an Offline Domain Join by sending the computer account blob to Endpoint Manager, which sends it to the client. No direct connection between the laptop and the Intune Connector is needed.

Does the server which runs the Intune Connector have internet access to all the URLs mentioned in the deployment guide?

@Harm_Veenstra This time, after ensuring that the service account is set up correctly, I tried again and got this error message.

[Screenshot 2022-08-12 084900.jpg]

[Screenshot 2022-08-12 085605.jpg]

Does the server that runs the connector have internet access? Does the ODJ event log show anything?

No, it does not have Internet access. It is only opened to those URLs that were mentioned in the network requirements. Should it have Internet access? Aren't we then exposing the internal network?

Yes, Harm. We followed the Network Requirements documents

https://docs.microsoft.com/en-us/mem/autopilot/networking-requirements

https://docs.microsoft.com/en-us/mem/intune/fundamentals/intune-endpoints


Other than that, nothing. It only goes to Microsoft locations; everything else is denied. I also see that this is in the CertificateConnectors event log:

CertificateConnector:

Failed to retrieve URL

System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.Management.Services.ConnectorCommon.ServiceLocator.RetrieveServiceLocations(Uri LocationServiceUri)
   at Microsoft.Management.Services.ConnectorCommon.ServiceLocator..ctor(String serviceBaseUrl, X509Certificate2 channelEncryptionCert, IWebProxy proxy)
   at Microsoft.Management.Services.ConnectorCommon.UrlManager.GetUrlCallback()

Should this server have Internet access? Isn't it risky to do this?

It should have at least access to the URLs mentioned in the installation instructions. Are you sure that they are all open? Do the firewall logs show nothing when trying to deploy a machine?

Could also be that TLS 1.2 is not enabled on the server...

I do see that it is enabled: TLS1.2\Client\Enabled

Do you use SSL inspection on the firewall or have an antivirus solution blocking things?
I think I found where the issue is; I am going to correct that. Under the Domain Join profile, I gave just the path for the Organizational Unit. I should specify it like OU=XXX,OU=XXX,OU=XXX.

I think this is where the problem could be, and I am hoping so.

Yes, it has to be in the ou=computers,ou=corp,dc=domain,dc=local format. Hope that fixes it for you.
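The Organizational Unit value in the Domain Join profile has to be a distinguished name, not a folder-style path. The following PowerShell is an added example (not from this thread, and not Microsoft's code) that rejects the path form and accepts the DN form, then optionally confirms the OU exists and shows who has the right to create computer objects in it. It assumes the ActiveDirectory RSAT module is installed on the connector server; the OU value and the constructed inputs are placeholders.

```powershell
# Added example: sanity-check the Organizational Unit entered in the Intune Domain Join profile.
# The profile expects a DN such as OU=Computers,OU=Corp,DC=domain,DC=local, not "Corp/Computers".

function Test-OuDistinguishedName {
    param([Parameter(Mandatory)][string]$Dn)
    # One or more OU= RDNs followed by one or more DC= RDNs, comma-separated.
    # Simple check only: escaped commas inside an RDN are not handled. -match is case-insensitive.
    $pattern = '^(OU=[^,=]+,)+(DC=[^,=]+)(,DC=[^,=]+)*$'
    return [bool]($Dn -match $pattern)
}

# Constructed inputs: the mistake described in the thread next to the correct form
$candidates = @(
    'Corp/Computers',                          # folder-style path: rejected
    'OU=Computers,OU=Corp,DC=domain,DC=local', # correct DN: accepted
    'ou=computers,ou=corp,dc=domain,dc=local'  # lowercase is fine too
)
foreach ($c in $candidates) {
    '{0,-45} {1}' -f $c, (Test-OuDistinguishedName $c)
}

# Optional live check on the connector server (assumed OU; replace with yours).
$ou = 'OU=Computers,OU=Corp,DC=domain,DC=local'
if (Test-OuDistinguishedName $ou) {
    Import-Module ActiveDirectory
    try {
        $target = Get-ADOrganizationalUnit -Identity $ou -ErrorAction Stop
        "OU exists: $($target.DistinguishedName)"
        # Who may create computer objects here? The connector's computer account needs this right.
        # bf967a86-0de6-11d0-a285-00aa003049e2 is the schemaIDGUID of the 'computer' class.
        (Get-Acl -Path "AD:\$ou").Access |
            Where-Object { $_.ActiveDirectoryRights -match 'CreateChild' -and
                           ($_.ObjectType -eq '00000000-0000-0000-0000-000000000000' -or
                            $_.ObjectType -eq 'bf967a86-0de6-11d0-a285-00aa003049e2') } |
            Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
    } catch {
        "OU not found or not readable: $($_.Exception.Message)"
    }
}
```

The ACL listing is the quickest way to see whether the connector's computer account (or a group it belongs to) can actually create computer objects in that OU; an all-zero ObjectType means "create any child", the class GUID means "create computer objects" specifically.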
Hi Harm

The problem was with the Organizational Unit. I corrected it and it worked like a charm. But I need to make sure that the laptop completes the process and the Win32 apps get installed through Intune.

The machine is in the domain and I can see it in the OU, but I still get the same error where the laptop does not complete the process: "Something went wrong".

No error code?
Yes, the error code is 80004005.

So, at this point, didn't the blob file download and complete the domain join process? Why would it stop before finishing the process? I am kind of wondering.

Does the user you're using to enroll the machine have an Intune license? And do you see logs on the server running the Intune Connector (Event log/ODJ log)?

Yes, I do see them. I am sorry, I have too much going on. I see that there are these event IDs:

30122 OdjRequestHandlingDownloadPipe
30132 OdjRequestBlobFailure

30122
ODJRequestHandlingPipelineDownload_Failure: Failed to download ODJ requests.
InstanceId: We are unable to complete your request because a server-side error occurred. Please try again.
[Exception Message: "DiagnosticException: 0x0FFFFFFF. We are unable to complete your request because a server-side error occurred. Please try again."]
[Exception Message: "DiagnosticException: 0x0000040C. HTTP connection timed out. Check Firewall ports or Proxy settings if exist."]
[Exception Message: "odjHttp.Call failed. activityId=c434c6dd-0ba0-416a-9e61-b257eb259cca parameters={"options":{"batchSize":null,"connectorBuildVersion":"6.2204.38.3","connectorName":"INCONSERVER"}}"]
[Exception Message: "Failed to send http request to uri=https://fef.amsua0202.manage.microsoft.com/TrafficGateway/TrafficRoutingService/RAODJPlus/StatelessO... method=POST"]
[Exception Message: "An error occurred while sending the request."]
[Exception Message: "Unable to connect to the remote server"]
[Exception Message: "A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 20.37.153.1:443"],

DiagnosticCode:CBEB90D3-5A20-4109-B8C9-CF3D6B32BF71,
DiagnosticText:Unknown_Error


30132
RequestOfflineDomainJoinBlob_Failure: Failed to generate ODJ blob

RequestId: b47e2875-71ef-4f36-b844-c63861bae6b9

DeviceId: e8a92cc9-c1cd-4b27-98f2-1a23fb49952d

DomainName: xyz.local

RetryCount: 0

ErrorDescription: Failed to call NetProvisionComputerAccount machineName=COMPUTERNAME
InstanceId: CBEB90D3-5A20-4109-B8C9-CF3D6B32BF71
DiagnosticCode: 2050
WinErrorCode: 87
DiagnosticText: Failed to get the ODJ Blob. A parameter is incorrect. [Exception Message: "DiagnosticException: 0x00000802. Failed to get the ODJ Blob. A parameter is incorrect."] [Exception Message: "Failed to call NetProvisionComputerAccount machineName=computername"]

I think I found the solution below. So, I am wondering whether it is the config file ODJConnectorEnrollmentWizard.exe.config or ODJConnectorSvc.exe.config. I need to read through this more. But my Intune connectors appear fine; there were no issues when I installed them.

I think this URL is not there and we are trying to add it now.

https://fef.amsua0202.manage.microsoft.com/

Maybe this should fix it.

Symptoms

After you install the Intune Connector for Active Directory, it doesn't appear in Intune. Additionally, the following error entry is logged in the ODJ Connector Service event log on the server that hosts the connector:

"DiagnosticText": "We are unable to complete your request because a server-side error occurred. Please try again. [Exception Message: \"DiagnosticException: 0x0FFFFFFF. We are unable to complete your request because a server-side error occurred. Please try again.\"] [Exception Message: \"Failed to get a value for Key: OdjServiceBaseUrl\"] [Exception Message: \"The given key was not present in the dictionary.\"]"

Note

The ODJ Connector Service event logs are located under Application and Services Logs > ODJ Connector Service in the Event Viewer.

Cause

This issue usually occurs when you use a proxy server in your environment. Additional configuration settings are required on the proxy so that the Intune Connector can communicate with the Intune service.

Solution

To fix the issue, add the required proxy configuration to the following files:

  • %ProgramFiles%\Microsoft Intune\ODJConnector\ODJConnectorSvc\ODJConnectorSvc.exe.config
  • %ProgramFiles%\Microsoft Intune\ODJConnector\ODJConnectorUI\ODJConnectorUI.exe.config

To do this, follow these steps:

  1. Open the .config file. You can see the following lines at the top of the file:

     <?xml version="1.0" encoding="utf-8" ?>
     <configuration>

  2. Add the following lines after <configuration>, then save the file.

     <system.net>
        <defaultProxy>
           <proxy usesystemdefault="false" proxyaddress="http://<proxy server address>:<port>" />
        </defaultProxy>
     </system.net>

  3. Restart the Intune ODJConnector Service.

Hope this works; internet connectivity is very important for the Intune Connector. Otherwise, keep monitoring the firewall logging while enrolling a device.

When you say Internet connectivity is important, do people open up these Intune servers to the Internet? Would it not affect security?
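The 30122/30132 events above name the exact endpoint the connector could not reach, and the quoted Microsoft guidance tells you where a proxy has to be configured. The PowerShell below is an added example (not from this thread or Microsoft's documentation) that ties those together on the connector server: it reads the last failures from the "ODJ Connector Service" log, pulls the failing https host out of the event text, tests TCP/443 to it, reports the TLS 1.2 client and .NET strong-crypto registry settings, and shows whether a <defaultProxy> is present in the two .exe.config files named in the guidance. The log name comes from the note on this page; the fallback event text is constructed from the 30122 message quoted above and is only used when the log has no matching events.

```powershell
# Added example: triage the Intune Connector for Active Directory server after ODJ blob failures.
# Run in an elevated PowerShell session on the server that hosts the connector.

function Get-OdjFailureEndpoints {
    param([string[]]$Messages)
    # Extract every https host from "... uri=https://host/..." fragments in the event text
    $found = foreach ($m in $Messages) {
        [regex]::Matches($m, 'uri=https://([^/\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    return $found | Sort-Object -Unique
}

# 1. Recent ODJ failures (Application and Services Logs > ODJ Connector Service)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'ODJ Connector Service'; Id = 30122, 30132 } `
                       -MaxEvents 50 -ErrorAction SilentlyContinue
if ($events) {
    $messages = $events.Message
} else {
    # Constructed fallback built from the 30122 text quoted in the thread, so the parsing still runs
    $messages = @('ODJRequestHandlingPipelineDownload_Failure: Failed to download ODJ requests. ' +
                  '[Exception Message: "Failed to send http request to uri=https://fef.amsua0202.manage.microsoft.com/TrafficGateway/... method=POST"]')
}

# 2. Can this server reach the endpoint(s) named in the failures on TCP/443?
foreach ($h in (Get-OdjFailureEndpoints $messages)) {
    $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    '{0,-45} TCP/443 reachable: {1}' -f $h, $r.TcpTestSucceeded
}

# 3. TLS 1.2 client protocol settings (SCHANNEL) that the .NET-based connector depends on
$tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$tls = Get-ItemProperty -Path $tlsKey -ErrorAction SilentlyContinue
'TLS 1.2 Client: Enabled={0} DisabledByDefault={1}' -f $tls.Enabled, $tls.DisabledByDefault

# 4. .NET Framework defaults; both values should be 1 for TLS 1.2 to be used by default
foreach ($k in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    $v = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    '{0}: SystemDefaultTlsVersions={1} SchUseStrongCrypto={2}' -f $k, $v.SystemDefaultTlsVersions, $v.SchUseStrongCrypto
}

# 5. Is a proxy configured in the connector config files named in Microsoft's guidance?
$configs = @(
    "$env:ProgramFiles\Microsoft Intune\ODJConnector\ODJConnectorSvc\ODJConnectorSvc.exe.config",
    "$env:ProgramFiles\Microsoft Intune\ODJConnector\ODJConnectorUI\ODJConnectorUI.exe.config"
)
foreach ($c in $configs) {
    if (-not (Test-Path $c)) { "$c not found"; continue }
    [xml]$x = Get-Content -Path $c
    $proxy = $x.configuration.'system.net'.defaultProxy.proxy
    '{0}: proxy={1}' -f $c, $(if ($proxy) { $proxy.proxyaddress } else { '<none>' })
}
```

If step 2 reports False for the host taken from the event while the firewall only allows the documented URL list, the connector is being sent to an endpoint that is not on that list or is being blocked by SSL inspection; step 5 tells you whether the connector is even aware of a proxy, which it must be when the server has no direct egress.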