Forum Discussion
Windows Autopilot Hybrid Azure AD join fails
Hi my fellow engineers,
Autopilot Hybrid Azure AD join used to work fine in our environment but since 02/22 we are unable to make it work consistently.
Once the user provides their credentials, the device gets stuck at “Please wait while we configure your device” for 25 minutes, then it displays error code 80070774; those 25 minutes mean the device was unable to join the domain.
After reboot we notice the device keeps its default name, instead of applying the one configured in our Intune Domain Join profile, and appears in the Intune console but neither in Azure AD nor in ADDS.
We checked the whole workflow provided by Michael Niehaus in his blog post at https://blogs.technet.microsoft.com/mniehaus/2018/11/22/trying-out-windows-autopilot-user-driven-hybrid-azure-ad-join/ and we deduced the Intune ODJ Connector service never gets the Intune request for the ODJ Blob, as there are no other events than 30121 and 30150 within the ODJ Connector service event logs.
We uninstalled and reinstalled our Intune Connector but Hybrid AAD join still does not work even if the service seems healthy.
We also checked our Intune Domain Join configuration profile and everything is OK, the delegation is correctly applied to the target OU.
One more thing to notice, we don’t know if it is related but we set up an Express Route and created our first Server 2016 DC in Azure (IaaS) on 02/22. Our network team checked the route and firewall logs but didn't see anything.
I can provide the Autopilot and Device Management event logs from a failing device as well as the Intune Connector Service event logs from the server if needed.
I have a Premier ticket opened but if you have any idea...
Thanks
10 Replies
- MSR2045 (Copper Contributor)
Kind of in a similar situation.
During Autopilot the machine gets stuck on the 'network' screen forever. Checking on the Intune portal:
Device is added to dynamic group
Both the groups for the users and devices are added to the 'MDM user scope' and 'WIP user scope'
Intune connector is active
Configuration profile for anything other than hybrid domain join is a success
Device shows under devices, enrolled and compliant
User has Intune license
But this computer just wouldn't join the domain. This device was assigned to another user before trying to have this user, who is a new employee, log in.
Any help would be highly appreciated
Connectors and tokens | Windows enterprise certificate under tenant administration is empty
Eventvwr on the DC has a log that says, "agent certificate renew was requested by: expiration"
- askewdw (Copper Contributor)
Hi
I've observed this behaviour before. I found that if I rebuilt an existing device (already built by Autopilot) it would fail to get the Hybrid Join configuration policy (dynamic group membership issue, I think). I now completely delete the device from Intune and AAD every time I rebuild, including removing the HWID, then re-import the HWID.
Regards
- Mathieu Aït Azzouzène (Brass Contributor)
Those operations take time; we lose all the benefits of Autopilot deployment if we have to perform such actions every time we have to repurpose a device.
For the moment it still works fine; the only thing I do is delete the computer object from ADDS during wipe.
- Mathieu Aït Azzouzène (Brass Contributor)
Unfortunately it still does not work...
Premier support has no idea why it is failing, I'm going crazy!
This weekend we found out that if we launch a Hybrid Autopilot process, let it fail once the 25-minute timeout happens (0x80070774), then wait 24 hours, the machine becomes domain joined! But I still have to reset it since the Autopilot process failed...
Both the ADDS computer object "whencreated" property and the ODJConnector event IDs (30130 + 30140) show that it happened 24 hours later, 24 hours too late... Why?
How can I get rid of it? Any idea? Michael Niehaus maybe?
- Mathieu Aït Azzouzène (Brass Contributor)
It turns out everything went back to normal. We don't know why yet but I'll update this thread with my findings.
- bbhorrigan (Brass Contributor)
Strange, let us know what it ended up being if you figure it out.