Windows Autopilot to enroll hybrid Azure AD-joined error

Posted on by

I came across this issue where joining the on-premise Active Directory failed during Windows Autopilot.

The full error message from the event viewer of the machine where the Intune Connector is installed.

Intune Connector event viewer error:

RequestOfflineDomainJoinBlob_Failure: Failed to generate ODJ blob
RequestId: 9d1e4614-3217-4d7c-87ef-df7fceb648c9
DeviceId: 83c83fd7-10c8-49c8-9c15-8489ff126eed
DomainName: Mydomain.LOCAL
RetryCount: 0
ErrorDescription: Failed to call NetProvisionComputerAccount machineName=AutoP-PFv5HetaE
InstanceId: C07C1188-586C-44BD-93C1-F236A633DA9B
DiagnosticCode: 268435455
WinErrorCode: 8557
DiagnosticText: We are unable to complete your request because a server-side error occurred. Please try again. [Exception Message: “DiagnosticException: 0x0FFFFFFF. We are unable to complete your request because a server-side error occurred. Please try again.”] [Exception Message: “Failed to call NetProvisionComputerAccount machineName=AutoP-PFv5HetaE”]

The Intune Connector for your Active Directory creates Microsoft Autopilot-enrolled computers in the on-premises Active Directory domain. The computer that hosts the Intune Connector must have the rights to create the computer objects within the domain.


Microsoft Autopilot error details continued…

Follow the guide to delegate control to the computer account hosting the Intune Connector. It solved the issue in this case, as the rights was misconfigured.

  1. Open Active Directory Users and Computers (DSA.msc).
  2. Right-click the organizational unit to use to create hybrid Azure AD-joined computers > Delegate Control.The Delegate Control command.
  3. In the Delegation of Control wizard, select Next > Add > Object Types.
  4. In the Object Types pane, select the Computers > OK.The Object Types pane.
  5. In the Select Users, Computers, or Groups pane, in the Enter the object names to select box, enter the name of the computer where the Intune Connector is installed with Windows Autopilot.The Select Users, Computers, or Groups pane.
  6. Select Check Names to validate your entry > OK > Next.
  7. Select Create a custom task to delegate > Next.
  8. Select Only the following objects in the folder > Computer objects.
  9. Select Create selected objects in this folder and Delete selected objects in this folder.The Active Directory Object Type pane.
  10. Select Next.
  11. Under Permissions, select the Full Control check box. This action selects all the other options.The Permissions pane.
  12. Select Next > Finish.

Conclusion, Windows Autopilot

Review the full prerequisites: https://learn.microsoft.com/en-us/mem/autopilot/windows-autopilot-hybrid

Feel free to comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.