Windows Autopilot Error 80070002 typically occurs during Hybrid Azure AD Join deployments when the Offline Domain Join (ODJ) process fails. This error indicates that the Intune Connector was unable to apply the domain join blob correctly, often due to misconfigured OU permissions, trailing spaces in computer name prefixes, or connector communication issues. For IT administrators, this can halt device provisioning and frustrate end users, making it essential to quickly identify the root cause and apply the right fix.
Issue
While provisioning a device with Microsoft Intune Windows Autopilot Hybrid Join, you enter your corporate credentials on the company branding screen after OOBE. The process then stalls at the “Please wait while we set up your device” screen for about 20–30 minutes before eventually displaying the following error.
Something went wrong: Confirm you are using the correct sign-in information and that your organization uses this feature. You can try to do this again or contact your system administrator with the error code 80070002.

Cause 1: Incorrect OU Permission
Background
The environment was correctly configured, and Windows Autopilot hybrid join provisioning worked fine. However, it suddenly stopped working. Since this issue is mostly related to incorrect permissions on the Active Directory OU, we focus our investigation on that.
This error usually happens when the device does not receive an offline domain join blob from the Intune connector. After the device gets Intune's offline domain join profile, it waits for the offline domain join blob. Once the Intune connector receives an ODJ request, it creates a computer account in the on-premises domain. The device receives the details at the next sync. If the Autopilot device does not receive the details, it keeps waiting, and the device provisioning times out.
Step 1: Check Event Logs
You need to review the logs on the Intune connector servers to identify the exact issue. If you have more than one Intune connector server in your environment, check each server in turn to find out which one handled the offline domain join request.
Step 1.1: Log in to the Intune ODJ connector server
Step 1.2: Open Event Viewer and navigate to Event Viewer → Applications and Services Logs → Microsoft → Windows → ODJConnectorService → Admin
Step 1.3: Review the recent logs to see if any errors were reported for the device.
We found the following error in the ODJConnectorService event log on the Intune connector server.
The ODJConnectorService event was showing a “Failed to call NetProvisionComputerAccount machineName=xxxx” error message.
Event viewer logs:
RequestOfflineDomainJoinBlob_Failure: Failed to generate ODJ blob
RequestId: xxxx
DeviceId: xxxx
DomainName: xxxx
RetryCount: 0
ErrorDescription: Failed to call NetProvisionComputerAccount machineName=xxxx
InstanceId: xxxx
DiagnosticCode: 268435455
WinErrorCode: 8557
DiagnosticText: We are unable to complete your request because a server-side error occurred. Please try again. [Exception Message: "DiagnosticException: 0x0FFFFFFF. We are unable to complete your request because a server-side error occurred. Please try again."] [Exception Message: "Failed to call NetProvisionComputerAccount machineName=xxxx"]
Step 2: Check Netsetup Log
The NetSetup.log records detailed information about domain join operations performed by Windows. By looking into the log, you can identify any domain join-related issues quickly.
Step 2.1: Open File Explorer
Step 2.2: Navigate to c:\windows\debug folder and open Netsetup.log
The Netsetup.log file “c:\windows\debug\Netsetup.log” on the Intune connector server was showing the following error. As per the error in the log file, the Intune connector server was unable to create a computer object in AD, which also indicates that the permission assigned to the OU was not appropriate.
NetpMapGetLdapExtendedError: Parsed [0x216d] from server extended error string: 0000216D: SvcErr: DSID-031A126C, problem 5003 (WILL_NOT_PERFORM), data 0
NetpModifyComputerObjectInDs: ldap_add_s failed: 0x35 0x216d
NetpCreateComputerObjectInDs: NetpModifyComputerObjectInDs failed: 0x216d
NetpProvisionComputerAccount: LDAP creation failed: 0x216d
ldap_unbind status: 0x0
NetpJoinCreatePackagePart: status:0x216d.
NetProvisionComputerAccount: status: 0x216d
Step 3: Check OU Permission
Step 3.1: Open the “Active Directory Users and Computers” console
Step 3.2: Expand the Domain tree and locate the OU
Step 3.3: Right-click on the OU and select properties. Validate the object permission for the OU.
We checked the permission assigned to the Intune connector server computer account on the Active Directory OUs created for hybrid join devices. The Intune connector server should have full control (for Computer objects) on the OU & all child containers where the computer account is to be created. The correct permission was assigned earlier. However, it was changed to “This object only” for an unknown reason.

Solution
Assign the correct permissions to the OU for the ODJ connector server computer account. You can follow this Microsoft article for the steps to delegate OU permission to the Intune connector server.
Once the permission was changed to “This object and all child objects”, the issue got fixed, and the Autopilot build started working fine.
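The "This object only" condition described above can be checked from PowerShell instead of the properties dialog. The following is an added example, not code from the original article: the function name, the account `CONTOSO\ODJCONN01$` and the sample ACEs are hypothetical, and the sample objects only mimic the property names of the access rules that `Get-Acl` returns for an AD object.

```powershell
# Constructed sample ACEs using the property names of ActiveDirectoryAccessRule.
# 'CONTOSO\ODJCONN01$' is a hypothetical connector computer account.
$sampleAces = @(
    [pscustomobject]@{ IdentityReference = 'CONTOSO\ODJCONN01$'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'GenericAll'; InheritanceType = 'None' }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\Domain Admins'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'GenericAll'; InheritanceType = 'All' }
)

function Test-OdjOuDelegation {
    param(
        [Parameter(Mandatory)] [object[]] $AccessRule,
        [Parameter(Mandatory)] [string]   $ConnectorAccount
    )
    # Keep only Allow ACEs granted to the connector account.
    $allow = @($AccessRule | Where-Object {
        "$($_.IdentityReference)" -eq $ConnectorAccount -and "$($_.AccessControlType)" -eq 'Allow'
    })
    # InheritanceType 'None' is what the security dialog shows as "This object only".
    $objectOnly = @($allow | Where-Object { "$($_.InheritanceType)" -eq 'None' })
    $propagated = @($allow | Where-Object { "$($_.InheritanceType)" -ne 'None' })

    $finding = if ($allow.Count -eq 0) {
        'No Allow ACE for the connector account on this OU'
    } elseif ($propagated.Count -eq 0) {
        'ACEs apply to "This object only"; nothing reaches child objects'
    } else {
        'At least one ACE applies beyond the OU object itself'
    }

    [pscustomobject]@{
        Account        = $ConnectorAccount
        AllowAces      = $allow.Count
        ObjectOnlyAces = $objectOnly.Count
        Rights         = ($allow | ForEach-Object { "$($_.ActiveDirectoryRights)" }) -join '; '
        Finding        = $finding
    }
}

Test-OdjOuDelegation -AccessRule $sampleAces -ConnectorAccount 'CONTOSO\ODJCONN01$'
# Against a real OU (ActiveDirectory module loaded; <OU DN> and the account are placeholders):
#   Test-OdjOuDelegation -AccessRule (Get-Acl 'AD:\<OU DN>').Access -ConnectorAccount '<DOMAIN>\<connector>$'
```

The check reports only where the connector's ACEs apply; it does not verify that the rights cover Computer objects, so confirm those against the Microsoft delegation steps.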
Cause 2
The Netsetup.log file “c:\windows\debug\Netsetup.log” on the Intune connector server was showing the error 0x2558. The computer object was not created on the domain controller.
OS Version: 6.2
Build number: 9200 (20348.fe_release.210507-1500)
SKU: Windows Server 2022 Standard
Architecture: 64-bit (AMD64)
NetProvisionComputerAccount:
lpDomain: techuisitive.local
lpMachineName: Desktop- 9i65i
lpMachineAccountOU: OU=Mumbai, OU=India,dc=techuisitive, dc=local
lpDcName: (NULL)
dwOptions: 0x0
NetProvisionComputerAccount: requesting text encoded blob
NetProvisionComputerAccount: status: 0x2558
Upon further investigation, we identified that the issue was being reported for a single physical location. Windows Autopilot was working fine for other sites.
The error 0x2558 translates to DNS_ERROR_INVALID_NAME_CHAR. When we carefully checked the Offline Domain Join profile, we noticed a blank space at the end of the computer name prefix. That leads to the computer name ending with a whitespace character and results in a device provisioning failure.
Solution
We removed the trailing space from the computer name prefix. Autopilot worked fine after removing the white space.
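Both causes above were found by reading NetSetup.log by hand (Step 2 under Cause 1, and the 0x2558 excerpt under Cause 2). The following added example, which is not part of the original article, pulls every failed NetProvisionComputerAccount call out of the log together with the machine name and OU that were requested. The function name and hint texts are assumptions, and the sample lines are constructed from the excerpts on this page.

```powershell
# Constructed sample input: lines taken from the NetSetup.log excerpts on this page.
$sampleLog = @'
NetProvisionComputerAccount:
lpDomain: techuisitive.local
lpMachineName: Desktop- 9i65i
lpMachineAccountOU: OU=Mumbai, OU=India,dc=techuisitive, dc=local
NetProvisionComputerAccount: status: 0x2558
NetProvisionComputerAccount:
lpMachineName: xxxx
NetpProvisionComputerAccount: LDAP creation failed: 0x216d
NetProvisionComputerAccount: status: 0x216d
'@ -split "`r?`n"

# Hints limited to the two status codes this page walks through.
$statusHint = @{
    0x216d = 'Computer object not created in AD: check connector rights on the OU (Cause 1)'
    0x2558 = 'DNS_ERROR_INVALID_NAME_CHAR: check the computer name prefix (Cause 2)'
}

function Get-OdjProvisionFailure {
    param([Parameter(Mandatory)] [string[]] $Line)
    $call = $null
    foreach ($l in $Line) {
        if ($l -match '\bNetProvisionComputerAccount:\s*$') {
            $call = @{ Name = $null; OU = $null }            # a new call starts here
        } elseif ($call -and $l -match '\blpMachineName:[ \t]*(.*)$') {
            $call.Name = $Matches[1]
        } elseif ($call -and $l -match '\blpMachineAccountOU:[ \t]*(.*)$') {
            $call.OU = $Matches[1]
        } elseif ($l -match '\bNetProvisionComputerAccount: status: 0x([0-9a-f]+)') {
            $code = [Convert]::ToInt32($Matches[1], 16)
            if ($code -ne 0) {                               # report failures only
                [pscustomobject]@{
                    Status            = '0x{0:x}' -f $code
                    WinErrorCode      = $code
                    MachineName       = if ($call) { $call.Name }
                    OU                = if ($call) { $call.OU }
                    NameHasWhitespace = [bool]($call -and $call.Name -match '\s')
                    Hint              = $statusHint[$code]
                }
            }
            $call = $null
        }
    }
}

Get-OdjProvisionFailure -Line $sampleLog | Format-List
# On a connector server: Get-OdjProvisionFailure -Line (Get-Content C:\Windows\debug\NetSetup.log)
```

The decimal WinErrorCode column lets you match a NetSetup.log failure to the WinErrorCode field of the ODJConnectorService event (0x216d is 8557).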