Issue
You are trying to provision a device using Microsoft Intune Windows autopilot hybrid join setup. You enter your corporate credentials on the company branding screen after OOBE. The autopilot device provisioning gets stuck at the “please wait while we set up your device” screen for approximately 20-30 minutes and then shows the following error.
Something went wrong: Confirm you are using the correct sign-in information and that your organization uses this feature. You can try to do this again or contact your system administrator with the error code 80070002.
Cause 1
The environment was correctly configured and Windows autopilot hybrid join provisioning worked fine. However, it suddenly stopped working. Since this issue is mostly related to incorrect permissions on the Active Directory OU, we focus our investigation on that.
This error usually happens when the device does not receive an offline domain join blob from the Intune connector. The device waits for the offline domain join blob information when it gets Intune’s offline domain join profile. Once the Intune connector receives an ODJ request, it creates a computer account on the On-premises domain. The device receives the details at the next sync. If the autopilot device does not receive the details then it keeps waiting for the details and device provisioning time out.
You need to look into the logs on the Intune connector servers to identify the exact issue. If you have more than one Intune connector server in your environment then you need to navigate to all servers one by one to know which server handled the offline domain join request.
We found the following error on the ODJConnectorService event log on the Intune connector server.
The ODJConnectorService event was showing a “Failed to call NetProvisionComputerAccount machineName=xxxx” error message.
Event viewer logs:
RequestOfflineDomainJoinBlob_Failure: Failed to generate ODJ blob
RequestId: xxxx
DeviceId: xxxx
DomainName: xxxx
RetryCount: 0
ErrorDescription: Failed to call NetProvisionComputerAccount machineName=xxxx
InstanceId: xxxx
DiagnosticCode: 268435455
WinErrorCode: 8557
DiagnosticText: We are unable to complete your request because a server-side error occurred. Please try again. [Exception Message: "DiagnosticException: 0x0FFFFFFF. We are unable to complete your request because a server-side error occurred. Please try again."] [Exception Message: "Failed to call NetProvisionComputerAccount machineName=xxxx"]The Netsetup.log file “c:\windows\debug\Netsetup.log “on the Intune connector server was showing the below error. As per the error in the log file, the Intune connector server was unable to create a computer object in AD which indicates that permission assigned to OU was not appropriate.
NetpMapGetLdapExtendedError: Parsed [0x216d] from server extended error string: 0000216D: SvcErr: DSID-031A126C, problem 5003 (WILL_NOT_PERFORM), data 0
NetpModifyComputerObjectInDs: ldap_add_s failed: 0x35 0x216d
NetpCreateComputerObjectInDs: NetpModifyComputerObjectInDs failed: 0x216d
NetpProvisionComputerAccount: LDAP creation failed: 0x216d
ldap_unbind status: 0x0
NetpJoinCreatePackagePart: status:0x216d.
NetProvisionComputerAccount: status: 0x216dWe further checked the permission assigned to the Intune connector server computer account on the Active Directory OUs created for hybrid join devices. The Intune connector server should have full control (for Computer objects) on OU & all child containers where the computer account to be created. The correct permission was assigned earlier. However, it was changed to “This object only” due to an unknown reason.
You can follow this Microsoft article to for the steps to delegate OU permission to the Intune connector server.
Solution
Once the permission was changed to “This object and all child objects”, the issue got fixed and the Autopilot build started working fine.
Cause 2
The Netsetup.log file “c:\windows\debug\Netsetup.log “on the Intune connector server was showing the error 0x2558. The computer object was not created on Domain controller.
OS Version: 6.2
Build number: 9200 (20348.fe_release.210507-1500)
SKU: Windows Server 2022 Standard
Architecture: 64-bit (AMD64)
NetProvisionComputerAccount:
lpDomain: techuisitive.local
lpMachineName: Desktop- 9i65i
lpMachineAccountOU: OU=Mumbai, OU=India,dc=techuisitive, dc=local
lpDcName: (NULL)
dwOptions: 0x0
NetProvisionComputerAccount: requesting text encoded blob
NetProvisionComputerAccount: status: 0x2558
Solution
The error 0x2558 translates to DNS_ERROR_INVALID_NAME_CHAR. When we carefully checked the Offline Domain Join profile then noticed a blank space at end of the computer prefix. The Autopilot worked fine after removing the white space from computer name suffix.
Related Posts
- Windows 10 Autopilot Deployment Guide | Intune
- Intune – Configure Enrollment Status Page (ESP)
- Intune – Windows 10 MDM- Basic troubleshooting
- Bulk enrollment of Windows 10/ 11 Device to Intune using Provisioning Package
- Enroll Windows 11 Device to Intune through Azure AD Join method
- Windows 11 enrollment with Provisioning package failed with error code 0x800700b7
- How to Obtain Hardware Hash for Manually Registering Devices with Windows Autopilot
- Dynamic Group Based on Enrollment Profile in Intune.
Subscribe to Techuisitive Newsletter
Be the first to know about our new blog posts. Get our newsletters directly in your inbox and stay up to date about Modern Desktop Management technologies & news.