Windows Autopilot error 80070002 typically appears during Hybrid Azure AD Join deployments when the Offline Domain Join (ODJ) step fails: the device never receives a usable domain join blob from the Intune Connector for Active Directory. Common triggers are misconfigured OU permissions for the connector's computer account, stray whitespace in the computer name prefix, and connector communication problems. For IT administrators this halts device provisioning and frustrates end users, so identifying the root cause quickly and applying the right fix matters.
Windows Autopilot Hybrid Azure AD Join error 80070002
While provisioning a device using Microsoft Intune Windows Autopilot Hybrid Azure AD Join, you enter your corporate credentials on the company branding screen after completing the Out‑of‑Box Experience (OOBE). The enrollment process then stalls at the “Please wait while we set up your device” screen for approximately 20–30 minutes before eventually failing with Autopilot error 80070002.
Something went wrong: Confirm you are using the correct sign-in information and that your organization uses this feature. You can try to do this again or contact your system administrator with the error code 80070002.

Cause 1: Incorrect OU Permission
Background
The environment was initially configured correctly, and Windows Autopilot Hybrid Azure AD Join provisioning worked without issues. However, the process suddenly stopped functioning. Since this error is often linked to incorrect Active Directory OU permissions, our investigation focuses on that area.
This problem typically occurs when the device fails to receive an Offline Domain Join (ODJ) blob from the Intune Connector. During provisioning, the device expects the ODJ blob after receiving Intune's offline domain join profile. When the Intune Connector processes the ODJ request, it creates a computer account in the on‑premises Active Directory domain and returns the blob to Intune; the device picks it up at its next sync. If the Autopilot device never receives the blob, it keeps waiting, the Hybrid Join provisioning stalls, and the Enrollment Status Page eventually times out with Autopilot error 80070002.
Step 1: Check Event Logs
To identify the root cause, review the logs on the Intune Connector server. If your environment has several connector servers, check each one: the ODJ request is processed by whichever connector picked it up, and only that server's log holds the details of the failed blob creation.
Step 1.1: Log in to the Intune ODJ connector server
Step 1.2: Open Event Viewer and navigate to Applications and Services Logs → Microsoft → Windows → ODJConnectorService → Admin
Step 1.3: Review the recent logs to see if any errors were reported for the device.
In the ODJConnectorService event log on the Intune Connector server we found a RequestOfflineDomainJoinBlob_Failure event carrying the message “Failed to call NetProvisionComputerAccount machineName=xxxx”. Note the WinErrorCode 8557 in the event: that is the decimal form of 0x216D, the same status that NetSetup.log reports in the next step.

Event viewer logs:
RequestOfflineDomainJoinBlob_Failure: Failed to generate ODJ blob
RequestId: xxxx
DeviceId: xxxx
DomainName: xxxx
RetryCount: 0
ErrorDescription: Failed to call NetProvisionComputerAccount machineName=xxxx
InstanceId: xxxx
DiagnosticCode: 268435455
WinErrorCode: 8557
DiagnosticText: We are unable to complete your request because a server-side error occurred. Please try again. [Exception Message: "DiagnosticException: 0x0FFFFFFF. We are unable to complete your request because a server-side error occurred. Please try again."] [Exception Message: "Failed to call NetProvisionComputerAccount machineName=xxxx"]
Step 2: Check NetSetup Log
The NetSetup.log file provides detailed records of all domain join operations performed by Windows. By reviewing this log, administrators can quickly identify domain join‑related issues, such as failures in the Offline Domain Join (ODJ) process, misconfigured Active Directory OU permissions, or errors linked to Windows Autopilot Hybrid Azure AD Join provisioning.
Step 2.1: Open File Explorer
Step 2.2: Navigate to C:\Windows\Debug and open NetSetup.log
On the Intune Connector server, NetSetup.log contained the entries below. The connector could not create the computer object: ldap_add_s returned WILL_NOT_PERFORM with the extended error 0x216d, which is ERROR_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED (8557 decimal, the same WinErrorCode shown in the connector event). Despite its name, this code does not necessarily mean a quota was literally exhausted. It is what Active Directory returns when the caller has no explicit Create Computer objects right on the target OU and the request falls back to the per-account ms-DS-MachineAccountQuota, which hardened domains set to 0. It therefore points strongly at the connector's OU permissions, and this failure in the Offline Domain Join (ODJ) process is a common cause of Windows Autopilot Hybrid Azure AD Join error 80070002.
NetpMapGetLdapExtendedError: Parsed [0x216d] from server extended error string: 0000216D: SvcErr: DSID-031A126C, problem 5003 (WILL_NOT_PERFORM), data 0
NetpModifyComputerObjectInDs: ldap_add_s failed: 0x35 0x216d
NetpCreateComputerObjectInDs: NetpModifyComputerObjectInDs failed: 0x216d
NetpProvisionComputerAccount: LDAP creation failed: 0x216d
ldap_unbind status: 0x0
NetpJoinCreatePackagePart: status:0x216d.
NetProvisionComputerAccount: status: 0x216d
Step 3: Check OU Permission
Step 3.1: Open the “Active Directory Users and Computers” console
Step 3.2: Expand the domain tree and locate the OU
Step 3.3: Right-click the OU, select Properties, and validate the object permissions on the Security tab (Advanced). The Security tab is only shown when View → Advanced Features is enabled in the console.
We reviewed the permissions that the Intune Connector server's computer account holds on the Active Directory OUs designated for Hybrid Azure AD Join devices. For provisioning to succeed, the connector must be able to create Computer objects in the OU (and in any child OUs used for devices) and must have Full Control over the Computer objects it creates. The delegation had originally been configured correctly, but at some point the entries had been changed to apply to “This object only”, so they no longer reached the computer objects below the OU. That change prevented the connector from creating computer objects during the Offline Domain Join (ODJ) process and produced Windows Autopilot error 80070002. An OU ACL that changes “for unknown reasons” also deserves a follow-up: with Directory Service Changes auditing enabled and a SACL on the OU, event ID 5136 on the domain controllers records who modified the OU's security descriptor.

Solution
Assign the correct Active Directory OU permissions to the Intune Connector server's computer account so that Offline Domain Join (ODJ) provisioning can succeed. The official Microsoft documentation for Autopilot Hybrid Azure AD Join gives step‑by‑step guidance on delegating OU permissions to the connector server; delegate only on the device OU, not on the domain root.
Once the entries were changed to apply to “This object and all child objects” (current versions of the permission editor label this “This object and all descendant objects”), the issue was resolved and the Windows Autopilot Hybrid Azure AD Join build completed successfully without triggering error 80070002.
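The three checks above (connector event log, NetSetup.log status, OU delegation) can be scripted. The following PowerShell is an added example and not code from the original post: it pulls the connector's recent ODJ failures with the WinErrorCode decoded, reports which rights the connector's computer account actually holds on the device OU and whether they are inherited, and reads the domain's ms-DS-MachineAccountQuota, the value the request falls back to when the explicit Create right is missing. The OU distinguished name and the connector server name are assumed placeholders; the script assumes RSAT (the ActiveDirectory module) and permission to read the connector's event log remotely.

```powershell
# Added example (not code from the original post). Needs RSAT (ActiveDirectory module) and
# rights to read the connector's event log remotely. OU DN and server name are assumptions.
Import-Module ActiveDirectory

$OuDn          = 'OU=Mumbai,OU=India,DC=techuisitive,DC=local'   # assumed: OU from the ODJ profile
$ConnectorName = 'INTUNECONN01'                                  # assumed: connector server name

# Schema GUID of the Computer object class; identical in every AD forest.
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Get-OdjFailureEvent {
    param([string] $Computer, [int] $Newest = 20)
    # Discover the channel instead of hard-coding its name; it is the log shown under
    # Applications and Services Logs > Microsoft > Windows > ODJConnectorService.
    $log = (Get-WinEvent -ListLog '*ODJConnectorService*' -ComputerName $Computer).LogName
    Get-WinEvent -LogName $log -ComputerName $Computer -MaxEvents 500 |
        Where-Object { $_.Message -like '*RequestOfflineDomainJoinBlob_Failure*' } |
        Select-Object -First $Newest TimeCreated, Id,
            @{ n = 'WinErrorCode'; e = { if ($_.Message -match 'WinErrorCode:\s*(\d+)') { [int]$Matches[1] } } },
            @{ n = 'Meaning';      e = { if ($_.Message -match 'WinErrorCode:\s*(\d+)') {
                                            (New-Object System.ComponentModel.Win32Exception ([int]$Matches[1])).Message } } }
}

function Test-OdjOuDelegation {
    param([string] $OuDn, [string] $ConnectorName)

    $sid     = (Get-ADComputer -Identity $ConnectorName).SID
    $account = $sid.Translate([System.Security.Principal.NTAccount]).Value   # DOMAIN\HOST$
    $acl     = Get-Acl -Path "AD:\$OuDn"

    # Only the Allow entries granted to the connector's own computer account.
    $aces = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $account
    })

    # Create Computer objects: CreateChild scoped to the Computer class (or to all classes).
    $create = @($aces | Where-Object {
        ([int]$_.ActiveDirectoryRights -band [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -ne 0 -and
        ($_.ObjectType -eq $ComputerClass -or $_.ObjectType -eq [guid]::Empty)
    })

    # Full Control over descendant Computer objects. An entry whose InheritanceType is
    # None ("This object only") never reaches the computer objects the connector creates,
    # which is exactly the misconfiguration found in Cause 1.
    $full = @($aces | Where-Object {
        ([int]$_.ActiveDirectoryRights -band [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq
            [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll -and
        ($_.InheritedObjectType -eq $ComputerClass -or $_.InheritedObjectType -eq [guid]::Empty) -and
        $_.InheritanceType.ToString() -in 'All', 'Descendents'
    })

    [pscustomobject]@{
        OU                      = $OuDn
        Account                 = $account
        AllowAces               = $aces.Count
        CanCreateComputers      = ($create.Count -gt 0)
        CreateAppliesToChildOUs = (@($create | Where-Object { $_.InheritanceType.ToString() -eq 'All' }).Count -gt 0)
        FullControlOnComputers  = ($full.Count -gt 0)
        Aces                    = $aces | Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType, IsInherited
    }
}

# 1. Recent failures on the connector, with WinErrorCode decoded (8557 is 0x216D).
Get-OdjFailureEvent -Computer $ConnectorName | Format-Table -AutoSize

# 2. Delegation on the device OU.
$result = Test-OdjOuDelegation -OuDn $OuDn -ConnectorName $ConnectorName
$result | Select-Object OU, Account, AllowAces, CanCreateComputers, CreateAppliesToChildOUs, FullControlOnComputers | Format-List
$result.Aces | Format-Table -AutoSize

# 3. The quota the request falls back to when the explicit Create right is not honoured.
$domainDn = (Get-ADDomain).DistinguishedName
$quota    = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $quota (0x216D together with a quota of 0 means the connector had no explicit Create right)"
```

A healthy result shows CanCreateComputers and FullControlOnComputers both True; the “This object only” state from Cause 1 shows the entries in the Aces table with InheritanceType None and FullControlOnComputers False. When re-delegating, keep the grant narrow: the connector's computer account only needs Create/Delete Computer objects on the device OU plus Full Control over the descendant Computer objects, not Full Control on the OU itself or on the domain root.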
Cause 2: Invalid character in the computer name prefix
In this case NetSetup.log on the Intune Connector server (again at C:\Windows\Debug\NetSetup.log) reported status 0x2558 rather than 0x216d. The symptom looked the same, the connector could not create a computer object on the domain controller during the Offline Domain Join (ODJ) process, and it was tempting to treat it as another OU permission problem. The status code is different, though, and it needs to be decoded before anything is changed.
OS Version: 6.2
Build number: 9200 (20348.fe_release.210507-1500)
SKU: Windows Server 2022 Standard
Architecture: 64-bit (AMD64)
NetProvisionComputerAccount:
lpDomain: techuisitive.local
lpMachineName: Desktop- 9i65i
lpMachineAccountOU: OU=Mumbai, OU=India,dc=techuisitive, dc=local
lpDcName: (NULL)
dwOptions: 0x0
NetProvisionComputerAccount: requesting text encoded blob
NetProvisionComputerAccount: status: 0x2558
Upon further investigation, we discovered that the issue was isolated to a specific physical site, while Windows Autopilot Hybrid Azure AD Join provisioning continued to work correctly at other locations.
The error code 0x2558 (9560 decimal) is DNS_ERROR_INVALID_NAME_CHAR. A closer review of the Offline Domain Join (ODJ) profile revealed a trailing blank space at the end of the computer name prefix; it is visible in the log above as the space between the hyphen and the random suffix in lpMachineName: Desktop- 9i65i. Because the prefix is concatenated with the suffix, the generated computer name contained a character that is not valid in a Windows computer name, the provisioning request failed, and the device reported Autopilot error 80070002.
Solution
We resolved the issue by removing the trailing whitespace from the computer name prefix in the Offline Domain Join (ODJ) profile. Once the prefix was corrected, the Windows Autopilot Hybrid Azure AD Join provisioning process completed successfully, and the devices were enrolled without triggering error 80070002.
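Whitespace in a name prefix is invisible in the portal and easy to introduce by pasting. The PowerShell below is an added example, not code from the original post: it validates a prefix the way the ODJ flow will judge the resulting name, lists the code point of every character so a trailing space or a non-breaking space cannot hide, and decodes the 0x2558 status from NetSetup.log. The 5-character random suffix length is an assumption taken from the name Desktop- 9i65i in the log; the sample prefixes are constructed for the demonstration.

```powershell
# Added example (not code from the original post). Validates an ODJ profile computer-name
# prefix and exposes hidden characters. The suffix length is an assumption from the log.
function Test-OdjNamePrefix {
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string] $Prefix,
        [int] $SuffixLength  = 5,    # assumed length of the random suffix Intune appends
        [int] $MaxNameLength = 15    # NetBIOS computer-name limit
    )
    $problems = @()

    if ($Prefix.Length -eq 0) {
        $problems += 'prefix is empty'
    }
    elseif ($Prefix -ne $Prefix.Trim()) {
        # Trim() strips all Unicode whitespace, so a pasted non-breaking space (U+00A0)
        # at either end is caught here as well as an ordinary trailing space.
        $problems += 'prefix has leading or trailing whitespace'
    }
    elseif ($Prefix -match '\s') {
        $problems += 'prefix contains embedded whitespace'
    }
    # Windows computer names allow letters, digits and hyphens only.
    if ($Prefix -notmatch '^[A-Za-z0-9-]*$') {
        $problems += 'prefix contains characters other than letters, digits and hyphens'
    }
    if ($Prefix.Length + $SuffixLength -gt $MaxNameLength) {
        $problems += "prefix plus $SuffixLength-character suffix exceeds $MaxNameLength characters"
    }

    [pscustomobject]@{
        Prefix     = "[$Prefix]"    # brackets make a trailing space visible in the output
        CodePoints = ($Prefix.ToCharArray() | ForEach-Object { 'U+{0:X4}' -f [int]$_ }) -join ' '
        Valid      = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Constructed samples: the prefix from the failing site, the corrected one, one ending in
# a non-breaking space, and one that leaves no room for the random suffix.
$samples = 'Desktop- ', 'Desktop-', "Desktop-$([char]0x00A0)", 'MUMBAI-LAPTOP-'
$samples | ForEach-Object { Test-OdjNamePrefix -Prefix $_ } | Format-Table -AutoSize

# Decode the NetSetup.log status the same way the connector's WinErrorCode can be decoded.
$code = 0x2558
'0x{0:X4} ({1}) = {2}' -f $code, $code, (New-Object System.ComponentModel.Win32Exception ([int]$code)).Message
```

The first sample is reported invalid with “prefix has leading or trailing whitespace” and its code-point listing ends in U+0020; the corrected Desktop- prefix passes; the non-breaking-space variant fails both the whitespace and the character-class checks even though it looks identical on screen. Running a check like this against the profile value before saving it would have caught the failing site's prefix before any device reached the ODJ step.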