I’m encountering an issue with an Autopilot deployment in Hybrid Azure AD Join mode. The enrollment seems to complete successfully in Intune, but the device fails to join the on-premises domain, and I receive the following error:
"We encountered a problem. Confirm that you are using the correct credentials. try again or contact your system administrator
Code Error 0x80070774
Context and details:
Autopilot profile assigned and applied (visible in Intune > Windows Autopilot Devices)
Profile status in Intune: Assigned
Enrollment status: Enrolled
Device is visible in Intune and Microsoft Entra ID
Device had recent last contact (05/05/2025)
Autopilot profile assigned since 21/03/2025
The device shows as properly enrolled in Intune, associated with its profile, and visible in Entra ID. However, no computer object is created in the on-premises Active Directory.
In Intune > Devices > Device Configuration > Autopilot Hybrid Join (which is the policy I created) > View Report > WindowsDomainJoinConfiguration, I see the following error:
Parameter error
Parameter: WindowsDomainJoinConfiguration
Status: Error
Profile source: Autopilot Hybrid Join
Error code: 0x8fffffff
Environment:
I have an on-premises Active Directory, synchronized with Azure AD via AD Connect
Hybrid Azure AD Join is already working (existing AD-joined machines are correctly syncing to Azure AD and Intune)
I’m using Intune Connector for Active Directory, and it shows as connected and active in Intune
I have multiple Intune Connectors installed and appearing in Intune
During OOBE, the machine can reach the domain controller (ping and nslookup successful)
No computer object is created in the target OU (checked directly in AD)
No critical errors found in the event logs of the server hosting the Intune Connector
I’m using an Active Directory Kerberos Trust, and my DNS/AD environment is healthy (tests with nltest, ping, etc., are successful)
The connector is properly installed and services are running
Ping and DNS resolution between the Connector server and the domain controllers are working
Questions or ideas:
Has anyone encountered this situation before?
Could error 0x80070774 be related to a Kerberos delegation issue misconfigured for the Intune Connector?
Is there a way to force additional diagnostics or enable more detailed logging of the machine account creation attempt in AD?
Thank you in advance for your help or any insights!I’m encountering an issue with an Autopilot deployment in Hybrid Azure AD Join mode. The enrollment seems to complete successfully in Intune, but the device fails to join the on-premises domain, and I receive the following error:
"We encountered a problem. Confirm that you are using the correct credentials, that the network is accessible, and that the domain can be contacted."
Context and details:
Autopilot profile assigned and applied (visible in Intune > Windows Autopilot Devices)
Profile status in Intune: Assigned
Enrollment status: Enrolled
Device is visible in Intune and Microsoft Entra ID
Device had recent last contact (05/05/2025)
Autopilot profile assigned since 21/03/2025
The device shows as properly enrolled in Intune, associated with its profile, and visible in Entra ID. However, no computer object is created in the on-premises Active Directory.
In Intune > Devices > Device Configuration > Autopilot Hybrid Join (which is the policy I created) > View Report > WindowsDomainJoinConfiguration, I see the following error:
Parameter error
Parameter: WindowsDomainJoinConfiguration
Status: Error
Profile source: Autopilot Hybrid Join
Error code: 0x8fffffff
Environment:
I have an on-premises Active Directory, synchronized with Azure AD via AD Connect
Hybrid Azure AD Join is already working (existing AD-joined machines are correctly syncing to Azure AD and Intune)
I’m using Intune Connector for Active Directory, and it shows as connected and active in Intune
I have multiple Intune Connectors installed and appearing in Intune
During OOBE, the machine can reach the domain controller (ping and nslookup successful)
No computer object is created in the target OU (checked directly in AD)
No critical errors found in the event logs of the server hosting the Intune Connector
I’m using an Active Directory Kerberos Trust, and my DNS/AD environment is healthy (tests with nltest, ping, etc., are successful)
The connector is properly installed and services are running
Ping and DNS resolution between the Connector server and the domain controllers are working
Questions or ideas:
Has anyone encountered this situation before?
Could error 0x80070774 be related to a Kerberos delegation issue misconfigured for the Intune Connector?
Is there a way to force additional diagnostics or enable more detailed logging of the machine account creation attempt in AD?
Thank you in advance for your help or any insights!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 61%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDT%3C/text%3E%3C/svg%3E)
