Error 0x80070774 during Autopilot Hybrid AD Join enrollment – Intune enrollment successful but device not joined to domain

Daniel TASSA 0 Reputation points
2025-05-06T13:31:34.11+00:00

I’m encountering an issue with an Autopilot deployment in Hybrid Azure AD Join mode. The enrollment seems to complete successfully in Intune, but the device fails to join the on-premises domain, and I receive the following error:

"We encountered a problem. Confirm that you are using the correct credentials. Try again or contact your system administrator."

Error code: 0x80070774

Context and details:

Autopilot profile assigned and applied (visible in Intune > Windows Autopilot Devices)

Profile status in Intune: Assigned

Enrollment status: Enrolled

Device is visible in Intune and Microsoft Entra ID

Device had recent last contact (05/05/2025)

Autopilot profile assigned since 21/03/2025

The device shows as properly enrolled in Intune, associated with its profile, and visible in Entra ID. However, no computer object is created in the on-premises Active Directory.

In Intune > Devices > Device Configuration > Autopilot Hybrid Join (which is the policy I created) > View Report > WindowsDomainJoinConfiguration, I see the following error:

Parameter error

Parameter: WindowsDomainJoinConfiguration

Status: Error

Profile source: Autopilot Hybrid Join

Error code: 0x8fffffff

Environment:

I have an on-premises Active Directory, synchronized with Azure AD via AD Connect

Hybrid Azure AD Join is already working (existing AD-joined machines are correctly syncing to Azure AD and Intune)

I’m using Intune Connector for Active Directory, and it shows as connected and active in Intune

I have multiple Intune Connectors installed and appearing in Intune

During OOBE, the machine can reach the domain controller (ping and nslookup successful)

No computer object is created in the target OU (checked directly in AD)

No critical errors found in the event logs of the server hosting the Intune Connector

I’m using an Active Directory Kerberos Trust, and my DNS/AD environment is healthy (tests with nltest, ping, etc., are successful)

The connector is properly installed and services are running

Ping and DNS resolution between the Connector server and the domain controllers are working

Questions or ideas:

Has anyone encountered this situation before?

Could error 0x80070774 be related to a Kerberos delegation issue misconfigured for the Intune Connector?

Is there a way to force additional diagnostics or enable more detailed logging of the machine account creation attempt in AD?

Thank you in advance for your help or any insights!

Microsoft Security | Intune | Configuration Manager | Deployment

1 answer

  1. Daniel TASSA 0 Reputation points
    2025-05-07T12:31:13.2333333+00:00

    Cause: The issue was related to insufficient permissions for the account/service used by the Intune Connector.

    When a specific OU was defined in the Intune profile, the account did not have the necessary rights to create computer objects in that OU ➔ causing the Hybrid Azure AD Join to fail.

    • However, when I left the target OU field empty, the device was successfully created in the default Computers container, confirming that the connector itself was working properly.

    Solution: I adjusted the permissions on the target OU:

    I granted the Intune Connector account the following permissions (via Delegation of Control wizard or advanced ACLs):

    • Create and delete computer objects

    • Read and write necessary attributes (like servicePrincipalName, etc.)

    After applying these changes, the Hybrid Azure AD Join worked as expected, and the devices were correctly created in the specified OU.
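A PowerShell example added here (not part of the original post) that delegates only the two rights the answer lists to the connector identity on the target OU, scoped to computer objects, and then reads the resulting ACEs back so the change can be verified rather than assumed. The OU distinguished name and the connector identity are placeholders; which identity the Intune Connector actually runs as depends on the connector version (the connector server's computer account, or a managed service account), so check the service's logon account before granting anything.

```powershell
# Added example, not from the original post. Delegates the two rights named in the
# answer to the Intune Connector identity on the target OU, then verifies the ACEs.
# $TargetOU and $ConnectorIdentity are placeholders; replace them with your own values.
Import-Module ActiveDirectory

$TargetOU          = 'OU=Autopilot Devices,DC=contoso,DC=com'    # placeholder OU DN
$ConnectorIdentity = 'CONTOSO\INTUNECONN01$'                      # placeholder: account the connector service runs as
$ComputerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2' # schemaIDGUID of the 'computer' object class

function Grant-ConnectorOuRights {
    param([string]$OuDn, [string]$Identity, [Guid]$ComputerClass)

    $sid = ([System.Security.Principal.NTAccount]$Identity).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $acl = Get-Acl -Path "AD:\$OuDn"

    # Right 1: create and delete child objects of class 'computer' in this OU and its sub-OUs
    $createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ComputerClass,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

    # Right 2: read and write the attributes of computer objects under the OU
    # (e.g. servicePrincipalName). Scoped to descendant computer objects only,
    # so the connector gains nothing over users, groups or the OU itself.
    $readWrite = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $ComputerClass)

    $acl.AddAccessRule($createDelete)
    $acl.AddAccessRule($readWrite)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Get-ConnectorOuRights {
    # Returns the ACEs on the OU that apply to the connector identity, for review
    param([string]$OuDn, [string]$Identity)
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                      InheritedObjectType, InheritanceType
}

Grant-ConnectorOuRights -OuDn $TargetOU -Identity $ConnectorIdentity -ComputerClass $ComputerClassGuid
Get-ConnectorOuRights   -OuDn $TargetOU -Identity $ConnectorIdentity | Format-Table -AutoSize
```

After the grant, the review step should show exactly two ACEs for the identity: one with CreateChild, DeleteChild whose ObjectType is the computer class GUID and InheritanceType All, and one with ReadProperty, WriteProperty whose InheritedObjectType is the computer class GUID and InheritanceType Descendents. The Delegation of Control wizard mentioned in the answer produces equivalent entries; the advantage of doing it in script is that the same review function can be run periodically to confirm nobody has widened the delegation on the OU since. If a join still fails with only these rights, compare them against the delegation steps in Microsoft's documentation for the Intune Connector, which grants broader rights over the computer objects it creates, and widen only as far as that guidance requires.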
    
