
Autopilot to add a computer to our domain from home

Garman WA, Gary 0 Reputation points
2026-03-04T13:51:01.54+00:00

Having an issue trying to get computers connected to our domain when the computer is not connected to the domain. We are able to import the hash for the computer. Autopilot connects through the "Intune Connector" and adds the computer to AD. Then it offers to log in with the e-mail. Once I enter the e-mail, ESP then installs GlobalProtect just fine. The computer then continues on and offers a login prompt. Trying to log in gives a trust relationship error. It offers a GlobalProtect sign-in option at the login screen, but still gives the same error. Autopilot works fine when connected directly to the domain (in the office). Any help would be greatly appreciated. Please let me know if you have any questions.

Windows for business | Windows Server | Networking | Network connectivity and file sharing

3 answers

  1. VPHAN 29,510 Reputation points Independent Advisor
    2026-03-06T09:13:02.2+00:00

    Hi Garman WA, Gary,

    How is your issue going? Has it been resolved yet? If it has, please consider accepting the answer as it helps others sharing the same problem benefit too. Thank you :)

    VP


  2. VPHAN 29,510 Reputation points Independent Advisor
    2026-03-04T14:33:19.67+00:00

    Hi Garman WA, Gary,

    To resolve this, your GlobalProtect client must be configured to establish a Pre-Logon machine tunnel. This is different from a standard user tunnel and requires configuring Intune to push a machine certificate to the device during the initial Device Enrollment Status Page phase. You also need to ensure the VPN configuration is correctly injected into the system registry during installation. Specifically, your portal address must be defined in the HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup registry path so the GlobalProtect client knows exactly where to connect before a user profile is ever created.

    Once the VPN client installs and reads that registry key, it uses the Intune-deployed machine certificate to silently build a secure tunnel in the background at the lock screen. You must also ensure your Autopilot deployment profile has the option to skip the Active Directory connectivity check configured to yes. This prevents the setup process from failing if the background tunnel takes a few extra seconds to establish. With the machine tunnel active at the login screen, the computer can securely reach the domain controller, validate the domain trust, and process the initial user login without errors.

    Hope this answer brought you some useful information; if it did, please hit "accept answer". Should you have any questions, feel free to leave a comment.

    VP

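The answer above names three prerequisites for a working pre-logon tunnel: a portal address under the PanSetup registry key, an Intune-deployed machine certificate, and the GlobalProtect service running before any user signs in. The script below is an added example (not code from the answer or from Palo Alto Networks) that checks all three from an elevated PowerShell session on the Autopilot device. The registry path is the one quoted in the answer; the value names `Portal` and `Prelogon`, and the choice of the client-authentication EKU as the certificate filter, are assumptions made here for illustration.

```powershell
# Added example: verify GlobalProtect pre-logon prerequisites on an Autopilot device.
# Run elevated (local admin), since a domain logon is exactly what is failing.
# Registry path is from the answer; value names 'Portal' and 'Prelogon' are assumed.

$panSetup = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup'
$result   = [ordered]@{}

# 1. Portal address and pre-logon flag must exist in HKLM, not HKCU, because no
#    user profile exists when the machine tunnel is built at the lock screen.
if (Test-Path -Path $panSetup) {
    $props           = Get-ItemProperty -Path $panSetup
    $result.Portal   = $props.Portal     # value name assumed
    $result.Prelogon = $props.Prelogon   # value name assumed
} else {
    $result.Portal   = $null
    $result.Prelogon = $null
}

# 2. A machine certificate with a private key in LocalMachine\My that is valid now
#    and carries the Client Authentication EKU (1.3.6.1.5.5.7.3.2). Certificates with
#    an empty EKU list are "any purpose" and are counted too.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$machineCerts  = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    $_.NotBefore -lt (Get-Date) -and
    (
        @($_.EnhancedKeyUsageList).Count -eq 0 -or
        ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
    )
}
$result.MachineCertCount    = @($machineCerts).Count
$result.MachineCertSubjects = @($machineCerts | ForEach-Object { $_.Subject })
$result.MachineCertIssuers  = @($machineCerts | ForEach-Object { $_.Issuer } | Sort-Object -Unique)

# 3. The pre-logon tunnel is built by the PanGPS service, not by the per-user agent,
#    so the service must be installed and running before first logon.
$svc = Get-Service -Name 'PanGPS' -ErrorAction SilentlyContinue
$result.PanGPSStatus    = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
$result.PanGPSStartType = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }

# Summarise which prerequisites are missing so the output is actionable.
$missing = @()
if (-not $result.Portal)               { $missing += 'PanSetup\Portal not set' }
if ($result.MachineCertCount -eq 0)    { $missing += 'no usable machine certificate in LocalMachine\My' }
if ($result.PanGPSStatus -ne 'Running') { $missing += "PanGPS service is $($result.PanGPSStatus)" }
$result.Missing = if ($missing) { $missing -join '; ' } else { 'none' }

[pscustomobject]$result | Format-List
```

If `Missing` reports anything, fix that item before re-running Autopilot; a portal value that is only present under HKCU, or a certificate that landed in the user store instead of the machine store, produces exactly the symptom in the question even though GlobalProtect appears to be installed.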

  3. Q&A Assist
    2026-03-04T13:51:19.5633333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The described symptoms match a classic hybrid Autopilot/domain-join trust problem: the device account is created in on-premises AD by the Intune Connector, but at first logon from home the machine cannot contact a domain controller to validate the secure channel, so Windows reports a trust relationship error.

    Key points from the scenario:

    • Hash is imported and Autopilot profile applies.
    • Intune Connector for Active Directory creates the computer account in on-premises AD.
    • ESP runs and installs GlobalProtect successfully.
    • At the first domain logon (from home), a trust relationship error appears even if GlobalProtect is available at the logon screen.
    • Works fine when the device is on-premises (directly on the domain network).

    From the provided context, the following items should be verified and corrected:

    1. Ensure the correct domain/connector alignment
      If the Intune Connector for Active Directory is installed in one AD domain but the Autopilot domain join profile targets another domain, hybrid join will fail in subtle ways. Error 0x80070774 is specifically called out for a domain mismatch, but the underlying issue is the same: the connector must be in the same AD domain where the device account is created.
      • Confirm that:
        • The Intune Connector for Active Directory server is joined to the same on-premises AD domain specified in the Autopilot domain join profile.
        • The OU configured in the domain join profile is in that same domain.
      • If there is any mismatch, reinstall/configure the Intune Connector in the correct domain and re-run Autopilot.
    2. Verify the Intune Connector for Active Directory is healthy and active
      • In the Microsoft Intune admin center, go to Devices → Windows → Enrollment → Intune Connector for Active Directory and confirm:
        • The connector server shows under Connector name.
        • Status is Active.
        • Version is at least 6.2501.2000.5 for the updated connector.
      • If the connector is not active or not visible, fix that first (reinstall or re-enroll the connector) and then re-test Autopilot.
    3. Confirm the MSA and OU permissions are correct
      The Intune Connector uses a Managed Service Account (MSA) msaODJ##### to create computer objects in the target OU. If this account cannot properly create or update the computer object, the resulting machine account may not be usable at logon.
      • On the connector server, identify the MSA used by the Intune ODJConnector for Active Service (check the Log On As column in Services).
      • In Active Directory Users and Computers (DSA.msc), on the OU where Autopilot is joining devices:
        • Open Properties → Security → Advanced → Add.
        • Add the MSA as a principal (Object type: Service Accounts).
        • Set Applies to: This object only.
        • Grant only Create Computer objects.
      • This ensures the connector can create the computer account correctly and not hit the default “10 computer” join limit.
    4. Network/VPN timing at first logon
      Even when GlobalProtect is installed, the device must have a working VPN tunnel to a domain controller before the user attempts the first domain logon. If the VPN only comes up after logon, or if the pre-logon configuration is not correct, Windows cannot validate the secure channel and shows a trust relationship error.
      • Verify that GlobalProtect is configured for pre-logon (machine tunnel) so that:
        • At the Ctrl+Alt+Del screen, the device already has connectivity to on-premises domain controllers.
        • DNS resolution for the AD domain and DCs works over the VPN.
      • Test by pressing Ctrl+Alt+Del → Network icon (if available) or using GlobalProtect’s pre-logon status to confirm the tunnel is established before entering domain credentials.
    5. Re-run Autopilot after fixing connector/domain issues
      After confirming:
      • Connector is active and in the correct domain.
      • MSA has proper permissions on the target OU.
      • VPN is available at logon.
      Reset or reimage one test device and run Autopilot again from home. Confirm that:
      • The computer account is created in the expected OU.
      • Hybrid join completes.
      • First domain logon succeeds once the pre-logon VPN is connected.

    If Autopilot continues to work on-premises but fails only from home, focus on:

    • Domain/connector mismatch (per the documented 0x80070774 scenario).
    • Pre-logon VPN connectivity to domain controllers.
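    Steps 3 and 4 of the answer above can be checked from the device itself. The following is an added example (not part of the answer) that, from an elevated PowerShell session on the Autopilot device once the pre-logon tunnel is up, resolves the DC locator SRV record for the domain, tests LDAP and Kerberos reachability to each DC, validates the machine's secure channel, and then reads the target OU's ACL to confirm the connector's MSA holds a "Create Computer objects" ACE. The domain name, OU distinguished name and MSA name are placeholders; the OU check requires the RSAT ActiveDirectory module.

```powershell
# Added example: diagnose first-logon trust failures for a hybrid Autopilot device.
# Run elevated from a local admin account while the GlobalProtect tunnel is connected.
# $Domain, $TargetOU and $Msa are placeholders; replace them with your own values.
param(
    [string]$Domain   = 'corp.example.com',                           # assumed
    [string]$TargetOU = 'OU=Autopilot,DC=corp,DC=example,DC=com',     # assumed
    [string]$Msa      = 'msaODJ12345$'                                # assumed sample name
)

# --- Step 4: DC discovery and reachability over the VPN ---------------------------
# Netlogon locates DCs via this SRV record; if it does not resolve over the tunnel,
# the secure channel cannot be validated and Windows shows a trust relationship error.
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
} catch {
    Write-Warning "SRV lookup for _ldap._tcp.dc._msdcs.$Domain failed: $($_.Exception.Message)"
    Write-Warning 'Check that the VPN pushes internal DNS servers and a search suffix for the AD domain.'
    $srv = @()
}
$dcs = @($srv | Where-Object { $_.Type -eq 'SRV' } |
            Select-Object -ExpandProperty NameTarget -Unique)

$reach = foreach ($dc in $dcs) {
    $ldap = Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue
    $krb  = Test-NetConnection -ComputerName $dc -Port 88  -WarningAction SilentlyContinue
    [pscustomobject]@{
        DomainController  = $dc
        ResolvedAddress   = $ldap.RemoteAddress
        LdapReachable     = $ldap.TcpTestSucceeded
        KerberosReachable = $krb.TcpTestSucceeded
    }
}
$reach | Format-Table -AutoSize

# Secure-channel validation against the computer account the connector created.
# This is the same check that fails at the logon screen when the DC is unreachable.
$secureChannelOk = $false
try   { $secureChannelOk = Test-ComputerSecureChannel -ErrorAction Stop }
catch { Write-Warning "Test-ComputerSecureChannel failed: $($_.Exception.Message)" }
"Secure channel to $env:USERDNSDOMAIN valid: $secureChannelOk"

# --- Step 3: does the connector's MSA have 'Create Computer objects' on the OU? ----
Import-Module ActiveDirectory -ErrorAction Stop
# schemaIDGUID of the 'computer' class; an ACE granting CreateChild scoped to this
# GUID is what ADUC displays as "Create Computer objects".
$computerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$acl = Get-Acl -Path "AD:\$TargetOU"

$msaAces = @($acl.Access | Where-Object {
    $_.IdentityReference.Value -like "*\$Msa" -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -and
    $_.ObjectType -eq $computerClassGuid
})

if ($msaAces.Count -gt 0) {
    "ACE(s) granting Create Computer objects to $Msa on $TargetOU :"
    $msaAces | Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType |
        Format-Table -AutoSize
    # 'None' here corresponds to "This object only" in the ADUC Advanced Security dialog.
} else {
    "No 'Create Computer objects' ACE for $Msa on $TargetOU; grant it as described in step 3."
}
```

Read the output top to bottom: an empty DC list points at DNS over the VPN, reachable DCs with a failing secure channel point at the computer object (wrong OU, stale password, or created in a different domain than the connector), and a missing ACE points at the MSA delegation on the OU.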

