Share via

Error 0x80070643 while installing Microsoft Entra Provisioning Agent (AADConnectProvisioningAgent)

Jessica Fraga 0 Reputation points
2026-03-26T19:41:43.57+00:00

User's image I'm trying to install the Microsoft Entra Provisioning Agent (AADConnectProvisioningAgentSetup.exe) on a Windows 10 x64 machine.

The installation always fails with Error 0x80070643 when executing the MSI Microsoft.SCIM.Provisioning.Setup.msi.

Environment

  • OS: Windows 10 x64 (Build 22631)
  • Installer version: 5.0.2.0
  • .NET Framework: Installed (condition NETFRAMEWORK45 >= 461808 evaluates to true)
  • Installation executed as local administrator
  • Windows Update enabled

Expected behavior

The provisioning agent should install successfully.

Actual behavior

The MSI installation fails with error 0x80070643 and rolls back.

Relevant log excerpt (sanitized)

i301: Applying execute package: Microsoft.SCIM.Provisioning.Setup.msi e000: Error 0x80070643: Failed to install MSI package. e000: Error 0x80070643: Failed to execute MSI package. e000: Error 0x80070643: Failed to configure per-machine MSI package.

The full installer runs without UI (WixStdBASuppressOptionsUI=1). No additional error is shown on screen.

Has anyone encountered this issue with the Entra Provisioning Agent? Are there known prerequisites, permissions, or Windows components that could cause this MSI error during installation?

Any guidance would be appreciated. ``

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2026-03-26T19:42:44.29+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Error 0x80070643 during installation of the Microsoft Entra Provisioning Agent usually indicates that the MSI could not complete because the Windows service account for the agent could not be created or started, or because a previous/partial installation is blocking setup.

    Based on the documented agent issues, focus on these areas:

    1. Verify prerequisites
      • Ensure all prerequisites for Microsoft Entra Connect cloud sync are met on the Windows 10 machine, including TLS 1.2 and required components. The provisioning agent setup assumes these are in place.
    2. Check for previous/partial agent installations
      • Open Services.msc and look for:
        • Microsoft Entra Provisioning Agent
        • Microsoft Entra Connect Agent Updater
      • If they exist but are not running or are stuck in Starting, this can cause MSI failures. In that case:
        1. Uninstall any existing Microsoft Entra Provisioning Agent from Apps & Features.
        2. Confirm the services are removed.
        3. Reboot and then rerun the installer.
    3. Group Policy / “log on as a service” rights
      • The installer creates a local service account NT SERVICE\AADConnectProvisioningAgent and grants it Log on as a service. If local or domain Group Policy prevents this, the service cannot start and the MSI fails.
      • On the machine:
        1. Run secpol.mscLocal PoliciesUser Rights AssignmentLog on as a service.
        2. Ensure the entry NT SERVICE\ALL SERVICES is present. If it is missing, add it and apply policy.
      • If the policy is controlled by a domain GPO, adjust the GPO so that NT SERVICE\ALL SERVICES (or at least the agent service account) is allowed.
    4. Manually set the service logon account (if the service is created but fails to start)
      • If the MSI gets far enough to create the service but it fails to start:
        1. Open Services.msc.
        2. Open Microsoft Entra Provisioning AgentLog On tab.
        3. Change This account to a domain administrator account.
        4. Apply and start the service, then rerun the installer if it rolled back.
    5. Domain controller / policy considerations
      • If this Windows 10 machine is a domain controller or has DC-like policies applied, the same restrictions that affect DC installations can apply (for example, policies blocking local service accounts). In such cases, either:
        • Relax the policy to allow the service account as above, or
        • Install the provisioning agent on a non‑DC server that meets the prerequisites.
    6. Review the detailed MSI log
      • In addition to the bootstrapper log you already have, review the MSI log for Microsoft.SCIM.Provisioning.Setup.msi for entries about:
        • Failure to grant Log on as a service
        • Failure to start AADConnectProvisioningAgent
      • These messages typically confirm that policy or service‑startup issues are the root cause.

    After ensuring prerequisites are met, removing any stale installation, and confirming NT SERVICE\\ALL SERVICES has Log on as a service rights (or assigning a domain admin account to the service), rerun the provisioning agent installer; in the documented cases, the wizard then completes successfully.

    References:

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.