Autopilot hybrid domain join failure (80070002)

I just wanted to share a recent experience I had troubleshooting an issue with a customer. I had been working on a Windows Autopilot project where we had the machines perform a hybrid domain join through Intune/Endpoint Manager, but it stopped working.

This join feature allows machines going through the autopilot process to create a machine account in the local Active Directory. This process requires software to be installed within the domain to receive and process the requests from Intune/Endpoint Manager and has to be granted specific permissions.

It had been working successfully for several days, but then machines started failing, displaying error 80070002 on the enrolment status page when going through the Out-of-Box Experience of setting up a new machine.

Having a look at the event log on the server running the connector we could see some errors. To make it easier we filtered out the 30121 and 30150 standard operational messages.

[Figure: Event Viewer showing the connector service log, with error 30132 selected]

After a bit of head scratching we thought to double check the permissions required on the target OU. There should be permissions listed for the machine account of the server running the connector software, only they were missing!

[Figure: Security settings of the OU storing the created machine accounts]

It turns out someone had been through that part of AD and “tidied” up permissions that they thought weren’t needed. We added the required permissions for the machine account running the connector software, but it still didn’t work.

As we didn’t know what other permissions had been changed we created a new OU in its place, applied the permissions to that instead and changed the configuration profile. Afterwards the machines began joining the domain once more.
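One way to check both things described above from PowerShell on the connector server, as an added example that is not part of the original post; the log name, server name and OU distinguished name are assumed values for illustration:

```powershell
# Added example (not from the original post). Run on the server hosting the connector.
Import-Module ActiveDirectory   # provides the AD: drive that Get-Acl uses below

$ConnectorLog    = 'ODJ Connector Service'                      # assumed: the connector's log name in Event Viewer
$ConnectorServer = 'CONNECTOR01'                                # assumed: hostname of the connector server
$TargetOu        = 'OU=Autopilot Devices,DC=corp,DC=example'    # assumed: target OU from the configuration profile

# 1) Recent connector events, hiding the routine 30121/30150 operational messages
#    so that errors such as 30132 stand out.
function Get-ConnectorErrors {
    param([string]$LogName = $ConnectorLog, [int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -notin 30121, 30150 } |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# 2) ACEs on the target OU that are granted to the connector server's machine account
#    (identity appears as DOMAIN\CONNECTOR01$).
function Get-ConnectorOuAces {
    param([string]$OuDn = $TargetOu, [string]$ServerName = $ConnectorServer)
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.Access | Where-Object { $_.IdentityReference.Value -like "*\$ServerName`$" }
}

# schemaIDGUID of the AD "computer" object class; an ACE with an empty ObjectType applies to all classes.
$computerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$aces = Get-ConnectorOuAces
$canCreate = $aces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -and
    ($_.ObjectType -eq $computerClassGuid -or $_.ObjectType -eq [guid]::Empty)
}

if (-not $canCreate) {
    Write-Warning "No Allow ACE lets $ConnectorServer`$ create computer objects in $TargetOu (the missing-permission case from the post)."
} else {
    $canCreate | Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType -AutoSize
}
Get-ConnectorErrors | Format-Table -AutoSize
```

If the ACE is present but InheritanceType is not a descendant-inheriting value, the connector still cannot manage objects created beneath the OU, so check that column as well as the presence of the entry.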

Hopefully this helps.
