In this blog we will continue the Autopilot Hybrid Join Troubleshooting Series.
Offline domain join is a critical step in the Autopilot hybrid join process. It involves several technologies and components alongside Intune: the Intune Connector for Active Directory, Active Directory itself and Entra AD Connect.
It is important to understand how the Offline domain join process works during the Autopilot hybrid join scenario in order to troubleshoot and solve issues related to it.
In this blog, we will explore various troubleshooting techniques specific to Offline Domain Join during the Autopilot hybrid join scenario.
Autopilot Hybrid Join Offline Domain Join – The Flow
The Offline domain join process starts once the user enters their credentials on the Entra AD sign-in screen (“company branding”). The device then completes enrollment to Intune and starts the Offline domain join.
After logging in on the Entra AD sign-in screen and up until the device reboots, end users will see the following screen.
End users should only be presented with the above screen, which will be followed by a device reboot to finalize the domain join process and proceed to the Enrollment Status Page.
While end users are presented with the message “Please wait while we set up your device”, the device and service quietly perform their tasks behind the scenes.
- The device enrolls in MDM.
- The device begins waiting for the ODJ (Offline Domain Join) blob.
- Intune starts pushing profiles/policies to the device. Offline Domain Join is one of the profiles targeted to the device.
- The device receives the Offline Domain Join configuration profile and requests an ODJ blob from the Intune service.
- The Intune service prepares the ODJ blob request.
- The Intune Connector for Active Directory downloads the ODJ blob request.
- The Intune Connector for Active Directory requests and receives an ODJ blob from a Domain Controller.
- The Intune Connector for Active Directory uploads the ODJ blob to Intune.
- The Intune service delivers the ODJ blob to the client machine.
- If “Skip DC connectivity check” in the Autopilot profile is set to “No”, the device pings the domain controller and must receive a response to continue the process.
- The device reboots to complete the Active Directory domain join.
Autopilot Hybrid Join Offline Domain Join – What Logs Are Required
To cover all steps, we need to collect both client-side and server-side (“connector”) logs.
Client-Side
Since the device completes enrollment, it is easiest to collect the logs directly from the Intune portal. See the following doc on collecting diagnostics logs:
https://learn.microsoft.com/en-us/mem/intune/remote-actions/collect-diagnostics#collect-diagnostics
Server-side
Intune Connector for Active Directory logs
The ODJ Connector Service event logs are located under
Event Viewer > Application and Services Logs > Microsoft > Intune > ODJConnectorService.
Select Microsoft-Intune-ODJConnectorService/Admin And Microsoft-Intune-ODJConnectorService/Operational.
NetSetup log
The NetSetup log file is located on the connector server at the following path:
C:\Windows\debug\NetSetup.log
Autopilot Hybrid Join Offline Domain Join – Troubleshooting
For device enrollment troubleshooting, you can find all the details in “Autopilot Hybrid Join Troubleshooting Series – Device Enrollment”.
So we will start the troubleshooting after confirming that the device has completed enrollment.
The device begins waiting for the ODJ (Offline Domain Join) blob
After the device completes enrollment successfully, it should automatically request and wait for an ODJ blob.
In the event viewer log “DeviceManagement-Enterprise-Diagnostics-Provider/Admin”, Event 111 is logged just after enrollment completes successfully (Event 72).
From this moment the device has 25 minutes to receive the blob.
Note: How to confirm whether DC connectivity is required or not?
From the same event “111”:
False: Skip DC connectivity check set to “Yes”, no DC ping needed
True: Skip DC connectivity check set to “No”, DC ping needed
You can also check whether the DC connectivity check is needed from the Autopilot profile settings, which can be confirmed from the JSON file “AutopilotDDSZTDFile.json” inside the client-side log:
“HybridJoinSkipDCConnectivityCheck”:0 = Skip AD connectivity check disabled
Device receives the Offline Domain Join configuration profile and Intune prepares the ODJ blob request
For steps 3, 4 and 5, a Domain Join configuration profile needs to be assigned to the device for the Intune service to prepare the ODJ blob.
Check the following Microsoft doc for guidance on creating and assigning the domain join profile:
Enrollment for Microsoft Entra hybrid joined devices – Windows Autopilot | Microsoft Learn
Intune Connector for Active Directory downloads the ODJ blob request
The ODJ connector operates using a pull mechanism. It polls the Intune service every 5 seconds to check for any active blob requests. If it detects a request, it downloads it for processing. Consequently, when you have multiple active connector instances, you have no control over which connector will handle the request first. As a result, it is essential for all your active connectors to possess identical permissions on all the specified OUs in your Domain Join configuration profiles.
To verify this step, review the log of the server-side Intune Connector for Active Directory.
Go to Event Viewer > Application and Services Logs > Microsoft > Intune > ODJConnectorService, select Microsoft-Intune-ODJConnectorService/Admin, look for event 30120 and search for the Intune Device ID.
Intune Connector for Active Directory requests and receives an ODJ blob from a Domain Controller
For every ODJ blob request it downloads, the connector sends a request to the Domain Controller, trying to create a computer object on the corresponding DC and obtain an ODJ blob.
You can check C:\Windows\debug\NetSetup.log on the connector server to see the requests:
Search for NetProvisionComputerAccount together with the timestamp you got from event 30120.
If the ODJ blob request is successful, it will exit with NetProvisionComputerAccount: status: 0x0:
A successful request corresponds to event 30130 in Event Viewer “Microsoft-Intune-ODJConnectorService/Operational”.
Note: A complete device name should appear in this event.
If the blob request fails, you will find event 30132 instead of 30130.
For more details, check the NetSetup.log file on the connector server.
Intune Connector for Active Directory uploads the ODJ blob to Intune
Check for event 30140 in Event Viewer “Microsoft-Intune-ODJConnectorService/Operational.”
Note: If the device name is empty, the connector did not upload any blob to the service.
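The following PowerShell script is an added example (not from the original post or the connector product) that traces a single device through the connector-side events described above (30120, 30130/30132, 30140) and then lists the NetProvisionComputerAccount results in NetSetup.log. It assumes the Intune Device ID appears in the event message text and that the script runs on the connector server.

```powershell
# Added example, not part of the original post or the connector product.
# Run on the Intune Connector for Active Directory server. Assumes the event IDs and
# log names given above; the Intune Device ID must appear in the event message text.
param(
    [Parameter(Mandatory)] [string]$IntuneDeviceId,
    [string]$NetSetupLog = 'C:\Windows\debug\NetSetup.log'
)

# 30120 (Admin)               = blob request downloaded from Intune
# 30130 / 30132 (Operational) = ODJ blob created on the DC / DC request failed
# 30140 (Operational)         = blob uploaded back to Intune
$Admin = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Intune-ODJConnectorService/Admin'; Id = 30120 } -ErrorAction SilentlyContinue
$Oper  = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Intune-ODJConnectorService/Operational'; Id = 30130, 30132, 30140 } -ErrorAction SilentlyContinue

$Trail = @($Admin) + @($Oper) |
    Where-Object { $_ -and $_.Message -match [regex]::Escape($IntuneDeviceId) } |
    Sort-Object TimeCreated

if (-not $Trail) {
    # Pull model with 5 s polling: another connector instance may have taken this request
    Write-Warning "No ODJ connector events mention $IntuneDeviceId on this server; check the other connector instances."
    return
}

$Trail | Select-Object TimeCreated, Id,
    @{ n = 'Step'; e = { switch ($_.Id) {
        30120 { 'Request downloaded' } 30130 { 'Blob created on DC' }
        30132 { 'DC request FAILED' }  30140 { 'Blob uploaded to Intune' } } } },
    @{ n = 'FirstLine'; e = { ($_.Message -split "`r?`n")[0] } } |   # device name should be here
    Format-Table -AutoSize

# On 30132 the detail is in NetSetup.log: each NetProvisionComputerAccount call logs a status.
# 0x0 is success; anything else is the error to look up.
if (Test-Path $NetSetupLog) {
    Select-String -Path $NetSetupLog -Pattern 'NetProvisionComputerAccount' |
        Select-Object -Last 20 | ForEach-Object {
            if ($_.Line -match 'status:\s*0x([0-9A-Fa-f]+)' -and [Convert]::ToInt64($Matches[1], 16) -ne 0) {
                Write-Warning $_.Line      # non-zero status: the DC request failed
            } else { $_.Line }
        }
}
```

Run it once per connector instance when several are active, since only the connector that pulled the request will have the 30120 event.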
Intune service delivers the ODJ blob to the client machine
On the client machine, in the “DeviceManagement-Enterprise-Diagnostics-Provider/Admin” event viewer log, event “107” is logged when the device receives and applies the blob.
Blob information will be updated on the following registry on the client side
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\JoinDomain
If a failure occurs during any of the steps mentioned above, or 25 minutes pass without the blob being received, you may get an error like this one:
Something went wrong. Confirm you are using the correct sign-in information and that your organization uses this feature. You can try to do this again or contact your system administrator with the error code xxxxxx
You may see different error codes, such as “80070774” or “80004005”.
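As an added example (not from the original post), the PowerShell script below pulls the client-side events 72, 111 and 107, works out whether the blob arrived inside the 25-minute window, reads the DC-connectivity flag from event 111 and checks the Netlogon\JoinDomain key; it optionally cross-checks HybridJoinSkipDCConnectivityCheck in AutopilotDDSZTDFile.json. It assumes the full channel name of the diagnostics log is Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin.

```powershell
# Added example, not part of the original post. Run on the client to check the ODJ wait window
# and the DC-connectivity requirement described above. Assumes the full channel name of the
# DeviceManagement diagnostics log and the event IDs given in the post.
param([string]$ZtdJson)   # optional: path to AutopilotDDSZTDFile.json from the collected diagnostics

$Log    = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$Events = Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = 72, 107, 111 } -ErrorAction SilentlyContinue |
          Sort-Object TimeCreated

$Enroll = $Events | Where-Object Id -eq 72  | Select-Object -First 1   # enrollment completed
$Wait   = $Events | Where-Object Id -eq 111 | Select-Object -First 1   # started waiting for the ODJ blob
$Blob   = $Events | Where-Object Id -eq 107 | Select-Object -First 1   # blob received and applied

if (-not $Wait) { Write-Warning 'Event 111 not found: the device never started waiting for the ODJ blob.'; return }

# Event 111 text ends with "Domain controller connectivity required: (true|false)"
$DcPing   = if ($Wait.Message -match 'connectivity required:\s*\((true|false)\)') { $Matches[1] -eq 'true' } else { $null }
$Deadline = $Wait.TimeCreated.AddMinutes(25)   # the 25-minute blob window starts at event 111

[pscustomobject]@{
    EnrollmentCompleted  = if ($Enroll) { $Enroll.TimeCreated } else { $null }
    WaitStarted          = $Wait.TimeCreated
    BlobDeadline         = $Deadline
    BlobReceived         = if ($Blob) { $Blob.TimeCreated } else { 'not received' }
    ReceivedWithinWindow = [bool]($Blob -and $Blob.TimeCreated -le $Deadline)
    DcPingRequired       = $DcPing
    # Netlogon\JoinDomain is populated when the blob is applied (event 107)
    JoinDomainKeyPresent = Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\JoinDomain'
}

# Cross-check against the Autopilot profile captured in the diagnostics:
# HybridJoinSkipDCConnectivityCheck = 0 means the skip is disabled, i.e. a DC ping IS required.
if ($ZtdJson -and (Test-Path $ZtdJson)) {
    $ZtdProfile = Get-Content -Path $ZtdJson -Raw | ConvertFrom-Json
    $Skip       = $ZtdProfile.HybridJoinSkipDCConnectivityCheck
    "Autopilot profile HybridJoinSkipDCConnectivityCheck = $Skip (DC ping required: $($Skip -eq 0))"
}
```

A result with event 111 present, no event 107 and the deadline already passed points at the connector side (previous sections); 107 present but no JoinDomain key points at the client applying the blob.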
Device pings and receives a response from the Domain Controller.
This step only happens if Event 111 says “Offline Domain Join: Starting wait for offline domain join blob. Domain controller connectivity required: (true)”. This is the case during a hybrid Autopilot User-Driven enrollment when Skip AD connectivity check is disabled in the Autopilot profile.
Device reboots to complete the Active Directory domain join
After receiving the ODJ blob (Event 107), and successfully pinging the DC if required, the device will reboot to consolidate the domain-join.