Microsoft has released a new feature in Intune called “Intune Connector for Active Directory” which currently is a preview release feature. This feature is used to join devices to the on-premise Active Directory domain (using ODJ – Offline Domain Join) and the Azure AD tenant within Intune, during Autopilot device enrollment. This creates a Hybrid domain joined scenario for client devices to process local group policy and be managed by Intune. This is particularly useful as many customers have on-premise services such as, group policy, mapped network drives and printers that must authenticate from the local AD domain controllers. While testing this feature in my lab and working with a customer, I have seen “Server Error Code 80180005” or “Error code 80070774” on client devices. It turns out in my experience, this error was occurring because the computer name prefix was incorrectly configured.
Others in the IT community and Microsoft TechNet forums linked here have noticed this or similar errors with different results on the client devices. In this blog post, I will outline my experience with this issue, and what Intune settings are needed to resolve this issue. I’ll also show examples of the correct computer name prefix for Intune Hybrid domain join, and what you can and cannot currently use. This feature is still in “Preview” so Microsoft may make improvements later after feedback from the IT community.
Table of Contents
Feature: Intune Connector for Active Directory (Preview) – Console View
Environment Setup & Configuration Requirements
Here is the setup for both the lab I used and the customer’s environment for the testing performed that produced the same errors during Autopilot Hybrid domain join (aka ODJ – Offline Domain Join).
Lab Environment
- For Hybrid Domain Join, a “Domain Join (Preview)” device configuration profile created in Intune that includes computer name, Domain, and OU.
- Windows Server 2016 (hosting the Intune Connector for AD)
- Domain / Forest Functional Level = Server 2016
- Windows 10 1809 x64 ISO media pre-patched using OSDeploy.com OSBuilder
- Client VM devices connected to BOTH the local LAN and the internet. If the device is not able to connect to the local LAN, your local domain login will fail.
Customer Environment
- For Hybrid Domain Join, a “Domain Join (Preview)” device configuration profile created in Intune that includes computer name, Domain, and OU.
- Windows Server 2016 (hosting the Intune Connector for AD)
- Domain / Forest Functional Level = Server 2008 R2
- Windows 10 1809 x64 ISO media pre-patched using OSDeploy.com OSBuilder
- Client laptops/desktops connected to BOTH the local LAN and the internet. if the device is not able to connect to the local LAN, your local domain login will fail.
Issue Description
One of the Autopilot deployment profile options for this feature is Computername prefix. When you mouse over the information icon it says “Computers are assigned 15 characters long name. Specify a prefix, rest of 15 characters will be random.” Typically in Intune, you can use %SERIAL% to ensure the computer name uses the serial number as a prefix or %RAND%. However, this causes a problem for Hybrid Domain Join currently. For the Hybrid Domain Join preview feature you currently cannot use any variables, but only a simple Prefix such as W10-, XYZ- or ABC-with or without a dash. If you attempt to use a variable, you will get “Server Error Code 80180005” or “Error code 80070774” as mentioned before on the client devices during the Autopilot enrollment phase. Let’s see the details of the of the mis-configuration.
Incorrectly Set Computer Name Prefix
Although the green checkmark appears when you enter a variable as a prefix, the net result is an error and failure on the Autopilot client device. This makes sense since a computer cannot use the % character as part of the computer name.
In addition, in Event Viewer of the Intune Connector server, you will see other failure errors and the Computername prefix as a variable, and not the actual devices serial number as expected. Navigate to “Applications and Services Log” > “ODJ Connector Services” (Offline Domain Join) to see the events registered by the client device and one of the error messages as mentioned before on the client device during OOBE.
Unfortunately, in Event Viewer on the Intune Connector server, we don’t get see a descriptive reason WHY the failure occurs. As a result, after logging into the client device during Autopilot enrollment, we get the error below as mentioned after some time passes. The client device will show an error that says “Something went wrong. There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code 80180005”.
Solution (How To Fix it)
To resolve this issue, the computer name prefix needs to simply be a prefix. For example, ABC- or ABC or WIN10- to name a few. Microsoft allows variable prefixes for the standard “Azure AD joined” Autopilot deployment profile type but not currently for the “Domain Join (Preview)” device configuration profile type. Change the settings as shown here for the “Device Configuration profile” you previously created. Even though the screen shows a green check box if you enter a variable, it will fail.
Correctly Set Computer Name Prefix Steps
Login to Azure and navigate to your Hybrid Domain Join device configuration profile in Intune, and remove the %SERIAL% variable (or any other variable) and use a simple prefix as shown below.
Microsoft Intune > Device configuration – Profiles > NAME OF YOUR AZURE HYBRID JOIN PROFILE – Properties > Domain Join (Preview)
NOTE: Make sure you Active Directory domain name (Full FQDN that users login to) and Organizational Unit (Full path)are correct and properly formatted or you will get different errors.
When you re-run the Autopilot process on the device and log in, you will see the Event Viewer ODJ Connector Service log (Offline Domain Join) shows the domain join blob was successful. The Autopilot device enrollment will continue the process as normal and the devices’s Active Directory computer object will be listed in the OU used by the Intune Connector hosted by your on-premise 2016 server.
After all of this, you still may see this error below because there currently is an issue with the USER enrollment status page (ESP). If you get this error on the “Account Setup” page as shown below, review the Microsoft blog post from Michael Niehaus about how to disable the USER enrollment status page using a custom OMA-URI. That’s not ideal but the best workaround currently until the issue is resolved by Microsoft.
Disable SkipUserStatusPage enrollment page using the steps outlined here. I’ve tested this and it works pretty well but again, not ideal for production.
This concludes this blog post about the Intune Hybrid Domain Join Error 80180005.
I hope you found this helpful. Let me know if you have questions by commenting below (no login required).
References
“Trying out Windows Autopilot User-Driven Hybrid Azure AD Join” blog post by Michael Niehaus: Linked here.
“Intune – Hybrid Domain Join Error” Microsoft TechNet forum discussion: Linked here.
/ / Filed Under: Azure, Azure AD, Azure Preview, Cloud, Domain Join, Intune /
This is very useful information. Thank you for taking the time to write it up. The biggest issue with this is that the customers computer naming standards are going to go out the window. Most of them tend to use a variety of prefixes with everything including office codes or countries, typically along with the asset tag. Even if the wildcards were allowed that’s likely to be an issue. We could get around some of it with a bunch of different profiles and groups to assign them to, but that likely isn’t manageable. In SCCM we accomplish this through injecting… Read more »
Yea. The Intune process as is doesn’t seem to have an option like that. I think Microsoft might add the ability to use variables for serial number at least since that exist for standard Azure AD join but not for Hybrid which is just weird.
Hi Nathan, I see you are using a nonroutable domain name .local, are you using ADFS as well? I thought hybrid autopilot did not work for .local domains. Please let me know.
Correct. Not publicly routable but does work with Autopilot. I’ve also seen this same issue with a recent customer who was for sure using a routable domain. That .local is one of my labs and I’m not using ADFS.
Soooo, we are gettting the 80180005 error, with the refence to the mdmerros page, but we are not using variables in the PC name, and there are no errors visible in the ODJ log
the PC Name is configed as SGPC000000
I can see the ad connect updated itself back on the 8 april.
but that is all i can.
what the h…
What is the domain join look like for the Intune profile? You have a screenshot? Also, are you seeing the computer object in the AD OU or is it empty? If you’re not seeing an computer object in the OU path, it could be a firewall/ proxy issue.
Its been working up until, approx 14 days ago, I was on vacation, so I dont know the exact time. Yes i have screen shots, but I cant upload them here ? Its like the OOBE doesnt kick in, cause i get a windows end users licenes agreement prompt too. the OOBE settings are EULA = HIDE Privacy and change account type = HIDE User Account type = Standard While the Actualy AD Config is Computer Name Prefix = DKPC000000 domain name = xxx.xxxxxxx.com ORG unit OU=YYYYY,OU=YYYYYY,DC=xxx,DC=xxxxxxx,DC=com So it all looks right, and as i said it has been working.… Read more »
So computer prefix is “DKPC-“? Minus the quotes. Should not be longer than a few characters. That 801xxxx error can mean multiple things (issues) I believe too.
This Hybrid domain is still preview so I’m expecting issues unfortunately. I’d stick to the legacy profile until this gets worked out or try to open a case with Microsoft to help debug what’s going on.
Hi Nathan Just wanted to touch base with you regarding my Auto Pilot experiences and Hybrid domain join So we have setup a lab to start this process off and test and from a Auto Pilot point of view it all works a treat and I am 90% complete in my full build. That is until I introduced Hybrid domain join and everything breaks. So we have a DC and Server in Azure. The server is 2016 with the Hybrid connector working and linked to Intune showing a green tick. When I start off a build I get the Device… Read more »
And you’re sure the pc is on both the local lan Ethernet and internet connection is allowed? This Hybrid ad is still in preview so I’m expecting bugs still.
~Yeah tbh taken same view as that that its in preview. It was more to see if I had missed anything. The VM sits on my laptop on my LAN at work but with DC in azure I think I know the problem is DNS. Going to spin up a Windows 10 on same subnet in Azure and retest. Will let you know how I go.
Thanks for the reply