First off check this awesome blog post before reading mine. To give credit where due that is an exhaustive list of things to try.
Additionally there’s this blog post from Microsoft. Lastly, there’s also my earlier post on some notes about Azure AD.
The blog post you are currently reading is more for me to note down things I encounter because I happen to fix issues and then forget what I did and the next time it happens I spend time reinventing the wheel. If not already obvious 1) I have a poor memory and 2) the sole purpose of this blog is for me to go back and read what I did in the past. 🙃 I also have a short attention span and poor eyes so sometimes I don’t manage to read my own posts as I find them long and rambling… oh well, can’t keep everyone (including myself) happy. 😎
Benchmark Output
Here’s the output of dsregcmd /status just as a benchmark when things are working:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 |
+----------------------------------------------------------------------+ | Device State | +----------------------------------------------------------------------+ AzureAdJoined : YES EnterpriseJoined : NO DomainJoined : YES DomainName : CONTOSO +----------------------------------------------------------------------+ | Device Details | +----------------------------------------------------------------------+ DeviceId : 126cafbf-18e6-47a8-ad06-d5affe132b36 Thumbprint : 6422A23183864B4BF99F9282715F5C9D6C881776 DeviceCertificateValidity : [ 2020-11-16 18:55:24.000 UTC -- 2030-11-16 19:25:24.000 UTC ] KeyContainerId : 5fad6f12-9a31-448d-87f3-0eb6a24033fd KeyProvider : Microsoft Platform Crypto Provider TpmProtected : YES +----------------------------------------------------------------------+ | Tenant Details | +----------------------------------------------------------------------+ TenantName : Contoso TenantId : ad8e1d4f-5295-4df7-b18a-1d85b4195a17 Idp : login.windows.net AuthCodeUrl : https://login.microsoftonline.com/fade1d4f-5295-4df7-b18a-1d85b4195a17/oauth2/authorize AccessTokenUrl : https://login.microsoftonline.com/fade1d4f-5295-4df7-b18a-1d85b4195a17/oauth2/token MdmUrl : MdmTouUrl : MdmComplianceUrl : SettingsUrl : JoinSrvVersion : 1.0 JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/ JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net KeySrvVersion : 1.0 KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/ KeySrvId : urn:ms-drs:enterpriseregistration.windows.net WebAuthNSrvVersion : 1.0 WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/fade1d4f-5295-4df7-b18a-1d85b4195a17/ WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net DeviceManagementSrvVer : 1.0 DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/fade1d4f-5295-4df7-b18a-1d85b4195a17/ DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net +----------------------------------------------------------------------+ | User State | +----------------------------------------------------------------------+ NgcSet : NO WorkplaceJoined : YES WorkAccountCount : 1 WamDefaultSet : YES WamDefaultAuthority : organizations WamDefaultId : https://login.microsoft.com WamDefaultGUID : {B16898C6-A148-4967-9171-64D755DA8520} (AzureAd) +----------------------------------------------------------------------+ | SSO State | +----------------------------------------------------------------------+ AzureAdPrt : YES AzureAdPrtUpdateTime : 2021-02-25 09:14:32.000 UTC AzureAdPrtExpiryTime : 2021-03-11 13:07:08.000 UTC AzureAdPrtAuthority : https://login.microsoftonline.com/fade1d4f-5295-4df7-b18a-1d85b4195a17 EnterprisePrt : NO EnterprisePrtAuthority : +----------------------------------------------------------------------+ | Work Account 1 | +----------------------------------------------------------------------+ WorkplaceDeviceId : fd11fa9e-3324-4266-8bd2-d16bb19c975a WorkplaceThumbprint : 83FB67C7CA7A2B12F6DF62E380E85F24BDF68B5D DeviceCertificateValidity : [ 2020-09-10 13:46:37.000 UTC -- 2030-09-10 14:16:37.000 UTC ] KeyContainerId : fe24021a-cfa6-401c-b9b5-f7a48ad4cbb6 KeyProvider : Microsoft Platform Crypto Provider TpmProtected : YES WorkplaceIdp : login.windows.net WorkplaceTenantId : fade1d4f-5295-4df7-b18a-1d85b4195a17 WorkplaceTenantName : Contoso WorkplaceMdmUrl : WorkplaceSettingsUrl : NgcSet : NO +----------------------------------------------------------------------+ | Diagnostic Data | +----------------------------------------------------------------------+ AadRecoveryEnabled : NO KeySignTest : PASSED +----------------------------------------------------------------------+ | Ngc Prerequisite Check | +----------------------------------------------------------------------+ IsDeviceJoined : YES IsUserAzureAD : YES PolicyEnabled : NO PostLogonEnabled : YES DeviceEligible : NO SessionIsNotRemote : NO CertEnrollment : none PreReqResult : WillNotProvision |
I always ignore the Ngc Pre-req check section as that’s for Windows Hello for Business and I haven’t used that yet.
The first section of Device State is what I usually look at. That tells me if a device is Azure AD joined or not (and if it’s both Azure AD joined and Domain joined then it’s implicitly Azure AD Hybrid joined).
The Tenant details has my Azure AD tenant ID and name. The Device details has the Device ID (which should match with Azure AD – more on this below). The SSO State section tells if I have a Primary Refresh Token (PRT) – required for Seamless SSO (i.e. when using (Hybrid) Azure AD). So far so good.
Broken Output
Here’s an example output when this is broken:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 |
+----------------------------------------------------------------------+ | Device State | +----------------------------------------------------------------------+ AzureAdJoined : NO EnterpriseJoined : NO DomainJoined : YES DomainName : CONTOSO +----------------------------------------------------------------------+ | User State | +----------------------------------------------------------------------+ NgcSet : NO WorkplaceJoined : NO WamDefaultSet : NO AzureAdPrt : NO +----------------------------------------------------------------------+ | Ngc Prerequisite Check | +----------------------------------------------------------------------+ IsUserAzureAD : NO PolicyEnabled : YES DeviceEligible : YES SessionIsNotRemote : NO X509CertRequired : NO PreReqResult : WillNotProvision |
Again, ignore Ngc. (So difficult to ignore it though – when there’s an error and I see the WillNotProvision as that’s at the end of the output my first instinct is “aha! that’s broken”).
Older version (and somewhat broken) Output
The “benchmark” output format I pasted above can change depending on your Windows version. The above output is from Windows 10 2004 but things were slightly different with older version. For instance, the output a colleague sent me for one of his machines (Windows 10 1607 I think) looked like this:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 |
+----------------------------------------------------------------------+ | Device State | +----------------------------------------------------------------------+ AzureAdJoined : NO EnterpriseJoined : NO DeviceId : 0ec68cdb-9e17-426a-b055-ab6655b9927c Thumbprint : 951B90D7D23FA46960091C67E28181B4CB4ECEEB KeyContainerId : fe316364-a4fc-4b31-bf7f-1614efec79b3 KeyProvider : Microsoft Platform Crypto Provider TpmProtected : YES KeySignTest: : MUST Run elevated to test. Idp : login.windows.net TenantId : fade1d4f-5295-4df7-b18a-1d85b4195a17 TenantName : Contoso AuthCodeUrl : https://login.microsoftonline.com/fade1d4f-5295-4df7-b18a-1d85b4195a17/oauth2/authorize AccessTokenUrl : https://login.microsoftonline.com/fade1d4f-5295-4df7-b18a-1d85b4195a17/oauth2/token MdmUrl : MdmTouUrl : MdmComplianceUrl : SettingsUrl : JoinSrvVersion : 1.0 JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/ JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net KeySrvVersion : 1.0 KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/ KeySrvId : urn:ms-drs:enterpriseregistration.windows.net WebAuthNSrvVersion : 1.0 WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/fade1d4f-5295-4df7-b18a-1d85b4195a17/ WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/fade1d4f-5295-4df7-b18a-1d85b4195a17/ DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net DomainJoined : YES DomainName : CONTOSO +----------------------------------------------------------------------+ | User State | +----------------------------------------------------------------------+ NgcSet : NO WorkplaceJoined : YES WorkplaceDeviceId : 0ec68cda-7e17-426a-b055-ab6655b9927c WorkplaceThumbprint : 952B90C7D33FA46960091C67E28181B4CB4ECEEB WorkplaceIdp : login.windows.net WorkplaceTenantId : fade1d4f-5295-4df7-b18a-1d85b4195a17 WorkplaceTenantName : Contoso WorkplaceMdmUrl : WorkplaceSettingsUrl : WamDefaultSet : NO AzureAdPrt : NO AzureAdPrtAuthority : NO EnterprisePrt : NO EnterprisePrtAuthority : NO +----------------------------------------------------------------------+ | Ngc Prerequisite Check | +----------------------------------------------------------------------+ IsUserAzureAD : NO PolicyEnabled : NO DeviceEligible : YES SessionIsNotRemote : NO CertEnrollment : none AadRecoveryNeeded : NO PreReqResult : WillNotProvision |
Notice the Device State, Device Details, and Tenant Details were all together. No mention of SSO here – that’s not a limitation of the older output, it’s a symptom of the error in this case.
The above is an example of something I wanted to record here. In this case my colleague was getting the following error: 
If I looked in Azure AD I could see his machine but it had a Pending status. And in the output above while it looked good at first glance (had more URLs and Tenant info than the broken version) it too said the device wasn’t Azure AD joined… and the SSO section was missing as I noticed above.
Looking more into this I realized that the Device ID in the dsregcmd /status output was different to the Device ID of the same device in Azure AD. Not sure why. So I asked him to do a dsregcmd /leave, reboot the machine and login as usual… and that fixed the issue. I wasn’t sure this would work and whether I will have to remove the device entry from Azure AD, but dsregcmd /leave removed and re-added I think. Nice!
Device ID
So what is the Device ID? This is the GUID of the machine in Azure AD. It is tied to the state of the machine too – so a machine that is Azure AD registered has one Device ID, when the same machine becomes Azure AD hybrid joined for instance the Device ID changes (this is why you’ll see the same machine twice in Azure AD sometimes – the older one will be automatically removed).
The Device ID is stored in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo.
A thing to remember is that when cloning machines that are already (Hybrid) Azure AD joined, tools like sysprep won’t delete the Device ID. This in itself may not be a problem because when the cloned machine rejoins Azure AD it can generate a new Device ID – but this is something to bear in mind. Try and not clone (Hybrid) Azure AD joined machines as sysprep isn’t aware of this.
Hybrid join failing
And this is a good segue into the issue I ran across today. A colleague had cloned a bunch of Hybrid Azure AD joined machines. Users on these machines were having trouble because conditional access was kicking in and stopping them from using Teams etc. as it required a Hybrid Azure AD joined machine. These machines however were not appearing in Azure AD at all, and dsregcmd /status had the broken output I showed at the beginning of this post (the second of my outputs at the top).
To troubleshoot I took a look at Microsoft-Windows-User Device Registration/Admin in the Event Viewer and found the following Event ID 304 error:
|
1 2 3 4 5 6 7 8 9 10 11 12 |
Automatic registration failed at join phase. Exit code: Keyset does not exist. Server error: empty. Debug Output:\r\n joinMode: Join drsInstance: azure registrationType: sync tenantType: managed tenantId: fade1d4f-5295-4df7-b18a-1d85b4195a17 configLocation: undefined errorPhase: join adalCorrelationId: undefined adalLog: undefined adalLog: undefined adalResponseCode: 0x0 . |
So it was failing due to a Keyset does not exist error. This seems to be related to the private keys used by Windows and while there’s a lot of Google hits I finally found the blog post I referenced at the top of this post and there it said this error could be to do with TPM (see that post for fixes) or because of cloning. Since the latter was my issue, the fix was the delete C:\ProgramData\Microsoft\Crypto\Keys and try registration again. I deleted the folder.
Next I wanted to try a manual join. You can’t really do that as the dsregcmd /join command requires to be run under the SYSTEM account when an Azure AD synced account logs in (you could workaround using something like psexec -i -s cmd.exe to launch a command prompt under the SYSTEM account and then do dsregcmd /join). An easier way to handle this though is to use the Scheduled Task created by Windows that automatically attempts a Hybrid Join (under the SYSTEM account) when an Azure AD synced user logs in. To do this open Task Scheduler and go to Microsoft\Windows\Workplace Join, select the Automatic-Device-Join task and run it. Additionally kick a delta sync for Azure AD too (Start-ADSyncSyncCycle -PolicyType delta) and now if you login as an Azure AD joined user it will be Hybrid joined.
When a machine registers with Azure AD it has certificates added to its certificate store and also to the userCertificate attribute in AD. When you then do an Azure AD sync it looks to this attribute before syncing those objects to Azure AD and only syncs the ones that have a userCertificate. Hence what I did above of doing a join and then the delta sync.