[MSDN Redirect] Azure Hybrid Join

Samara Soucy - MSFT 5,051 Reputation points
2020-02-25T18:01:26.16+00:00

Hybrid join configured and devices sync to Azure but showing pending.

Seeing error in event log, anyone see this before?

The get join response operation callback failed with exit code: Unknown HResult Error code: 0x801c03f2.
Activity Id: 9efcbaec-15da-4f36-a9d5-13d36bdc8543
The server returned HTTP status: 400
Server response was: {"ErrorType":"DirectoryError","Message":"The public key user certificate is not found on the device object with id: (1c069c7b-d5f2-48f2-9bea-e60c15c39c92).","TraceId":"9efcbaec-15da-4f36-a9d5-13d36bdc8543","Time":"02-25-2020 12:41:11Z"}

Automatic registration failed at join phase.
Exit code: Unknown HResult Error code: 0x801c03f2
Server error: The public key user certificate is not found on the device object with id: (1c069c7b-d5f2-48f2-9bea-e60c15c39c92).
Tenant type: Federated
Registration type: fallback_sync
Debug Output:
joinMode: Join
drsInstance: azure
registrationType: fallback_sync
tenantType: Federated
tenantId: b5da5f35-6442-4f5a-9622-92ec6a535127
configLocation: undefined
errorPhase: join
adalCorrelationId: undefined
adalLog:
undefined
adalResponseCode: 0x0

Source: https://social.msdn.microsoft.com/Forums/en-US/59d020db-f7ce-4afe-8b5f-54ed939a09a4/azure-hybrid-join?forum=azureappconfiguration


1 answer

  1. KAREDD-MSFT 406 Reputation points Microsoft Employee
    2020-02-25T19:15:15.447+00:00

    It looks like the federated Hybrid join flow is failing "azure registrationType: fallback_sync".

    So, if you have Windows 10 clients which are 1803 and above, then when the federated flow fails, the client will automatically try the managed method. In this method, the computer object needs to be in sync scope.

    Based on the error, it looks like the user certificate object populated on the computer object in AD is not yet synced to the cloud.

    If you want the federated method to work, I would start with the ADFS claim rules and also check whether you are getting this error across multiple devices.

    For the fallback method to work, let the sync cycles run and then restart your device once. This should trigger another device registration request.

    Update: I checked the device and the certificate is populated now. If you restart or log out/log in again, device registration should complete now.
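A way to check the condition the answer describes, before waiting on sync cycles: confirm that the AD computer object actually carries the hybrid-join certificate in its userCertificate attribute, and that the certificate's subject matches the device ID the server complained about. This is an added example and not code from the thread or from Microsoft; it assumes the ActiveDirectory RSAT module, read access to the computer object, and that the hybrid-join self-signed certificate uses the subject CN=<device id> (the default device ID below is the one quoted in the error in the question).

```powershell
# Added example (not from the original thread): verify that the hybrid-join
# userCertificate is present on the AD computer object and matches the device ID
# reported in the registration error, so you know whether the problem is local
# registration (nothing to sync yet) or Azure AD Connect scope/timing.
# Assumes the ActiveDirectory RSAT module and read rights on the computer object.
param(
    [Parameter(Mandatory)] [string]$ComputerName,
    # Device ID taken from the error text in the question above
    [string]$ExpectedDeviceId = '1c069c7b-d5f2-48f2-9bea-e60c15c39c92'
)

Import-Module ActiveDirectory

$computer = Get-ADComputer -Identity $ComputerName `
    -Properties userCertificate, whenChanged, DistinguishedName

if (-not $computer.userCertificate -or $computer.userCertificate.Count -eq 0) {
    Write-Warning ("No userCertificate on {0}. The client has not completed the local " +
        "registration step, so there is nothing for Azure AD Connect to sync yet." -f
        $computer.DistinguishedName)
    return
}

# userCertificate is multi-valued; decode each DER blob and look for the
# self-signed hybrid-join certificate whose subject is CN=<device id>.
$match = $false
foreach ($der in $computer.userCertificate) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
    $cn = ($cert.Subject -replace '^CN=', '').Trim()
    Write-Host ("Subject={0} Thumbprint={1} NotAfter={2:u}" -f
        $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
    if ($cn -ieq $ExpectedDeviceId) { $match = $true }
}

if ($match) {
    Write-Host ("Certificate for device {0} is present in AD (object last changed {1})." -f
        $ExpectedDeviceId, $computer.whenChanged)
    Write-Host ("If Azure AD still reports it missing, the object is outside the Azure AD " +
        "Connect sync scope or no sync cycle has run since that timestamp.")
} else {
    Write-Warning ("userCertificate exists but none has subject CN={0}; the device may have " +
        "re-registered with a new ID. Compare with 'dsregcmd /status' on the client." -f
        $ExpectedDeviceId)
}
```

On the client, `dsregcmd /status` shows the current DeviceId to compare against the subject printed above. If the certificate is present and the object is in sync scope, `Start-ADSyncSyncCycle -PolicyType Delta` on the Azure AD Connect server runs the delta cycle the answer is waiting on; a restart of the device afterwards triggers the new registration attempt.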