Hybrid Azure AD Join Failure - Error Missing Device

Martin Godfrey 21 Reputation points
2021-02-25T08:11:11.49+00:00

We have successfully set up Hybrid Azure AD join from our on-premises AD to our Azure AD tenant via the Intune Connector. On the surface all works fine. On one machine I changed OU so that we could enroll the device into Intune. However the device, which was already in Azure AD as Hybrid Azure AD join type, got DELETED.

Now the device cannot log into Microsoft services and can no longer either enroll into Intune or show in the devices list in Azure AD. Everything looks right - AD connect working, Intune Connector working, etc. It is only affecting this device. I have already done a dsregcmd /debug /leave - this made no difference. I have taken the device off the domain (twice) and renamed the device - still the same issue. If anyone can assist or shed any light what is going on here, it would be much appreciated. Here's the dsregcmd /status:

Microsoft Windows [Version 10.0.19042.804]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>dsregcmd /status

+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+

         AzureAdJoined : NO
      EnterpriseJoined : NO
          DomainJoined : YES
            DomainName : MXXXXXXXXXXXXXP
           Device Name : MACF-SP4-0010.mxxxxxxxxxxxxxp.net

+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+

                NgcSet : NO
       WorkplaceJoined : NO
         WamDefaultSet : ERROR

+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+

            AzureAdPrt : NO
   AzureAdPrtAuthority : NO
         EnterprisePrt : NO
EnterprisePrtAuthority : NO

+----------------------------------------------------------------------+
| Diagnostic Data |
+----------------------------------------------------------------------+

 Diagnostics Reference : www.microsoft.com/aadjerrors
          User Context : SYSTEM
           Client Time : 2021-02-25 08:00:11.000 UTC
  AD Connectivity Test : PASS
 AD Configuration Test : PASS
    DRS Discovery Test : PASS
 DRS Connectivity Test : PASS
Token acquisition Test : SKIPPED
 Fallback to Sync-Join : ENABLED

 Previous Registration : 2021-02-25 07:59:11.000 UTC
     Registration Type : sync
           Error Phase : join
      Client ErrorCode : 0x801c03f3
      Server ErrorCode : invalid_request
   Server ErrorSubCode : error_missing_device
      Server Operation : DeviceRenew
        Server Message : The device object by the given id (dcf25f7e-32a2-4353-9c94-55e73da71456) is not found.
          Https Status : 400
            Request Id : e3845944-6aad-4a2f-ba45-d92d319699d2

+----------------------------------------------------------------------+
| IE Proxy Config for System Account |
+----------------------------------------------------------------------+

  Auto Detect Settings : YES
Auto-Configuration URL :
     Proxy Server List :
     Proxy Bypass List :

+----------------------------------------------------------------------+
| URL Specific Proxy Config |
+----------------------------------------------------------------------+

Auto Detect PAC Status : Failed to auto detect the Proxy Auto-Configuration (PAC) script using WPAD. code: 0x80072f94

Executing Account Name : MxxxxxxxxxxxxxP\MACF-SP4-0010$, MACF-SP4-0010$@mxxxxxxxxxxxxxp.net

+----------------------------------------------------------------------+
| IE Proxy Config for Current User |
+----------------------------------------------------------------------+

  Auto Detect Settings : YES
Auto-Configuration URL :
     Proxy Server List :
     Proxy Bypass List :

+----------------------------------------------------------------------+
| WinHttp Default Proxy Config |
+----------------------------------------------------------------------+

           Access Type : DIRECT

+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+

        IsDeviceJoined : NO
         IsUserAzureAD : NO
         PolicyEnabled : NO
      PostLogonEnabled : YES
        DeviceEligible : YES
    SessionIsNotRemote : YES
        CertEnrollment : none
          PreReqResult : WillNotProvision

For more information, please visit https://www.microsoft.com/aadjerrors
C:\WINDOWS\system32>

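As a first triage step on a status dump like the one above, the following PowerShell script (an added example, not from the original post and not a Microsoft tool) parses dsregcmd /status output into a hashtable and flags the fields that decide the case: the join state, the phase and server sub-code recorded for the last failed registration, the device ID named in the server message, and whether the output was collected as SYSTEM, in which case the User State and SSO State (PRT) fields describe the SYSTEM account rather than the signed-in user. The embedded sample is a constructed, trimmed copy of the output in the post; the script name, the -Sample switch and the finding texts are the example's own.

```powershell
# Added example (not from the original post): triage a dsregcmd /status dump.
#   Live:    .\Test-DsregStatus.ps1
#   Offline: .\Test-DsregStatus.ps1 -StatusText (Get-Content .\status.txt -Raw)
#   Sample:  .\Test-DsregStatus.ps1 -Sample      (trimmed copy of the output in the post)
param(
    [string]$StatusText,
    [switch]$Sample
)

# Constructed sample: the lines from the post's output that the checks below look at.
$SampleText = @'
         AzureAdJoined : NO
      EnterpriseJoined : NO
          DomainJoined : YES
            AzureAdPrt : NO
         EnterprisePrt : NO
          User Context : SYSTEM
  AD Connectivity Test : PASS
 DRS Connectivity Test : PASS
 Previous Registration : 2021-02-25 07:59:11.000 UTC
     Registration Type : sync
           Error Phase : join
      Client ErrorCode : 0x801c03f3
      Server ErrorCode : invalid_request
   Server ErrorSubCode : error_missing_device
      Server Operation : DeviceRenew
        Server Message : The device object by the given id (dcf25f7e-32a2-4353-9c94-55e73da71456) is not found.
Auto Detect PAC Status : Failed to auto detect the Proxy Auto-Configuration (PAC) script using WPAD. code: 0x80072f94
           Access Type : DIRECT
'@

if ($Sample)              { $StatusText = $SampleText }
elseif (-not $StatusText) { $StatusText = (& dsregcmd.exe /status) -join "`n" }   # dsregcmd ships with Windows 10/11

# Parse "Key : Value" lines into a hashtable. A few keys repeat across sections
# (e.g. "Auto Detect Settings"); the fields checked below are unique, so last one wins.
$fields = @{}
foreach ($line in $StatusText -split "`r?`n") {
    if ($line -match '^\s*([A-Za-z][A-Za-z0-9 \-]*?)\s*:\s*(.*)$') {
        $fields[$Matches[1].Trim()] = $Matches[2].Trim()
    }
}

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Join state: a completed hybrid join shows DomainJoined YES and AzureAdJoined YES.
if ($fields['DomainJoined'] -eq 'YES' -and $fields['AzureAdJoined'] -ne 'YES') {
    $findings.Add('Domain joined but not Azure AD joined: hybrid join has not completed.')
}

# 2. Last registration attempt: dsregcmd keeps the phase and server error of the last failure.
if ($fields.ContainsKey('Error Phase')) {
    $findings.Add(("Registration at {0} (type {1}) failed in phase '{2}': client {3}, server {4}/{5} during {6}." -f
        $fields['Previous Registration'], $fields['Registration Type'], $fields['Error Phase'],
        $fields['Client ErrorCode'], $fields['Server ErrorCode'], $fields['Server ErrorSubCode'],
        $fields['Server Operation']))
    if ($fields['Server ErrorSubCode'] -eq 'error_missing_device') {
        # The device still holds its local registration state and asks the Device Registration
        # Service to renew a device object that no longer exists in Azure AD. With a managed
        # domain and sync-join, the usual cause is that the computer object left the Azure AD
        # Connect sync scope (moved OU) or the device object was deleted in the tenant.
        $id = if ($fields['Server Message'] -match '\(([0-9a-f-]{36})\)') { $Matches[1] } else { 'unknown' }
        $findings.Add("error_missing_device: Azure AD device $id is gone. Put the computer object in a synced OU, run a delta sync, then re-run the Automatic-Device-Join task.")
    }
}

# 3. Context caveat: the User State and SSO State sections describe the account that ran
#    dsregcmd. Collected as SYSTEM (as in the post), AzureAdPrt NO says nothing about the user.
if ($fields['User Context'] -eq 'SYSTEM') {
    $findings.Add('Output collected as SYSTEM; re-run dsregcmd /status as the signed-in user to read AzureAdPrt.')
} elseif ($fields['AzureAdJoined'] -eq 'YES' -and $fields['AzureAdPrt'] -ne 'YES') {
    $findings.Add('Azure AD joined but the user has no Azure AD PRT; SSO to Microsoft 365 apps will fail.')
}

# 4. Proxy: a WPAD failure only matters when the device cannot reach DRS directly.
if ($fields['Auto Detect PAC Status'] -like 'Failed*' -and
    ($fields['Access Type'] -ne 'DIRECT' -or $fields['DRS Connectivity Test'] -ne 'PASS')) {
    $findings.Add('WPAD failed and the device is not reaching DRS directly; set the WinHTTP proxy explicitly (netsh winhttp set proxy).')
}

if ($findings.Count -eq 0) { 'No problems found in dsregcmd output.' }
else { $findings | ForEach-Object { "- $_" } }
```

Run against the sample, the script reports the incomplete join, the failed DeviceRenew with the missing device ID, and the SYSTEM-context caveat, and stays quiet about the WPAD error because WinHTTP is DIRECT and the DRS connectivity test passed. The same four checks apply to live output on any domain-joined Windows 10/11 device.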

Accepted answer
  1. Siva-kumar-selvaraj 15,721 Reputation points
    2021-02-25T12:56:19.447+00:00

    Hello @Martin Godfrey ,

    Thanks for reaching out.

Could you please confirm how you configured hybrid device registration for your environment: with a federated domain or a managed domain? Also, could you confirm the operating system of the device that is having the issue?

In the case of a managed environment, could you verify that Azure AD Connect has synced the computer objects of the devices you want to be hybrid Azure AD joined to Azure AD? If the computer objects belong to specific organizational units (OUs), configure the OUs to sync in Azure AD Connect. To learn more about how to sync computer objects by using Azure AD Connect, see Organizational unit–based filtering, as I see the following error in the above logs, which indicates that the device object is not found.

       Server ErrorSubCode : error_missing_device
          Server Operation : DeviceRenew
            Server Message : The device object by the given id (dcf25f7e-32a2-4353-9c94-55e73da71456) is not found.
              Https Status : 400
                Request Id : e3845944-6aad-4a2f-ba45-d92d319699d2


Before you make the above changes, please verify whether working devices are synchronized and belong to OUs that are part of the sync scope in Azure AD Connect, because this is not mandatory in the case of a federated domain environment setup.

    If you experience issues completing hybrid Azure AD join for domain-joined Windows devices, see: https://learn.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current#step-3-find-the-phase-in-which-join-failed-and-the-errorcode

    ------------------------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
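To act on the answer above in a managed domain, a practitioner wants three facts about the affected computer object: where it sits relative to the Azure AD Connect OU filter, whether it carries the registration certificate in userCertificate that the sync rules require before they export a computer as a device, and whether a device object with the matching ID still exists in Azure AD. The following PowerShell script is an added example, not from the answer and not Microsoft's code. It assumes the ActiveDirectory RSAT module on a domain-joined admin workstation, the Microsoft.Graph module with Device.Read.All consent for the optional tenant lookup, and that you supply your own sync-scope OU list in -InScopeOU (the default DN is a placeholder; the real list can be read from the connector configuration on the Connect server, which this script does not do). It relies on the fact that a hybrid-joined device's Azure AD device ID equals the computer object's objectGUID.

```powershell
# Added example (not from the thread): check whether a computer object is in a state
# from which hybrid Azure AD join via Azure AD Connect sync can complete.
# Assumes the ActiveDirectory module (RSAT) and, for -CheckAzureAD, the Microsoft.Graph
# module with Device.Read.All consent. The default OU is a placeholder; supply your own.
param(
    [Parameter(Mandatory)][string]$ComputerName,
    [string[]]$InScopeOU = @('OU=Workstations,DC=corp,DC=example,DC=com'),   # hypothetical sync scope
    [switch]$CheckAzureAD
)

$computer = Get-ADComputer -Identity $ComputerName -Properties distinguishedName, objectGUID, userCertificate, whenChanged
$dn   = $computer.DistinguishedName
$guid = $computer.ObjectGUID.Guid
"Computer        : $dn (changed $($computer.whenChanged))"
"objectGUID      : $guid  (a hybrid-joined device gets this value as its Azure AD device ID)"

# 1. Sync scope. Azure AD Connect's OU filter is a container inclusion list; an object
#    that moves out of every included OU is treated as deleted and removed from Azure AD,
#    which is how a working device ends up holding a device ID that no longer exists.
$inScope = @($InScopeOU | Where-Object { $dn -like "*,$_" })
if ($inScope.Count) { "Sync scope      : inside $($inScope -join ', ')" }
else                { "Sync scope      : OUTSIDE every supplied OU; Azure AD Connect will not export this object" }

# 2. Device certificate. During registration the device writes a self-signed certificate
#    into userCertificate; Azure AD Connect only exports a computer as a device when one
#    is present, and its subject is expected to be CN=<objectGUID>.
$certs = @(@($computer.userCertificate) | ForEach-Object {
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$_) })
if ($certs.Count -eq 0) {
    "userCertificate : empty; the device has not written its registration certificate yet"
} else {
    foreach ($c in $certs) { "userCertificate : {0} (expires {1:u})" -f $c.Subject, $c.NotAfter }
    if (-not ($certs.Subject -contains "CN=$guid")) { "  warning: no certificate subject matches CN=$guid" }
}

# 3. Azure AD. Look the device up by deviceId (= objectGUID). No result means the
#    renewal the device keeps attempting will keep failing with error_missing_device.
if ($CheckAzureAD) {
    Connect-MgGraph -Scopes 'Device.Read.All' | Out-Null
    $device = Get-MgDevice -Filter "deviceId eq '$guid'"
    if ($device) {
        "Azure AD        : '{0}' trustType={1} enabled={2} lastSignIn={3}" -f
            $device.DisplayName, $device.TrustType, $device.AccountEnabled, $device.ApproximateLastSignInDateTime
    } else {
        "Azure AD        : no device object with deviceId $guid"
    }
}

# 4. Remediation order once the object is in scope: delta sync on the Connect server
#    (ADSync module there), then re-run registration on the device and re-check dsregcmd /status.
"Next            : on the Azure AD Connect server:  Start-ADSyncSyncCycle -PolicyType Delta"
"                  on the device (elevated):         Start-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join'"
```

Usage: `.\Test-HybridJoinObject.ps1 -ComputerName MACF-SP4-0010 -InScopeOU 'OU=Intune,DC=corp,DC=example,DC=com' -CheckAzureAD` (script name and OU are illustrative). The order of the checks matches the dependency chain: an object outside the sync scope is never exported, an exported object without a certificate is not exported as a device, and only a device object that exists can be renewed by the client.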


4 additional answers

  1. Martin Godfrey 21 Reputation points
    2021-02-25T12:32:30.027+00:00

OK, so I put the device in a new OU in our on-premises Active Directory and set up synchronisation with AD Connect so that the OU syncs with Azure AD. The device is now Azure AD joined. However, Microsoft Teams and Microsoft Outlook will no longer function.


  2. Siva-kumar-selvaraj 15,721 Reputation points
    2021-02-25T13:32:26.55+00:00

    Hello @Martin Godfrey ,

In addition to that, the reason Microsoft Teams and Microsoft Outlook are not functioning is that the device has not received an EnterprisePrt for the user; you can confirm this by running the same cmdlet, dsregcmd /status, and confirming that EnterprisePrt is set to YES under SSO State.

Additionally, I see WamDefaultSet : ERROR and a PAC (Proxy Auto-Configuration) related error in the above logs. Are you using PAC for your environment? If so, see Troubleshoot automatic detection.

If you don't use WPAD, but your organization requires access to the internet via an outbound proxy, then use the WinHTTP cmdlet to set the proxy for the device manually.

Run this command on a working as well as a non-working device and verify that both settings match:

netsh winhttp show proxy

You can also import the settings from the Internet Settings Control Panel, but bear in mind that the WinHTTP services do not support the use of scripts (like PAC or DAT files). For that, you can use the following command:

netsh winhttp import proxy source=ie

For more information about WinHTTP, read WinHTTP Proxy Settings.

    Hope this helps.


  3. Martin Godfrey 21 Reputation points
    2021-02-25T14:15:51.943+00:00

Thanks for reaching out. Here are the answers to your questions.
    After running dsregcmd /status
    +----------------------------------------------------------------------+
    | SSO State |
    +----------------------------------------------------------------------+

                AzureAdPrt : NO
       AzureAdPrtAuthority :
             EnterprisePrt : NO
    EnterprisePrtAuthority :
    

    I'm also not aware we are using Proxy auto-configuration. I haven't come across it so far.

Also:
    C:\WINDOWS\system32>netsh winhttp show proxy

    Current WinHTTP proxy settings:

    Direct access (no proxy server).
    

    C:\WINDOWS\system32>netsh winhttp import proxy source=ie

    Current WinHTTP proxy settings:

    Direct access (no proxy server).
    

I have verified that my colleague has the same WinHTTP settings.

    By the way my colleague is also set to EnterprisePRT NO and her Teams and Outlook works fine!

    Regards
    Martin


  4. Martin Godfrey 21 Reputation points
    2021-02-25T16:10:10.297+00:00

I think the reason, that the OU the machine was in was not being synced with AD Connect, is correct. I had done a successful trial, but maybe didn't appreciate some of the finer points involved when moving OUs, syncing to Azure AD, etc. Anyway, all of a sudden Teams and Outlook started working. I appreciate your thoughts on this matter.

    Regards Martin
