Issue Azure AD Join

Jon Mercer 1,026 Reputation points
2021-10-20T23:45:23.64+00:00

The end result is to be able to use Hello for Business. Not doing anything with FS.

Have a DC, that is linked to AAD through Connect using HASH.

All devices currently show Azure AD registered.

Have gone in the AAD Connect configuration and done this process to enable SCP - https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains.

It has been left to percolate for a couple of hours, and nothing has changed for the device status; it is not changing to Hybrid AAD Joined.

If I run dsregcmd /status, it shows it is just domain joined. There is an error listed in the discover step.
Error Phase: discover
Client ErrorCode: 0x801c001d

https://enterpriseregistration.windows.net - If I go through my browser, it fails to connect saying endpoint not found. There is though nothing blocking outbound traffic.
https://login.microsoftonline.com - Works fine
https://device.login.microsoftonline.com - Error about not being able to sign in. If I open in private mode, it wants a certificate, which I only have one, and it fails on it.

I am kind of stuck, and having to jump around through 20 different Microsoft Docs is not helping.


Accepted answer
  1. Jon Mercer 1,026 Reputation points
    2021-10-28T15:36:50.803+00:00

    We couldn't log in with the PIN, since that feature, after Hybrid Azure AD joining them, came up with a new message saying basically unable to sign in because it didn't recognize the network. It also wasn't Intune joined, just standard AD joined. After trying different things, and talking with our consultant, it was found by their suggestion that suspending, and then clearing out, the TPM after AAD Connect had done its thing was needed to be able to set up the Hello features. After that, I was able to set up the PIN without any issue.

    Basically I had to make sure the computer's OU was selected in AAD Connect, and then it would convert to a Hybrid AAD join status so that the Hello system knew of the computer. Then for whatever reason (certificates is my guess) I had to suspend and clear out the TPM to get rid of the unable to sign in message with the Hello PIN in our case, and after the reboot, I was able to add it.

    The only thing I am wondering about is that it didn't ask for a second factor when setting up the PIN. We set up people with phone authentication, but all it asked for during the setup of the PIN was the login password.

    Now to deal with Intune.


9 additional answers

  1. Nagappan Veerappan 651 Reputation points Microsoft Employee
    2021-10-28T15:54:22.95+00:00

    Thanks, saw your post over the mail, but it's not yet reflected here.

    Yes, you were using a convenience PIN, which won't work once your device becomes HAADJ (once you have synced it to AAD). You need to clear the TPM or clear the NGC container via certutil -deleteHellocontainer.
    You will then be able to get WHFB provisioned. MFA is used if you log in with a password during provisioning. If you already use phone sign-in to authenticate on the device, it carries the MFA signal and helps you satisfy the MFA requirement to provision WHFB.


  2. Nagappan Veerappan 651 Reputation points Microsoft Employee
    2021-10-28T16:01:36.627+00:00

    WHFB login hereafter with PIN/Bio is treated as an MFA sign-in (strong authentication credentials, aka NGC credentials), so no more MFA prompts from that machine for that user.


  3. Jon Mercer 1,026 Reputation points
    2021-10-28T16:13:40.89+00:00

    Not sure why my post didn't come through, had moved it to the general discussion.

    We couldn't log in with the PIN, since that feature, after Hybrid Azure AD joining them, came up with a new message saying basically unable to sign in because it didn't recognize the network. It also wasn't Intune joined, just standard AD joined. After trying different things, and talking with our consultant, it was found by their suggestion that suspending, and then clearing out, the TPM after AAD Connect had done its thing was needed to be able to set up the Hello features. After that, I was able to set up the PIN without any issue.

    Basically I had to make sure the computer's OU was selected in AAD Connect, and then it would convert to a Hybrid AAD join status so that the Hello system knew of the computer. Then for whatever reason (certificates is my guess) I had to suspend and clear out the TPM to get rid of the unable to sign in message with the Hello PIN in our case, and after the reboot, I was able to add it.

    The only thing I am wondering about is that it didn't ask for a second factor when setting up the PIN. We set up people with phone authentication, but all it asked for during the setup of the PIN was the login password.

    Now to deal with Intune.


  4. Siva-kumar-selvaraj 15,721 Reputation points
    2021-10-21T08:53:16.087+00:00

    Hello @Jon Mercer ,

    Thanks for reaching out.

    Are you facing the discover issue with multiple devices or with a specific device? Which version of Windows is facing the registration issue? Also, can you confirm whether you have a single-forest AD or a multi-forest environment, because if devices are spread across multiple Active Directory forests then you must create the SCP object in each forest root, as explained over here.

    Generally, we get a discover error when the device couldn't retrieve the SCP information, or when it could retrieve the SCP information from local AD but failed to establish a connection with the Azure AD service endpoint for device registration.

    First, verify that the SCP keywords can be retrieved from a domain-joined device using PowerShell as explained in this article; the outcome should look similar to the example below. The field names are case-sensitive, so make sure that they are exactly azureADName: and azureADId:

    azureADName:contoso.com
    azureADId:62f988bf-####-####-####-############

    The value for azureADName: can be any of the custom or default domain names configured in Azure AD, such as "contoso.onmicrosoft.com" or "contoso.com", since you are using Password Hash Synchronization, not AD FS federation. azureADId: is the tenant ID of your Azure Active Directory tenant.

    Second, verify that these service endpoints are accessible in System Context (as the computer account), not user context. You can test this by doing the following:

    Note: verifiedDomain is the customer's domain name, e.g. Contoso.com or Contoso.onmicrosoft.com. If it is working, you will see a response similar to:

    [Screenshot of the successful endpoint responses; image not reproduced.]

    Alternatively, you could use the following scripts, the Registration Connectivity script and the Device Registration Troubleshooter Tool, which are very straightforward and help in validating all the prerequisites for device registration: these scripts validate internet connectivity under the system context, and they also check the SSL/TLS handshake and report a failure if there is one.

    Hope this helps.

    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

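A diagnostic script that performs the two checks the answer above describes (read the SCP keywords from the Configuration partition, then complete a TLS handshake to the registration endpoints named in the question), added here as an example; it is not from the thread and not Microsoft's own Registration Connectivity script. It assumes the SCP objects live under CN=Device Registration Configuration,CN=Services in the Configuration naming context, and that you run it as SYSTEM (for instance via psexec -s powershell.exe) so the test reflects what the device registration task sees rather than the logged-on user's proxy settings.

```powershell
# Added diagnostic script (not from the thread). Assumes a domain-joined Windows
# host with outbound 443 and the .NET DirectoryServices classes; run as SYSTEM.

function Get-HybridJoinScp {
    # Finds the SCP by walking the well-known container instead of hard-coding
    # its GUID-named object, and returns the keywords as a hashtable.
    $rootDse   = [ADSI]"LDAP://RootDSE"
    $cfgNc     = "$($rootDse.configurationNamingContext)"
    $container = [ADSI]("LDAP://CN=Device Registration Configuration,CN=Services," + $cfgNc)
    $result = @{}
    foreach ($child in $container.Children) {
        foreach ($kw in $child.Properties["keywords"]) {
            # Expected form: "azureADName:contoso.com" and "azureADId:<tenant guid>";
            # the key is case-sensitive, so it is stored exactly as found.
            $name, $value = "$kw" -split ':', 2
            $result[$name] = $value
        }
    }
    return $result
}

function Test-DeviceRegistrationEndpoint {
    param([string]$HostName, [int]$Port = 443)
    # Opens a TCP connection and completes a TLS handshake as a client.
    # A proxy or SSL-inspection appliance that substitutes the certificate
    # shows up here as a handshake or chain-validation error.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        [pscustomobject]@{ Host = $HostName; Ok = $true; Tls = $ssl.SslProtocol; Issuer = $cert.Issuer; Error = $null }
    } catch {
        [pscustomobject]@{ Host = $HostName; Ok = $false; Tls = $null; Issuer = $null; Error = $_.Exception.Message }
    } finally {
        $client.Dispose()
    }
}

$scp = Get-HybridJoinScp
if (-not ($scp.ContainsKey('azureADName') -and $scp.ContainsKey('azureADId'))) {
    Write-Warning "SCP keywords missing or mis-cased; expected azureADName: and azureADId:"
}
$scp

# The three endpoints the question reports testing by hand in a browser.
'enterpriseregistration.windows.net', 'login.microsoftonline.com', 'device.login.microsoftonline.com' |
    ForEach-Object { Test-DeviceRegistrationEndpoint -HostName $_ } | Format-Table -AutoSize
```

If the SCP lookup succeeds but a handshake row shows Ok = False with a certificate error, compare the Issuer column against the same test run in user context; a difference points at a system-context proxy or inspection path rather than at the SCP.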
