Issue Azure AD Join

Jon Mercer 1,026 Reputation points
2021-10-20T23:45:23.64+00:00

The end result is to be able to use Hello for Business. Not doing anything with FS.

Have a DC that is linked to AAD through Connect using HASH.

All devices currently show Azure AD registered.

Have gone into the AAD Connect configuration and done this process to enable SCP: https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains.

It has been left to percolate for a couple of hours, and nothing has changed for the device status; it is not changing to Hybrid AAD Joined.

If I run dsregcmd /status, it shows it is just domain joined. There is an error listed in the discover step.
Error Phase: discover
Client ErrorCode: 0x801c001d

https://enterpriseregistration.windows.net - If I go through my browser, it fails to connect, saying endpoint not found. There is, though, nothing blocking outbound traffic.
https://login.microsoftonline.com - Works fine
https://device.login.microsoftonline.com - Error about not being able to sign in. If I open it in private mode, it wants a certificate; I only have one, and it fails on it.

I am kind of stuck, and having to jump around through 20 different Microsoft Docs is not helping.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. Jon Mercer 1,026 Reputation points
    2021-10-28T15:36:50.803+00:00

    We couldn't log in with the PIN, since that feature, after Hybrid Azure AD joining them, came up with a new message saying basically unable to sign in because it didn't recognize the network. It also wasn't Intune joined, just standard AD joined. After trying different things and talking with our consultant, it was found, by their suggestion, that suspending and then clearing out the TPM after AAD Connect had done its thing was needed to be able to set up the Hello features. After that, I was able to set up the PIN without any issue.

    Basically had to make sure the computers OU was selected in AAD Connect, and then it would convert to a Hybrid AAD Join status so that the Hello system knew of the computer. Then for whatever reason (certificates is my guess) had to suspend and clear out the TPM to get rid of the unable to sign-in message with the Hello PIN in our case, and after the reboot, was able to add it.

    The only thing I am wondering about is that it didn't ask for a second factor when setting up the PIN. We set up people with phone authentication, but all it asked for during the setup of the PIN was the login password.

    Now to deal with Intune.


9 additional answers

  1. Nagappan Veerappan 651 Reputation points Microsoft Employee
    2021-10-28T02:44:25.167+00:00

    Were you logging in to the device using a PIN before it became HAADJ? Do you have this device Intune managed?


  2. Nagappan Veerappan 651 Reputation points Microsoft Employee
    2021-10-28T17:58:52.783+00:00

    @Jon Mercer - Yes, you don't need admin rights to clear the NGC container via "certutil -deleteHelloContainer"; a user can run this in a normal prompt. It immediately clears any previously stored credentials. You may want to automate it via a logon script as well.
    Caution: this would be a one-time operation. If you repeat that command after provisioning the WHFB PIN/Bio, it will clear the WHFB cred as well. Then the user will end up in a loop of provisioning and deletion upon logout and login.


  3. Jon Mercer 1,026 Reputation points
    2021-10-21T16:12:40.34+00:00

    Are you facing discover issue with multiple devices or specific device: Multiple Devices

    Which version of Windows facing registration issue: Windows 10 1909 and newer

    Can you confirm, do you have Single forest AD or multi-forest environment: Single forest AD

    When I run this in PS, nothing comes up; it just goes back to the command prompt. Changed the DC to our information, which was verified correct with the Get-ADRootDSE command.

    $scp = New-Object System.DirectoryServices.DirectoryEntry;
    $scp.Path = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=fabrikam,DC=com";
    $scp.Keywords;

    Farther down with this, there isn't an AdPrep folder on my system.

    Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1";
    $aadAdminCred = Get-Credential;
    Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [connector account name] -AzureADCredentials $aadAdminCred;

    One thing I have wondered about is that our domain is not .com but .local, and whether that could cause an issue.

    For the PsExec command, I had to go to https://learn.microsoft.com/en-us/sysinternals/downloads/psexec, download and extract it, and then go to its location in the command prompt; then the command you posted ran.

    It looks like it worked.

    https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc
    urn:ms-drs:enterpriseregistration.windows.net
    1.0
    https://login.microsoftonline.com/16434642-8eaf-485f-a032-99937cbe0a74/oauth2/authorize
    https://login.microsoftonline.com/16434642-8eaf-485f-a032-99937cbe0a74/oauth2/token
    https://login.microsoftonline.com/ulsonline.net/wsfed
    https://enterpriseregistration.windows.net/EnrollmentServer/device/
    urn:ms-drs:enterpriseregistration.windows.net
    1.0
    https://login.microsoftonline.com/
    https://device.login.microsoftonline.com/
    https://enterpriseregistration.windows.net/
    https://enterpriseregistration.windows.net/EnrollmentServer/key/
    urn:ms-drs:enterpriseregistration.windows.net
    1.0

    Running the PS script under https://learn.microsoft.com/samples/azure-samples/testdeviceregconnectivity/testdeviceregconnectivity/ was successful.

    Running the DSRegTool and got the following:

    Test 1 was successful

    Test 2 was successful

    Test 3 (Hybrid AD Join) failed in two areas:
    Testing if connected to AzureAD - device is NOT connected to Azure AD
    Testing Tenant ID - Tenant ID is not configured correctly, and gave the same registry location as in test 4.

    Test 4 (verify SCP) Failed: Says the Tenant ID is not configured correctly and to make sure it is configured correctly in the registry.

    Test 5 (verify health of device) failed with the same device is NOT connected to Azure AD, though it offers to go through the procedure of adding it by running dsregcmd /join, then run test 3.

    Test 6 (verify PRT) passed for the PRT registry value

    Ran dsregcmd /join and then tried test 3 again; it still fails, saying it isn't joined, and it is not happy with a registry entry.

    Something changed at some point though, because when I run dsregcmd /status, the diagnostic data has changed to:
    Error Phase - Pre-Check
    Client ErrorCode - 0x1
    It has a line of sight to the domain, because I can log in and access network shared locations.

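As an added example that is not from the thread or from Microsoft's DSRegTool, here is a PowerShell script covering the checks discussed in the question and in this reply: it reads the tenant name and ID from the forest SCP (taking the Configuration naming context from RootDSE instead of typing DC= components, so a .local forest needs no special handling) or from the client-side registry SCP, then fetches the tenant-specific discovery contract from enterpriseregistration.windows.net and lists its endpoint values, which is the list the pasted output shows run together. Assumed rather than taken from the page: the HKLM\...\CDJ\AAD registry SCP, the contract URL shape that the testdeviceregconnectivity sample uses, and that the contract may come back as JSON or XML.

```powershell
# Added example (not from the thread or from Microsoft's DSRegTool). Assumed: the CDJ\AAD
# registry SCP and the contract URL shape used by the testdeviceregconnectivity sample.

function Get-HybridJoinScp {
    # The discover phase needs a tenant name/ID; it may come from the client-side
    # registry SCP (used for controlled rollouts) or from the forest SCP.
    $result = [ordered]@{ Source = 'none'; TenantName = $null; TenantId = $null }
    $regKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'
    if ((Test-Path $regKey) -and (Get-ItemProperty $regKey).TenantId) {
        $reg = Get-ItemProperty $regKey
        $result.Source = 'registry'; $result.TenantName = $reg.TenantName; $result.TenantId = $reg.TenantId
        return [pscustomobject]$result
    }
    try {
        # Read the Configuration NC from RootDSE instead of typing DC= parts by hand,
        # so a .local forest is handled exactly like a .com one.
        $configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
        $scp = [ADSI]"LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNc"
        foreach ($kw in @($scp.keywords)) {
            if ($kw -like 'azureADName:*') { $result.TenantName = $kw.Substring(12) }
            if ($kw -like 'azureADId:*')   { $result.TenantId   = $kw.Substring(10) }
        }
        if ($result.TenantId) { $result.Source = 'forest SCP' }
    } catch { $result.Source = "lookup failed: $($_.Exception.Message)" }
    [pscustomobject]$result
}

function Get-LeafValues($node) {
    # Flatten the discovery contract (JSON or XML) into its string values: the endpoints,
    # urn:ms-drs resource IDs and versions that the pasted output shows run together.
    if ($null -eq $node) { return }
    if ($node -is [string] -or $node -is [ValueType]) { return "$node" }
    if ($node -is [System.Xml.XmlText]) { return $node.Value }
    if ($node -is [System.Xml.XmlNode]) { foreach ($c in $node.ChildNodes) { Get-LeafValues $c }; return }
    if ($node -is [System.Collections.IEnumerable]) { foreach ($i in $node) { Get-LeafValues $i }; return }
    foreach ($p in $node.PSObject.Properties) { Get-LeafValues $p.Value }
}

function Test-DrsDiscovery([Parameter(Mandatory)][string]$TenantName) {
    # The bare root of enterpriseregistration.windows.net answers "endpoint not found"
    # by design; the client requests the tenant-specific contract below.
    $uri = "https://enterpriseregistration.windows.net/$TenantName/EnrollmentServer/Contract?api-version=1.2"
    try { Get-LeafValues (Invoke-RestMethod -Uri $uri -Headers @{ Accept = 'application/json' } -ErrorAction Stop) }
    catch { "discovery failed for ${TenantName}: $($_.Exception.Message)" }
}

$scp = Get-HybridJoinScp; $scp
if ($scp.TenantName) { Test-DrsDiscovery -TenantName $scp.TenantName }
```

A device whose Source comes back as "none" has nothing for the discover phase to read, while a populated SCP with a failing contract request points at egress filtering or proxy inspection rather than the directory.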

  4. Jon Mercer 1,026 Reputation points
    2021-10-22T15:02:17.257+00:00

    So I fixed this issue. We had done a selective number of people for AAD Connect but had not added the computers. Once that was done, those computers switched to Hybrid AAD Join. Though after that, Hello stopped working. Seems there is an issue with the PRT.

