

Device Registration - Azure AD Join option missing in Win10??

Question

Thursday, February 23, 2017 9:28 PM

I'm having issues trying to device register a Win10 client into Azure AD using DRS through ADFS.  The option seems to be removed in my version of Win10.

Having seen the post "Azure AD Join button missing", it seems like an easy fix; however, as you can see here, it's not there...



Bit of background to the issue:

    • Windows 10 Pro (winver: 1607 Build 14393.693)
    • Windows 10 updates fully completed
    • Windows 10 client is domain joined to a local Active Directory (please ignore the fact that the image above says "join this device..."; I've had the issue for a few days now and I'm testing whether re-joining solves the issue.)
    • ADFS 3.0 configuration and claims rules updated to include the new DRS claims rules (as per the Azure article "Configure DRS")
    • SCP is in place for Azure AD
    • Windows 7 client can device register to Azure AD fine and works. Running Get-MsolDevice -All presents all clients currently registered, and the Win7 client is there along with the federated user who registered the device. So basically, the DRS config is working well from what I can see. I can also add a personal device using a federated domain account and this also registers the device into Azure AD; again, you can see this in the Get-MsolDevice output, so it does work.
    • GPO is configured on the AD OU containing the Win10 device to automatically join to Azure AD. This is working, as the computer's RSoP presents this option as Enabled. (Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration. Right-click "Register domain joined computers as devices", select Edit, then set it to Enabled.)
    • If you run dsregcmd /status in a cmd prompt you get AzureADJoined: NO and other "NO"s relating to Azure AD Join too. I've gone through the "Troubleshooting DRS" and FAQ articles too. Nothing is mentioned about the client itself not being able to Azure AD Join.
    • I also have several event log entries showing that the device is trying to Azure AD Join, so the GPO is working and the scheduled task created by the GPO tries to run dsregcmd.exe, but it errors back as below:

Event ID 331

Automatic device join pre-check tasks completed. Debug output:\r\n preCheckResult: DoNotJoin
isPrivateKeyFound: undefined
isJoined: undefined
isDcAvailable: undefined
isSystem: NO
keyProvider: undefined
keyContainer: undefined
dsrInstance: undefined
elapsedSeconds: 0
resultCode: 0x1

Event ID 233

The WinHTTP callback function failed. WINHTTP_STATUS_CALLBACK status code: 2097152. Error: Unknown Win32 Error code: 0x80072ee2

Event ID 201

The discovery operation callback failed with exit code: Unknown HResult Error code: 0x80072ee2. The server returned HTTP status: 0. 
Server response was:

Event ID 309

Failed to discover the Azure AD DRS service. Exit code: Unknown HResult Error code: 0x801c0021.

Does anyone have ANY suggestions here? I'm clutching at straws and feel I've been pretty comprehensive.

Event ID 333

Automatic device join pre-check tasks completed. The device can NOT be joined. The process MUST run as NT AUTHORITY\SYSTEM.

Does anyone have suggestions for me here? I feel I've been pretty thorough in my investigations, but I'm clutching at straws now!

Thanks in advance!!
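As an added example (not part of the thread and not a Microsoft tool), the following PowerShell triage script gathers the three signals the post checks by hand: the Device Registration event IDs quoted above, the YES/NO flags from dsregcmd /status, and the registry value the GPO writes. The event log name "Microsoft-Windows-User Device Registration/Admin" and the policy path HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin\autoWorkplaceJoin are assumptions not stated in the thread.

```powershell
# Added triage script, not from the thread or from Microsoft. Assumed names:
# the "Microsoft-Windows-User Device Registration/Admin" event log and the
# HKLM\...\WorkplaceJoin\autoWorkplaceJoin value written by the GPO
# "Register domain joined computers as devices" that the thread enables.
$LogName   = 'Microsoft-Windows-User Device Registration/Admin'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'

# Event IDs quoted in the thread and what each one indicates.
$KnownEvents = @{
    331  = 'Pre-check done; preCheckResult and isSystem say why the join was skipped'
    333  = 'Pre-check refused the join: dsregcmd was not running as NT AUTHORITY\SYSTEM'
    233  = 'WinHTTP callback failed; 0x80072ee2 is ERROR_WINHTTP_TIMEOUT (no HTTP reply)'
    201  = 'DRS discovery callback failed; HTTP status 0 means no response was received'
    309  = 'Failed to discover the Azure AD DRS service'
    1104 = 'Cloud API failed to initialize'
}

function Get-DrsJoinState {
    # Parse the YES/NO flags out of dsregcmd /status text (live output by default).
    param([string[]]$StatusText = (& dsregcmd.exe /status))
    $state = [ordered]@{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:\s*(YES|NO)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-DrsRecentEvents {
    # Pull the thread's event IDs from the last $Hours hours and extract any HRESULT.
    param([int]$Hours = 24)
    $filter = @{ LogName = $LogName; Id = @($KnownEvents.Keys); StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $hresult = if ($_.Message -match '0x[0-9A-Fa-f]{8}') { $Matches[0] } else { '' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            HResult = $hresult
            Meaning = $KnownEvents[[int]$_.Id]
        }
    }
}

# The GPO writes autoWorkplaceJoin = 1; anything else means the policy never landed.
$policy = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).autoWorkplaceJoin
"autoWorkplaceJoin policy value: $(if ($null -eq $policy) { 'not set' } else { $policy })"
Get-DrsJoinState | Format-Table -AutoSize
Get-DrsRecentEvents | Sort-Object Time | Format-Table -AutoSize
```

Run it from an elevated prompt on the affected client; because the pre-check events report isSystem, the output also shows whether a manual dsregcmd run was the cause of event 333 rather than the scheduled task.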

All replies (11)

Friday, February 24, 2017 1:24 AM

Hi DMAS_Exchange,

"Windows 10 client is domain joined to a local Active Directory"
I have checked the symptom on my side. I found that those options will not be available if the machine is joined to a domain. We could remove the machine from the domain and then join it to Azure AD again.

If the machine has been joined to a domain, we could refer to the following link to configure automatic registration of Windows domain joined devices with Azure Active Directory.
How to configure automatic registration of Windows domain joined devices with Azure Active Directory
/en-us/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup

Best regards

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Friday, February 24, 2017 10:05 AM

Hi MeipoXu

The problem from my post is that the Automatic registration GPO doesn't work from a Win10 machine.  DRS is obviously working as I can Azure AD Join "automatically" a Win7 machine via the scheduled task and .exe.  So if you don't use the GPO for Win10 devices, how do you perform a manual sync?  Simply run dsregcmd.exe I guess?  Which also doesn't work sadly...

Thanks for the article link, I haven't seen that one. The ones I linked in my original post above are extremely similar in title, so it's very confusing to have those articles in various areas. I'll work through it and come back to let you know how I get on.

Thanks!


Friday, February 24, 2017 5:10 PM

Hi

I've realised one of the pre-reqs is to update AADC to the latest version, so will be doing this shortly.

However, please could you describe the differences between the ADFS claims rules in these two articles:

1. /en-us/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup

AND

2. /en-gb/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup

Both articles are titled exactly the same, with a small difference... one is a US article and the other a GB article.  Our DRS environment is configured using the GB claims rules (link 2.) whereas looking at the US article (link 1.) the claims rules logic of building the claim token is totally different.

Which one is actually correct? These surely need to align, as it's terribly confusing to implement this service.

Thanks


Monday, February 27, 2017 8:15 AM

Hi DMAS_Exchange,

Would you please point out more details of the differences (a screenshot will be very useful; upload the picture to OneDrive and paste the link here)?

I didn't notice any differences between them.

Considering this issue is related to the Azure AD, we could try to ask for help from our Azure AD forum at the same time.
Azure Active Directory
https://social.msdn.microsoft.com/Forums/azure/en-US/home?forum=windowsazuread

Best regards



Monday, February 27, 2017 9:58 AM

Hi

It looks like they are NOW in fact identical. I configured our environment with DRS ADFS claims rules using the old GB article. However, it looks like it's been updated and the whole DRS approach and logic of the claims rules has changed since last week. The claims rules from the old article are attached below, and if you compare them to the current article they are in fact different.

Whether or not this new approach will fix my Win10 device registration issue I'm not sure.  I will have to try it and then re-visit this over the next couple of days.

Thanks for the link to the Azure AD forum, it might be worth a shot in there too.  I'll see how I'm looking once I've worked out how to change our existing ADFS claims rules into the new ones.

Thanks

<#
 |  Modify the Azure AD Relying Party to include the claims needed
 |  for DomainJoin++. The rules include:
 |  -ObjectGuid
 |  -AccountType
 |  -ObjectSid
 +#>

$VerifiedDomain = 'domain.com'      # Replace domain.com with one of your verified domains

# Rule 1: for computer accounts (member of Domain Computers, RID -515), look up
# the objectGUID in AD and issue it as the onpremobjectguid claim.
$rule1 = '@RuleName = "Issue object GUID"
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] &&
c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
=> issue(store = "Active Directory", types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), query = ";objectguid;{0}", param = c2.Value);'

# Rule 2: tag computer accounts as domain joined (DJ).
$rule2 = '@RuleName = "Issue account type for domain joined computers"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
=> issue(Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Value = "DJ");'

# Rule 3: pass the computer account's primary SID through unchanged.
$rule3 = '@RuleName = "Pass through primary SID"
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] &&
c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
=> issue(claim = c2);'

# Rule 4: anything not tagged DJ is a user account (added to the pipeline only,
# not issued to the relying party).
$rule4 = '@RuleName = "Issue AccountType with the value User when its not a computer account"
NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Value == "DJ"])
=> add(Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Value = "User");'

# Rule 5: for users, derive the issuerid from the UPN suffix.
$rule5 = '@RuleName = "Capture UPN when AccountType is User and issue the IssuerID"
c1:[Type == "http://schemas.xmlsoap.org/claims/UPN"] &&
c2:[Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Value == "User"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c1.Value, ".+@(?<domain>.+)", "http://${domain}/adfs/services/trust/"));'

# Rule 6: for computers, issue the issuerid built from the verified domain above.
$rule6 = '@RuleName = "Update issuer for DJ computer auth"
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Value == "DJ"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = "http://' + $VerifiedDomain + '/adfs/services/trust/");'

# Append the six rules to whatever the Azure AD relying party trust already has.
$existingRules = (Get-AdfsRelyingPartyTrust -Identifier urn:federation:MicrosoftOnline).IssuanceTransformRules

$updatedRules = $existingRules + $rule1 + $rule2 + $rule3 + $rule4 + $rule5 + $rule6

$crSet = New-AdfsClaimRuleSet -ClaimRule $updatedRules

Set-AdfsRelyingPartyTrust -TargetIdentifier urn:federation:MicrosoftOnline -IssuanceTransformRules $crSet.ClaimRulesString
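Because the script above appends its rules to the existing issuance transform rules, re-running it (or applying the newer article's version on top of the old GB rules) leaves duplicate rules on the trust. As an added example that is not part of the thread or of Microsoft's script, this PowerShell check reports which of the six DRS rule names are present, missing or duplicated on the Azure AD relying party trust before anything is changed. The rule names are copied from the script above; the Get-AdfsRelyingPartyTrust call is standard AD FS cmdlet usage.

```powershell
# Added check, not from the thread or Microsoft: audit the Azure AD relying
# party trust for the six DRS rule names defined in the script above.
$DrsRuleNames = @(
    'Issue object GUID',
    'Issue account type for domain joined computers',
    'Pass through primary SID',
    'Issue AccountType with the value User when its not a computer account',
    'Capture UPN when AccountType is User and issue the IssuerID',
    'Update issuer for DJ computer auth'
)

function Get-RuleNames {
    # Extract every @RuleName = "..." from an issuance transform rule string.
    param([string]$RuleText)
    [regex]::Matches($RuleText, '@RuleName\s*=\s*"([^"]+)"') |
        ForEach-Object { $_.Groups[1].Value }
}

function Compare-DrsRules {
    # One row per DRS rule: present once, missing, or duplicated N times.
    param([string]$RuleText)
    $present = @(Get-RuleNames -RuleText $RuleText)
    foreach ($name in $DrsRuleNames) {
        $count  = @($present | Where-Object { $_ -eq $name }).Count
        $status = if ($count -eq 0) { 'MISSING' }
                  elseif ($count -eq 1) { 'present' }
                  else { "DUPLICATED x$count" }
        [pscustomobject]@{ Rule = $name; Status = $status }
    }
}

# Read the live trust; the identifier is the same one the script above targets.
$rp = Get-AdfsRelyingPartyTrust -Identifier urn:federation:MicrosoftOnline
Compare-DrsRules -RuleText $rp.IssuanceTransformRules | Format-Table -AutoSize
```

Any row marked DUPLICATED means the append-only script has already been run more than once; remove the extra copies from the rule set before applying the updated article's rules.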

Tuesday, February 28, 2017 7:38 AM

Hi DMAS_Exchange,

I am glad to be of help. I am looking forward to your good news.

Best regards



Wednesday, March 1, 2017 6:22 PM

Hi

Bad news sadly :-(

  • Azure AD Connect upgraded to 1.1.380 (latest build)
  • ADFS claim rules updated using the updated article
  • Can login to portal.office.com and user gets redirected to ADFS correctly for authentication.

All other settings remain intact as before (SCP is in place, WIA is enabled, endpoints in ADFS are enabled and the proxy too).

I've logged in to the Win10 machine and I'm presented with exactly the same errors in the event log, and dsregcmd /status displays "Azure AD Joined: NO".

Is there somewhere I can get support with this?

Thanks!


Thursday, March 2, 2017 8:27 AM

Hi DMAS_Exchange,

This issue is beyond the support level of the community forum. You may consider opening a Premier Support ticket here.

Premier Support

https://support.microsoft.com/en-us/premier

Best regards



Wednesday, April 12, 2017 7:18 AM

Hi Everyone,

Has anyone found the solution to this problem? I am having similar issues.

We configured the Azure AD Sync, ADFS claim rules and SCP up to the mark, and we can also join Azure AD by running the scheduled task, which means DRS is working and the configuration is fine, but it doesn't work when we try to do the join using group policy.

I also checked whether the policy is applying: yes, it is applying and the value in the registry is set to 1, which means it should trigger.

Please help if anyone knows anything about this.

Our error is "Cloud API failed to initialize", event 1104.


Thursday, July 18, 2019 7:36 PM

Any news on this? I have the same issue. Please help!


Thursday, August 8, 2019 1:23 AM

Anyone have any luck on this?