Guest DMAS_Exchange
Posted July 18, 2019

I'm having issues trying to device register a Win10 client into Azure AD using DRS through ADFS. The option seems to be removed in my version of Win10. Having seen this post, Azure AD Join button missing, it seems like it's an easy fix; however, as you can see here, it's not there....

https://social.technet.microsoft.com/Forums/getfile/1006846

Bit of background to the issue:

- Windows 10 Pro (winver: 1607 Build 14393.693)
- Windows 10 updates fully completed
- Windows 10 client is domain joined to a local Active Directory (please ignore the fact the image above says "join this device..."; I've had the issue for a few days now and I'm testing if re-joining solves the issue.)
- ADFS 3.0 configurations and claims rules updated to include the new DRS claims rules (as per the Azure article Configure DRS)
- SCP is in place for Azure AD
- Windows 7 client can device register to Azure AD Join fine and works. Running Get-MsolDevice -All presents all clients currently registered, and the Win7 client is there along with the federated user who registered the device. So basically, DRS config is working well from what I can see.
- I can also add a personal device using a federated domain account, and this also registers the device into Azure AD; again you can see this in the Get-MsolDevice output, so it does work. E.g. https://social.technet.microsoft.com/Forums/getfile/1006861
- GPO is configured on the AD OU containing the Win10 device to automatically join to Azure AD. This is working, as the computer's RSOP presents this option as Enabled. (Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration. Right-click Register domain joined computers as devices, and then select Edit. Then set Enable.)
- If you run dsregcmd /status in a cmd prompt you get AzureADJoined: NO and other "NO"s relating to Azure AD Join too.
- I've gone through the Troubleshooting DRS and FAQs articles too. Nothing is mentioned about the client itself not being able to Azure AD Join.
- I also have several Event logs showing that the device is trying to Azure AD Join, so the GPO is working and the scheduled task created by the GPO tries to run dsregcmd.exe, but it errors back as below:

Event ID 331
Automatic device join pre-check tasks completed. Debug output:
preCheckResult: DoNotJoin
isPrivateKeyFound: undefined
isJoined: undefined
isDcAvailable: undefined
isSystem: NO
keyProvider: undefined
keyContainer: undefined
dsrInstance: undefined
elapsedSeconds: 0
resultCode: 0x1

Event ID 233
The WinHTTP callback function failed. WINHTTP_STATUS_CALLBACK status code: 2097152. Error: Unknown Win32 Error code: 0x80072ee2

Event ID 201
The discovery operation callback failed with exit code: Unknown HResult Error code: 0x80072ee2. The server returned HTTP status: 0. Server response was:

Event ID 309
Failed to discover the Azure AD DRS service. Exit code: Unknown HResult Error code: 0x801c0021.

Does anyone have ANY suggestions here?? I'm clutching at straws and feel I've been pretty comprehensive.

Event ID 333
Automatic device join pre-check tasks completed. The device can NOT be joined. The process MUST run as NT AUTHORITY\SYSTEM.

Does anyone have suggestions for me here? I feel I've been pretty thorough in my investigations, but I'm clutching at straws now!

Thanks in advance!!
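The events above point at two separate preconditions: Event 333 says the pre-check ran outside the SYSTEM context (isSystem: NO), and Events 233/201 report 0x80072ee2, which is ERROR_WINHTTP_TIMEOUT, i.e. the DRS discovery request to the registration service never got an HTTP answer (HTTP status 0). The script below is an added troubleshooting checklist written for this thread, not code from the poster or from Microsoft; it checks, on the Win10 client, the identity the script runs under, the registry value behind the "Register domain joined computers as devices" policy, the state and principal of the Automatic-Device-Join scheduled task, the Azure AD SCP in the Configuration naming context, outbound TCP 443 to the registration endpoints, and the same Admin log the posted Event IDs come from. The host adfs.example.com is a placeholder to be replaced with your own federation service name.

```powershell
# Added troubleshooting checklist for automatic Azure AD device registration (not from the original post).
# Defender's view: confirm each precondition the posted events depend on before changing anything.

$ErrorActionPreference = 'Continue'

function Test-RunningAsSystem {
    # Event 333: the join pre-check insists on NT AUTHORITY\SYSTEM
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    [pscustomobject]@{ Check = 'Running as SYSTEM'; Result = $id.IsSystem; Detail = $id.Name }
}

function Get-AutoJoinPolicy {
    # Registry value written by the "Register domain joined computers as devices" policy
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
    $val = (Get-ItemProperty -Path $key -Name autoWorkplaceJoin -ErrorAction SilentlyContinue).autoWorkplaceJoin
    [pscustomobject]@{ Check = 'GPO autoWorkplaceJoin = 1'; Result = ($val -eq 1); Detail = "value=$val" }
}

function Get-AutoJoinTask {
    # The task the GPO relies on; it should run as SYSTEM and not be disabled
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join' -ErrorAction SilentlyContinue
    if (-not $task) {
        return [pscustomobject]@{ Check = 'Automatic-Device-Join task'; Result = $false; Detail = 'task not found' }
    }
    $info = $task | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Check  = 'Automatic-Device-Join task'
        Result = ($task.State -ne 'Disabled')
        Detail = ('runs as {0}; state {1}; last result 0x{2:X8}' -f $task.Principal.UserId, $task.State, $info.LastTaskResult)
    }
}

function Get-DeviceRegistrationScp {
    # The SCP lives under this well-known GUID in the Configuration NC; its keywords carry azureADName/azureADId
    $root = [ADSI]'LDAP://RootDSE'
    $cfg  = $root.configurationNamingContext.Value
    $scp  = [ADSI]("LDAP://CN=62a0ff2e-97b9-4088-9039-1d1e4bb05d3c,CN=Device Registration Configuration,CN=Services," + $cfg)
    try { $kw = @($scp.keywords) } catch { $kw = @() }
    [pscustomobject]@{ Check = 'SCP present'; Result = ($kw.Count -gt 0); Detail = ($kw -join '; ') }
}

function Test-DrsEndpoints {
    # Events 233/201: 0x80072ee2 = ERROR_WINHTTP_TIMEOUT, so verify plain reachability first
    param([string[]]$Hosts)
    foreach ($h in $Hosts) {
        $ok = Test-NetConnection -ComputerName $h -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Check = "TCP 443 to $h"; Result = $ok; Detail = '' }
    }
}

function Get-RecentDrsEvents {
    # Same Admin log the posted Event IDs 201/233/309/331/333 are written to
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-User Device Registration/Admin'; Id = 201, 233, 309, 331, 333 } `
        -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

# ASSUMPTION: adfs.example.com is a placeholder; use your own ADFS federation service host
$hostsToTest = 'enterpriseregistration.windows.net', 'login.microsoftonline.com', 'adfs.example.com'

$results = @()
$results += Test-RunningAsSystem
$results += Get-AutoJoinPolicy
$results += Get-AutoJoinTask
$results += Get-DeviceRegistrationScp
$results += Test-DrsEndpoints -Hosts $hostsToTest
$results | Format-Table -AutoSize

'--- recent User Device Registration events ---'
Get-RecentDrsEvents | Format-Table -AutoSize

'--- dsregcmd /status (join state lines) ---'
dsregcmd /status | Select-String -Pattern 'AzureAdJoined|DomainJoined|EnterpriseJoined|WorkplaceJoined'
```

The reachability test is only meaningful in the same context the join runs in: the scheduled task runs as SYSTEM, which uses the machine-wide WinHTTP proxy configuration (shown by `netsh winhttp show proxy`) rather than a logged-on user's browser proxy, so a connection that works interactively can still time out for the task. A run under SYSTEM that shows the task present, autoWorkplaceJoin = 1, the SCP keywords populated and TCP 443 reachable to all three hosts narrows the problem to the HTTP exchange itself (TLS inspection, proxy authentication, or the ADFS DRS endpoint).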