Troubleshooting Azure AD Hybrid Join and Intune AutoEnrollMDM

Working for a number of clients recently we were deploying Self-Service Password Reset from the Windows 10 logon screen (https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-sspr-windows) and the problem we came across was that the machines would not Hybrid Join. Using dsregcmd /status we could see AzureAdJoined still had a value of No, so we went through the following checklist:



  • Checked the following URLs were reachable from the device:
https://passwordreset.microsoftonline.com
https://ajax.aspnetcdn.com
https://enterpriseregistration.windows.net
https://login.microsoftonline.com
https://device.login.microsoftonline.com
https://autologon.microsoftazuread-sso.com


  • Checked the appropriate SCP had been created within AD (its keywords should contain azureADName:<tenant domain> and azureADId:<tenant id>):
# Bind to the well-known device registration SCP and print its keywords
$scp = New-Object System.DirectoryServices.DirectoryEntry
$scp.Path = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=domain,DC=local"
$scp.Keywords



  • Checked the event log for clues: Applications and Services Logs / Microsoft / Windows / User Device Registration / Admin
    (Sergii Cherkashyn has blogged a lot about the relevant event IDs at https://s4erka.wordpress.com/tag/hybrid-azure-ad-registration/)

We found the following error:


Log Name:      Microsoft-Windows-User Device Registration/Admin
Source:        Microsoft-Windows-User Device Registration
Date:          16/04/2019 10:04:51
Event ID:      204
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      TEST01.DOMAIN.LOCAL
Description:
The get join response operation callback failed with exit code: Unknown HResult Error code: 0x801c03f2. 
Activity Id: 9fead58a-b202-4df0-9d23-79bb72994e67 
The server returned HTTP status: 400 
Server response was: {"ErrorType":"DirectoryError","Message":"The device object by the given id (33e8585e-14dc-4057-b857-8e5d31b019b2) is not found.","TraceId":"9fead58a-b202-4df0-9d23-79bb72994e67","Time":"04-16-2019 9:05:06Z"}
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Device Registration" Guid="{23B8D46B-67DD-40A3-B623-D43E50552C6D}" />
    <EventID>204</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2019-04-16T09:04:51.789587100Z" />
    <EventRecordID>1035</EventRecordID>
    <Correlation />
    <Execution ProcessID="5124" ThreadID="9608" />
    <Channel>Microsoft-Windows-User Device Registration/Admin</Channel>
    <Computer>TEST01.DOMAIN.LOCAL</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="ExitCode">-2145647630</Data>
    <Data Name="ActivityId">9fead58a-b202-4df0-9d72-79bb72994e67</Data>
    <Data Name="HttpStatus">400</Data>
    <Data Name="ServerResponse">{"ErrorType":"DirectoryError","Message":"The device object by the given id (12e8585e-14dc-4057-b857-8e5d31b019b2) is not found.","TraceId":"9fead58a-b202-4df0-9d72-79bb72994e67","Time":"04-16-2019 9:05:06Z"}</Data>
  </EventData>
</Event>

Having seen the device object is not found, the penny dropped. This was resolved by simply checking the synchronisation options (domain and OU filtering) within Azure AD Connect and making sure the OU containing the computer object was selected for synchronisation.

After adding the OU and performing a delta synchronisation (Start-ADSyncSyncCycle -PolicyType Delta) we rebooted the device and found the registration completed:



Log Name:      Microsoft-Windows-User Device Registration/Admin
Source:        Microsoft-Windows-User Device Registration
Date:          16/04/2019 11:13:42
Event ID:      105
Task Category: None
Level:         Information
Keywords:      
User:          SYSTEM
Computer:      TEST01.DOMAIN.LOCAL
Description:
The complete join response operation was successful.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Device Registration" Guid="{23B8D46B-67DD-40A3-B623-D43E50552C6D}" />
    <EventID>105</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2019-04-16T10:13:42.596813200Z" />
    <EventRecordID>1099</EventRecordID>
    <Correlation ActivityID="{A06D9E2A-F43C-0002-D4AB-6DA03CF4D401}" />
    <Execution ProcessID="9580" ThreadID="9708" />
    <Channel>Microsoft-Windows-User Device Registration/Admin</Channel>
    <Computer>TEST01.DOMAIN.LOCAL</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
  </EventData>

</Event>
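The checklist above as a script, added here as an example rather than code from the original post: it pulls the key fields out of dsregcmd /status, reads the SCP keywords from the forest's configuration partition (assumed to be resolvable from the device, using the same well-known SCP GUID as the post), and turns the User Device Registration events covered in this post into one-line hints, including the "device object not found" case that pointed at the sync scope. Run it in an elevated PowerShell session on the domain-joined device.

```powershell
# Added example (not code from the original post): first-pass hybrid join triage.
# Assumes a reachable domain controller and the well-known SCP GUID used by Azure AD Connect.

# 1. Pull the fields we care about out of dsregcmd /status instead of reading it by eye.
function Get-DsregSummary {
    $fields = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|DeviceId|TenantId|TenantName|AzureAdPrt)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]$fields
}

# 2. Read the SCP keywords; expect azureADName:<tenant> and azureADId:<tenant id>.
function Get-HybridJoinScp {
    $configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $path = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNc"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        Write-Warning "SCP not found at $path"
        return @()
    }
    [string[]]([ADSI]$path).keywords
}

# 3. Explain the User Device Registration events this post covers.
function Get-DeviceRegistrationFindings {
    param([int]$MaxEvents = 50)
    $log = 'Microsoft-Windows-User Device Registration/Admin'
    foreach ($e in (Get-WinEvent -LogName $log -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)) {
        $hint = switch ($e.Id) {
            204 {
                if ($e.Message -match 'device object by the given id \(([0-9a-fA-F-]+)\) is not found') {
                    "Azure AD has no device object $($Matches[1]): check the computer's OU is in the Azure AD Connect sync scope and run a delta sync"
                } else { 'join response failed; read the ServerResponse JSON in the event' }
            }
            201 { 'discovery failed; usually proxy/network (0x80072efd) or certificate trust problems reaching enterpriseregistration.windows.net' }
            309 { 'DRS discovery failed; read together with the preceding event 201' }
            304 { 'automatic registration failed; errorPhase in the message names the failing step' }
            105 { 'join completed successfully' }
            default { $null }
        }
        if ($hint) { [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Hint = $hint } }
    }
}

Get-DsregSummary | Format-List
Write-Host ('SCP keywords: ' + ((Get-HybridJoinScp) -join ', '))
Get-DeviceRegistrationFindings | Sort-Object Time | Format-Table -AutoSize -Wrap
```

If the SCP warning fires, or AzureAdJoined is No with no 204/201 events at all, the device has not even attempted registration; if you see a 204 with the "not found" hint, the fix is the sync scope change described above followed by a delta sync and reboot.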


Example of Hybrid Join Proxy Issues

Another error I have found is when devices cannot register as Hybrid Join devices with Azure AD due to proxy issues. Once again we checked the event log for clues (Applications and Services Logs / Microsoft / Windows / User Device Registration / Admin) and found the following:



Log Name:      Microsoft-Windows-User Device Registration/Admin
Source:        Microsoft-Windows-User Device Registration
Date:          12/06/2019 10:47:05
Event ID:      233
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      TEST01.DOMAIN.LOCAL
Description:
The WinHTTP callback function failed. WINHTTP_STATUS_CALLBACK status code: 2097152. Error: Unknown Win32 Error code: 0x80072efd
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Device Registration" Guid="{23B8D46B-67DD-40A3-B636-D43E50552C6D}" />
    <EventID>233</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2019-06-12T09:47:05.289933900Z" />
    <EventRecordID>162</EventRecordID>
    <Correlation />
    <Execution ProcessID="2280" ThreadID="5096" />
    <Channel>Microsoft-Windows-User Device Registration/Admin</Channel>
    <Computer>TEST01.DOMAIN.LOCAL</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="StatusCode">2097152</Data>
    <Data Name="ErrorCode">2147954429</Data>
  </EventData>
</Event>






Log Name:      Microsoft-Windows-User Device Registration/Admin
Source:        Microsoft-Windows-User Device Registration
Date:          12/06/2019 11:27:57
Event ID:      201
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      TEST01.DOMAIN.LOCAL
Description:
The discovery operation callback failed with exit code: Unknown HResult Error code: 0x80072efd. The server returned HTTP status: 0. 
Server response was:

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Device Registration" Guid="{23B8D46B-67DD-40A3-B636-D43E50552C6D}" />
    <EventID>201</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2019-06-12T10:27:57.461752300Z" />
    <EventRecordID>174</EventRecordID>
    <Correlation />
    <Execution ProcessID="2124" ThreadID="4708" />
    <Channel>Microsoft-Windows-User Device Registration/Admin</Channel>
    <Computer>TEST01.DOMAIN.LOCAL</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="ExitCode">-2147012867</Data>
    <Data Name="HttpStatus">0</Data>
    <Data Name="ServerMessage">
    </Data>
  </EventData>
</Event>






Log Name:      Microsoft-Windows-User Device Registration/Admin
Source:        Microsoft-Windows-User Device Registration
Date:          12/06/2019 11:27:57
Event ID:      309
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      TEST01.DOMAIN.LOCAL
Description:
Failed to discover the Azure AD DRS service. Exit code: Unknown HResult Error code: 0x801c0021.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Device Registration" Guid="{23B8D46B-67DD-40A3-B636-D43E50552C6D}" />
    <EventID>309</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2019-06-12T10:27:57.461889200Z" />
    <EventRecordID>175</EventRecordID>
    <Correlation />
    <Execution ProcessID="2124" ThreadID="9132" />
    <Channel>Microsoft-Windows-User Device Registration/Admin</Channel>
    <Computer>TEST01.DOMAIN.LOCAL</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="ExitCode">-2145648607</Data>
  </EventData>
</Event>





Log Name:      Microsoft-Windows-User Device Registration/Admin
Source:        Microsoft-Windows-User Device Registration
Date:          12/06/2019 11:27:57
Event ID:      304
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      TEST01.DOMAIN.LOCAL
Description:
Automatic registration failed at join phase.  Exit code: Unknown HResult Error code: 0x801c0021. Server error: empty. Debug Output:\r\n joinMode: Join
drsInstance: undefined
registrationType: undefined
tenantType: undefined
tenantId: undefined
configLocation: undefined
errorPhase: discover
adalCorrelationId: undefined
adalLog:
undefined
adalResponseCode: 0x0
.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Device Registration" Guid="{23B8D46B-67DD-40A3-B636-D43E50552C6D}" />
    <EventID>304</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2019-06-12T10:27:57.461919000Z" />
    <EventRecordID>176</EventRecordID>
    <Correlation />
    <Execution ProcessID="2124" ThreadID="9132" />
    <Channel>Microsoft-Windows-User Device Registration/Admin</Channel>
    <Computer>TEST01.DOMAIN.LOCAL</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="ExitCode">-2145648607</Data>
    <Data Name="ServerErrorMessage">empty</Data>
    <Data Name="TenantName">joinMode: Join
drsInstance: undefined
registrationType: undefined
tenantType: undefined
tenantId: undefined
configLocation: undefined
errorPhase: discover
adalCorrelationId: undefined
adalLog:
undefined
adalResponseCode: 0x0
</Data>
  </EventData>
</Event>



When running dsregcmd /status we could see the AzureAdJoined had a value of No so




The errors we could see were 'DrsBeginDiscover failed. 0x80072efd' and 'Discover failed with error code 0x801c0021'.

To check it was the proxy causing the issue we used NETSH to set the WinHTTP proxy for the System account with the following commands (and PSEXEC):

  • Run a command prompt as the System account: psexec -i -s cmd.exe
  • Set the proxy: netsh winhttp set proxy PROXY01:8080
  • Retry the join: dsregcmd /debug /join

This completed successfully:
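The URL checklist at the top of the post and the proxy steps above, as an added example (not code from the original post): the script reads whatever WinHTTP proxy netsh reports, then makes a HEAD request to each registration endpoint both the way WinHTTP would and directly, so you can tell a blocked proxy from a blocked endpoint. An HTTP error status (400, 403, 404) still counts as reachable, because it proves the TLS session was set up; only a transport error means the path is broken. The proxy address is taken from the machine, so PROXY01:8080 in the post is just a placeholder here. Run it once as yourself and once under psexec -i -s powershell.exe, since the registration runs as SYSTEM and that is the context in which the post applied the proxy setting.

```powershell
# Added example (not code from the original post): endpoint reachability via the
# WinHTTP proxy and direct. Endpoint list is the one from the post's checklist.
$Endpoints = @(
    'passwordreset.microsoftonline.com',
    'ajax.aspnetcdn.com',
    'enterpriseregistration.windows.net',
    'login.microsoftonline.com',
    'device.login.microsoftonline.com',
    'autologon.microsoftazuread-sso.com'
)

function Get-WinHttpProxy {
    # "netsh winhttp show proxy" prints either "Direct access (no proxy server)."
    # or a "Proxy Server(s) :  host:port" line.
    foreach ($line in (& netsh.exe winhttp show proxy)) {
        if ($line -match 'Proxy Server\(s\)\s*:\s*(\S+)') { return $Matches[1] }
    }
    return $null
}

function Test-RegistrationEndpoint {
    param([Parameter(Mandatory)][string]$HostName, [string]$Proxy)
    $via = if ($Proxy) { $Proxy } else { 'direct' }
    $result = [pscustomobject]@{ Host = $HostName; Via = $via; Status = $null; Error = $null }
    try {
        $req = [System.Net.HttpWebRequest]::Create("https://$HostName/")
        $req.Method = 'HEAD'
        $req.Timeout = 10000
        # An empty WebProxy means "go direct"; otherwise force the proxy WinHTTP reported.
        if ($Proxy) { $req.Proxy = [System.Net.WebProxy]::new("http://$Proxy") }
        else        { $req.Proxy = [System.Net.WebProxy]::new() }
        $resp = $req.GetResponse()
        $result.Status = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) {
            # Server answered: TLS and routing work, whatever the status code says.
            $result.Status = [int]$_.Exception.Response.StatusCode
        } else {
            # No response at all: name resolution, timeout, TLS failure or proxy refusal.
            $result.Error = $_.Exception.Status.ToString()
        }
    }
    $result
}

$proxy = Get-WinHttpProxy
Write-Host "WinHTTP proxy as $env:USERNAME : $(if ($proxy) { $proxy } else { 'none (direct access)' })"
$results = foreach ($h in $Endpoints) {
    Test-RegistrationEndpoint -HostName $h -Proxy $proxy
    if ($proxy) { Test-RegistrationEndpoint -HostName $h }
}
$results | Format-Table -AutoSize
```

When the direct rows fail with a transport error and the proxy rows succeed, the join will only work once the WinHTTP proxy is set for the account doing the registration, which is exactly what the netsh step above fixes; when the proxy rows fail and direct succeeds, the proxy itself is blocking the endpoint.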




Auto Enroll MDM Fails 


We checked the GPO had applied by ensuring the registry value had been created:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\MDM, value AutoEnrollMDM (REG_DWORD = 1)

(https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.MDM::MDM_JoinMDM_DisplayName)

We ensured the scheduled task 'Schedule created by enrollment client for automatically enrolling in MDM from AAD' existed; it can be found in Task Scheduler under Microsoft -> Windows -> EnterpriseMgmt.



Checked the event log for clues: Applications and Services Logs / Microsoft / Windows / DeviceManagement-Enterprise-Diagnostics-Provider / Admin

You may see the following error message, Event ID 76 "Auto MDM Enroll Failed (Unknown Win32 Error code 0x8018002b)", but that's normal (great article by TimmyIT here: https://timmyit.com/2018/12/17/mdm-join-an-already-azure-ad-joined-windows-10-pcs-to-intune-with-a-provisioning-package/). If it continues... please ensure that the user who is logged onto the machine has an Intune license assigned..... (Ouch)

After logging on with the correct user we got the expected Event ID 58.
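The three auto-enrolment checks above as one script, added here as an example and not code from the original post: it reads the AutoEnrollMDM policy value from the registry path quoted above, confirms the enrolment scheduled task exists and reports its last result, and labels the Event ID 76 / 58 events from the DeviceManagement-Enterprise-Diagnostics-Provider log. It assumes the policy is delivered by GPO as in the post and that the device is already hybrid joined. Run it in an elevated PowerShell session.

```powershell
# Added example (not code from the original post): auto-enrolment prerequisites check.

function Test-AutoEnrollPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $value = (Get-ItemProperty -Path $key -Name AutoEnrollMDM -ErrorAction SilentlyContinue).AutoEnrollMDM
    $detail = if ($null -eq $value) { "$key\AutoEnrollMDM is missing (GPO not applied?)" } else { "$key\AutoEnrollMDM = $value" }
    [pscustomobject]@{ Check = 'AutoEnrollMDM policy'; Ok = ($value -eq 1); Detail = $detail }
}

function Test-EnrollmentTask {
    # The task the enrollment client creates lives under \Microsoft\Windows\EnterpriseMgmt.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -like 'Schedule created by enrollment client*' } | Select-Object -First 1
    if (-not $task) {
        return [pscustomobject]@{ Check = 'Enrollment scheduled task'; Ok = $false; Detail = 'not present under Microsoft\Windows\EnterpriseMgmt' }
    }
    $info = $task | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Check  = 'Enrollment scheduled task'
        Ok     = ($task.State -ne 'Disabled')
        Detail = "state=$($task.State) lastRun=$($info.LastRunTime) lastResult=0x$('{0:X8}' -f [uint32]$info.LastTaskResult)"
    }
}

function Get-EnrollmentEvents {
    param([int]$MaxEvents = 20)
    $log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 58, 76 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $hint = switch ($e.Id) {
            58 { 'auto MDM enrolment succeeded' }
            76 {
                if ($e.Message -match '0x8018002b') {
                    'first-attempt failure the post calls normal; if it keeps repeating, confirm the logged-on user has an Intune license'
                } else { 'auto MDM enrolment failed; read the error code in the message' }
            }
        }
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Hint = $hint }
    }
}

@((Test-AutoEnrollPolicy), (Test-EnrollmentTask)) | Format-Table -AutoSize -Wrap
Get-EnrollmentEvents | Sort-Object Time | Format-Table -AutoSize -Wrap
```

A missing registry value means Group Policy has not reached the machine yet (gpupdate and check again); a present value with no task usually means the device has not completed its hybrid join, which the task depends on; a long run of 76 events with no 58 is the licensing case the post describes.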




Export MSOL Devices 

We used the following to export all details of the devices to CSV and review:



# Relax the execution policy for this process only, then connect to the tenant
Set-ExecutionPolicy Unrestricted -Scope Process -Force
Connect-MsolService
# Export every device object with all of its properties for review
Get-MsolDevice -All | Select-Object * | Export-Csv MSOLDevices.csv -NoTypeInformation


Comments

  2. Hi Neil,

    I'm getting Event ID 201 - But mine says :

    The discovery operation callback failed with exit code: Unknown HResult Error code: 0x801c000c. The server returned HTTP status: 403.

    Certificate verification error
    src="https://enterpriseregistration.windows.net/%24%24%24%26%3f%26%3f%24%24%24?cmd=get_file&arg=images/block.png&sid=6D00652E4C6D781DBF0BACB3405E3C1ABB9654C6">
    Certificate verification error

    Access denied. Certificate validation failed for the following URL: enterpriseregistration.windows.net

    this is then followed by 309 and then 304.

    Any ideas?

    Replies
    1. Sounds like your root CA certificates are not up to date on the device. Make sure you've patched your machines with the latest Windows Updates.

