Windows 10 Device Registration - Azure AD Join option missing in Win10??

  • Thread starter: DMAS_Exchange

DMAS_Exchange

Guest
I'm having issues trying to device register a Win10 client into Azure AD using DRS through ADFS. The option seems to be removed in my version of Win10.

Having seen this post, Azure AD Join button missing, it seems like it's an easy fix; however, as you can see here, it's not there....

[Image: Missing Azure AD Option]


A bit of background to the issue:

    • Windows 10 Pro (winver: 1607 Build 14393.693)
    • Windows 10 updates fully completed
    • Windows 10 client is domain joined to a local Active Directory (please ignore the fact the image above says "join this device..."; I've had the issue for a few days now and I'm testing whether re-joining solves the issue.)
    • ADFS 3.0 configuration and claims rules updated to include the new DRS claims rules (as per the Azure article Configure DRS)
    • SCP is in place for Azure AD
    • Windows 7 client can device register to Azure AD fine and works. Running Get-MsolDevice -All presents all clients currently registered, and the Win7 client is there along with the federated user who registered the device. So basically, the DRS config is working well from what I can see. I can also add a personal device using a federated domain account, and this also registers the device into Azure AD; again you can see this in the Get-MsolDevice output, so it does work.

      E.g.
      [Image: Win7 Azure AD Joined]

    • GPO is configured on the AD OU containing the Win10 device to automatically join to Azure AD. This is working, as the computer's RSOP presents this option as Enabled. (Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration. Right-click Register domain joined computers as devices, and then select Edit. Then set Enable.)
    • If you run dsregcmd /status in a cmd prompt you get AzureADJoined: NO and other "NO"s relating to Azure AD Join too. I've gone through the Troubleshooting DRS and FAQs articles too. Nothing is mentioned about the client itself not being able to Azure AD Join.
    • I also have several event logs showing that the device is trying to Azure AD Join, so the GPO is working and the scheduled task created by the GPO tries to run dsregcmd.exe, but it errors back as below:

Event ID 331

Automatic device join pre-check tasks completed. Debug output:
preCheckResult: DoNotJoin
isPrivateKeyFound: undefined
isJoined: undefined
isDcAvailable: undefined
isSystem: NO
keyProvider: undefined
keyContainer: undefined
dsrInstance: undefined
elapsedSeconds: 0
resultCode: 0x1

Event ID 233

The WinHTTP callback function failed. WINHTTP_STATUS_CALLBACK status code: 2097152. Error: Unknown Win32 Error code: 0x80072ee2

Event ID 201

The discovery operation callback failed with exit code: Unknown HResult Error code: 0x80072ee2. The server returned HTTP status: 0.
Server response was:

Event ID 309

Failed to discover the Azure AD DRS service. Exit code: Unknown HResult Error code: 0x801c0021.

Event ID 333

Automatic device join pre-check tasks completed. The device can NOT be joined. The process MUST run as NT AUTHORITY\SYSTEM.

Does anyone have suggestions for me here? I feel I've been pretty thorough in my investigations, but I'm clutching at straws now!

Thanks in advance!!
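A triage script for the symptoms described in this post, added here as an example and not part of the original thread or any Microsoft tooling. It assumes it is run in an elevated PowerShell session on the affected Windows 10 client; the event IDs, the 0x80072ee2 code and the SYSTEM-context message are the ones quoted above, while the event log name, the Workplace Join task path and the enterpriseregistration.windows.net endpoint are the documented ones for hybrid Azure AD join.

```powershell
# Added diagnostic script (not from the original post). Run elevated on the
# client that fails to register. Produces a summary of dsregcmd state, the
# device-registration events quoted in the post with a hint for each known
# failure, the scheduled task the GPO relies on, and raw reachability of DRS.

# 1. Parse "Key : Value" lines from dsregcmd /status into a hashtable.
$status = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') { $status[$Matches[1]] = $Matches[2] }
}
'AzureAdJoined', 'DomainJoined', 'WorkplaceJoined', 'TenantName' | ForEach-Object {
    '{0,-16} {1}' -f $_, $status[$_]
}

# 2. Pull the registration events from the last day and annotate the ones
#    whose meaning the post's output already establishes.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-User Device Registration/Admin'
    Id        = 201, 233, 309, 331, 333
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $hint = switch -Regex ($e.Message) {
        '0x80072ee2' { 'WinHTTP timeout: client never got an HTTP answer from the DRS endpoint (proxy/firewall/DNS)'; break }
        'MUST run as NT AUTHORITY\\SYSTEM' { 'pre-check ran outside the SYSTEM context; inspect the Workplace Join scheduled task'; break }
        'preCheckResult: DoNotJoin' { 'pre-check refused to join; compare the isSystem / isDcAvailable fields'; break }
        default { '' }
    }
    '{0:u}  {1,4}  {2}' -f $e.TimeCreated, $e.Id, $hint
}

# 3. Confirm the task that the "Register domain joined computers as devices"
#    GPO depends on exists and is not disabled.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -ErrorAction SilentlyContinue |
    Select-Object TaskName, State

# 4. Check plain TCP reachability to the DRS discovery endpoint on 443, which
#    is what a 0x80072ee2 timeout usually points at.
Test-NetConnection -ComputerName enterpriseregistration.windows.net -Port 443 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

If step 4 succeeds from an interactive shell but the events still show 0x80072ee2, compare the proxy configuration seen by SYSTEM (netsh winhttp show proxy) with the user's, since the join task runs as SYSTEM and does not inherit user proxy settings.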
