DMAS_Exchange
Guest
I'm having issues trying to device register a Win10 client into Azure AD using DRS through ADFS. The option seems to be removed in my version of Win10.
Having seen this post (Azure AD Join button missing), it seems like it's an easy fix; however, as you see here, it's not there....
Bit of background to the issue:
- Windows 10 Pro (winver: 1607 Build 14393.693)
- Windows 10 updates fully completed
- Windows 10 client is domain joined to a local Active Directory (please ignore the fact the image above says "join this device..." I've had the issue for a few days now and I'm testing if re-joining solves the issue.)
- ADFS 3.0 configurations and claims rules updated to include new DRS claims rules (as per Azure article Configure DRS)
- SCP is in place for Azure AD
- Windows 7 client can device register to Azure AD Join fine and works. Running Get-MsolDevice -All presents all clients currently registered, and the Win7 client is there along with the federated user who registered the device. So basically, DRS config is working well from what I can see. I can also add a personal device using a federated domain account, and this also registers the device into Azure AD; again you can see this in the Get-MsolDevice output, so it does work.
- GPO is configured on the AD OU containing the Win10 device to automatically join to Azure AD. This is working as the computers RSOP present this option as Enabled. (Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration. Right-click Register domain joined computers as devices, and then select Edit. Then set Enable).
- If you run dsregcmd /status in a cmd prompt you get AzureADJoined: NO and other "NO"s relating to Azure AD Join too. I've gone through the Troubleshooting DRS and FAQs articles too. Nothing is mentioned about the client itself not being able to Azure AD Join.
- I also have several Event logs showing that the device is trying to Azure AD Join, so the GPO is working and the scheduled task created by the GPO tries to run dsregcmd.exe, but it errors back as below:
Event ID 331
Automatic device join pre-check tasks completed. Debug output:\r\n preCheckResult: DoNotJoin
isPrivateKeyFound: undefined
isJoined: undefined
isDcAvailable: undefined
isSystem: NO
keyProvider: undefined
keyContainer: undefined
dsrInstance: undefined
elapsedSeconds: 0
resultCode: 0x1
Event ID 233
The WinHTTP callback function failed. WINHTTP_STATUS_CALLBACK status code: 2097152. Error: Unknown Win32 Error code: 0x80072ee2
Event ID 201
The discovery operation callback failed with exit code: Unknown HResult Error code: 0x80072ee2. The server returned HTTP status: 0.
Server response was:
Event ID 309
Failed to discover the Azure AD DRS service. Exit code: Unknown HResult Error code: 0x801c0021.
Does anyone have ANY suggestions here?? I'm clutching at straws and feel I've been pretty comprehensive.
Event ID 333
Automatic device join pre-check tasks completed. The device can NOT be joined. The process MUST run as NT AUTHORITY\SYSTEM.
Does anyone have suggestions for me here? I feel I've been pretty thorough in my investigations, but I'm clutching at straws now!
Thanks in advance!!
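A PowerShell triage script, added here and not part of the original post, that collects the checks the thread walks through in one place: whether the current process is NT AUTHORITY\SYSTEM (Event 333 / isSystem: NO), which principal the GPO-created scheduled task runs as, the dsregcmd /status flags, the event IDs quoted above from the User Device Registration log, and whether the DRS discovery endpoint is reachable at all (0x80072ee2 is ERROR_WINHTTP_TIMEOUT). The task path, log name, DRS host name and contract URL format come from my own knowledge of Windows and are assumptions, not values from the post; run it elevated (or via psexec -s) to see the SYSTEM-context result.

```powershell
# Added triage helper (not from the original post). Assumes Windows 10 / PowerShell 5.1.
# Task path, log name, DRS host and contract URL are assumptions about Windows defaults.
function Get-DrsTriage {
    $r = [ordered]@{}

    # Event 333 / isSystem: NO -> dsregcmd only joins when it runs as SYSTEM.
    $r.RunningAsSystem = [System.Security.Principal.WindowsIdentity]::GetCurrent().IsSystem

    # The GPO-created task should have SYSTEM as its principal (assumed task path/name).
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' `
                -TaskName 'Automatic-Device-Join' -ErrorAction SilentlyContinue
    $r.TaskPrincipal = if ($task) { $task.Principal.UserId } else { 'task not found' }

    # Pull the YES/NO flags the post quotes out of dsregcmd /status.
    $status = dsregcmd /status 2>$null
    foreach ($key in 'AzureAdJoined', 'DomainJoined', 'TenantName') {
        $line = $status | Where-Object { $_ -match "^\s*$key\s*:" } | Select-Object -First 1
        $r[$key] = if ($line) { ($line -split ':', 2)[1].Trim() } else { 'n/a' }
    }

    # The event IDs from the post: 331/333 pre-check, 233 WinHTTP, 201 callback, 309 discovery.
    $r.RecentEvents = Get-WinEvent -LogName 'Microsoft-Windows-User Device Registration/Admin' `
        -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -in 201, 233, 309, 331, 333 } |
        Select-Object -First 10 TimeCreated, Id, @{ n = 'Msg'; e = { $_.Message.Split("`n")[0] } }

    # 0x80072ee2 = ERROR_WINHTTP_TIMEOUT: the discovery call got no answer. SYSTEM uses the
    # WinHTTP proxy (netsh winhttp show proxy), not the logged-on user's browser proxy.
    $r.WinHttpProxy = (netsh winhttp show proxy | Where-Object { $_ -match '\S' }) -join ' | '
    $tcp = Test-NetConnection -ComputerName 'enterpriseregistration.windows.net' -Port 443 `
               -WarningAction SilentlyContinue
    $r.DrsTcp443 = $tcp.TcpTestSucceeded

    # Assumed DRS discovery contract URL; a quick HTTPS reach test from this context.
    $domain = (Get-CimInstance Win32_ComputerSystem).Domain
    $url = "https://enterpriseregistration.windows.net/$domain/enrollmentserver/contract?api-version=1.2"
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        $r.DrsHttpStatus = $resp.StatusCode
    } catch {
        $r.DrsHttpStatus = $_.Exception.Message   # timeout here mirrors Event 233/201
    }
    [pscustomobject]$r
}

Get-DrsTriage | Format-List
```

Compare the output run as your own account with the output run as SYSTEM; a DrsHttpStatus of 200 in one context and a timeout in the other points at the WinHTTP proxy or an egress filter, which is what Event 233's 0x80072ee2 describes.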