Windows 10 Device registration cannot be performed on Windows Hello for Business with on-premises only

Masayuki.Ozawa
Hi.

We are verifying Windows Hello for Business in a Windows Server 2016 (Windows Update executed) + Windows 10 1703 Enterprise Edition (Windows Update already executed) environment.
(Windows Server 2016: AD + AD FS + AD CS)

We are implementing the procedure of the Windows Hello for Business Deployment Guide.
Windows Hello for Business Deployment Guide - Microsoft 365 Security

Even if you execute the procedure in one step and execute the job of Automatic-Device-Join in Windows 10 1703, device registration via AD FS will result in an error.

The result of executing dsregcmd /debug with LOCAL SYSTEM is as follows.

dsregcmd::wmain logging initialized.
DsrCmdAccountMgr::IsDomainControllerAvailable DsGetDcName success { domain:domain.local forest:domain.local domainController:\\WHfB-AD.domain.local isDcAvailable:true }
PreJoinChecks Complete.
preCheckResult: Join
isPrivateKeyFound: undefined
isJoined: undefined
isDcAvailable: YES
isSystem: YES
keyProvider: undefined
keyContainer: undefined
dsrInstance: undefined
elapsedSeconds: 0
resultCode: 0x0
Automatic device join pre-check tasks completed.

TenantInfo::Discover: Join Info { TenantType = Federated; AutoJoinEnabled = 1; TenandID = 383a3889-5bc9-47a3-846c-2b70f0b7fe0e; TenantName = whfb-ad.domain.local }
DsrCmdSettings::GetSetting: The key was not found, so returning FALSE. Key: SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ
GetComputerTokenForADRS: Get token for enterprise DRS
GetComputerTokenForADRS: Token request authority: "https://login.microsoftonline.com/common"
AdalLog: Token is not available in the cache ; HRESULT: 0x0
AdalLog: Authority validation is enabled ; HRESULT: 0x0
AdalLog: Authority validation is completed ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuthEnterprise ; HRESULT: 0x0
AdalLog: HRESULT: 0x4aa90010
AdalLog: HRESULT: 0x4aa90010
AdalLog: HRESULT: 0xcaa9002c
AdalLog: HRESULT: 0xcaa9002c
AdalLog: HRESULT: 0xcaa9002c
AdalMessage: ADALUseWindowsAuthenticationNonHybrid failed, unable to preform integrated auth
AdalError: authentication_failed
AdalErrorCode: 0xcaa9002c
AdalCorrelationId: {C3F5EF0B-7922-4383-8FF3-057F2567EC9F}
AdalLog: HRESULT: 0xcaa9002c
AdalLog: HRESULT: 0xcaa9002c
AdalLog: HRESULT: 0xcaa9002c
AdalLog: HRESULT: 0x4aa90010
AdalLog: HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuthEnterprise ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
AdalLog: Authority validation is completed ; HRESULT: 0x0
AdalLog: Authority validation is enabled ; HRESULT: 0x0
AdalLog: Token is not available in the cache ; HRESULT: 0x0
AdalLog: HRESULT: 0xcaa1000e
wmain: Unable to retrieve access token 0x80004005.
DSREGCMD_END_STATUS
AzureAdJoined : NO
EnterpriseJoined : NO

If this is the case, what kind of countermeasures should be taken?

Regards,
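Added example, not part of the post above: a small Python triage script that reduces a dsregcmd /debug transcript like the one quoted to the fields worth checking (pre-check result, tenant join info, token authority, ADAL failure, final error, end status) and turns them into plain findings. The sample input is a constructed excerpt of the log in the post; nothing else is assumed.

```python
import re

# Constructed sample: an excerpt of the dsregcmd /debug output quoted in the post.
SAMPLE_LOG = """\
preCheckResult: Join
TenantInfo::Discover: Join Info { TenantType = Federated; AutoJoinEnabled = 1; TenantName = whfb-ad.domain.local }
GetComputerTokenForADRS: Token request authority: "https://login.microsoftonline.com/common"
AdalError: authentication_failed
AdalErrorCode: 0xcaa9002c
wmain: Unable to retrieve access token 0x80004005.
DSREGCMD_END_STATUS
AzureAdJoined : NO
EnterpriseJoined : NO
"""

JOIN_INFO = re.compile(r"Join Info \{(.*)\}")
AUTHORITY = re.compile(r'Token request authority:\s*"([^"]+)"')
WMAIN_ERR = re.compile(r"^wmain: (.+?)\s*(0x[0-9A-Fa-f]+)\.?$")
KEY_VALUE = re.compile(r"^(\w+)\s*:(?!:)\s*(\S.*)$")  # (?!:) skips Class::Method prefixes

def parse_dsregcmd(text):
    # Reduce a dsregcmd /debug transcript to the handful of fields worth checking.
    s = {"fields": {}, "join_info": {}, "authority": None, "adal": {}, "wmain_error": None}
    for line in map(str.strip, text.splitlines()):
        if m := JOIN_INFO.search(line):
            for part in m.group(1).split(";"):
                k, _, v = part.partition("=")
                s["join_info"][k.strip()] = v.strip()
        elif m := AUTHORITY.search(line):
            s["authority"] = m.group(1)
        elif m := WMAIN_ERR.match(line):
            s["wmain_error"] = (m.group(1), m.group(2))
        elif m := KEY_VALUE.match(line):
            k, v = m.groups()
            (s["adal"] if k.startswith("Adal") else s["fields"])[k] = v
    return s

def triage(s):
    # Turn the parsed fields into plain findings an admin can act on.
    f, fields = [], s["fields"]
    if fields.get("preCheckResult") == "Join" and fields.get("EnterpriseJoined") == "NO":
        f.append("pre-join checks passed, yet the device finished not enterprise-joined")
    if "AdalError" in s["adal"]:
        f.append("token request to %s failed: %s (%s)" % (
            s["authority"], s["adal"]["AdalError"], s["adal"].get("AdalErrorCode", "?")))
    if s["authority"] and "login.microsoftonline.com" in s["authority"]:
        f.append("token authority is the Azure AD common endpoint, not an on-premises AD FS host")
    if s["wmain_error"]:
        f.append("dsregcmd aborted: %s (%s)" % s["wmain_error"])
    return f
```

Run `triage(parse_dsregcmd(SAMPLE_LOG))` to get the findings list; feeding it the full /debug output instead of the excerpt works the same way.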
