Troubleshoot Microsoft Entra hybrid joined devices

Microsoft Entra hybrid join enables seamless integration between on-premises Active Directory (AD) and Microsoft Entra ID (formerly Azure AD), supporting scenarios like Conditional Access, Windows Hello for Business, and Enterprise State Roaming. However, issues can arise during the hybrid join process. This guide provides a structured approach to troubleshooting common problems.


Step 1: Verify Join Status

Run the following command in an elevated Command Prompt:

    dsregcmd /status

Key Fields to Check

Field              Expected Value   Description
AzureAdJoined      YES              Device is joined to Microsoft Entra ID.
DomainJoined       YES              Device is joined to on-premises AD.
WorkplaceJoined    NO               Device should not be registered as a personal device.
AzureAdPrt         YES              Primary Refresh Token (PRT) is active.

🔹 If AzureAdJoined is NO, proceed to troubleshoot the join failure.
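The four fields above are easy to misread in the long dsregcmd output, so here is an added PowerShell helper (not from the original article or from Microsoft) that parses the "Key : Value" lines into a hashtable and reports each expected field with an OK/not-OK verdict. When dsregcmd is not available it falls back to a constructed sample so the parser can be exercised anywhere.

```powershell
# Added example: parse dsregcmd /status and check the four fields from the table.
function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $result = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "   Key : Value"; split on the first colon only, because
        # values such as timestamps ("2024-07-08 10:00:00 UTC") contain colons.
        if ($line -match '^\s*([^:|]+?)\s*:\s*(.*?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

function Test-HybridJoinState {
    param([Parameter(Mandatory)][hashtable]$Status)
    # Expected values for a healthy hybrid-joined device (from the table above).
    $expected = [ordered]@{
        AzureAdJoined   = 'YES'
        DomainJoined    = 'YES'
        WorkplaceJoined = 'NO'
        AzureAdPrt      = 'YES'
    }
    foreach ($key in $expected.Keys) {
        $actual = $Status[$key]
        [pscustomobject]@{
            Field    = $key
            Expected = $expected[$key]
            Actual   = if ($null -eq $actual) { '<missing>' } else { $actual }
            Ok       = ($actual -eq $expected[$key])
        }
    }
}

# Use the live device when dsregcmd exists; otherwise a constructed sample
# (not real output) that shows a device without a PRT.
if (Get-Command dsregcmd -ErrorAction SilentlyContinue) {
    $raw = dsregcmd /status
} else {
    $raw = @(
        '             AzureAdJoined : YES'
        '          EnterpriseJoined : NO'
        '              DomainJoined : YES'
        '           WorkplaceJoined : NO'
        '                AzureAdPrt : NO'
        '     Previous Registration : 2024-07-08 10:00:00 UTC'
    )
}

$status = ConvertFrom-DsregStatus -Lines $raw
Test-HybridJoinState -Status $status | Format-Table -AutoSize
```

A row with Ok = False tells you which of the later steps applies: AzureAdJoined false points to Steps 2 and 3, AzureAdPrt false to Step 4. The parsed hashtable also carries the "Previous Registration" fields used in Step 2.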


Step 2: Identify the Join Failure Phase

For Windows 10/11 1803+

Check the “Previous Registration” section in dsregcmd /status:

    Previous Registration : 2024-07-08 10:00:00 UTC
    Registration Type : sync
    Error Phase : join
    Client ErrorCode : 0x801c03f2
    Server ErrorCode : DirectoryError

For Older Windows Versions

Check Event Viewer under:
Applications and Services Logs > Microsoft > Windows > User Device Registration

  • Event IDs 304, 305, 307: indicate join failures.
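Browsing Event Viewer by hand is slow when a device has been retrying the join for days. The following added PowerShell function (not part of the original article or of Microsoft's tooling) queries the same log for the three event IDs named above over a configurable window. The channel name used is the one behind the "User Device Registration" node in the Event Viewer tree; the "no events found" branch is handled explicitly because Get-WinEvent reports an empty result as an error.

```powershell
# Added example: pull recent join-failure events (IDs 304/305/307) from the
# User Device Registration log.
function Get-DeviceRegistrationFailures {
    param(
        [int]$Days = 7,
        # Channel behind "Applications and Services Logs > Microsoft > Windows >
        # User Device Registration" in Event Viewer.
        [string]$LogName = 'Microsoft-Windows-User Device Registration/Admin'
    )
    $filter = @{
        LogName   = $LogName
        Id        = 304, 305, 307
        StartTime = (Get-Date).AddDays(-$Days)
    }
    try {
        Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
            Select-Object TimeCreated, Id, LevelDisplayName,
                # First line of the message is the summary; the rest is detail.
                @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
    } catch {
        # Get-WinEvent throws when nothing matches; say so instead of failing.
        if ($_.Exception.Message -like 'No events were found*') {
            Write-Host "No join-failure events (304/305/307) in the last $Days day(s)."
        } else {
            throw
        }
    }
}

Get-DeviceRegistrationFailures -Days 7 | Format-Table -AutoSize -Wrap
```

The full message text of each event (available via the Message property if you drop the Summary projection) contains the client and server error codes that Step 3 maps to a cause and fix.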

Step 3: Common Join Errors & Fixes

1️⃣ Precheck Phase Failures

❌ Possible Causes:

  • No line of sight to a domain controller.
  • Incorrect Service Connection Point (SCP) configuration.

✅ Solutions:

  • Ensure the device is on the corporate network/VPN.
  • Verify SCP is correctly configured in AD.

2️⃣ Discovery Phase Failures

❌ Error Codes:

  • DSREG_AUTOJOIN_ADCONFIG_READ_FAILED (0x801c001d) → SCP misconfigured.
  • DSREG_AUTOJOIN_DISC_FAILED (0x801c0021) → Discovery endpoint unreachable.

✅ Solutions:

  • Confirm https://enterpriseregistration.windows.net is accessible.
  • Check proxy settings if outbound traffic is restricted.

3️⃣ Authentication Phase Failures (Federated Domains Only)

❌ Error Codes:

  • ERROR_ADAL_PROTOCOL_NOT_SUPPORTED (0xcaa90017) → WS-Trust not enabled.
  • ERROR_ADAL_WSTRUST_TOKEN_REQUEST_FAIL (0xcaa90006) → Federation service error.

✅ Solutions:

  • Ensure WS-Trust is enabled on the federation server.
  • Check AD FS logs for authentication failures.

4️⃣ Join Phase Failures

❌ Error Codes:

  • DSREG_E_DIRECTORY_FAILURE (0x801c03f2) → Sync issue with Microsoft Entra ID.
  • NTE_BAD_KEYSET (0x80090016) → TPM-related failure.

✅ Solutions:

  • Wait for Microsoft Entra Connect sync to complete.
  • Clear TPM (if applicable) and retry.

Step 4: Post-Join Authentication Issues

If users can’t sign in after hybrid join, check PRT status:

    dsregcmd /status

🔹 If AzureAdPrt: NO, investigate:

  • Network connectivity to login.microsoftonline.com.
  • Proxy/firewall blocking authentication.
  • Incorrect UPN (ensure it matches Microsoft Entra ID).
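The Precheck and Discovery fixes in Step 3 and the PRT checks in Step 4 come down to three questions: can the device reach the registration and sign-in endpoints over TCP 443, which proxy does the machine context use, and is the SCP actually present in AD? The added PowerShell below (not from the original article or from Microsoft) answers all three. The SCP container name is the well-known Device Registration SCP GUID that Microsoft Entra Connect writes under the configuration partition; the hostnames are the two named in this guide.

```powershell
# Added example: connectivity, system-proxy and SCP checks behind Steps 3 and 4.
function Test-RegistrationEndpoints {
    param(
        # Endpoints named in this guide: device registration (Discovery phase)
        # and token issuance (PRT acquisition).
        [string[]]$Hosts = @('enterpriseregistration.windows.net', 'login.microsoftonline.com')
    )
    foreach ($h in $Hosts) {
        $tcp = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host     = $h
            Resolved = [bool]$tcp.RemoteAddress   # DNS worked
            Tcp443   = $tcp.TcpTestSucceeded      # firewall/proxy allowed the connection
        }
    }
}

function Get-SystemProxy {
    # Device registration runs in the machine context, so the WinHTTP proxy,
    # not the signed-in user's Internet Options proxy, is the one that matters.
    netsh winhttp show proxy
}

function Get-HybridJoinScp {
    # Reads the SCP under CN=Configuration. Keywords carries
    # 'azureADName:<verified domain>' and 'azureADId:<tenant id>'.
    try {
        $rootDse  = [ADSI]'LDAP://RootDSE'
        $configNc = [string]$rootDse.Properties['configurationNamingContext'].Value
    } catch {
        # RootDSE unreachable: no line of sight to a domain controller (Precheck cause).
        return [pscustomobject]@{ DcReachable = $false; ScpFound = $false; Keywords = @() }
    }
    $scpPath = "LDAP://CN=62a0ff2e-97b9-4088-9963-6fa8b59ffa6e,CN=Device Registration Configuration,CN=Services,$configNc"
    if (-not [ADSI]::Exists($scpPath)) {
        return [pscustomobject]@{ DcReachable = $true; ScpFound = $false; Keywords = @() }
    }
    $scp = [ADSI]$scpPath
    [pscustomobject]@{
        DcReachable = $true
        ScpFound    = $true
        Keywords    = @($scp.Properties['keywords'] | ForEach-Object { [string]$_ })
    }
}

# Reading the results: Tcp443 = False on the first host points at the Discovery
# errors in Step 3, on the second host at AzureAdPrt: NO in Step 4;
# DcReachable = False or ScpFound = False points at the Precheck fixes.
Test-RegistrationEndpoints | Format-Table -AutoSize
Get-SystemProxy
Get-HybridJoinScp | Format-List
```

Compare the azureADName value in Keywords with the UPN suffix of the user who cannot sign in; a mismatch is the "Incorrect UPN" case listed above.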

Step 5: Collect Logs for Microsoft Support

  1. Run diagnostics (PowerShell):
         .\start-auth.ps1 -v Auth -accepteula
  2. Reproduce the issue.
  3. Stop tracing and zip the logs:
         .\stop-auth.ps1

Final Tips

✔ Use the Device Registration Troubleshooter Tool for automated diagnostics.
✔ Check Microsoft Docs for updated guidance.
✔ Ensure Windows updates are applied (minimum: Windows 10 1709+).

Need further help? Contact Microsoft Support with collected logs! 🚀


Summary: Hybrid join issues often stem from misconfigured SCP, network problems, or sync delays. Follow this guide to diagnose and resolve common errors efficiently.

Reference : https://learn.microsoft.com/en-us/entra/identity/devices/troubleshoot-hybrid-join-windows-current
