Question

Q: Windows 10 clean install will not re-join Azure AD (Office365)

I have a laptop that has previously been joined to Azure AD (an Office 365 Business Premium license). It recently suffered an SSD failure and has been rebuilt with a clean install of Windows 10 and it simply will not allow joining to Azure AD again.

Have tried clean installs of Win 10 (Creators) and Win 10 (Anniversary) and they both fail the process.

Have tried doing the Join workplace (setup device as Organisation owned device) entering the email and password during the OOBE first-bootup and also skipping past and trying to do it via Settings -> System -> About -> Join work or school...

I know that the email address and password are entered correctly; if either is entered incorrectly it presents appropriate errors. But when they are correctly entered you see a "Just a moment..." and a spinning circle of dots... this flashes / redraws a few times and then eventually, after several minutes, it times out and just presents "Something went wrong."

There is no indication of any issues anywhere in the event log that I can find. It simply fails to connect.

From the Azure AD admin tool online I have checked that Device registration is enabled (have tried toggling it off/back on) with no change.
User account and O365 license is fine. I've removed the old machine / device entry for the previously joined laptop from Devices.

This used to work, but it's now not re-joining and this is infuriating as there is simply no useful diagnostic information available.




Hi Partner,
 
Thank you for posting in Partner Support Community.
 
This is a quick note to let you know we are researching your issue and will update you ASAP. Also, if anyone else has experience with this specific issue/scenario, please feel free to jump in and share your thoughts.
If anything is unclear, please feel free to let me know.
 
Have a nice day!
-----------------------------------------------------------
Best regards,
 
Jimmy Sun
Microsoft Partner Support Community Technical Support Engineer
Microsoft Global Partner Services
---------------------------------------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.



Hi Partner,

Thank you for your post. This is Jimmy and I will be assisting you in this post.

From your description, I assume that your issue is as follows:

1. AAD join was successful before the OS was rebuilt, but it always fails now.

2. The issue occurs in both a clean Win10 1703 (Creators Update) and Win10 1607 (Anniversary Update).

3. AAD join fails whether logging in with an AAD account during the OOBE (first bootup after the OS build) or manually executing it via Settings -> Access work or school -> Connect -> Join this device to Azure AD after logging in using a local admin account. The Workplace join also fails on this computer.

4. When the issue appears, it just shows the "Something went wrong" page.

If I have any misunderstanding, please correct me. Thank you.

To narrow down the issue, could you please tell us the answers to the following questions based on your testing?

1. Does it work using the same AAD account to join another Win10 computer?

2. Does it work using a different AAD account to join the current Win10 computer?

3. What is the OS edition you are using now? Win10 Pro or Win10 Enterprise?

Based on my experience with this issue, I think you may also have to check the following:

1. Navigate to the Azure AD portal (https://portal.azure.com) -> Azure AD -> Users and groups -> Device Settings, try setting it so that all users can join devices to AAD with no limit on the number of joins, and re-join again.

2. Check if the issue is network related. For example, check if the device registration URL enterpriseregistration.windows.net can be DNS resolved via nslookup. Run the command dsregcmd.exe /status from cmd to check whether the device is now AAD joined or Workplace joined, like below:

If anything is unclear, please feel free to let us know.

 

Have a nice day!
-----------------------------------------------------------
Best regards,

Jimmy Sun
Microsoft Partner Support Community Technical Support Engineer
Microsoft Global Partner Services

 



Hi Jimmy,

Yes, you have understood what I provided as the problem and experience to date.

However, this is not a full Azure AD tenant. It is an Office 365 tenant using the normal included/bundled (and limited) Azure AD functionality that is provided with that Office 365 subscription, which in the past, and for many other tenants we have, works perfectly fine as a Join a workplace login.

To your questions:

1. I can't answer that; I don't have another machine to attempt this on, and even if I did I'd then be in the position of having to clear that join and use the other machine for its intended customer. And I'm not going to break someone's currently domain-joined PC trying to Azure AD join it for fun. So I cannot test this.

2. This is also difficult to test, whilst I have other tenants to use - if this does work, I'm then stuck going through the process of clearing and retrying the Azure AD join - a process which to date is troublesome at best. I am currently waiting for the join attempt to timeout so I can re-attempt it - I will try another user at that point but I'm suspecting it will fail. I will update once tested.

3. It is currently Windows 10 Pro. (1607)

And in response to your suggestions -

1. Users may join devices is already set to "All". I have previously attempted changing this to the specific user I wanted, and changed back to All. Neither setting changes the outcome.

   Maximum number of devices was set to 20, I have changed that to Unlimited. Setting didn't make any difference. Device still fails.

2. The device can correctly DNS resolve the enterprise registration address.

    The device can communicate: as mentioned before, if I provide an invalid email address for the join attempt it tells me it's not a valid email/type of account, and if I use the incorrect password it informs me of this specifically as a failure to authenticate. That to me clearly indicates it is able to communicate at some level with the MS Online account services for user/pass auth checking. It is the steps following this that appear to fail.

The output of the dsregcmd /status currently shows the Device and User State sections with all NO responses. And the Ngc Prerequisite Check section shows:

IsUserAzureAD : NO
PolicyEnabled : YES
DeviceEligible : YES
SessionIsNotRemote : YES
CertEnrolment : none
PreReqResult : WillNotProvision

This last line is a little interesting. Running dsregcmd /debug just indicates the command needs to run as NT AUTHORITY\SYSTEM. Helpful.

Did some digging on this; some people have suggested that resetting the BIOS security settings and the TPM helps. Have done both of these and so far no change. The process to join Azure AD still spins for several minutes and results in a "Something went wrong" error message.



Just following up on this with regard to trying a different user to join.

I used my own Office365 account and I get a fairly quick response of "Something went wrong" "Looks like the MDM terms of use endpoint is not correctly configured". This is a quick reply, and I suspect it will be correct, as my account won't be set up to allow device registrations etc.

Thanks.



Hi Partner,

Thanks for the update.

Could you please build a VM in your lab and try whether this machine can be joined to AAD using this account? After testing, you can simply disconnect from AAD on this VM.

Additionally, does the "Something went wrong" error page also show any other error messages or error codes for troubleshooting? If not, could you please share the AAD operational event log for us to troubleshoot further? (For example, you can upload the log to OneDrive.) Thanks.

If anything is unclear, please feel free to let us know.

Best regards,
Jimmy Sun

Microsoft Partner Support Community Technical Support Engineer
Microsoft Global Partner Services



Hi,

Okay built a new VM, it's running a clean install of Win 10 Ent 1703. 

The OOBE on first boot up offers to connect to a work account. I've entered that information and, like before, the screen offers a "Just a moment..." rotator, briefly fades the screen (goes from brighter blue to a darker shade of blue with no images on it), re-presents the "Just a moment" rotator... and fades again, then "Just a moment..." for a few minutes, then ends in a "Something went wrong" "You can try again, or skip this for now." screen.

So it fails.

I clicked 'Skip'; on the following screen about who's going to use this machine, there is a link back to "Or better yet, use an online account", so I've re-tried the O365 account. Still fails.

To your question - No the error screen provides absolutely nothing else, no useful debugging information, no error codes, no hint as to why it fails, it just fails.

I've hit 'Skip' again, and created a basic local user to login so I can sit through the welcome message and check event logs...

The Microsoft -> AAD -> Operational event log is completely empty (this is the same on the physical machine I'm having the original problem on). There are NO logs where you'd expect to find them.

Attempting the Azure AD join via Settings -> System -> About also fails on the VM.

Still no logs in AAD -> Operational



Hi Partner,

Thanks for the update.

Well, before the AAD join can complete, your device will need to be registered into AAD against the Azure AD DRS (Device Registration Service). I suspect that there might be something wrong in the device registration process.

There are related Admin/Debug event logs under Applications and Services Logs -> Microsoft -> Windows -> User Device Registration -> Admin & Debug (assuming you have enabled the "Show Analytic and Debug Logs" option). Enable the Debug log and then go to system settings to do the AAD join. After the failure appears, go back to the event viewer and examine the device registration logs.

Hope it helps!

Have a nice day!
 
Best regards,
 
Jimmy Sun
Microsoft Partner Support Community Technical Support Engineer
Microsoft Global Partner Services



Hi,

Okay, I've enabled the Debug logs as indicated and re-run the Azure AD join attempt.

Here's the sequence of debug events recorded:

ID 503: DeviceRegistrationStateApi::IsJoine - hr: 0x00000001

ID 503: DeviceRegistrationStatApi::GetJoinCertificate - hr: 0x00000001

ID 503: DeviceRegistrationStatApi::GetJoinCertificatee: RegistrationCertStatus::GetDeviceCertificate returned CRYPT_E_NOT_FOUND.Returning S_FALSE

ID 503: RegistrationCertStatus::GetDeviceCertificate - hr: 0x80092004

ID 503: RegistrationCertStatus::GetCertificate - hr: 0x80092004

ID 503: RegistrationCertStatus::GetCertificate: CertificateUtil::FindCertificateByOidValue didn't find any certificate so returning CRYPT_E_NOT_FOUND.

ID 503: CertificateUtil::FindCertificateByOiDValue: Will try to find the OID: '1.2.840.113556.1.5.284.7' and value: '1'

ID 503: IsWinPEHost: Cannot open reg key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT. Assuming the host is NOT WinPE. RegOpenKeyExW error code: 0x00000002.

Nothing in the UDR Admin log.



Hi Partner,

Thanks for your update.

Before the device registration can succeed, the device will generate a key pair locally and send the CSR to Azure DRS to request the device certificate, which will provide the client identity to Azure AD during later communication. The more detailed AAD join process can be found in this blog:

https://jairocadena.com/2016/02/01/azure-ad-join-what-happens-behind-the-scenes/

And this is a sample client auth cert from my test device; if the cert request doesn't happen or cannot succeed, then the device registration will fail.

[screenshot: sample client authentication certificate]

From your logs, we can only see that the device certificate wasn't found locally, but nothing about the cert request or anything else. Are these log snippets the entire logs? If not, could you please share the complete saved event logs with me via Private Message? Thanks for your help.

By the way, is the test account a federated account (federated with ADFS) or a normal account? Did you integrate your AAD with MDM (Intune) in your tenant?

Have a nice day!

Best regards,
Jimmy Sun

Microsoft Partner Support Community Technical Support Engineer
Microsoft Global Partner Services

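The checks suggested across this thread (the dsregcmd /status fields, DNS resolution of enterpriseregistration.windows.net, the device certificate that the debug trace looks up by OID, and the User Device Registration / AAD event channels) can be gathered in one pass. This is an added triage script, not code from the thread or from Microsoft; channel names, field names and the OID are taken from the posts above, and the certificate store location (LocalMachine\My) is an assumption.

```powershell
# Added triage script, not from the thread. Run from an elevated PowerShell on the
# machine that fails to join. Log channels, dsregcmd field names and the device
# certificate OID are the ones quoted in the thread; the cmdlets are standard Windows ones.

# 1. dsregcmd /status: turn "   Key : Value" lines into a hashtable so the YES/NO
#    answers (AzureAdJoined, WorkplaceJoined, PreReqResult ...) can be tested.
$status = @{}
foreach ($line in (& dsregcmd.exe /status)) {
    if ($line -match '^\s*([^:|+]+?)\s*:\s*(.*)$') { $status[$Matches[1]] = $Matches[2].Trim() }
}

# 2. Can the device resolve and reach the Device Registration Service endpoint?
$drsHost = 'enterpriseregistration.windows.net'
$dns = Resolve-DnsName $drsHost -ErrorAction SilentlyContinue
$tcp = Test-NetConnection -ComputerName $drsHost -Port 443 -WarningAction SilentlyContinue

# 3. Did a join ever get as far as storing a device certificate? The debug trace shows
#    dsregcmd searching for a certificate carrying extension OID 1.2.840.113556.1.5.284.7;
#    CRYPT_E_NOT_FOUND (0x80092004) means no such cert exists. Store path is assumed.
$joinOid = '1.2.840.113556.1.5.284.7'
$deviceCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Extensions.Oid.Value -contains $joinOid }

# 4. Pull the registration traces. The Debug channel is off by default: enable it,
#    reproduce the join, then re-run this script. Debug/Analytic channels are read with -Oldest.
$udrDebug = 'Microsoft-Windows-User Device Registration/Debug'
& wevtutil.exe sl $udrDebug /e:true
$certNotFound = Get-WinEvent -LogName $udrDebug -Oldest -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 503 -and $_.Message -match 'CRYPT_E_NOT_FOUND|0x80092004' }
$udrAdmin = Get-WinEvent -LogName 'Microsoft-Windows-User Device Registration/Admin' `
    -MaxEvents 50 -ErrorAction SilentlyContinue
$aadOps = Get-WinEvent -LogName 'Microsoft-Windows-AAD/Operational' `
    -MaxEvents 50 -ErrorAction SilentlyContinue

# One object to paste into a support thread instead of screenshots.
[pscustomobject]@{
    AzureAdJoined        = $status['AzureAdJoined']
    WorkplaceJoined      = $status['WorkplaceJoined']
    IsUserAzureAD        = $status['IsUserAzureAD']
    PreReqResult         = $status['PreReqResult']
    DrsDnsResolves       = [bool]$dns
    DrsTcp443Reachable   = [bool]$tcp.TcpTestSucceeded
    DeviceCertPresent    = [bool]$deviceCert
    CertNotFoundEvents   = @($certNotFound).Count
    UdrAdminEvents       = @($udrAdmin).Count
    AadOperationalEvents = @($aadOps).Count
} | Format-List
```

On the machine described in the thread the expected picture is all NO for the join state, DNS and TCP succeeding, no device certificate, a handful of CRYPT_E_NOT_FOUND events in the Debug channel and zero events in the Admin and AAD/Operational channels; a non-zero Admin or Operational count on another machine is where the real error code will be.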


Hi,

Logs are as I typed them, that's it nothing more.

(I've uploaded a fresh log grab for you to see in private message)

As for the test account. It is NOT federated. It is a local on device account, created during the OOBE screens when the join process failed, and I skipped it by making a local account.

Again, the tenant is an Office365 tenant with Bus Prem licenses. There are NO other special, premium or upgraded licenses in terms of Azure AD at play here; never have been. There is no access to Intune or MDM in the Azure AD portal in this tenant because of its license level.

This has never been an issue in the past; this process has worked numerous times for other tenants at a similar license level and, from my understanding, should be supported.

The lack of access to the MDM / Intune control panels in the Azure AD portal simply means I am unable to customise anything, but nothing there has changed. The only change is that the device had a failed hard drive, got rebuilt from scratch, and is unable to join Azure AD in the normal manner which has previously worked without issue.

This failure is consistent on a test VM, also running a clean install of the OS. So I don't believe it's the device. It's either the software or the back end not working as expected.

Cheers,

-A

Question Info

Views: 1,515. Last updated: July 11, 2018.