MartinGodfrey-9163 asked:

Hybrid Azure AD Join Failure - Error Missing Device

We have successfully set up Hybrid Azure AD join from our on-premises AD to our Azure AD tenant via the Intune Connector. On the surface all works fine. On one machine I changed the OU so that we could enroll the device into Intune. However the device, which was already in Azure AD with the Hybrid Azure AD joined type, got DELETED.

Now the device cannot log into Microsoft services and can no longer either enroll into Intune or show in the devices list in Azure AD. Everything looks right - AD Connect working, Intune Connector working, etc. It is only affecting this device. I have already done a dsregcmd /debug /leave - this made no difference. I have taken the device off the domain (twice) and renamed the device - still the same issue. If anyone can assist or shed any light on what is going on here, it would be much appreciated. Here's the dsregcmd /status output:

Microsoft Windows [Version 10.0.19042.804]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>dsregcmd /status

+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+

          AzureAdJoined : NO
       EnterpriseJoined : NO
           DomainJoined : YES
             DomainName : MXXXXXXXXXXXXXP
            Device Name : MACF-SP4-0010.mxxxxxxxxxxxxxp.net

+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+

                 NgcSet : NO
        WorkplaceJoined : NO
          WamDefaultSet : ERROR

+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+

             AzureAdPrt : NO
    AzureAdPrtAuthority : NO
          EnterprisePrt : NO
 EnterprisePrtAuthority : NO

+----------------------------------------------------------------------+
| Diagnostic Data |
+----------------------------------------------------------------------+

  Diagnostics Reference : www.microsoft.com/aadjerrors
           User Context : SYSTEM
            Client Time : 2021-02-25 08:00:11.000 UTC
   AD Connectivity Test : PASS
  AD Configuration Test : PASS
     DRS Discovery Test : PASS
  DRS Connectivity Test : PASS
 Token acquisition Test : SKIPPED
  Fallback to Sync-Join : ENABLED

  Previous Registration : 2021-02-25 07:59:11.000 UTC
      Registration Type : sync
            Error Phase : join
       Client ErrorCode : 0x801c03f3
       Server ErrorCode : invalid_request
    Server ErrorSubCode : error_missing_device
       Server Operation : DeviceRenew
         Server Message : The device object by the given id (dcf25f7e-32a2-4353-9c94-55e73da71456) is not found.
           Https Status : 400
             Request Id : e3845944-6aad-4a2f-ba45-d92d319699d2

+----------------------------------------------------------------------+
| IE Proxy Config for System Account |
+----------------------------------------------------------------------+

   Auto Detect Settings : YES
 Auto-Configuration URL :
      Proxy Server List :
      Proxy Bypass List :

+----------------------------------------------------------------------+
| URL Specific Proxy Config |
+----------------------------------------------------------------------+

 Auto Detect PAC Status : Failed to auto detect the Proxy Auto-Configuration (PAC) script using WPAD. code: 0x80072f94

 Executing Account Name : MxxxxxxxxxxxxxP\MACF-SP4-0010$, MACF-SP4-0010$@mxxxxxxxxxxxxxp.net

+----------------------------------------------------------------------+
| IE Proxy Config for Current User |
+----------------------------------------------------------------------+

   Auto Detect Settings : YES
 Auto-Configuration URL :
      Proxy Server List :
      Proxy Bypass List :

+----------------------------------------------------------------------+
| WinHttp Default Proxy Config |
+----------------------------------------------------------------------+

            Access Type : DIRECT

+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+

         IsDeviceJoined : NO
          IsUserAzureAD : NO
          PolicyEnabled : NO
       PostLogonEnabled : YES
         DeviceEligible : YES
     SessionIsNotRemote : YES
         CertEnrollment : none
           PreReqResult : WillNotProvision

For more information, please visit https://www.microsoft.com/aadjerrors
C:\WINDOWS\system32>


sikumars answered:

Hello @MartinGodfrey-9163 ,

Thanks for reaching out.

Could you please confirm how you configured hybrid device registration for your environment: with a federated domain or a managed domain? Also, could you confirm the operating system of the device that is having the issue?

In the case of a managed environment, could you verify that Azure AD Connect has synced the computer objects of the devices you want to be hybrid Azure AD joined to Azure AD? If the computer objects belong to specific organizational units (OUs), configure those OUs to sync in Azure AD Connect. To learn more about how to sync computer objects by using Azure AD Connect, see Organizational unit–based filtering. I ask because I see the following error in the logs above, which indicates that the device object is not found:

    Server ErrorSubCode : error_missing_device
       Server Operation : DeviceRenew
         Server Message : The device object by the given id (dcf25f7e-32a2-4353-9c94-55e73da71456) is not found.
           Https Status : 400
             Request Id : e3845944-6aad-4a2f-ba45-d92d319699d2

Before you make the above changes, please verify whether the working devices are synchronized and belong to OUs that are part of the sync scope in Azure AD Connect, because this is not mandatory in the case of a federated domain environment setup.

If you experience issues completing hybrid Azure AD join for domain-joined Windows devices, see: https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current#step-3-find-the-phase-in-which-join-failed-and-the-errorcode


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


MathieuVM commented:

In addition, when the OU sync part is done in Azure AD Connect, you can force an AD sync with Start-ADSyncSyncCycle -PolicyType Delta (otherwise you will have to wait up to 30 min to enroll).

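The answer and comment above come down to one check: is the computer object the device registered under actually inside Azure AD Connect's OU sync scope, and does the device id the client is presenting still exist in Azure AD? The following PowerShell script is an added example (not code from the thread or from Microsoft) that correlates those three views on the failing device. It assumes the RSAT ActiveDirectory module is available, that an AzureAD module session already exists (Connect-AzureAD), and that you replace the hypothetical $SyncedOUs list with the OUs selected in your own Azure AD Connect "Domain and OU filtering" page. The mapping it relies on is the documented one: during hybrid join the client writes a certificate to the computer object's userCertificate attribute whose subject CN is the device id, and that is the id DRS later reports in "The device object by the given id (...) is not found".

```powershell
# Added example, not from the thread: correlate the device id reported by
# dsregcmd /status with the on-prem computer object and with Azure AD.
# Assumptions: RSAT ActiveDirectory module, an existing Connect-AzureAD session,
# and a hypothetical $SyncedOUs list taken from your AD Connect OU filtering.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    # Hypothetical value: DNs of the OUs selected in Azure AD Connect.
    [string[]]$SyncedOUs = @('OU=Hybrid Devices,DC=corp,DC=example')
)

Import-Module ActiveDirectory

# 1. Device id the client presented to DRS, taken from the failure line in
#    dsregcmd /status (null when the last registration succeeded).
$status  = dsregcmd /status
$errorId = ($status | Select-String 'given id \(([0-9a-f-]{36})\)').Matches |
           ForEach-Object { $_.Groups[1].Value } | Select-Object -First 1

# 2. On-prem computer object: its DN (for the OU-scope check) and the
#    registration certificate(s) written into userCertificate during join.
$comp    = Get-ADComputer -Identity $ComputerName -Properties userCertificate, distinguishedName
$inScope = $SyncedOUs | Where-Object { $comp.DistinguishedName -like "*,$_" }
$certIds = foreach ($raw in $comp.userCertificate) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
    # Subject of the hybrid-join registration certificate is CN=<device id>
    if ($cert.Subject -match '^CN=([0-9a-f-]{36})$') { $Matches[1] }
}

# 3. Azure AD side: does a device object with the id from the error exist?
$cloud = $null
if ($errorId) {
    try   { $cloud = Get-AzureADDevice -Filter "deviceId eq '$errorId'" }
    catch { Write-Warning "Azure AD lookup failed (run Connect-AzureAD first): $($_.Exception.Message)" }
}

[pscustomobject]@{
    Computer             = $comp.DistinguishedName
    InSyncedOU           = [bool]$inScope
    IdFromDsregcmdError  = $errorId
    IdsInUserCertificate = ($certIds -join ',')
    FoundInAzureAD       = [bool]$cloud
}
```

Read the result as a decision table. InSyncedOU false with FoundInAzureAD false is the situation in this thread: the computer object was moved out of the scope Azure AD Connect syncs, so the cloud device object was removed and every DeviceRenew now fails with error_missing_device; fix the OU filtering (or move the object back), then run Start-ADSyncSyncCycle -PolicyType Delta on the AD Connect server as the comment suggests, and re-register with dsregcmd /debug /join in the SYSTEM context. InSyncedOU true with an empty IdsInUserCertificate means the client has never completed registration since the last /leave, so the sync has nothing to match and a fresh join is the next step. InSyncedOU true, an id in the certificate and FoundInAzureAD true means the device is fine on the registration side and the problem is elsewhere (PRT, proxy, user sign-in).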
MartinGodfrey-9163 answered:

OK so I put the device in a new OU in our on-premises Active Directory and set up synchronisation with AD Connect so that the OU syncs with Azure AD. The device is now Azure AD joined. However, Microsoft Teams and Microsoft Outlook will no longer function.


sikumars answered:

Hello @MartinGodfrey-9163 ,

In addition to that, the reason Microsoft Teams and Microsoft Outlook are not functioning is that the device has not received an EnterprisePrt for the user. You can confirm this by running the same command, dsregcmd /status, and checking that EnterprisePrt is set to YES under SSO State.

Additionally, I see WamDefaultSet : ERROR and a PAC (Proxy Auto-Configuration) related error in the logs above. Are you using PAC in your environment? If so, see Troubleshoot automatic detection.

If you don't use WPAD, but your organization requires access to the internet via an outbound proxy, then use the WinHTTP cmdlet to set the proxy for the device manually.

Run this command on a working device as well as on the non-working device and verify that both settings match:

netsh winhttp show proxy

You can also import the settings from the Internet Settings Control Panel, but bear in mind that the WinHTTP service does not support the use of scripts (like PAC or DAT files). For such behaviour you can use the following command:

netsh winhttp import proxy source=ie

for more information about WinHTTP, read WinHTTP Proxy Settings.

Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


MartinGodfrey-9163 answered:

Thanks for reaching out. Here are the answers to your questions.
After running dsregcmd /status
+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+

             AzureAdPrt : NO
    AzureAdPrtAuthority :
          EnterprisePrt : NO
 EnterprisePrtAuthority :

I'm also not aware we are using Proxy auto-configuration. I haven't come across it so far.

Also..
C:\WINDOWS\system32>netsh winhttp show proxy

Current WinHTTP proxy settings:

 Direct access (no proxy server).

C:\WINDOWS\system32>netsh winhttp import proxy source=ie

Current WinHTTP proxy settings:

 Direct access (no proxy server).

I have verified that my colleague has the same WinHTTP settings.

By the way, my colleague is also set to EnterprisePrt NO and her Teams and Outlook work fine!

Regards
Martin


MartinGodfrey-9163 answered:

I think the explanation that the OU the machine was in was not being synced by AD Connect is correct. I had done a successful trial, but maybe didn't appreciate some of the finer points involved when moving OUs, syncing to Azure AD, etc. Anyway, all of a sudden Teams and Outlook started working. I appreciate your thoughts on this matter.

Regards Martin
