AADLoginForWindows fails to join AAD with error-2145648525

Steve Down 96 Reputation points
2022-06-20T17:14:43.333+00:00

I'm using the AADLoginForWindows extension to try to domain join a VM to AAD (straight AAD, no hybrid AD). It looks from the output below that I'm not having connectivity problems, but am getting an error that the device cannot be enrolled. The error code -2145648525 does not yield anything in Google. There's nothing in \windows\system32\config\systemprofile\appdata\local\mdm, and there's nothing in the Event Viewer either.

Does anyone know what could be causing this error? I have MDM and MAM user scope set to All, and I have no policies in place that would restrict device enrollment.

2022-06-20T16:43:55.5556666Z	[Information]:	10.0.20348.1 (WinBuild.160101.0800)  
2022-06-20T16:43:55.5606702Z	[Information]:	Getting Dsregcmd capabilities.  
2022-06-20T16:43:55.5606702Z	[Information]:	Running Enable Action  
2022-06-20T16:43:55.5656708Z	[Information]:	Reporting handler status.  
2022-06-20T16:43:55.5656708Z	[Information]:	Detected Sequence number from environment: '1'  
2022-06-20T16:43:55.5756704Z	[Information]:	Handler Status: [{"status":{"code":0,"formattedMessage":{"lang":"en-US","message":"Running Enable Action"},"name":"Microsoft.Azure.ActiveDirectory.AADLoginForWindows","operation":"Enable","status":"transitioning","substatus":null},"timestampUTC":"\/Date(1655743435565)\/","version":"1"}]  
2022-06-20T16:43:55.5756704Z	[Information]:	Adding Registry Settings.  
2022-06-20T16:43:55.5756704Z	[Information]:	Getting device join info  
2022-06-20T16:43:55.5756704Z	[Information]:	Getting AADLogonForWindowsExtensionJoined registry setting  
2022-06-20T16:43:55.5806705Z	[Information]:	Configuration Folder Location: C:\Packages\Plugins\Microsoft.Azure.ActiveDirectory.AADLoginForWindows\1.0.0.1\RuntimeSettings  
2022-06-20T16:43:55.5956700Z	[Information]:	Handler Settings: PublicSettings: {MdmId: 0000000a-0000-0000-c000-000000000000}  
2022-06-20T16:43:55.5956700Z	[Information]:	PublicSettings: MdmId: 0000000a-0000-0000-c000-000000000000  
2022-06-20T16:43:55.5956700Z	[Information]:	MDM ID: 0000000a-0000-0000-c000-000000000000  
2022-06-20T16:43:55.5956700Z	[Information]:	Started AAD Join process.  
2022-06-20T16:43:55.6006690Z	[Information]:	Reporting handler status.  
2022-06-20T16:43:55.6006690Z	[Information]:	Handler Status: [{"status":{"code":0,"formattedMessage":{"lang":"en-US","message":"Started AAD Join Process"},"name":"Microsoft.Azure.ActiveDirectory.AADLoginForWindows","operation":"Enable","status":"transitioning","substatus":null},"timestampUTC":"\/Date(1655743435600)\/","version":"1"}]  
2022-06-20T16:43:55.6456688Z	[Information]:	10.0.20348.1 (WinBuild.160101.0800)  
2022-06-20T16:43:55.6456688Z	[Information]:	Getting Dsregcmd capabilities.  
2022-06-20T16:43:55.6506681Z	[Information]:	Running AAD Join Process  
2022-06-20T16:43:55.6506681Z	[Information]:	Starting Dsregcmd with arguments  /AzureSecureVMJoin /debug /MdmId 0000000a-0000-0000-c000-000000000000  
2022-06-20T16:43:55.6556711Z	[Information]:	Reporting handler status.  
2022-06-20T16:43:55.6606691Z	[Information]:	Detected Sequence number from environment: '1'  
2022-06-20T16:43:55.6656707Z	[Information]:	Handler Status: [{"status":{"code":0,"formattedMessage":{"lang":"en-US","message":"Started Dsregcmd Process"},"name":"Microsoft.Azure.ActiveDirectory.AADLoginForWindows","operation":"AADJoin","status":"transitioning","substatus":null},"timestampUTC":"\/Date(1655743435660)\/","version":"1"}]  
2022-06-20T16:43:57.4321370Z	[Information]:	DsrCLI: logging initialized.  
2022-06-20T16:43:57.4321370Z	[Information]:	DsrCLI: ClientRequestId: -----redacted----- Checking device join status...  
2022-06-20T16:43:57.4321370Z	[Information]:	Joining device to Azure AD with MSI credential.  
2022-06-20T16:43:57.4321370Z	[Information]:	Getting Azure VM metadata.  
2022-06-20T16:43:57.4321370Z	[Information]:	Targeting host name:169.254.169.254, url path: /metadata/instance/compute?api-version=2017-12-01  
2022-06-20T16:43:57.4321370Z	[Information]:	Received Content (size 539):  
2022-06-20T16:43:57.4321370Z	[Information]:	{"location":"eastus","name":"vmss-my-environment-win-jump_0","offer":"WindowsServer" ... d_D2_v5","zone":""}  
2022-06-20T16:43:57.4321370Z	[Information]:	Azure resource Id:/subscriptions/-----redacted-----/resourceGroups/rg-my-environment-services/providers/Microsoft.Compute/virtualMachineScaleSets/vmss-my-environment-win-jump  
2022-06-20T16:43:57.4321370Z	[Information]:	Getting Tenant ID from MSI.  
2022-06-20T16:43:57.4321370Z	[Information]:	Targeting host name:169.254.169.254, url path: /metadata/identity/info?api-version=2018-02-01  
2022-06-20T16:43:57.4321370Z	[Information]:	Received Content (size 52):  
2022-06-20T16:43:57.4321370Z	[Information]:	{"tenantId":"-----redacted-----"}  
2022-06-20T16:43:57.4371371Z	[Information]:	Discover tenant info with Tenant ID -----redacted-----.  
2022-06-20T16:43:57.4371371Z	[Information]:	Getting MSI token for app urn:ms-drs:enterpriseregistration.windows.net.  
2022-06-20T16:43:57.4371371Z	[Information]:	Targeting host name:169.254.169.254, url path: /metadata/identity/oauth2/token?resource=urn:ms-drs:enterpriseregistration.windows.net&api-version=2018-02-01  
2022-06-20T16:43:57.4371371Z	[Information]:	Received Content (size 1565):  
2022-06-20T16:43:57.4371371Z	[Information]:	{"access_token":"-----redacted-----" ... ken_type":"Bearer"}  
2022-06-20T16:43:57.4371371Z	[Information]:	Starting join process with MSI credential.  
2022-06-20T16:43:57.4371371Z	[Information]:	Join request ID: -----redacted-----   
2022-06-20T16:43:57.4371371Z	[Information]:	Join response time: Mon, 20 Jun 2022 16:43:56 GMT  
2022-06-20T16:43:57.4371371Z	[Information]:	Join HTTP status: 200  
2022-06-20T16:43:57.4371371Z	[Information]:	Starting MDM URLs discovery (MDM app ID is: 0000000a-0000-0000-c000-000000000000).  
2022-06-20T16:43:57.4371371Z	[Information]:	MDM Enrollment URL: https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc  
2022-06-20T16:43:57.4371371Z	[Information]:	MDM resource ID: https://enrollment.manage.microsoft.com/  
2022-06-20T16:43:57.4371371Z	[Information]:	Access token for MDM enrollment acquired successfully.  
2022-06-20T16:43:57.4371371Z	[Information]:	Starting MDM enrollment...  
2022-06-20T16:43:57.4421368Z	[Information]:	AzureSecureVMJoinOperation: MDM enrollment (DeviceEnroller::EnrollToMdm) failed with error 0x801c0073. MDM logs may contain more details on the failure. Additional information: MDM CanEnroll call returned CannotEnroll value  
2022-06-20T16:43:57.4421368Z	[Information]:	Rolling back device join.  
2022-06-20T16:43:57.4421368Z	[Information]:	Unjoin request ID: -----redacted-----   
2022-06-20T16:43:57.4421368Z	[Information]:	Unjoin response time: Mon, 20 Jun 2022 16:43:56 GMT  
2022-06-20T16:43:57.4421368Z	[Information]:	Unjoin HTTP status: 200  
2022-06-20T16:43:57.4421368Z	[Information]:	Device successfully unjoined from Azure AD.  
2022-06-20T16:43:57.4471352Z	[Error]:	AAD Join failed with status code -2145648525.  
2022-06-20T16:43:57.4471352Z	[Information]:	Reporting handler status.  
2022-06-20T16:43:57.4471352Z	[Information]:	Handler Status: [{"status":{"code":-2145648525,"formattedMessage":{"lang":"en-US","message":"AAD Join failed."},"name":"Microsoft.Azure.ActiveDirectory.AADLoginForWindows","operation":"AADJoin","status":"error","substatus":null},"timestampUTC":"\/Date(1655743437447)\/","version":"1"}]  
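The log above already localises the failure: the join itself returned HTTP 200, the MDM enrollment step failed with 0x801c0073, and the extension rolled the join back and reported that same value as a signed decimal. As an added example (not code from the question or from Microsoft's extension), the following Python parses lines in the extension's log format, converts the signed 32-bit status code to the HRESULT form the enrollment line uses, and summarises which stage stopped; the sample lines are constructed to mimic the format, using the codes quoted in the question.

```python
import json
import re

# Constructed sample in the extension's log format (tab-separated timestamp, level,
# message); timestamps are illustrative, the codes are the ones from the question.
SAMPLE_LOG = """\
2022-06-20T16:43:57.4371371Z\t[Information]:\tJoin HTTP status: 200
2022-06-20T16:43:57.4421368Z\t[Information]:\tAzureSecureVMJoinOperation: MDM enrollment (DeviceEnroller::EnrollToMdm) failed with error 0x801c0073. Additional information: MDM CanEnroll call returned CannotEnroll value
2022-06-20T16:43:57.4421368Z\t[Information]:\tDevice successfully unjoined from Azure AD.
2022-06-20T16:43:57.4471352Z\t[Error]:\tAAD Join failed with status code -2145648525.
2022-06-20T16:43:57.4471352Z\t[Information]:\tHandler Status: [{"status":{"code":-2145648525,"formattedMessage":{"lang":"en-US","message":"AAD Join failed."},"name":"Microsoft.Azure.ActiveDirectory.AADLoginForWindows","operation":"AADJoin","status":"error","substatus":null},"timestampUTC":"\\/Date(1655743437447)\\/","version":"1"}]
"""

LINE_RE = re.compile(r"^(\S+)\t\[(\w+)\]:\t(.*)$")
MDM_ERR_RE = re.compile(r"EnrollToMdm\) failed with error (0x[0-9A-Fa-f]+)")

def to_hresult(code: int) -> str:
    """Render a signed 32-bit status code in the 0x-form Windows logs use."""
    return f"0x{code & 0xFFFFFFFF:08X}"

def parse_log(text: str):
    """Yield (timestamp, level, message) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            yield m.group(1), m.group(2), m.group(3)

def triage(text: str) -> dict:
    """Summarise how far the join flow got and what the extension reported."""
    r = {"join_http": None, "mdm_error": None, "rolled_back": False,
         "final_code": None, "final_hresult": None}
    for _ts, _level, msg in parse_log(text):
        if msg.startswith("Join HTTP status:"):
            r["join_http"] = int(msg.split(":", 1)[1])
        m = MDM_ERR_RE.search(msg)
        if m:  # normalise 0x801c0073 -> 0x801C0073
            r["mdm_error"] = to_hresult(int(m.group(1), 16))
        if msg.startswith("Device successfully unjoined"):
            r["rolled_back"] = True
        if msg.startswith("Handler Status:"):
            for entry in json.loads(msg[len("Handler Status:"):]):
                if entry["status"]["status"] == "error":
                    r["final_code"] = entry["status"]["code"]
                    r["final_hresult"] = to_hresult(r["final_code"])
    # The same HRESULT appears in both places: the extension's -2145648525 is the
    # MDM enrollment failure 0x801C0073 surfaced as a signed decimal.
    r["same_failure"] = r["mdm_error"] == r["final_hresult"]
    return r
```

Run `triage(SAMPLE_LOG)` (or feed it the real CommandExecution log) to see that connectivity and the directory join succeeded and only the MDM CanEnroll check refused the device.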

1 answer

  1. SeanKight 16 Reputation points
    2022-06-20T18:59:53.5+00:00

    I've had this issue before. It seems to have been caused by some previous registration. I attach the following TXT which can be run in an administrative PowerShell session which cleans up any previous registration.

    Once run, try joining to AzureAD again.

    213105-cleanup-adregistrations.txt
