Having enabled Hybrid Azure AD device join through the AD Connect Wizard (Seamless SSO and hash sync, no ADFS) and having deployed GPs, I am seeing the following in the AAD event log:
AAD Cloud AP plugin call Plugin initialize returned error: 0xC00484B2
Device is not cloud domain joined: 0xC00484B2
PS C:\Users\office365test1> dsregcmd /status
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+
AzureAdJoined : NO
EnterpriseJoined : NO
DeviceId : 602d02e8-e435-4c6c-bdee-affea1723aab
Thumbprint : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
KeyContainerId : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
KeyProvider : Microsoft Platform Crypto Provider
TpmProtected : YES
KeySignTest: : MUST Run elevated to test.
Idp : login.windows.net
TenantId : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
TenantName : My Tenant Name
AuthCodeUrl : https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxx/oauth2/authorize
AccessTokenUrl : https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxx/oauth2/token
MdmUrl : https://wip.mam.manage.microsoft.com/Enroll
MdmTouUrl :
MdmComplianceUrl :
SettingsUrl : biglongstring
JoinSrvVersion : 1.0
JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/
JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net
KeySrvVersion : 1.0
KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/
KeySrvId : urn:ms-drs:enterpriseregistration.windows.net
WebAuthNSrvVersion : 1.0
WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/xxxxxxxxxxxxxxxxxxxxxxxx/
WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net
DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/xxxxxxxxxxxxxxxxxxxxxxxxx/
DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net
DomainJoined : YES
DomainName : mydomain
+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
NgcSet : NO
WorkplaceJoined : YES
WorkplaceDeviceId : 602d02e8-xxxxxxxxxxxxxxxxxxxxxxxxxx
WorkplaceThumbprint : xxxxxxxxxxxxxxxxxxxxxxxxxx
WorkplaceIdp : login.windows.net
WorkplaceTenantId : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
WorkplaceTenantName : my tenant name
WorkplaceMdmUrl : https://wip.mam.manage.microsoft.com/Enroll
WorkplaceSettingsUrl : biglongstring=
WamDefaultSet : NO
AzureAdPrt : NO
AzureAdPrtAuthority : NO
EnterprisePrt : NO
EnterprisePrtAuthority : NO
+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+
IsUserAzureAD : NO
PolicyEnabled : NO
DeviceEligible : YES
SessionIsNotRemote : YES
CertEnrollment : none
AadRecoveryNeeded : NO
PreReqResult : WillNotProvision
Jimmy White, MCSE Consultant Gigasoft Ltd.
Question
We are trying to automatically join my on-prem domain joined machines to Azure Active Directory.
According to this article this should be possible: https://azure.microsoft.com/nl-nl/documentation/articles/active-directory-azureadjoin-devices-group-policy/
Specifications:
The critical servers have the following versions.
Forest and domain functional domain level: 2003 minimum OS 2008 R2.
Domain Controllers run Windows 2008 or Windows 2012R2
Azure AD connect version: V1.1.110.
ConfigMgr: 1602 for Microsoft passport and Windows Hello (Hybrid Intune)
Windows 10 client: V1511 10586.104.
Error message received: AAD Cloud AP Plugin initialize returned error: 0xc00484B2
My guess is the OS version of the Domain Controllers! Can anyone help or confirm my guess.
TIA
Any questions, just ask!
anatoly_neo, a 20-second delay is visible in the log.
At the same time, Windows.Security.Authentication.Web.Core.dll is on the stack, which hints at an Office authentication problem.
P.S. As an experiment, remove Kaspersky.
Last edited by Petya V4sechkin, 10-02-2021 at 01:05.
anatoly_neo, the symptoms don't match exactly (in your case only Outlook is slow), but the problem is somehow related to authentication.
And this is consistent with your situation: starting with certain builds of Office 2016 and Windows 10, the authentication method changed from ADAL to WAM (Web Account Manager).
Look in Applications and Services Logs -> Microsoft -> Windows -> AAD for events whose timestamps coincide with the hangs.
P.S. By the way, the Web Account Manager service in Windows 10 isn't disabled by any chance, is it?
P.S. By the way, the Web Account Manager service in Windows 10 isn't disabled by any chance, is it? »
Look in Applications and Services Logs -> Microsoft -> Windows -> AAD for events whose timestamps correspond to the hangs. »
I installed fresh Windows and Office 2019 on a new PC. When trying to launch Office, there are 4 warnings in AAD:
1)
Error: 0x80070002 Не удается найти указанный файл.
Exception of type ‘class DSRegException’ at acquiretokencontext.cpp, line: 208, method: AcquireTokenContext::GetFallbackDomain.
Log: 0xcaac03f1 Failed to get the DC registration data. Cannot get the domain name.
Logged at acquiretokencontext.cpp, line: 208, method: AcquireTokenContext::GetFallbackDomain.
2)
Error: 0xCAA9004D Account type is unknown.
Exception of type ‘class Exception’ at aggregatedtokenrequest.cpp, line: 157, method: AggregatedTokenRequest::UseWindowsIntegratedAuth.
Logged at aggregatedtokenrequest.cpp, line: 159, method: AggregatedTokenRequest::UseWindowsIntegratedAuth.
Request: authority: https://login.microsoftonline.com/common, client: d3590ed6-52b3-4102-aeff-aad2292ab01c, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/d3590ed6-52b3-4102-aeff-aad2292ab01c, resource: https://officeapps.live.com, correlation ID (request): 0fd253d0-d916-49bf-9161-9ebac2fce256
3)
Error: 0x80070002 Не удается найти указанный файл.
Exception of type ‘class DSRegException’ at acquiretokencontext.cpp, line: 208, method: AcquireTokenContext::GetFallbackDomain.
Log: 0xcaac03f1 Failed to get the DC registration data. Cannot get the domain name.
Logged at acquiretokencontext.cpp, line: 208, method: AcquireTokenContext::GetFallbackDomain.
4)
Error: 0xCAA9004D Account type is unknown.
Exception of type ‘class Exception’ at aggregatedtokenrequest.cpp, line: 157, method: AggregatedTokenRequest::UseWindowsIntegratedAuth.
Logged at aggregatedtokenrequest.cpp, line: 159, method: AggregatedTokenRequest::UseWindowsIntegratedAuth.
Request: authority: https://login.microsoftonline.com/common, client: d3590ed6-52b3-4102-aeff-aad2292ab01c, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/d3590ed6-52b3-4102-aeff-aad2292ab01c, resource: https://api.office.net, correlation ID (request): dc98b904-73d5-49ed-8e7b-38232176dfd8
And the same symptom: Outlook hangs for 20-30 seconds and then opens.
There are also errors in AAD, but they occur at PC startup:
1) Device is not cloud domain joined: 0xC00484B2
2) AAD Cloud AP plugin call Plugin initialize returned error: 0xC00484B2
Question
Hello,
I have Windows 10 1703 Enterprise edition, runs on VMware fusion.
Seems like it doesn’t support windows Hello for business — this sentence appears in settings>Account ‘Hello isn’t available on this device’
In addition, I can’t set up a Pin for domain users but for local users only.
I tried every solution I found on the web, including enabling Biometrics, enabling the use of Windows Hello, etc. I went through probably every solution there is on the web. The only thing I didn't do is delete the NGC folder, which I don't have access to. I know that Windows Hello can work with a PIN only, and it works on Fusion.
Is it related to version or build? I can go and buy a new OS, but before doing so, I want to make sure it can work (if I know why it doesn’t work, it will be helpful)
Thanks.
Introduction
In a Windows Azure environment, an Azure AD Connect call to plugin initialize returns an error with the error code 0xC00484B2. This is a common issue. It occurs when the user changes his password after successfully joining a station, or if he changes his username and password after changing the password. When this happens, the user is unable to authenticate until his or her profile is recreated.
What is the cause of this error?
The cause of this error is unknown. It may be a faulty configuration or some other issue. The best solution would be to install a fresh copy of the AAD Cloud API and try again. Once the aad-cloud API call is successful, you should receive the corresponding response. If you get the error message again, you can try reinstalling the AAD Connect service.
Generally, the Azure AD Cloud AP plug-in call will fail if the call is made without an access token. The access token is used to sign a device, which can also be registered or joined to Azure AD. The device object is the identifier for the device. The PRT token created using this device will inherit the value of the RegistrationAuthMethods. You can change the value of this parameter by using AADInternals.
How to access Azure AD?
Upon joining a device, the Azure AD node will generate two keys: a Device key and a Transport key. These two keys are used to identify the device. When creating a PRT, the transport key will be used to decrypt the session key. Once the authentication process is complete, the AADInternals can use the PRT token to access the Azure AD.
Besides the error code, the aad cloud ap plugin initialize returned error 0xc00484b2 in the application’s code. The device object is the object used to identify the device. It is the key that controls access to the service. Then, the AADInternals will use the value of the PRT token to authenticate the user.
The registry key 0xc00484b2 means that the Azure AD is unable to initialize the device. The problem is in the Windows registry, which contains a key called Automatic-Device-Join. This task runs as SYSTEM and queries Azure AD's tenant information. Afterwards, it will create a PRT token that uses the device's access token.
The aad cloud ap plugin’s initialization method should be set correctly. Then, it should register the device. The dkpriv value should be a valid certificate, as it will identify the device. When the user tries to join a computer, he or she should be signed into a service that enables the user to use the device.
When does the error occur?
This error occurs when a device attempts to register with Azure AD. The error code 0xc00484b2 is a result of a problem with the authentication process. The device is not connected to an Azure AD account. During the initialization process, it will register with the Azure AD and be signed in.
The error can be caused by several reasons. For example, the aad server may have detected that the device is registered in another country. Alternatively, the device may have been registered and is trying to sign in to the same domain. In this case, the aad server will request a certificate for this IP address. Then, it will ask the user for the access token.
Conclusion
Whether it is due to an AAD authentication failure or an issue with a password, the issue is related to the AAD authentication. If a device is not already registered in Azure AD, it will not be able to sign in. Moreover, the password will not be saved in the AAD. Ultimately, you must check whether the device’s certificate is valid and that it matches the AAD FS object.
Building on my previous posts:
- Hybrid Azure AD Join – How a computer device is recognized as Hybrid device ?
- Azure AD Connect: How to manually synchronize using import, synchronize, export?
Now it is easy to find out how to make hybrid join happen immediately:
- Setup the hybrid AAD auto join infrastructure, i.e. AAD, SCP configuration, rollout plan (by GPO), etc.
- Make sure the userCertificate attribute of the computer object exists.
- Delta import from on-premise AD (run Delta Import on the on-premise AD connector)
- Delta synchronize on the on-premise AD connector (run Delta Synchronization on the on-premise AD connector)
- Export to AAD (run Export on AAD connector)
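As an added example (not code from the original post), the steps above as a PowerShell script for the Azure AD Connect server. It assumes the ADSync and ActiveDirectory modules are present, that the on-prem connector is typed "AD" and the Azure AD connector name ends in " - AAD" (the defaults), and that the run profiles carry their default names.

```powershell
# Added example: hybrid join "make it happen now" steps as PowerShell.
# Assumptions: run on the Azure AD Connect server as a member of the ADSyncAdmins group,
# with the ADSync and ActiveDirectory modules available.
Import-Module ActiveDirectory
Import-Module ADSync

function Test-HybridJoinCertificate {
    # Returns the thumbprints stored in the computer's userCertificate attribute,
    # or nothing if the attribute has not been populated yet (step 2 above).
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName -Properties userCertificate
    $thumbprints = @()
    foreach ($raw in @($computer.userCertificate)) {
        # Each value is the DER-encoded device certificate written during registration
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
        $thumbprints += $cert.Thumbprint
    }
    return $thumbprints
}

function Invoke-HybridJoinDeltaSync {
    # Runs Delta Import and Delta Synchronization on the AD connector, then Export on the AAD connector.
    param([Parameter(Mandatory)][string]$ComputerName)

    if (-not (Test-HybridJoinCertificate -ComputerName $ComputerName)) {
        throw "userCertificate is empty on $ComputerName; the device has not registered yet, so there is nothing to export."
    }

    # Assumption: default connector naming from the Azure AD Connect wizard
    $adConnector  = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' } | Select-Object -First 1
    $aadConnector = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' } | Select-Object -First 1
    if (-not $adConnector -or -not $aadConnector) {
        throw 'Could not identify both the on-premises AD connector and the Azure AD connector.'
    }

    # Pause the built-in scheduler so a scheduled cycle does not collide with the manual run profiles
    Set-ADSyncScheduler -SyncCycleEnabled $false
    try {
        Invoke-ADSyncRunProfile -ConnectorName $adConnector.Name  -RunProfileName 'Delta Import'
        Invoke-ADSyncRunProfile -ConnectorName $adConnector.Name  -RunProfileName 'Delta Synchronization'
        Invoke-ADSyncRunProfile -ConnectorName $aadConnector.Name -RunProfileName 'Export'
    } finally {
        Set-ADSyncScheduler -SyncCycleEnabled $true
    }
}

# Usage (hypothetical computer name):
# Invoke-HybridJoinDeltaSync -ComputerName 'WS-EXAMPLE01'
```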
About Error: AAD Cloud AP plugin call Plugin initialize returned error: 0xC00484B2
This error also appears even after the device is hybrid AAD joined, so you should not rely on this message to troubleshoot your automatic hybrid AAD join.
14th May 2021, 12:49 PM #1
Hello, we are slowly seeing a propagation of an error with Teams showing the user ‘Something went wrong’ message when signing in. This is now also being noted in OneDrive and a bit of Outlook.
Teams logs have a fairly consistent error:
warning — wamAccountEnumService: [AUTH] WAM enumeration response for AAD accounts was non-success. Status: 3. ErrorCode: 80080300.
We use AADConnect to sync our AD to Azure, nothing obvious here.
Has anyone seen this or has any ideas?
Thanks
14th May 2021, 02:01 PM #2
Not massively reliant on MS cloud services here, but, I am getting Errorcode 80080300 and my OneNote isn’t syncing properly.
Assuming a Microsoft service outage!
17th May 2021, 10:37 AM #3
Originally Posted by petben
Hello, we are slowly seeing a propagation of an error with Teams showing the user ‘Something went wrong’ message when signing in. This is now also being noted in OneDrive and a bit of Outlook.
Teams logs have a fairly consistent error:
warning — wamAccountEnumService: [AUTH] WAM enumeration response for AAD accounts was non-success. Status: 3. ErrorCode: 80080300.
We use AADConnect to sync our AD to Azure, nothing obvious here.
Has anyone seen this or has any ideas?
Thanks
Oddly enough, we’re seeing this randomly now too.
Did you get anywhere with finding a solution? Nothing at all has changed on our network so we’re a little perplexed at why it’s starting to happen.
We’re fully SSO and utilise OneDrive and Teams quite heavily, both of which are now failing to sign in automatically.
Do you use a Smoothwall at all?
17th May 2021, 10:45 AM #4
We’re having the same thing this morning. Staff randomly not being signed into Office (and this coming up as unlicensed), with Outlook & Teams not working properly.
17th May 2021, 10:48 AM #5
I work with petben.
We are still seeing the issue this morning. Affecting Outlook, Teams, OneDrive, seemingly at random.
We do use Smoothwall, but we have taken a broken session, put it on a completely unfiltered/firewalled network and the issue has persisted.
We run Azure AD Sync, with password hash synchronisation.
17th May 2021, 10:57 AM #6
Originally Posted by psynegy
I work with petben.
We are still seeing the issue this morning. Affecting Outlook, Teams, OneDrive, seemingly at random.
We do use Smoothwall, but we have taken a broken session, put it on a completely unfiltered/firewalled network and the issue has persisted.
We run Azure AD Sync, with password hash synchronisation.
That sounds identical to our issue, and setup incidentally. Ours started happening last week (Thursday) and it has persisted since then. Users see this error for OneDrive
OneDrive Issue.JPG
Teams loads but the user just sees a message saying something went wrong.
Office apps come back as unlicensed.
17th May 2021, 10:58 AM #7
17th May 2021, 10:59 AM #8
We had that on 1 user last week… they had logged on with a cached network profile before the station had updated its IP address. A reboot of the station and it then worked fine.
17th May 2021, 11:01 AM #9
Given the timing, I was wondering if this is a bug introduced by the latest round of Windows Updates? Haven’t had a chance to test it yet though.
17th May 2021, 11:27 AM #10
Originally Posted by PlantHead
Heck!
Do you know when this notification was released at all? I can’t seem to see a date stamp.
17th May 2021, 11:30 AM #11
Well the associated KB it refers to was created on the 04/08/2021 regarding connection issues signing in to Office 2016 (https://docs.microsoft.com/en-US/off…in-office-2016) so it’s been a possible issue for the last month or so?
17th May 2021, 12:37 PM #12
I’m diving deeper into this now.
Looks like the machines/users that I’m having the issues with aren’t hybrid domain joining any more. Event viewer spits out:
Device is not cloud domain joined: 0xC00484B2
AAD Cloud AP plugin call Plugin initialize returned error: 0xC00484B2
17th May 2021, 02:09 PM #13
In our case it’s the remaining machines we had on 1909 (about 8 of them) and it’s completely random. A teacher could be fine period 1, but period 2 another teacher comes along and Office wants them to sign in, then rejects it and deactivates (we have the 365 version deployed & it updates automatically).
The only thing in common these machines have is that they’re 1909. I checked the Azure AD status and they’re reporting normally.
17th May 2021, 02:11 PM #14
Originally Posted by chris11256
In our case it’s the remaining machines we had on 1909 (about 8 of them) and it’s completely random. A teacher could be fine period 1, but period 2 another teacher comes along and Office wants them to sign in, then rejects it and deactivates (we have the 365 version deployed & it updates automatically).
The only thing in common these machines have is that they’re 1909. I checked the Azure AD status and they’re reporting normally.
You think going 20H2 might solve the issue then?
17th May 2021, 02:12 PM #15
Originally Posted by psynegy
You think going 20H2 might solve the issue then?
I’ve updated one of them during a free period and suspect so. We’ve had no reports of this problem on our 20H2 machines at all.
With Azure AD Conditional Access (CA) policies you can require that only managed devices can access resources protected by Azure AD – https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/require-managed-devices#managed-devices
As mentioned in the article above, you might require that the devices users sign in from are hybrid Azure AD joined.
Here is the official Microsoft documentation about the Azure AD PRT.
As explained in this blog – https://jairocadena.com/2016/11/08/how-sso-works-in-windows-10-devices/ – the Azure AD Primary Refresh Token (Azure AD PRT) is used during Azure AD CA policy evaluation to get information about the Windows 10 device registration state.
The mentioned blog explains that the Azure AD PRT is initially obtained during the user's sign-in to the station. In simple words, if the Cloud AP plugin is able to authenticate on behalf of the user (UPN and password, or Windows Hello for Business PIN) to get an Azure AD access token, and the device is able to authenticate to Azure AD using its device registration state (the MS-Organization-Access certificate), the Azure AD PRT will be issued to the user.
If either of these two parts (user or device) fails its authentication step, no Azure AD PRT will be issued.
So when you see an Azure AD Conditional Access error stating that the device is NOT registered, it doesn't necessarily mean that hybrid Azure AD join is not working in your environment; it might mean that a valid Azure AD PRT was not presented to Azure AD.
To check if the Azure AD PRT is present for the user signed in to a Windows 10 device, you can use the "dsregcmd /status" command. Starting with Windows 10 version 1809, the Azure AD PRT info is stored in the SSO State section:
+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+
AzureAdPrt : YES
AzureAdPrtUpdateTime : 2019-04-03 17:25:24.000 UTC
AzureAdPrtExpiryTime : 2019-04-17 21:25:54.000 UTC
AzureAdPrtAuthority : https://login.microsoftonline.com/tenantID
By the way, you can use the usual /? switch to get help for the "dsregcmd" command (Windows 1809 and newer versions).
Keep in mind that the Azure AD PRT is a per-user token, so you might see AzureAdPrt : NO if you are running "dsregcmd /status" as a local user or as a user that is not synchronized (the on-premises AD user UPN doesn't match the Azure AD UPN).
From my experience, here are examples of what might be the root cause of the Azure AD PRT being absent for the user (I will be updating the list as I discover more possible root causes):
- The device indeed is not hybrid Azure AD joined;
- The local registration state of the computer doesn't match the records in Azure AD:
  - The Azure AD computer object was deleted by a Global Admin via the portal or PowerShell;
  - The computer was moved out of the Azure AD Connect sync scope and was removed from Azure AD by Azure AD Connect;
  - Some service modified the Azure AD computer object and deleted the AlternativeSecurityIds attribute from the Azure AD computer object;
- The CloudAP plugin is not able to authenticate on behalf of the user to get an Azure AD access token:
  - If the user is federated, the on-premises STS is not reachable or the STS does not have a WS-Trust endpoint enabled (yes, WS-Trust is still required for the Azure AD PRT flow and optional for the Windows 1803 and newer registration flow) (for AD FS the WS-Trust endpoint is adfs/services/trust/13/usernamemixed);
  - The user has recently changed the UPN and is using Windows 1709 or an older OS version and can't get a new, or refresh an expired, Azure AD PRT (this issue was resolved in 1803 and newer).
Here are the recommended troubleshooting steps for the scenarios mentioned above:
- To troubleshoot why the computer can't perform hybrid Azure AD join, refer to the following post – https://s4erka.wordpress.com/2018/03/06/azure-ad-device-registration-error-codes/;
- To better understand whether there is a discrepancy between the local registration state and the Azure AD records, collect and review the following info:
  - "dsregcmd /status" output on the affected computer; make notes of the following fields: AzureAdJoined, DeviceCertificateValidity, AzureAdPrt, AzureAdPrtUpdateTime, AzureAdPrtExpiryTime;
  - Check the Azure AD portal, Devices blade: see if the station is present in Azure AD and has a timestamp listed in the Registered column, and compare it with the time in DeviceCertificateValidity from the previous step. If there is no timestamp in the Registered column, the AlternativeSecurityIds attribute (which contains the MS-Organization-Access certificate thumbprint; this is the certificate that was saved to the station during the registration process) was removed and the station needs to be re-joined to Azure AD;
  - You can check whether the station has the AlternativeSecurityIds attribute by using the Get-MsolDevice Azure AD PowerShell cmdlet;
  - Check if the computer object is in the sync scope of Azure AD Connect;
- To get more clues about the user portion of the Azure AD PRT acquisition process, it's recommended to review the following Windows 10 logs: Application and Services Logs – Microsoft – Windows – AAD. These contain Operational and Analytic logs. Analytic logs are the equivalent of Debug logs and are disabled by default. Usually you should be able to get the info just by looking at the AAD Operational log. In the AAD Operational log, look for the events generated by AadCloudAPPlugin Operation. By reading these logs you should get an idea whether the STS is not reachable because of network or protocol issues, or Cloud AP is not able to authenticate on behalf of the user due to incorrect credentials or access policies configured on the STS that block the authentication attempt for this user;
You can also use the “Get-WinEvent” PowerShell cmdlet to quickly pull latest AAD logs related to Azure AD Cloud AP plugin:
Get-WinEvent -LogName "Microsoft-Windows-AAD/Operational" -MaxEvents 20 | Where-Object { $_.TaskDisplayName -like "*AadCloudAPPlugin*" } | Format-Table TimeCreated, Id, KeywordsDisplayNames, Message -Wrap -AutoSize
Keep in mind that Windows down-level devices do not have an Azure AD PRT; they "prove" to Azure AD CA that they are registered by establishing a TLS authentication channel using the MS-Organization-Access certificate saved in the User certificate store during device registration. So if a successfully registered down-level Windows device is treated by an Azure AD CA policy as not registered, most likely something (firewall/proxy) is interfering with that device authentication attempt.
In case you have verified that the signed-in user has an Azure AD PRT, but the user who attempts to sign in via Microsoft Edge or Edge Chromium is still getting "Device State: Unregistered", make sure the user is signed in to the browser with their work account. More details in this official document. Some other forums/blogs have mentioned that a GPO is available to force automatic sign-in into the Edge browser to make it easier for the users.
AadCloudAPPlugin error code examples and possible causes
0x80072ee7 followed by 0xC000023C – as mentioned in my Device Registration post, most likely caused by network or proxy settings; the AadCloudAP plugin running under SYSTEM can't access the Internet;
0xC000006A with a WS-Trust response error "FailedAuthentication" coming before it – I have seen these errors coming from 3rd-party IdPs (Ping, Okta) due to user sync issues to the Identity Provider (IdP) database. Also read the error description to get more clues about other possible causes of the failed authentication, and check the IdP logs.
Logon failure. Status: 0xC000005F Correlation ID – check the federation settings of the user's domain and make sure that the identity provider supports the WS-Trust protocol as mentioned here. IdPs using SAML as the primary authentication protocol will cause this error.
AAD Cloud AP plugin call Lookup name from SID returned error: 0xC00485D3 (along with the call to the Azure AD sidtoname endpoint in the previous AadCloudAPPlugin event) – you might see this error on an Azure AD joined machine in a managed (non-federated) environment if the user signs in to the Windows machine using a certificate. Smart card sign-in is not supported for that scenario.
AAD Cloud AP plugin call SignDataWithCert returned error: 0x80090016 followed by Http transport error. Status: Keyset does not exist Correlation ID followed by Logon failure. Status: 0xC0090016 Correlation ID – most likely the device has lost access to the device and transport keys (TPM corruption – check with the hardware vendor whether new firmware is available), or the image used for VDI was HAADJ (not recommended by public documents). Re-registering the device (newer OS versions should auto-recover) should address this issue and allow obtaining an AAD PRT.
AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048512 – most likely you are looking at token acquisition events for a local account, which are not related to the sign-ins of the user you are trying to troubleshoot. Keep searching for relevant events. 🙂
Logon failure. Status: 0xC00484C0 with Http transport error: Status: Unknown HResult Error code: 0x80048c0 – most likely you will see this in environments federated with a non-Microsoft STS. Look for the event before these two events to see which STS endpoint returned this error and, using the timestamp, examine the STS logs for more details.
Logon failure. Status: 0xC004848C – most likely you will see this in environments federated with a non-Microsoft STS when the user uses a smart card to sign in to the computer and the IdP MEX endpoint doesn't contain information about the certificate authentication endpoint/URL. This needs to be fixed on the IdP side.
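As an added example (not code from the original post), the list above turned into a triage helper: a PowerShell map from the AadCloudAPPlugin error codes listed here to their likely cause, applied to AAD Operational event messages. The sample messages are constructed; the live variant reuses the Get-WinEvent query shown earlier.

```powershell
# Added example: error code -> likely cause, as described in the list above.
$AadCloudApCauses = [ordered]@{
    '0x80072ee7' = 'Network/proxy settings: Cloud AP runs as SYSTEM and cannot reach the Internet'
    '0xC000023C' = 'Follows 0x80072ee7; same network/proxy root cause'
    '0xC000006A' = 'WS-Trust FailedAuthentication from the IdP (user sync issue to the IdP database); read the error text and check IdP logs'
    '0xC000005F' = 'Federation settings: the IdP must support WS-Trust; SAML-only IdPs cause this'
    '0xC00485D3' = 'Lookup name from SID failed: certificate (smart card) sign-in on an Azure AD joined device in a managed tenant is not supported'
    '0x80090016' = 'Keyset does not exist: device/transport keys lost (TPM corruption or cloned HAADJ VDI image); re-register the device'
    '0xC0090016' = 'Logon failure that follows 0x80090016; same key-loss root cause'
    '0xC0048512' = 'GenericCallPkg for a local account; not the sign-in you are troubleshooting'
    '0xC00484C0' = 'Non-Microsoft STS returned an error; check the preceding STS endpoint event and the STS logs by timestamp'
    '0xC004848C' = 'Smart card sign-in with a federated IdP whose MEX endpoint lacks the certificate authentication endpoint; fix on the IdP side'
    '0xC00484B2' = 'Device is not cloud domain joined; also logged on healthy hybrid-joined devices, so do not rely on it alone'
}

function Get-AadCloudApCause {
    # Returns one object per known error code found in an event message.
    param([Parameter(Mandatory)][string]$Message,
          [datetime]$TimeCreated = [datetime]::MinValue)
    foreach ($m in [regex]::Matches($Message, '0x[0-9A-Fa-f]{8}')) {
        # Compare case-insensitively so 0xc00484b2 and 0xC00484B2 both match the map
        $key = @($AadCloudApCauses.Keys) | Where-Object { $_ -ieq $m.Value } | Select-Object -First 1
        if ($key) {
            [pscustomobject]@{
                TimeCreated = $TimeCreated
                Code        = $key
                Cause       = $AadCloudApCauses[$key]
                Message     = $Message
            }
        }
    }
}

function Get-AadCloudApTriage {
    # Live variant: same filter as the Get-WinEvent one-liner above, piped through the map.
    param([int]$MaxEvents = 50)
    Get-WinEvent -LogName 'Microsoft-Windows-AAD/Operational' -MaxEvents $MaxEvents |
        Where-Object { $_.TaskDisplayName -like '*AadCloudAPPlugin*' } |
        ForEach-Object { Get-AadCloudApCause -Message $_.Message -TimeCreated $_.TimeCreated }
}

# Constructed sample messages (wording mirrors the event examples above; the correlation ID is a placeholder)
$sampleMessages = @(
    'AAD Cloud AP plugin call SignDataWithCert returned error: 0x80090016',
    'Logon failure. Status: 0xC000005F Correlation ID: 00000000-0000-0000-0000-000000000000',
    'AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048512',
    'Device is not cloud domain joined: 0xc00484b2'
)
$sampleMessages | ForEach-Object { Get-AadCloudApCause -Message $_ } | Format-Table Code, Cause -Wrap
```

On a real machine, run Get-AadCloudApTriage in the affected user's session and read the events in time order, since several causes are identified by the event that precedes the error.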
And a final thought. In case you need to re-join the current Windows device, make sure to follow the steps in this order to ensure the station has really been disjoined and will attempt a clean join process. Also keep in mind that since the computer object is recreated, the BitLocker recovery keys that you might be saving in Azure AD for this station will be deleted and you will need to re-save them.
- Open an elevated CMD (as local Admin) and issue "dsregcmd /leave". Running CMD elevated is important, since during the leave flow the registration service tries to contact Azure AD and delete the computer object, and also tries to delete the MS-Organization-Access certificate from the Computer certificate store, which definitely requires elevated privileges;
- Open a new CMD window and confirm that the local registration state is cleaned and the station is not Azure AD joined by issuing "dsregcmd /status";
- Using the Azure AD devices portal, confirm the computer object is gone; if not, delete it manually;
- In case you are in a managed environment, you need to run a delta Azure AD Connect sync to pre-sync the AD computer object to Azure AD;
- Restart the station and sign in as an Azure AD synchronized user.
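An added PowerShell example, not from the original blog, that parses "dsregcmd /status" output and applies the checks described earlier (the SSO State fields, the AzureAdJoined / PRT expiry review, and the post-leave confirmation in step 2 above). It assumes the "Name : Value" layout of Windows 10 1809 and newer, and that the issuer name of the device certificate in the machine store contains "MS-Organization-Access" (an assumption).

```powershell
function ConvertFrom-DsregcmdStatus {
    # Turns "Name : Value" lines from dsregcmd /status into a hashtable.
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*[+|]') { continue }              # box borders and section headers
        if ($line -match '^\s*([A-Za-z0-9_]+)\s*:\s*(.*)$') {  # split on the first colon only (URLs contain more)
            $state[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $state
}

function ConvertFrom-DsregcmdTime {
    # dsregcmd prints times like "2019-04-17 21:25:54.000 UTC"; parse them as UTC.
    param([Parameter(Mandatory)][string]$Text)
    $styles = [System.Globalization.DateTimeStyles]::AssumeUniversal -bor [System.Globalization.DateTimeStyles]::AdjustToUniversal
    return [datetime]::ParseExact($Text, "yyyy-MM-dd HH:mm:ss.fff 'UTC'", [System.Globalization.CultureInfo]::InvariantCulture, $styles)
}

function Test-AzureAdPrtState {
    # Applies the checks from the post: joined state, PRT presence, PRT expiry.
    param([Parameter(Mandatory)][hashtable]$State,
          [datetime]$Now = (Get-Date).ToUniversalTime())
    $findings = @()
    if ($State['AzureAdJoined'] -ne 'YES') {
        $findings += 'AzureAdJoined is not YES: hybrid join missing or local registration state wiped'
    }
    if ($State['AzureAdPrt'] -ne 'YES') {
        $findings += 'AzureAdPrt is NO: Conditional Access will treat this device as unregistered (check the user is a synced user, then the AAD Operational log)'
    } elseif ($State['AzureAdPrtExpiryTime']) {
        $expiry = ConvertFrom-DsregcmdTime -Text $State['AzureAdPrtExpiryTime']
        if ($expiry -lt $Now) {
            $findings += "Azure AD PRT expired at $($expiry.ToString('u')) and was not refreshed"
        }
    }
    return $findings
}

function Test-DsregcmdLeaveClean {
    # After "dsregcmd /leave": state must show AzureAdJoined NO and the
    # MS-Organization-Access certificate must be gone from the machine store.
    param([Parameter(Mandatory)][hashtable]$State)
    $joined = $State['AzureAdJoined'] -eq 'YES'
    # Assumption: the device certificate's issuer contains "MS-Organization-Access"
    $leftover = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -like '*MS-Organization-Access*' }
    return (-not $joined) -and (-not $leftover)
}

# Constructed sample modelled on the SSO State block shown earlier (not a real capture)
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2019-04-03 17:25:24.000 UTC
      AzureAdPrtExpiryTime : 2019-04-17 21:25:54.000 UTC
       AzureAdPrtAuthority : https://login.microsoftonline.com/tenantID
'@ -split "`r?`n"

# Sample result: one finding, the 2019 PRT expiry
Test-AzureAdPrtState -State (ConvertFrom-DsregcmdStatus -Lines $sample)

# Live use (PRT is per user, so run in the synced user's own session):
# Test-AzureAdPrtState -State (ConvertFrom-DsregcmdStatus -Lines (dsregcmd /status))
# After an elevated "dsregcmd /leave":
# Test-DsregcmdLeaveClean -State (ConvertFrom-DsregcmdStatus -Lines (dsregcmd /status))
```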