Azure AD Conditional Access policies troubleshooting – Device State: Unregistered

With Azure AD Conditional Access (CA) policies you can control that only managed devices can access resources protected by Azure AD – https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/require-managed-devices#managed-devices

As mentioned in the article above, you might require the devices the sign in is taking place from to be hybrid Azure AD joined.

Here is official Microsoft documentation about Azure AD PRT.

As explained in this blog – https://jairocadena.com/2016/11/08/how-sso-works-in-windows-10-devices/ the Azure AD Primary Refresh Token (Azure AD PRT) is used during Azure AD CA policies evaluation to get the information about Windows 10 device registration state.

The mentioned blog explains that the Azure AD PRT is initially obtained during user sign into the station. In simple words, if the Cloud AP plugin is able to authenticate on behalf of the user (UPN and password or Windows Hello for Business PIN) to get the Azure AD access token and device is able to authenticate to Azure AD using the device registration state (MS-Organization-Access certificate) the Azure AD PRT will be issued to the user.

If any of these two parts (user or device) didn’t pass the authentication step, no Azure AD PRT will be issued.

So when you see an Azure AD Conditional Access error stating that the device is NOT registered, it doesn’t necessary mean that the hybrid Azure AD join is not working in your environment, but might mean that the valid Azure AD PRT was not presented to Azure AD.

To check if the Azure AD PRT is present for the signed into Windows 10 device user, you can use the “dsregcmd /status” command. Windows 10 OS version 1809 the Azure AD PRT info is stored in the SSO State section:

+———————————————————————-+

| SSO State                                                           |

+———————————————————————-+

     AzureAdPrt : YES

     AzureAdPrtUpdateTime : 2019-04-03 17:25:24.000 UTC

     AzureAdPrtExpiryTime : 2019-04-17 21:25:54.000 UTC

     AzureAdPrtAuthority : https://login.microsoftonline.com/tenantID

By the way you can use usual /? Switch to get help for the “dsregcmd” command (Windows 1809 and newer versions).

Keep in mind that the Azure AD PRT is a per user token, so you might see AzureAdPrt:NO if you are running the “dsregcmd /state” as local or not synchronized (on-premises AD user UPN doesn’t match the Azure AD UPN) user.

Per my experience, here are examples of what might be the root of Azure AD PRT being absent for the user (will be updating the list as discover more possible root causes):

1. Device indeed is not hybrid Azure AD joined;
2. Local registration state of the computer doesn’t match the records in Azure AD:
   • Azure AD computer object was deleted by Global Admin via portal or PowerShell;
   • Computer was moved out of Azure AD Connect sync scope and was removed from Azure AD by Azure AD Connect;
   • Some services modified the Azure AD computer object and deleted the AlternativeSecurityIds attribute from Azure AD Computer object);
3. CloudAP plugging is not able to authenticate on behalf of the user to get Azure AD access token:
   • If the user is federated, the on premises STS is not reachable or STS do not have WS-Trust endpoint enabled (yes, WS-Trust is still required for Azure AD PRT flow and optional for Windows 1803 and newer registration flow) (for AD FS the WS-Trust endpoint is – adfs/services/trust/13/usernamemixed)
   • The user has recently changed the UPN and is using Windows 1709 or older OS version and can’t get new or refresh expired Azure AD PRT – this issue was resolved in 1803 and newer);

Here are the recommended troubleshooting steps for mentioned above scenarios:

1. To troubleshoot why the computer can’t perform hybrid Azure AD join refer to the following post – https://s4erka.wordpress.com/2018/03/06/azure-ad-device-registration-error-codes/;
2. To better understand if there is a discrepancy between local registration state and Azure AD records, collect and review following info:
   1. “Dsregcmd /status” output on the effected computer, make the notes of the following fields: AzureAdJoined, DeviceCertificateValidity, AzureAdPrt, AzureAdPrtUpdateTime, AzureAdPrtExpiryTime;
   2. Check the Azure AD Portal – Devices blade, see if the station is present in Azure AD and has a timestamp listed in the Registered column, compare with the time in the DeviceCertificateValidity from the previous step. If there is no time stamp in the Registered column, that means that the AlternativeSecurityIds attribute (contains the MS-Organization-Access certificate thumbprint. This is the certificate that was saved to the station during registration process) was removed and the station needs to be re-joined to Azure AD;
   3. You can check if the station has the AlternativeSecurityIds attribute by using the Get-MsolDevice Azure AD PowerShell cmdlet;
   4. Check if the computer object is in the sync scope of Azure AD Connect;
3. To get more clues about user portion of the Azure AD PRT receive process, its recommended to review the following Windows 10 logs – Application and Services Logs – Microsoft – Windows – AAD. These logs contain Operational and Analytic logs. Analytic logs are the equivalent of the Debug logs and are disabled by default. Usually you should be able to get info just by looking at the AAD Operational logs. In the AAD Operation logs look for the events generated by AadCloudAPPlugin Operation. By readying these logs you should get an idea either the STS is not reachable because of the network or protocol issues or Cloud AP is not able to authenticate on behalf of the user due to incorrect credentials or access policies configured on STS that block the authentication attempt for this user;

You can also use the “Get-WinEvent” PowerShell cmdlet to quickly pull latest AAD logs related to Azure AD Cloud AP plugin:

Get-WinEvent -LogName "Microsoft-Windows-AAD/Operational" -MaxEvents 20 |

where {$_.TaskDisplayName -like "*AadCloudAPPlugin*"} |

ft TimeCreated,id,KeyWordsDisplayNames,Message -wrap -autosize

Keep in mind that Windows down-level devices do not have Azure AD PRT and they “proof” to Azure AD CA that they are registered by establishing TLS authentication channel using the MS-Organization-Access certificate saved in the User certificate store during device registration. So if the successfully registered down-level Windows device is treated by Azure AD CA policy as not registered, most likely something (firewall/proxy) is messing up with that attempt of the device authentication.

In case you have verified that the signed in user has Azure AD PRT, but still the user who attempts to sign in via Microsoft Edge or Edge Chromium is getting “Device State: Unregistered”, make sure the user is signed in the browser with his work account. More details in this official document. Some other forums/blogs have mentioned the GPO is available to force automatic sign in into Edge browser to make it easier for the users.

AadCloudAPPlugin error codes examples and possible cause

0x80072ee7 followed by 0xC000023C – as mentioned in my Device Registration post, most likely caused by network or proxy settings, AadCloudAP plugin running under System cant access the Internet;

0xC000006A that has WSTrust response error “FailedAuthentication” coming before it – have seen these errors coming from 3rd party IdPs (Ping, Okta) due to users sync issues to Identity Provider (IdP) database. Also read the error description to get more clues about other possible causes of failed authentication and check IdP logs.

Logon failure. Status: 0xC000005F Correlation ID – check the federation settings of the user domain and make sure that the Identity provider supports WS-Trust protocol as mentioned here. IdPs supporting SAML protocol as primary Authentication will cause this error.

AAD Cloud AP plugin call Lookup name name from SID returned error: 0xC00485D3 (along with the call to Azure AD sidtoname endpoint in previous AadCloudAPPlugin event)– you might see this error on Azure AD Joined machine in managed (non-federated) environment, if the user signs in the Windows machine using the certificate. Smart card sign in is not supported for such scenario.

AAD Cloud AP plugin call SignDataWithCert returned error: 0x80090016 followed by Http transport error. Status: Keyset does not exist Correlation ID followed by Logon failure. Status: 0xC0090016 Correlation ID – most likely the device has lost access to the device and transport keys (TPM corruption – check with the hardware vendor if the new firmware is available), or image used for VDI was HAADJ (not recommended by public documents)). Reregistering the device (newer versions of OS should auto recover) should address this issue and allow obtaining AAD PRT.

AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048512 – most likely you are looking at the token acquisition events for the local account, that are not related to the sign ins of the user you are trying to troubleshoot. Keep searching for relevant events. 🙂

Logon failure. Status: 0xC00484C0 with Http transport error: Status: Unknown HResult Error code: 0x80048c0 – most likely you will see this for federated with non-Microsoft STS environments. Look for the event before these two events to see what STS endpoint returned this error and using timestamp, examine the STS logs to get more details.

Logon failure. Status: 0xC004848C – most likely you will see this for federated with non-Microsoft STS environments when the user is using the SmartCard to sign in the computer and the IdP MEX endpoint doesn’t contain information about certificate authentication endpoint/URL. This needs to be fixed on IdP side.

And the final thought. In case you need to re-join the Windows current device, make sure to follow the steps in this order to make sure the station really disjoined and will try the clean join process. Also keep in mind that since the computer object is recreated, the Bitlocker recovery keys that you might be saving in Azure AD for this station will be deleted and you will need to re-save them .

1. Open elevated CMD (as local Admin) and issue “dsregcmd /leave”. Elevated CMD is important part, since during the leave flow, the registration service is trying to contact Azure AD and delete the computer object and also it tries to delete the MS-Organization-Access certificate from Computer certificate store, that definitely requires elevated privileges;
2. Open new CMD window and confirm that the local registration state is cleaned and the station is not Azure AD joined by issuing “dsregcmd /status”;
3. Using Azure AD devices portal confirm the computer object is gone, if not, delete it manually;
4. In case you are in Managed environment, you need to run delta Azure AD Connect sync to pre-sync the AD computer object to Azure AD;
5. Restart the station and sign in as Azure AD synchronized user.

• Azure Active Directory
• Azure AD
• Azure AD Conditional Access Policy
• Conditional Access
• Device Registration
• Troubleshooting