User device registration error

In today's post we identify the cause and then suggest possible solutions for the issue where Event ID 307 and Event ID 304 with error code 0x801c001d are logged after Windows 10 is deployed to a device.

0x801c001d - Event ID 307 and 304

When Windows is deployed to a device, the following events are logged:

Имя журнала: Microsoft-Windows-User Device Registration / Admin
Источник: Регистрация устройства пользователя
ID события: 307
Уровень: Ошибка
Описание:
Ошибка автоматической регистрации. Не удалось найти информацию о службе регистрации в Active Directory. Код выхода: Неизвестный код ошибки HResult: 0x801c001d. См. Http://go.microsoft.com/fwlink/?LinkId=623042.

Имя журнала: Microsoft-Windows-User Device Registration / Admin
Источник: Microsoft-Windows-User Device Registration
ID события: 304
Уровень: Ошибка
Описание:
Ошибка автоматической регистрации на этапе присоединения. Код выхода: Неизвестный код ошибки HResult: 0x801c001d. Ошибка сервера: . Вывод отладки: r n undefined.

You run into this issue because event IDs 307 and 304 occur when the Active Directory infrastructure is not prepared for Hybrid join. When a device attempts a Hybrid join, registration fails and the events are logged.

Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use Configuration Manager or Group Policy (GP) to manage them.

If your environment has an on-premises AD footprint and you also want to use the capabilities provided by Azure Active Directory, you can implement hybrid Azure AD joined devices. These are devices that are joined to your on-premises Active Directory and registered with Azure Active Directory.

However, if you run into this issue in a Hybrid join environment, refer to this Microsoft document for troubleshooting steps.

Hopefully this post points you in the right direction.


Windows server. User Device Registration Error Event ID 304 / 307. Automatic registration failed at join phase.

22.12.2020 admin

Incident

The server log is flooded with 304 and 307 “USER DEVICE REGISTRATION” errors, Automatic registration failed at join phase:

Solution

Open Task Scheduler (taskschd.msc), navigate down to Microsoft\Windows\Workplace Join and disable the Automatic-Device-Join task.

Question

  • Hi all,

    It has been highlighted in our environment that "Windows 10 devices are trying to register to Azure AD and failing".

    We have Azure AD (infra) configured, but we don’t want our Windows 10 devices, which are on-prem AD joined, to register to Azure AD.

    Does anyone know what is causing this error, and how to stop devices trying to register to Azure AD?

    Here is the screenshot of the error event:

    Thanks in advance.

All replies

  • I am not sure about the error, but has someone set a GPO to automatically register the machines? I would do a gpresult /scope computer /h gpresult.html on one of the machines and see if there has been a GPO set.

    The GPO can be found at Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration. Right-click Register domain-joined computers as devices or Computer Configuration > Policies > Administrative Templates > Windows Components > Workplace Join > Automatically workplace join client computers

  • Thanks for your reply Nick.

    The problem is that I have already set "Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration. Right-click Register domain-joined computers as devices" as Disabled

    Also, I can’t find Computer Configuration > Policies > Administrative Templates > Windows Components > Workplace Join > Automatically workplace join client computers

  • Automatically workplace join client computers is older. It doesn’t matter.

    Can you do a gpresult like mentioned above to see that it isn’t picking up a GPO from somewhere else to automatically register? And that it is picking up your disabled GPO.

  • Sorry my bad. I realised that after I posted my comment. Thanks for highlighting that.

    The policy where I have disabled (Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration. Right-click Register domain-joined computers as devices) is getting deployed. I am currently checking all the other policies that are currently deployed to the windows 10 devices.

    But I have noticed on these devices that:

    1. the scheduled task (Automatic-Device-Join) is disabled

    2. the registry value (AutoWorkplacejoin) = 0

  • Also, confirmed that in all the other GPOs (applied to windows 10 devices), this setting is not configured

    • Proposed as answer by

      Sunday, April 9, 2017 5:35 AM

  • I experience the same issue. We want to prevent our WS2016 Servers from Azure AD join. Even when Register domain-joined computers as devices is disabled they continue with Azure AD domain join. I have noticed they do it even after policy is disabled and I do gpupdate. For the moment I could say this happens when RDH role is installed on servers.

  • Anyone find a solution for this?

    Having the same problem with Windows Server 2016 LTSB.

    GPO applied.

    Task Scheduler shows the task disabled, but history continues to log the task executing, then being disabled again.

    Events 304 and 307 keep occurring.


    There’s no place like 127.0.0.1

  • Any solution so far for this?

    Have the same Problem with Windows 10 1803 Clients US-version…no problem on DE-versions!

  • Same issue here… does anyone have a solution?

    I also get the message in Eventlog: 

    «Error: ‘invalid_tenant’ Description: ‘Tenant <domainname.local.com> not found. This may happen if there are no active subscriptions for the tenant. Check with your subscription administrator’. TraceId: {ebf91047-a1a6-48f2-81ef-fe13c8dac807}»

  • anyone have any luck in stopping devices from registering with azure?

  • Setting the GPO to Disabled does not stop me from seeing the event log messages where it is trying to do something.  I do not want my servers to even try to reach out to Azure AD so can this be stopped?

    Computer Configuration (Enabled)

    Administrative Templates

    Policy definitions (ADMX files) retrieved from the central store.

    Windows Components/Device Registration

    Policy                                        Setting    Comment
    Register domain joined computers as devices   Disabled
  • Log Name:      Microsoft-Windows-User Device Registration/Admin
    Source:        Microsoft-Windows-User Device Registration
    Date:          7/15/2019 1:32:16 PM
    Event ID:      304
    Task Category: None
    Level:         Error
    Keywords:      
    User:          SYSTEM
    Computer:      TESTxxx.xxx.com
    Description:
    Automatic registration failed at join phase.  Exit code: Unknown HResult Error code: 0x801c03f2. Server error: empty. Debug Output:\r\n joinMode: Join
    drsInstance: azure
    registrationType: sync
    tenantType: managed
    tenantId: bx1400-f938-4×49-xx
    configLocation: undefined
    errorPhase: join
    adalCorrelationId: undefined
    adalLog: undefined
    adalLog: undefined
    adalResponseCode: 0x0
    .
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-User Device Registration" Guid="{2xxxx-67xD-4xA3-xx36-D43E5xx5" />
        <EventID>304</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2019-07-15T18:32:16.062888600Z" />
        <EventRecordID>358</EventRecordID>
        <Correlation />
        <Execution ProcessID="3572" ThreadID="3576" />
        <Channel>Microsoft-Windows-User Device Registration/Admin</Channel>
        <Computer>TESTxxxx.xxx.vom</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="ExitCode">-2145647630</Data>
        <Data Name="ServerErrorMessage">empty</Data>
        <Data Name="TenantName">joinMode: Join
    drsInstance: azure
    registrationType: sync
    tenantType: managed
    tenantId: bccc61400-f9c38-49c49-8caf-cc24
    configLocation: undefined
    errorPhase: join
    adalCorrelationId: undefined
    adalLog: undefined
    adalLog: undefined
    adalResponseCode: 0x0
    </Data>
      </EventData>
    </Event>

  • Run this Powershell command on each of the clients:

    Get-ScheduledTask *-join | Unregister-ScheduledTask -Confirm:$False

    Should work on W10/server 2012/2016/2019.

    Ciao,

    Claudio


    MCSA, MCSE, MCT, MCITP:EA

  • This PowerShell command will disable the scheduled task

    Disable-ScheduledTask -TaskPath "\Microsoft\Windows\Workplace Join\" -TaskName Automatic-Device-Join

    • Proposed as answer by
      KWJ76
      Wednesday, December 18, 2019 8:17 PM
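
The thread above checks three things by hand: the Automatic-Device-Join task, the AutoWorkplaceJoin policy value and the join state. The following read-only audit collects them in one object together with the recent 304/307 count; it is an added example, not code from any poster in the thread. `Get-AutoJoinState` is a hypothetical helper name, and the policy registry key path is supplied here as an assumption because the thread quotes only the value name.

```powershell
# Added example (not from the thread): read-only audit of automatic device registration.
# Run elevated on the affected machine. Get-AutoJoinState is a hypothetical helper name.
function Get-AutoJoinState {
    [CmdletBinding()]
    param([int]$LookbackHours = 24)

    # 1. The scheduled task named in the thread.
    $taskArgs = @{
        TaskPath    = '\Microsoft\Windows\Workplace Join\'
        TaskName    = 'Automatic-Device-Join'
        ErrorAction = 'SilentlyContinue'
    }
    $task     = Get-ScheduledTask @taskArgs
    $taskInfo = if ($task) { $task | Get-ScheduledTaskInfo } else { $null }

    # 2. Value written by the "Register domain joined computers as devices" policy.
    #    Assumption: the key path below; the thread quotes only the value name.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
    $policy    = Get-ItemProperty -Path $policyKey -Name 'autoWorkplaceJoin' -ErrorAction SilentlyContinue

    # 3. Join state as reported by dsregcmd /status.
    $dsreg = @{}
    foreach ($line in (& dsregcmd.exe /status 2>$null)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(\S+)') {
            $dsreg[$Matches[1]] = $Matches[2]
        }
    }

    # 4. 304/307 errors logged inside the lookback window (newest first).
    $filter = @{
        LogName   = 'Microsoft-Windows-User Device Registration/Admin'
        Id        = 304, 307
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    $errors = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        TaskState     = if ($task) { [string]$task.State } else { 'NotPresent' }
        TaskLastRun   = if ($taskInfo) { $taskInfo.LastRunTime } else { $null }
        PolicyValue   = if ($policy) { $policy.autoWorkplaceJoin } else { 'NotConfigured' }
        DomainJoined  = $dsreg['DomainJoined']
        AzureAdJoined = $dsreg['AzureAdJoined']
        RecentErrors  = $errors.Count
        LastErrorTime = if ($errors.Count) { $errors[0].TimeCreated } else { $null }
    }
}

Get-AutoJoinState | Format-List
```

A result with TaskState Disabled and PolicyValue 0 but a recent TaskLastRun and a non-zero RecentErrors matches what several posters describe: the task still runs despite the policy.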

Even when you followed the Hybrid Azure AD join instructions to set up your environment, you still might experience some issues with the computers not registering with Azure AD.

If you are looking for a troubleshooting guide for the issue where an Azure AD Conditional Access policy treats your successfully joined station as Unregistered, see my other recent post.

To check if the device was joined to Azure AD run “dsregcmd /status” command in command prompt and look at AzureAdJoined value. For the Azure AD registered devices, it should be set to YES.

If the AzureAdJoined says NO, next step will be to collect information from the Application and Services – Microsoft – Windows – User Device Registration – Admin logs.

First thing, try to locate and read the text description in the error to see if it gives any clue.

Below are some examples of the errors and possible solutions to try.

User Device Registration Admin log – EventID 304 or 305, adalResponseCode: 0xcaa1000e – the recommended step is to check the AD FS claim rules per the article mentioned above. It is important to have the AD FS claim rules in the described order, and if you have multiple verified domains, do not forget to remove any existing IssuerID rule that might have been created by Azure AD Connect or other means. Microsoft also recommends using the Azure AD Connect wizard to set up device registration. Another way to configure correct claim rules for your Office 365 Relying Party is to use the official AD FS claims generator.

User Device Registration Admin log – wmain: Unable to retrieve access token 0x80004005 – the recommended step is to check the AD FS claim rules.

User Device Registration Admin log – EventID 305, AdalErrorCode: 0xcaa90006 – make sure the computer is able to reach and authenticate to the Identity Provider endpoint specified in the error text description.

User Device Registration Admin log – EventID 204, Error code: 0x801c03f2 or 0x801c03f3 (“The device object by the given id (xxx) is not found.”) – make sure the on-premises computer object is synchronized to Azure AD. Run the Delta Azure AD Connect sync.

User Device Registration Admin log – EventID 204 or 304, Error code: 0x801c03f2 (“The public key user certificate is not found on the device object with id (xxx).”) – make sure the userCertificate attribute is selected in the Azure AD Connect “Select Attributes” settings of the on-premises connector.

User Device Registration Admin log – EventID 304 (309, 201 and 233 coming before it), Error code: 0x801c0021 (Error code: 0x80072efe in EventID 201) (or, in the User Device Registration Debug logs, EventID 500 with message “wmain TenantInfo::Discover failed with error code 0x801c0021”) – most likely the network or proxy didn’t allow the connection to Azure AD device registration endpoints or IdP to complete authentication. See the next error description for the recommended troubleshooting steps.

User Device Registration Debug log – EventID 502, Error code: 0x80072ee7 (“WinHttpRequest<class DiscoveryHttpRequest>::OnCallback: The callback handling failed with error code: 0x80072ee7”) – most likely the network or proxy didn’t allow the connection to Azure AD device registration endpoints or IdP to complete authentication. Open IE as System Account using “psexec -i -s cmd.exe” and try to navigate to https://enterpriseregistration.windows.net/verifiedDomain/enrollmentserver/contract?api-version=1.2 (replace VerifiedDomain with your domain). You should see the list of device registration service endpoints like this.

DeviceRegistrationEndpoint

If there is a failure, you might want to configure correct proxy settings in the same IE opened as System Account.

User Device Registration Admin log – 0xCAA90022 Could not discover endpoint for Integrate Windows Authentication. Check your ADFS settings. It should support Integrate Widows Authentication for WS-Trust 1.3. (error message is self explanatory). In case your IdP is not AD FS consult your IdP documentation.

User Device Registration Admin log – 0xCAA9002b with this error from ADAL – ADALUseWindowsAuthenticationTenant failed, unable to perform integrated auth. Check your STS settings. It should support Integrate Widows Authentication for WS-Trust 1.3. (error message is self explanatory). In case your IdP is not AD FS consult your IdP documentation.

User Device Registration Admin log – 0x801c001d. Failed to lookup the registration service information from Active Directory. Recommended to check the Service Connection Point settings in on-premises Active Directory.

User Device Registration Admin log – “The discovery operation callback failed with exit code: Unknown HResult Error code: 0x801c0012. The server returned HTTP status: 400.” And in the Debug logs you see 0x801c03e9 before 0x801c0012 – most likely the on-premises proxy is requiring authentication. Capture a network trace while reproducing the registration attempt to get more details.
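
For the 0x801c001d entry above, one way to check the Service Connection Point from a domain-joined machine is sketched below. This is an added example, not code from the original article. The function names are hypothetical, and the SCP container name, GUID and keyword format are the ones Microsoft documents for hybrid join, supplied here rather than taken from this page.

```powershell
# Added example. Function names are hypothetical; the SCP container name, GUID and
# keyword format come from Microsoft's hybrid join documentation, not from this page.
function ConvertFrom-ScpKeywords {
    param([string[]]$Keywords)
    # Keywords look like "azureADName:<verified domain>" and "azureADId:<tenant GUID>".
    $result = [ordered]@{ TenantName = $null; TenantId = $null }
    foreach ($k in $Keywords) {
        if ($k -match '^azureADName:(.+)$') {
            $result.TenantName = $Matches[1].Trim()
        } elseif ($k -match '^azureADId:(.+)$') {
            $result.TenantId = $Matches[1].Trim()
        }
    }
    [pscustomobject]$result
}

function Get-DeviceRegistrationScp {
    # Configuration partition of the forest this computer is joined to.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.Properties['configurationNamingContext'].Value
    $scpDn    = 'CN=62a0ff2e-97b9-4513-943f-0d221bd30080,' +
                'CN=Device Registration Configuration,CN=Services,' + $configNc

    $found = $false
    try { $found = [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$scpDn") } catch { }
    if (-not $found) {
        # Nothing for the client to discover: the state the 0x801c001d text describes.
        return [pscustomobject]@{ ScpDn = $scpDn; Found = $false; TenantName = $null; TenantId = $null }
    }

    $scp    = [ADSI]"LDAP://$scpDn"
    $parsed = ConvertFrom-ScpKeywords -Keywords @($scp.Properties['keywords'])
    [pscustomobject]@{
        ScpDn      = $scpDn
        Found      = $true
        TenantName = $parsed.TenantName
        TenantId   = $parsed.TenantId
    }
}

# Constructed sample of the keywords attribute (placeholder tenant values).
ConvertFrom-ScpKeywords -Keywords 'azureADName:contoso.example',
                                  'azureADId:00000000-0000-0000-0000-000000000000'

# Live check, only meaningful on a domain-joined machine.
if ((Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
    Get-DeviceRegistrationScp | Format-List
}
```

Found = False, or Found = True with an empty TenantName or TenantId, is the condition to fix when hybrid join is wanted; when it is not wanted, it explains why the events are logged.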

Sometimes the error description of the User Device Registration Admin log event does not provide enough information and you have to enable the User Device Registration Debug log to get more information.

To enable debug logs open Event Viewer – check “Show Analytic and Debug Logs” and browse to Application and Services – Microsoft – Windows – User Device Registration – right click on Debug log and select Enable log.

To trigger the device join attempt, open a Command Prompt as the System account (you can use Sysinternals PsExec: psexec -i -s cmd.exe) and issue the “dsregcmd /debug /join” command. After that, disable the Debug log and check the Admin logs; if the error description is still not informative, go to the Debug logs.
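
When many machines log these events, it helps to normalize each one to an HRESULT and an error phase before reading descriptions one by one. The following is an added example, not code from the original article; `ConvertTo-HResult` and `Read-DeviceRegEvent` are hypothetical helper names, and the sample messages are constructed from the events quoted on this page with a placeholder tenant ID.

```powershell
# Added example. ConvertTo-HResult and Read-DeviceRegEvent are hypothetical helper names.
function ConvertTo-HResult {
    param([Parameter(Mandatory)][int]$ExitCode)
    # The event's ExitCode field is the HRESULT stored as a signed 32-bit integer.
    '0x{0:x8}' -f $ExitCode
}

function Read-DeviceRegEvent {
    param(
        [Parameter(Mandatory)][int]$EventId,
        [Parameter(Mandatory)][string]$Message,
        [Nullable[int]]$ExitCode
    )
    # Prefer the numeric ExitCode; fall back to the hex code printed in the description.
    $hresult = $null
    if ($null -ne $ExitCode) {
        $hresult = ConvertTo-HResult -ExitCode $ExitCode
    } elseif ($Message -match 'Error code:\s*(0x[0-9a-f]{8})') {
        $hresult = $Matches[1].ToLower()
    }

    # Pull the "key: value" lines of the Debug Output block.
    $fields = @{}
    foreach ($line in ($Message -split '\r?\n')) {
        if ($line -match '^\s*(drsInstance|registrationType|tenantType|tenantId|errorPhase)\s*:\s*(\S+)') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    [pscustomobject]@{
        EventId     = $EventId
        HResult     = $hresult
        ErrorPhase  = $fields['errorPhase']
        DrsInstance = $fields['drsInstance']
        TenantId    = $fields['tenantId']
    }
}

# Constructed samples modelled on the events quoted on this page (placeholder tenant ID).
$joinMsg = @(
    'Automatic registration failed at join phase.  Exit code: Unknown HResult Error code: 0x801c03f2. Server error: empty. Debug Output:'
    'joinMode: Join'
    'drsInstance: azure'
    'tenantId: 00000000-0000-0000-0000-000000000000'
    'errorPhase: join'
) -join "`r`n"
$discoverMsg = @(
    'Automatic registration failed at join phase. Exit code: Unknown HResult Error code: 0x801c001d'
    'drsInstance: undefined'
    'tenantId: undefined'
    'errorPhase: discover'
) -join "`r`n"

$parsed = @(
    Read-DeviceRegEvent -EventId 304 -Message $joinMsg -ExitCode (-2145647630)
    Read-DeviceRegEvent -EventId 304 -Message $discoverMsg
)
$parsed | Group-Object HResult, ErrorPhase | Select-Object Count, Name

# Live use: replace the samples with events read from the Admin log, for example
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-User Device Registration/Admin'; Id = 304, 305, 307 } |
#       ForEach-Object { Read-DeviceRegEvent -EventId $_.Id -Message $_.Message }
```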

Example 1:

Log Name:      Microsoft-Windows-User Device Registration/Admin
Source:        Microsoft-Windows-User Device Registration
Date:          2/9/2018 10:17:49 AM
Event ID:      304
Task Category: None
Level:         Error
Keywords:     
User:          SYSTEM
Computer:      XXX
Description:
Automatic registration failed at join phase.  Exit code: An unexpected internal error has occurred in the Platform Crypto Provider.

User Device Registration Debug log –

Log Name:      Microsoft-Windows-User Device Registration/Debug
Source:        Microsoft-Windows-User Device Registration
Date:          2/9/2018 10:23:30 AM
Event ID:      500
Task Category: None
Level:         Information
Keywords:     
User:          SYSTEM
Computer:      XXX
Description:
wmain: failed with error code 0x80290407.

Most likely this error is an indication that the TPM is not supporting Azure AD join requirements (https://docs.microsoft.com/en-us/windows/security/hardware-protection/tpm/tpm-recommendations ).

Next steps for this particular issue I would recommend for these stations are:

  • Ensure the TPM is in 2.0 mode. You will find this setting in the BIOS.
  • As a last resort, disable TPM in the BIOS, so Azure AD Join process uses software-based keys.

Example 2:

Log Name:      Microsoft-Windows-User Device Registration/Admin
Source:        Microsoft-Windows-User Device Registration
Date:          4/17/2018 12:44:10 PM
Event ID:      304
Task Category: None
Level:         Error
Keywords:     
User:          SYSTEM
Computer:      XXX
Description:
Automatic registration failed at join phase.  Exit code: Keyset does not exist. Server error: empty.

After running dsregcmd /debug /join see following in the output:

DsrDeviceAutoJoinFederated failed with -2146893802
wmain: failed with error code 0x80090016.

Most likely this error indicates that the machine was imaged from a computer that was already registered with Azure AD. It might also indicate TPM issues (see the TPM troubleshooting steps mentioned above).

If the first is true, try renaming the “C:\ProgramData\Microsoft\Crypto\Keys” folder and re-running dsregcmd /debug /join.

Example 3:

Log Name:      Microsoft-Windows-User Device Registration/Admin
Source:        Microsoft-Windows-User Device Registration
Date:          5/16/2018 8:44:03 AM
Event ID:      305
Task Category: None
Level:         Error
Keywords:     
User:          SYSTEM
Computer:     XXX
Description:
Automatic registration failed at authentication phase.  Unable to acquire access token.  Exit code: Unspecified error. Server error: AdalMessage: ADALUseWindowsAuthenticationTenant failed,  unable to preform integrated auth
AdalErrorCode: 0xcaa9002c

This error usually indicates an issue with connecting to AD FS farm. Check if Windows Integrated Authentication is enabled for Intranet, is working correctly for Intranet and WSTrust windows endpoints are enabled in AD FS.

  • #1

Good afternoon. I noticed errors with codes 304 and 307 in the Windows Server 2019 logs; the event source is User Device Registration.

Automatic registration failed at join phase.
Exit code: Unknown HResult Error code: 0x801c001d

Server error:
Tenant type: undefined
Registration type: undefined
Debug Output:
joinMode: Join
drsInstance: undefined
registrationType: undefined
tenantType: undefined
tenantId: undefined
configLocation: undefined
errorPhase: discover
adalCorrelationId: undefined
adalLog:
undefined
adalResponseCode: 0x0

and the second error

Automatic registration failed. Failed to lookup the registration service information from Active Directory. Exit code: Unknown HResult Error code: 0x801c001d.
Регистрация сервера {4991D34B-80A1-4291-83B6-3328366B9097} DCOM не выполнена за отведенное время ожидания.

Can you tell me what is causing the errors?? Everything appears to be working.

  • #2

I also found some suspicious warnings

Поставщик DMWmiBridgeProv1 зарегистрирован в пространстве имен rootcimv2mdmdmmap инструментария управления Windows и будет использовать учетную запись LocalSystem. Она обладает повышенными привилегиями, поэтому, если поставщик некорректно олицетворяет запросы пользователей, безопасность может оказаться под угрозой.
——
Служба «Update Orchestrator Service» завершена из-за ошибки
Возврат из операции произошел из-за превышения времени ожидания.

  • #3

Guide to configuring hybrid Azure Active Directory join for federated domains
These event codes occur when the infrastructure is not ready for Hybrid join. When a device attempts a hybrid join, registration fails and the events are logged.

  • #4

I see, so in short this is normal. Can you help with the other error?
