Azure AD Join Issue - error 0x8007010b / 0x80070554
Azure (Hybrid Join) Wednesday, 11 March 2020 by paul

The following error appears when a Windows 10/7 machine tries to join Azure AD.

C:\Windows\system32>dsregcmd /debug /join

dsregcmd::wmain logging initialized.

dsregcmd::wmain logging initialized.

DsrCmdJoinHelper::Join: ClientRequestId: c0783b9f-2a9c-4511-3c02-1372e59b1ced

DsrCmdAccountMgr::IsDomainControllerAvailable: DsGetDcName success { domain:romec.local forest:domain.local domainController:\\DC.domain.local isDcAvailable:true }

DsrCmdAccountMgr::IsDrsJoined: DsrGetJoinInfoEx failed with error code 0x8007010b.

PreJoinChecks Complete.

preCheckResult: DoNotJoin

deviceKeysHealthy: undefined

isJoined: undefined

isDcAvailable: YES

isSystem: YES

keyProvider: undefined

keyContainer: undefined

dsrInstance: undefined

elapsedSeconds: 0

resultCode: 0x8007010b

Automatic device join pre-check tasks completed.

Some machines show a different error:

C:\Windows\system32>dsregcmd /join /debug

dsregcmd::wmain logging initialized.

dsregcmd::wmain logging initialized.

DsrCmdJoinHelper::Join: ClientRequestId: 65799911-c4c1-4721-9792-42c196fe3364

DsrCmdAccountMgr::IsDomainControllerAvailable: DsGetDcName success { domain:domain.local forest:domain.local domainController:\\DC.domain.local isDcAvailable:true }

PreJoinChecks Complete.

preCheckResult: Join

deviceKeysHealthy: undefined

isJoined: undefined

isDcAvailable: YES

isSystem: YES

keyProvider: undefined

keyContainer: undefined

dsrInstance: undefined

elapsedSeconds: 0

resultCode: 0x0

Automatic device join pre-check tasks completed.

TenantInfo::Discover: Join Info { TenantType = Managed; AutoJoinEnabled = 1; TenandID = e7b85x0b-8649-47sf-b7a8-fb50acb40ab7; TenantName = domain.onmicrosoft.com }

DsrDeviceAutoJoin failed 0x80070554.

DsrCmdJoinHelper::Join: DsrCmdDeviceEnroller::AutoEnrollSync failed with error code 0x80070554.

DSREGCMD_END_STATUS

             AzureAdJoined : NO

          EnterpriseJoined : NO

Tests with Azure support did not show the cause of the issue.

The initial error relates to a directory not being found, so ProcessExplorer was used to trace it. This located an error when trying to access the folder c:\windows\system32\config\systemprofile\appdata\roaming\systemcertificates\my\crls. This folder did not exist, and comparing affected machines with working machines showed that some folders had been changed to files, possibly by some folder corruption at some point.

Created a group policy to remove the files and create the folders.

The following files need to be deleted first.

 

 

Then the following folders need to be created.

 

 

After the policy is applied, the machines are rebooted and dsregcmd /join then works as expected.
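The comparison described above can be scripted. The following is an added example, not part of the original post: it checks whether each expected folder in the SYSTEM profile is a folder, a file, or missing. The relative paths are taken from the comment script further down this page and are not a complete list; the -Repair switch, the .old-<timestamp> backup name and the use of PowerShell 3.0 or later are assumptions of this example.

```powershell
# Added example: audit the SYSTEM profile for expected folders that exist as files.
# Run elevated in 64-bit PowerShell (a 32-bit host redirects System32).
# Read-only unless -Repair is given.
param(
    [string]$ProfileRoot = "$env:SystemRoot\System32\config\systemprofile\AppData",
    [switch]$Repair   # hypothetical switch for this example
)

# Relative paths named in the comment script on this page (not a complete list).
$expectedFolders = @(
    'Local\Microsoft\Internet Explorer',
    'Local\Microsoft\Vault',
    'Local\Microsoft\InstallService',
    'Local\Microsoft\Windows',
    'Local\Microsoft\Windows\CloudAPCache',
    'Local\Microsoft\Windows\CloudAPCache\MicrosoftAccount',
    'Local\Microsoft\Windows\CloudAPCache\AzureAccount',
    'Roaming\Microsoft\SystemCertificates\My\CRLs',
    'Roaming\Microsoft\SystemCertificates\My\CTLs',
    'Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead'
)

$results = foreach ($rel in $expectedFolders) {
    $path = Join-Path $ProfileRoot $rel
    if (Test-Path -LiteralPath $path -PathType Container) { $state = 'Folder' }
    elseif (Test-Path -LiteralPath $path -PathType Leaf) { $state = 'FileInsteadOfFolder' }
    else { $state = 'Missing' }

    $repaired = $false
    if ($Repair -and $state -ne 'Folder') {
        if ($state -eq 'FileInsteadOfFolder') {
            # Rename the stray file instead of deleting it, so it can be inspected later.
            # File.Move works regardless of hidden/system attributes.
            $backup = "$path.old-$(Get-Date -Format yyyyMMddHHmmss)"
            [System.IO.File]::Move($path, $backup)
        }
        New-Item -ItemType Directory -Path $path -Force | Out-Null
        $repaired = $true
    }
    [pscustomobject]@{ Path = $path; State = $state; Repaired = $repaired }
}

$results | Format-Table -AutoSize
# Non-zero exit code lets a deployment tool flag machines that had files in place of folders.
$bad = @($results | Where-Object { $_.State -eq 'FileInsteadOfFolder' })
if ($bad.Count -gt 0) { exit 1 } else { exit 0 }
```

Run it without -Repair on a working machine and an affected one to see which entries differ before changing anything.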


Thursday, 24 December 2020 by Rob C
Simple script that I created and pushed out to all computers.

IF EXIST "C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\CloudAPCache\MicrosoftAccount" GOTO CHKFILE
IF NOT EXIST "C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\CloudAPCache\MicrosoftAccount" GOTO FIXO365
:FIXO365
ECHO FIXO365
c:
cd\
cd\Windows\System32\config\systemprofile\AppData\Local\Microsoft
Ren "Internet Explorer" "Internet Explorerold"
Ren Vault Vaultold
Ren InstallService InstallServiceold
Ren Windows Windowsold
MD "Internet Explorer"
MD Vault
MD InstallService
MD Windows
MD PRICache
MD SchCache
cd Windows
MD CloudAPCache
cd CloudAPCache
MD MicrosoftAccount
MD AzureAccount
c:
cd\
cd\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My
attrib CRLs -s -i
attrib CTLS -s -i
attrib AppContainerUserCertRead -i -s
Ren CRLs CRLsold
Ren CTLs CTLsOld
Ren AppContainerUserCertRead AppContainerUserCertReadOld
MD CRLs
MD CTLs
MD AppContainerUserCertRead
GOTO COPYFILE
:CHKFILE
IF EXIST C:\Dell\intune.txt GOTO END
IF NOT EXIST C:\Dell\intune.txt GOTO COPYFILE
:COPYFILE
md C:\Dell
copy intune.txt C:\Dell /y
GOTO END
:END
Monday, 15 June 2020 by Paul
Hi Chris, The issue we had was in the folder c:\windows\system32\config\systemprofile\AppData. Some of the folders had become files due to some filesystem corruption. We used group policy to remove those files and then another to create the folders. If you compare the folder structure for a machine that works with one that does not then you can see which files/folders are affected.
Monday, 15 June 2020 by Chris
Hi Paul, what does this sentence mean explicitly? "Created a group policy to remove the files and create the folders" Does the GPO have to remove the files and create the folders or are they created automatically? Can you please specify the folders which need to be created? Thanks Chris