Troubleshoot device authentication and registration issues in Microsoft Entra ID
The dsregcmd command is an important tool for troubleshooting device authentication and registration issues in Microsoft Entra ID. It helps admins figure out if a device is correctly joined to Microsoft Entra ID, hybrid-joined, or domain-joined Active Directory.
By analyzing the output of dsregcmd /status, IT administrators can diagnose and resolve authentication, compliance, and device management issues. The remainder of this article explains how to use dsregcmd effectively and interpret its output to identify device registration problems.
To retrieve device details, run the following command in a Command Prompt as a domain user:
```text
dsregcmd /status
```
Running this command as a domain user account provides comprehensive details about the device’s registration status, authentication status, and connectivity to Microsoft Entra ID.
The Device State section shows which of the following join states the device is in:
| AzureAdJoined | EnterpriseJoined | DomainJoined | DeviceState |
|---|---|---|---|
| YES | NO | NO | Microsoft Entra joined |
| NO | NO | YES | Domain Joined |
| YES | NO | YES | Microsoft Entra hybrid joined |
The AzureAdJoined attribute is set to YES if the device is fully registered and joined to Microsoft Entra ID. A device in this state is cloud-managed, allowing seamless access to cloud-based resources, single sign-on (SSO), and policies applied via Microsoft Intune. If the value is NO, the device is not properly registered to Entra ID.
The DomainJoined attribute is set to YES if the device is joined to a traditional Active Directory (AD) domain. This means the device is managed by on-premises Group Policy, and authenticates against local domain controllers.
If DomainJoined is YES and AzureAdJoined is YES, then the device is considered Microsoft Entra Hybrid joined.
If DomainJoined is YES and AzureAdJoined is NO, the device is not hybrid joined; it operates solely within the on-premises AD infrastructure.
If a device is domain joined, the DomainName attribute displays the name of the Active Directory domain it belongs to. For example, a DomainName of CORP.COMPANY.COM confirms the device is part of an internal AD forest. If DomainJoined is NO, this field is blank.
A device showing the following Device State:
```text
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+
AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : YES
DomainName : CONTOSO
+----------------------------------------------------------------------+
```
is Microsoft Entra hybrid joined, meaning it is connected to both Entra ID and an on-premises AD domain named CONTOSO.
The Device Details section provides more detailed information about the device, including the unique device identifier, thumbprint and key protection information.
The DeviceId is a unique identifier assigned to a device in Microsoft Entra ID. This value is crucial for tracking and managing devices within the organization. It allows administrators to locate and verify a device in Entra ID or troubleshoot registration issues.
The Thumbprint is the cryptographic hash (fingerprint) of the device’s authentication certificate, which identifies the certificate used to secure communication between the device and Entra ID. If authentication issues arise, comparing the thumbprint with the certificate stored in Entra ID can help determine whether the correct certificate is being used.
The DeviceCertificateValidity attribute gives the start and expiration dates of the device authentication certificate. If the certificate is expired or invalid, the device may fail to authenticate with Entra ID.
The TpmProtected attribute indicates whether the device’s private key is stored in a Trusted Platform Module (TPM). If TpmProtected is YES, the device benefits from additional hardware-based security, making the key resistant to certain types of attack. If NO, the key is software-based, which is considered more vulnerable.
The DeviceAuthStatus field reports the health of the device in Microsoft Entra ID. A SUCCESS status confirms the device is active and properly registered. If the status shows FAILED, the device may have been deleted or disabled, or it may be unable to communicate with Entra ID.
```text
+----------------------------------------------------------------------+
| Device Details |
+----------------------------------------------------------------------+
DeviceId : 00aa00aa-bb11-cc22-dd33-44ee44ee44ee
Thumbprint : AA11BB22CC33DD44EE55FF66AA77BB88CC99DD00
DeviceCertificateValidity : [2019-01-11 -- 2029-01-11]
TpmProtected : NO
DeviceAuthStatus : SUCCESS
+----------------------------------------------------------------------+
```
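The Device State table and the Device Details checks above can be automated. The following PowerShell script is an added example, not code from the original article or from dsregcmd itself: it parses the `Name : Value` lines of `dsregcmd /status` into a map, classifies the join type exactly as the table does, and flags a non-SUCCESS DeviceAuthStatus, a software-protected key and an expired certificate. It assumes dsregcmd is on the PATH (it ships in System32); the embedded sample output is constructed from the blocks shown above and is used when the script is run with `-Sample`.

```powershell
# Added example (not from the original article): parse `dsregcmd /status` output
# into a hashtable and apply the Device State / Device Details checks described
# above. Run with -Sample to use the constructed sample output instead of dsregcmd.
param([switch]$Sample)
# Constructed sample output, shortened to the lines the checks use.
$sampleText = @'
| Device State                                                         |
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
| Device Details                                                       |
                  DeviceId : 00aa00aa-bb11-cc22-dd33-44ee44ee44ee
                Thumbprint : AA11BB22CC33DD44EE55FF66AA77BB88CC99DD00
 DeviceCertificateValidity : [ 2019-01-11 -- 2029-01-11 ]
              TpmProtected : NO
          DeviceAuthStatus : SUCCESS
'@
$lines = if ($Sample) { $sampleText -split "`r?`n" } else { dsregcmd /status }

# Build a Name -> Value map from every "Name : Value" line; banner lines are skipped.
$state = @{}
foreach ($line in $lines) {
    if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
}

# Join type, from the Device State table: AzureAdJoined/DomainJoined.
$joinType = switch ("$($state.AzureAdJoined)/$($state.DomainJoined)") {
    'YES/NO'  { 'Microsoft Entra joined' }
    'NO/YES'  { 'Domain joined' }
    'YES/YES' { 'Microsoft Entra hybrid joined' }
    default   { 'Not joined or registration incomplete' }
}

# Device Details checks: auth status, TPM-backed key, certificate expiry.
$findings = @()
if ($state.DeviceAuthStatus -ne 'SUCCESS') { $findings += "DeviceAuthStatus is '$($state.DeviceAuthStatus)'" }
if ($state.TpmProtected -ne 'YES') { $findings += 'Device key is software-protected (TpmProtected is not YES)' }
# Real output carries timestamps too, so capture only the not-after date.
if ($state.DeviceCertificateValidity -match '--\s*(\d{4}-\d{2}-\d{2})') {
    $notAfter = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
    if ($notAfter -lt (Get-Date)) { $findings += "Device certificate expired on $($Matches[1])" }
}

[pscustomobject]@{
    JoinType   = $joinType
    DomainName = $state.DomainName
    DeviceId   = $state.DeviceId
    Findings   = if ($findings) { $findings -join '; ' } else { 'No issues found' }
}
```

On the constructed sample the script reports `Microsoft Entra hybrid joined` for domain `CONTOSO` with the single finding that the key is software-protected, matching the reading of the output blocks above.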
The Tenant Details section provides information about the Microsoft Entra tenant that the device is joined to. If the MDM URL fields are empty, it indicates that either:
```text
+----------------------------------------------------------------------+
| Tenant Details |
+----------------------------------------------------------------------+
TenantName : HybridADFS
TenantId : aaaabbbb-0000-cccc-1111-dddd2222eeee
MdmUrl : https://enrollment.manage-beta.microsoft.com/
JoinSrvVersion : 1.0
JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/
+----------------------------------------------------------------------+
```
The User State section provides details about the logged-in user’s authentication status.
```text
+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
NgcSet : YES
WorkplaceJoined : NO
WamDefaultSet : YES
+----------------------------------------------------------------------+
```
The SSO State section refers to the use of Primary Refresh Tokens (PRTs) for Single Sign-On (SSO).
| Command | Description |
|---|---|
| dsregcmd /status | Displays the device join status. |
| dsregcmd /join | Schedules the hybrid join task. |
| dsregcmd /leave | Unregisters the device from Entra ID. |
| dsregcmd /refreshprt | Refreshes the Primary Refresh Token. |
| dsregcmd /debug | Enables debugging messages. |
The dsregcmd command is a great tool for diagnosing and resolving device registration issues in Microsoft Entra ID. By understanding its output, administrators can effectively troubleshoot authentication, device join, and single sign-on (SSO)-related issues.
The dsregcmd tool is a diagnostic command-line utility included with Windows that helps administrators and support personnel troubleshoot and understand device registration and Azure AD join issues. It provides detailed insights into how a Windows device is registered with Azure Active Directory (Azure AD) or Hybrid Azure AD. This includes information on whether the device is joined, domain-joined, or Azure AD registered, along with tenant details, SSO status, and certificate presence.
How do I check the dsregcmd status?
To check the device’s registration status, open a Command Prompt or PowerShell window with administrative privileges and run:
```text
dsregcmd /status
```
This command outputs comprehensive registration details, including:
This is often the first step in diagnosing Azure AD connectivity or authentication issues.
What does dsregcmd /leave do?
The dsregcmd /leave command forces the device to leave Azure AD. This means it removes the device’s registration from Azure AD, including all associated credentials, configurations, and the device identity used for SSO and conditional access.
Warning: This operation is not reversible through dsregcmd and typically requires administrative rights. After using /leave, the device will need to be re-registered or re-joined to Azure AD.
What does dsregcmd /forcerecovery do?
The dsregcmd /forcerecovery command is used to reset the device’s Azure AD registration in a way that prompts it to reauthenticate with Azure AD. It deletes the current registration and forces the system to rejoin Azure AD upon the next login or sync cycle.
This is particularly useful for recovering devices that are in a broken or inconsistent Azure AD registration state, where other repair methods fail.