Learn how to use dsregcmd to manage Azure Active Directory-joined devices. This post covers examples of getting device state, including status, device details, tenant details, user state, SSO state, joining and unjoining, displaying debug information for verbose output, and listing and deleting Windows Account Manager accounts. Note that Microsoft rebranded Azure Active Directory to Microsoft Entra ID. In this post, I will use both brand names interchangeably.

dsregcmd is a command line tool that allows viewing the current details of Azure Active Directory joined devices. Using the tool, admins can check various aspects of a hybrid Microsoft Entra ID configuration and current status, such as the current state of the Azure Active Directory join. It provides an excellent troubleshooting and management tool for administering hybrid joined devices.

To view the parameters of the command, run the following command:

dsregcmd /?

Running dsregcmd to view the parameters

Verifying domain and Microsoft Entra ID joins

The dsregcmd /status command provides verbose output that lets admins determine the device state and the other basic details needed to manage and troubleshoot hybrid Active Directory joins. The device state shows at a glance which directory services the device is joined to, including the following:

  • AzureAdJoined—Joined to Azure Active Directory
  • EnterpriseJoined—Joined to an on-premises Device Registration Service (DRS), also known as a "Workplace Join" (WPJ)
  • DomainJoined—Joined to a legacy on-premises Active Directory Domain Services directory service

Run the following command:

dsregcmd /status

You can quickly check the status of the workstation. Is it joined to Azure? Is it domain joined?

As noted below, AzureAdJoined, EnterpriseJoined, and DomainJoined are all displaying as No.

Viewing the status of a Windows 11 workgroup machine with dsregcmd


After the workstation is joined to an on-premises Active Directory Domain Services environment, we see the following:

Machine is joined to an on premises Active Directory Domain Services domain


AzureAdJoined device status using dsregcmd


Tenant details

The dsregcmd /status command also displays the tenant details. These only appear if the device is either Azure AD-joined or hybrid Azure AD-joined, but not if it's Azure AD-registered. What are the differences among these three?

  • Azure AD-joined—For corporate-owned and managed devices; authentication is handled only by Azure AD
  • Hybrid AD-joined—For corporate-owned devices; authentication can be handled with local Active Directory or Azure Active Directory
  • Azure AD-registered—For personal devices; authentication is handled with a local or personal cloud ID with authentication to corporate resources using a corporate Azure AD login

This command is helpful for seeing relevant tenant information, troubleshooting MDM configurations, etc.

Using dsregcmd to display tenant details
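
The join-state flags and the join types described above can be read out of the /status text with a small parser. This is an added example, not code from the original post: the function names are hypothetical, the sample text is constructed, the flag-to-type mapping follows the descriptions in this post, and WorkplaceJoined is a User State field that the post does not name.

```powershell
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}   # PowerShell hashtables are case-insensitive by default
    foreach ($line in $Lines) {
        # Field lines look like "   AzureAdJoined : YES"; section banners do not match.
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') {
            # Keep the first occurrence if a field name appears in more than one section.
            if (-not $state.ContainsKey($Matches[1])) { $state[$Matches[1]] = $Matches[2] }
        }
    }
    return $state
}

function Get-DsregJoinType {
    param([hashtable]$State)
    # A missing field compares as $false, so partial output is treated as "not joined".
    $aad    = $State['AzureAdJoined']    -eq 'YES'
    $drs    = $State['EnterpriseJoined'] -eq 'YES'
    $domain = $State['DomainJoined']     -eq 'YES'
    $wpj    = $State['WorkplaceJoined']  -eq 'YES'
    if     ($aad -and $domain) { 'Hybrid Azure AD-joined' }
    elseif ($aad)              { 'Azure AD-joined' }
    elseif ($drs)              { 'Joined to on-premises DRS' }
    elseif ($domain)           { 'On-premises domain-joined only' }
    elseif ($wpj)              { 'Azure AD-registered' }
    else                       { 'Workgroup (no directory join)' }
}

# Constructed, shortened sample in the shape of dsregcmd /status output (not real output).
$sample = @'
| Device State |
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
| User State |
                    NgcSet : NO
           WorkplaceJoined : NO
'@ -split '\r?\n'

$state = ConvertFrom-DsregStatus -Lines $sample
[pscustomobject]@{
    JoinType           = Get-DsregJoinType -State $state
    WindowsHelloKeySet = $state['NgcSet'] -eq 'YES'
}
```

On a live machine, replace $sample with the real output: ConvertFrom-DsregStatus -Lines (dsregcmd /status).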


User state

You can also view the user state, which is helpful in understanding whether the user has Windows Hello configured and whether a workspace account is configured on the workstation. Note the following detail displayed, which is helpful with troubleshooting the Windows Hello configuration:

  • NgcSet: If a Windows Hello key is assigned to the currently logged-in user, the flag is set to YES.

User state details with dsregcmd

SSO state

The SSO state section of the output shows the current single sign-on state and configuration. If you are troubleshooting the SSO configuration for a specific device, this information is helpful. It will display error messages, such as the ones seen below, if there are issues with the tenant ID or subscriptions.

SSO state details using dsregcmd


Work account

You can quickly see any cloud accounts configured on the device in the output of the Work Account section displayed by dsregcmd. It includes the MDM configuration and other information about the tenant to which it is connected.

Workplace account details found using dsregcmd


Diagnostic information

dsregcmd also makes it easy to get diagnostic information for troubleshooting failed Azure Active Directory joins and other issues. Make note of any errors displayed in the diagnostic data output, as their specific error codes can help pinpoint problems joining the device to Microsoft Entra ID.

If there are errors, you will see a DRS Discovery Test section in the output with the failure code. Otherwise, the output will resemble the following with a clean join:

dsregcmd diagnostic data status output


Other dsregcmd troubleshooting and management

Aside from the /status parameter, there are other helpful dsregcmd troubleshooting and management tools to note, including the following:

  • join—If the device is deleted in Azure AD, you can reregister it using this parameter.
  • leave—To unregister a device from Azure AD, you can run dsregcmd with the /leave parameter.
  • debug—Use in combination with /join and /leave to display verbose output:
    • dsregcmd /debug /join and dsregcmd /debug /leave display verbose output for the join and leave process.
  • updatedevice—The update device command is used in situations in which device attributes have changed and need to be updated in Azure AD. It can be used to refresh or repair device registration if it is in a misconfigured state or in error.

Below, we are running the command:

dsregcmd /debug /join

Running the dsregcmd to reregister a device with Azure Active Directory

When you run the dsregcmd /debug /join command, it is the same as triggering the built-in Windows Scheduled Task by selecting Microsoft > Windows > Workplace Join > Automatic-Device-Join.

The workplace join scheduled task


dsregcmd has two parameters that can be helpful with Windows Account Manager token-based authentication:

  • cleanupaccounts—Removes cached authentication tokens on the devices for these accounts. This is helpful when redeploying the device, troubleshooting authentication issues, or removing a device from Azure AD, ensuring there are no leftover cached credentials.
  • listaccounts—Lists accounts used for modern authentication. Helpful in understanding the status of authentication on the device to see which accounts have been accessed, diagnosing authentication problems, and auditing security.

Below, we are running:

dsregcmd /listaccounts

This displays accounts found, application accounts, and other details regarding the cloud connection, which is helpful in understanding which accounts are connected to the device.


List Windows Account manager accounts


Wrapping up

dsregcmd is an excellent way to manage and troubleshoot Microsoft Entra ID device joins and authentication. It lets us see the low-level debug information, manually join and unjoin devices, and clean up Windows Account Manager modern authentication tokens when needed. It is a "Swiss army knife" command-line tool for hybrid administrators working with modern Azure Active Directory environments. More information about the various dsregcmd output parameters can be found here.

© 4sysops 2006 - 2023
