[Devices] Backlog bug 124996

Author: MicrosoftGuyJFlo

markdownlint.json .markdownlint.json

@@ -1,18 +1,16 @@
 ---
 title: Troubleshoot devices by using the dsregcmd command
 description: This article covers how to use the output from the dsregcmd command to understand the state of devices in Microsoft Entra ID.
-services: active-directory
+
 ms.service: active-directory
 ms.subservice: devices
 ms.topic: troubleshooting
-ms.date: 08/31/2022
+ms.date: 01/09/2024
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
 manager: amycolannino
-ms.reviewer: ravenn
-
-ms.collection: M365-identity-device-management
+ms.reviewer: jploegert
 ---
 # Troubleshoot devices by using the dsregcmd command
 
@@ -23,7 +21,7 @@ This article covers how to use the output from the `dsregcmd` command to underst
 This section lists the device join state parameters. The criteria that are required for the device to be in various join states are listed in the following table:
 
 | AzureAdJoined | EnterpriseJoined | DomainJoined | Device state |
-| ---	| ---	| ---	| ---	|
+| --- | --- | --- | --- |
 | YES | NO | NO | Microsoft Entra joined |
 | NO | NO | YES | Domain Joined |
 | YES | NO | YES | Microsoft Entra hybrid joined |
@@ -57,23 +55,23 @@ The state is displayed only when the device is Microsoft Entra joined or Microso
 - **DeviceId**: The unique ID of the device in the Microsoft Entra tenant.
 - **Thumbprint**: The thumbprint of the device certificate.
 - **DeviceCertificateValidity**: The validity status of the device certificate.
-- **KeyContainerId**: The containerId of the device private key that's associated with the device certificate.
-- **KeyProvider**: The KeyProvider (Hardware/Software) that's used to store the device private key.
+- **KeyContainerId**: The containerId of the device private key associated with the device certificate.
+- **KeyProvider**: The KeyProvider (Hardware/Software) used to store the device private key.
 - **TpmProtected**: The state is set to *YES* if the device private key is stored in a hardware Trusted Platform Module (TPM).
 - **DeviceAuthStatus**: Performs a check to determine the device's health in Microsoft Entra ID. The health statuses are:  
-  * *SUCCESS* if the device is present and enabled in Microsoft Entra ID.  
-  * *FAILED. Device is either disabled or deleted* if the device is either disabled or deleted. For more information about this issue, see [Microsoft Entra device management FAQ](faq.yml#why-do-my-users-see-an-error-message-saying--your-organization-has-deleted-the-device--or--your-organization-has-disabled-the-device--on-their-windows-10-11-devices). 
-  * *FAILED. ERROR* if the test was unable to run. This test requires network connectivity to Microsoft Entra ID under the system context.
-    > [!NOTE]
-    > The **DeviceAuthStatus** field was added in the Windows 10 May 2021 update (version 21H1).  
+   - *SUCCESS* if the device is present and enabled in Microsoft Entra ID.  
+   - *FAILED. Device is either disabled or deleted* if the device is either disabled or deleted. For more information about this issue, see [Microsoft Entra device management FAQ](faq.yml#why-do-my-users-see-an-error-message-saying--your-organization-has-deleted-the-device--or--your-organization-has-disabled-the-device--on-their-windows-10-11-devices).
+   - *FAILED. ERROR* if the test was unable to run. This test requires network connectivity to Microsoft Entra ID under the system context.
+   > [!NOTE]
+   > The **DeviceAuthStatus** field was added in the Windows 10 May 2021 update (version 21H1).  
 - **Virtual Desktop**: There are three cases where this appears.
-   - NOT SET - VDI device metadata is not present on the device.
+   - NOT SET - VDI device metadata isn't present on the device.
    - YES - VDI device metadata is present and dsregcmd outputs associated metadata including:
       - Provider: Name of the VDI vendor.
       - Type: Persistent VDI or non-persistent VDI.
       - User mode: Single user or multi-user.
       - Extensions: Number of key value pairs in optional vendor specific metadata, followed by key value pairs.
-    - INVALID - The VDI device metadata is present but not set correctly. In this case, dsregcmd outputs the incorrect metadata.
+   - INVALID - The VDI device metadata is present but not set correctly. In this case, dsregcmd outputs the incorrect metadata.
 
 ### Sample device details output
 
@@ -98,8 +96,7 @@ The tenant details are displayed only when the device is Microsoft Entra joined
 
 > [!NOTE]
 > If the mobile device management (MDM) URL fields in this section are empty, it indicates either that the MDM was not configured or that the current user isn't in scope of MDM enrollment. Check the Mobility settings in Microsoft Entra ID to review your MDM configuration.
-
-> [!NOTE]
+>
 > Even if you see MDM URLs, this does not mean that the device is managed by an MDM. The information is displayed if the tenant has MDM configuration for auto-enrollment even if the device itself isn't managed.
 
 ### Sample tenant details output
@@ -177,39 +174,38 @@ You can ignore this section for Microsoft Entra registered devices.
 > The command must run in a user context to retrieve that user's valid status.
 
 - **AzureAdPrt**: Set the state to *YES* if a Primary Refresh Token (PRT) is present on the device for the logged-in user.
-- **AzureAdPrtUpdateTime**: Set the state to the time, in Coordinated Universal Time (UTC), when the PRT was last updated.
+- **AzureAdPrtUpdateTime**: Set the state to the time, in Coordinated Universal Time (UTC), when the [PRT was last updated](concept-primary-refresh-token.md#how-is-a-prt-renewed).
 - **AzureAdPrtExpiryTime**: Set the state to the time, in UTC, when the PRT is going to expire if it isn't renewed.
 - **AzureAdPrtAuthority**: The Microsoft Entra authority URL
 - **EnterprisePrt**: Set the state to *YES* if the device has a PRT from on-premises 
-Active Directory Federation Services (AD FS). For Microsoft Entra hybrid joined devices, the device could have a PRT from both Microsoft Entra ID and on-premises Active Directory simultaneously. On-premises joined devices will have only an Enterprise PRT.
+Active Directory Federation Services (AD FS). For Microsoft Entra hybrid joined devices, the device could have a PRT from both Microsoft Entra ID and on-premises Active Directory simultaneously. On-premises joined devices have only an Enterprise PRT.
 - **EnterprisePrtUpdateTime**: Set the state to the time, in UTC, when the Enterprise PRT was last updated.
 - **EnterprisePrtExpiryTime**: Set the state to the time, in UTC, when the PRT is going to expire if it isn't renewed.
 - **EnterprisePrtAuthority**: The AD FS authority URL
 
 >[!NOTE]
 > The following PRT diagnostics fields were added in the Windows 10 May 2021 update (version 21H1).
-
->[!NOTE]
-> * The diagnostics information that's displayed in the **AzureAdPrt** field is for Microsoft Entra PRT acquisition or refresh, and the diagnostics information that's displayed in the **EnterprisePrt** field is for Enterprise PRT acquisition or refresh.
-> * The diagnostics information is displayed only if the acquisition or refresh failure happened after the last successful PRT update time (AzureAdPrtUpdateTime/EnterprisePrtUpdateTime).  
+>
+> - The diagnostics information that's displayed in the **AzureAdPrt** field is for Microsoft Entra PRT acquisition or refresh, and the diagnostics information that's displayed in the **EnterprisePrt** field is for Enterprise PRT acquisition or refresh.
+> - The diagnostics information is displayed only if the acquisition or refresh failure happened after the last successful PRT update time (AzureAdPrtUpdateTime/EnterprisePrtUpdateTime).  
 >On a shared device, this diagnostics information could be from a different user's login attempt.
 
 - **AcquirePrtDiagnostics**: Set the state to *PRESENT* if the acquired PRT diagnostics information is present in the logs.  
-   This field is skipped if no diagnostics information is available.
+   - This field is skipped if no diagnostics information is available.
 - **Previous Prt Attempt**: The local time, in UTC, at which the failed PRT attempt occurred.  
 - **Attempt Status**: The client error code that's returned (HRESULT).
 - **User Identity**: The UPN of the user for whom the PRT attempt happened.
-- **Credential Type**: The credential that's used to acquire or refresh the PRT. Common credential types are Password and Next Generation Credential (NGC) (for Windows Hello).
-- **Correlation ID**: The correlation ID that's sent by the server for the failed PRT attempt.
+- **Credential Type**: The credential used to acquire or refresh the PRT. Common credential types are Password and Next Generation Credential (NGC) (for Windows Hello).
+- **Correlation ID**: The correlation ID sent by the server for the failed PRT attempt.
 - **Endpoint URI**: The last endpoint accessed before the failure.
-- **HTTP Method**: The HTTP method that's used to access the endpoint.
-- **HTTP Error**: WinHttp transport error code. Get additional [network error codes](/windows/win32/winhttp/error-messages).
-- **HTTP Status**: The HTTP status that's returned by the endpoint.
+- **HTTP Method**: The HTTP method used to access the endpoint.
+- **HTTP Error**: WinHttp transport error code. Get other [network error codes](/windows/win32/winhttp/error-messages).
+- **HTTP Status**: The HTTP status returned by the endpoint.
 - **Server Error Code**: The error code from the server.  
 - **Server Error Description**: The error message from the server.
 - **RefreshPrtDiagnostics**: Set the state to *PRESENT* if the acquired PRT diagnostics information is present in the logs.  
-This field is skipped if no diagnostics information is available.
-The diagnostics information fields are same as **AcquirePrtDiagnostics**
+   - This field is skipped if no diagnostics information is available.
+   - The diagnostics information fields are same as **AcquirePrtDiagnostics**
 
 >[!NOTE]
 > The following Cloud Kerberos diagnostics fields were added in the original release of Windows 11 (version 21H2).
@@ -256,37 +252,37 @@ The diagnostics information fields are same as **AcquirePrtDiagnostics**
 
 This diagnostics section is displayed only if the device is domain-joined and unable to Microsoft Entra hybrid join.
 
-This section performs various tests to help diagnose join failures. The information includes the error phase, the error code, the server request ID, the server response http status, and the server response error message.
+This section performs various tests to help diagnose join failures. The information includes the: error phase, error code, server request ID, server response HTTP status, and server response error message.
 
 - **User Context**: The context in which the diagnostics are run. Possible values: SYSTEM, UN-ELEVATED User, ELEVATED User.
 
    > [!NOTE]
    > Because the actual join is performed in SYSTEM context, running the diagnostics in SYSTEM context is closest to the actual join scenario. To run diagnostics in SYSTEM context, the `dsregcmd /status` command must be run from an elevated command prompt.
 
 - **Client Time**: The system time, in UTC.
-- **AD Connectivity Test**: This test performs a connectivity test to the domain controller. An error in this test will likely result in join errors in the pre-check phase.
+- **AD Connectivity Test**: This test performs a connectivity test to the domain controller. An error in this test likely results in join errors in the pre-check phase.
 - **AD Configuration Test**: This test reads and verifies whether the Service Connection Point (SCP) object is configured properly in the on-premises Active Directory forest. Errors in this test would likely result in join errors in the discover phase with the error code 0x801c001d.
 - **DRS Discovery Test**: This test gets the DRS endpoints from discovery metadata endpoint and performs a user realm request. Errors in this test would likely result in join errors in the discover phase.
 - **DRS Connectivity Test**: This test performs a basic connectivity test to the DRS endpoint.
-- **Token Acquisition Test**: This test tries to get a Microsoft Entra authentication token if the user tenant is federated. Errors in this test would likely result in join errors in the authentication phase. If authentication fails, sync-join will be attempted as fallback, unless fallback is explicitly disabled with the following registry key settings:
+- **Token Acquisition Test**: This test tries to get a Microsoft Entra authentication token if the user tenant is federated. Errors in this test would likely result in join errors in the authentication phase. If authentication fails, sync-join is attempted as fallback, unless fallback is explicitly disabled with the following registry key settings:
 
-  ```
-  Keyname: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ
-  Value: FallbackToSyncJoin
-  Type:  REG_DWORD
-  Value: 0x0 -> Disabled
-  Value: 0x1 -> Enabled
-  Default (No Key): Enabled
-  ```
+   ```
+   Keyname: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ
+   Value: FallbackToSyncJoin
+   Type:  REG_DWORD
+   Value: 0x0 -> Disabled
+   Value: 0x1 -> Enabled
+   Default (No Key): Enabled
+   ```
 
 - **Fallback to Sync-Join**: Set the state to *Enabled* if the preceding registry key to prevent fallback to sync-join with authentication failures is *not* present. This option is available from Windows 10 1803 and later.
 - **Previous Registration**: The time when the previous join attempt occurred. Only failed join attempts are logged.
 - **Error Phase**: The stage of the join in which it was aborted. Possible values are *pre-check*, *discover*, *auth*, and *join*.
-- **Client ErrorCode**: The client error code that's returned (HRESULT).
-- **Server ErrorCode**: The server error code that's displayed if a request was sent to the server and the server responded with an error code.
-- **Server Message**: The server message that's returned along with the error code.
-- **Https Status**: The HTTP status that's returned by the server.
-- **Request ID**: The client requestId that's sent to the server. The request ID is useful to correlate with server-side logs.
+- **Client ErrorCode**: The client error code returned (HRESULT).
+- **Server ErrorCode**: The server error code displayed if a request was sent to the server and the server responded with an error code.
+- **Server Message**: The server message returned along with the error code.
+- **Https Status**: The HTTP status returned by the server.
+- **Request ID**: The client requestId sent to the server. The request ID is useful to correlate with server-side logs.
 
 ### Sample pre-join diagnostics output
 
@@ -345,10 +341,10 @@ The following example shows that diagnostics tests are passing but the registrat
 
 ### Post-join diagnostics
 
-This diagnostics section displays the output of sanity checks performed on a device that's joined to the cloud.
+This diagnostics section displays the output of sanity checks performed on a device joined to the cloud.
 
 - **AadRecoveryEnabled**: If the value is *YES*, the keys stored in the device aren't usable, and the device is marked for recovery. The next sign-in will trigger the recovery flow and re-register the device.
-- **KeySignTest**: If the value is *PASSED*, the device keys are in good health. If KeySignTest fails, the device is usually marked for recovery. The next sign-in will trigger the recovery flow and re-register the device. For Microsoft Entra hybrid joined devices, the recovery is silent. While the devices are Microsoft Entra joined or Microsoft Entra registered, they'll prompt for user authentication to recover and re-register the device, if necessary. 
+- **KeySignTest**: If the value is *PASSED*, the device keys are in good health. If KeySignTest fails, the device is usually marked for recovery. The next sign-in will trigger the recovery flow and re-register the device. For Microsoft Entra hybrid joined devices, the recovery is silent. While the devices are Microsoft Entra joined or Microsoft Entra registered, they prompt for user authentication to recover and re-register the device, if necessary.
    > [!NOTE]
    > The KeySignTest requires elevated privileges.
 
@@ -385,8 +381,7 @@ This diagnostics section performs the prerequisites check for setting up Windows
 
 >[!NOTE]
 > The following Cloud Kerberos diagnostics fields were added in the Windows 10 May 2021 update (version 21H1).
-
->[!NOTE]
+>
 > Prior to Windows 11 version 23H2, the setting **OnPremTGT** was named **CloudTGT**.
 
 - **OnPremTGT**: This setting is specific to Cloud Kerberos trust deployment and present only if the CertEnrollment state is *none*. Set the state to *YES* if the device has a Cloud Kerberos ticket to access on-premises resources. Prior to Windows 11 version 23H2, this setting was named **CloudTGT**.