In my upgrade testing I have been experiencing some issues with machines connected to Azure AD, and it's been quite a ride to figure out how to correct it!
I have mapped out exactly what has happened, and now the sun is rising again as I have a tested and working solution!
I just need to get Microsoft to confirm that the upgrade is causing the issue and help work out why this is happening.
Here is my synopsis of the issue. I know I am not the only one that has seen it; on the MS Answers Forums you can reference here and here. This is what is actually happening: prior to the issue, the machine is connected to Azure AD and logged on and authenticated with an Azure AD account. A new upgrade in Settings --> Update & Security downloads a new #WindowsInsider build.
In all cases that I have seen this issue, the machine had been previously renamed after it was joined to AzureAD, but I can neither confirm nor deny if this is part of the issue.
After the upgrade, an attempt to log in with the Azure AD user account gives a bad password prompt, even though the password is correct. After some investigation I figured out the real problem: the #WindowsInsider build upgrade has disconnected the machine from Azure AD! How to confirm this? I had set up a LocalAdmin account on my test devices, knowing that I may need a way to get into the computer in the event that my Azure AD account was unavailable.
Logging in as the LocalAdmin, I verified a couple of settings. The first thing I did was open the Feedback Hub and attempt to sign in as my Azure AD account.
Here is the CAA5004B error that I have been seeing; the error comes back as Device Information is missing. I went back and checked inside the Settings application to validate that I was connected to my Azure AD:
in Settings --> Accounts --> Access Work or School it was enabled. Something looked a little strange: it shows that I am connected to an Azure AD, but it doesn't look like it normally does, and when I try a disconnect I am not allowed. My original solution was to completely reset the computer. This does work, but it is extremely drastic and isn't the best solution.
Here is the fix!
I figured out the right way to address the issue without resetting the computer!
Even though the Settings application sees that I am connected to Azure AD, I had a sneaking suspicion that I really was not connected at all. I just needed a way to confirm this; thankfully Microsoft has a command that tells us in detail what exactly the status of our domain join is:
DSREGCMD /status
This command tells the real picture: after the upgrade my machine has been unjoined from Azure AD! This is a huge problem! I checked my Azure AD, and the last machine update (Get-AzureADDevice) showed that my machine was updating and was on build 18323. This upgrade was to 18329.1; something removed the domain join on the machine and didn't touch Azure AD. Ok, now I know why the user couldn't log in: no domain to authenticate against, no way to log in!
Now how to get it to rejoin Azure AD!
For me, I could not disconnect and reconnect it to Azure AD in Settings --> Accounts --> Access Work or School, as it would not let me Disconnect because it was already disconnected. To disconnect the domain I needed to run DSREGCMD as SYSTEM!
PSEXEC -i -s cmd
A handy Windows Sysinternals utility to the rescue! PSEXEC (a tool every ITPro uses!) lets you run a command prompt in the NTAuthority\System context interactively. After I spawned a cmd prompt, running the command
DSREGCMD /Debug
verified that I was not connected and that the only way I could get out was via
DSREGCMD /Leave
This command, run in the NTAuthority\System context, removed the hidden Azure AD connection.
In Settings --> Accounts --> Access Work or School I went through the process to rejoin Azure AD (Hit the Connect and then ensure you choose Join Computer to Azure AD with your Azure AD account)
Now this looks better! It now shows that the machine is connected to my corporate Azure AD. To confirm that the machine was actually connected to my Azure AD, a DSREGCMD /status showed the complete picture: I was truly authenticated correctly!
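The check the post walks through, as an added PowerShell example that is not part of the original post: it parses the field lines of DSREGCMD /status into a hashtable and reports whether the device is really Azure AD joined, regardless of what Settings shows. The function names are mine and the sample output is constructed; AzureAdJoined, TenantName and DeviceId are real dsregcmd fields.

```powershell
# Added example (not from the original post). Parses the field lines of
# "dsregcmd /status" into a hashtable and reports whether the device is
# really Azure AD joined, regardless of what the Settings page shows.

function Get-DsregState {
    param(
        # Lines of dsregcmd /status output; defaults to running the tool live.
        [string[]]$StatusText = (& dsregcmd.exe /status)
    )
    $state = @{}
    foreach ($line in $StatusText) {
        # Field lines look like "    AzureAdJoined : YES"; banner and
        # separator lines have no "Name : Value" shape and are skipped.
        if ($line -match '^\s*([A-Za-z][\w -]*?)\s*:\s*(.*?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Test-AzureAdJoin {
    param([hashtable]$State)
    if ($State['AzureAdJoined'] -eq 'YES') {
        return "Joined to Azure AD tenant '$($State['TenantName'])' as device $($State['DeviceId'])"
    }
    # Settings may still show a work account here; the device object in
    # Azure AD is untouched, only the local join state is gone.
    return "NOT Azure AD joined. Fix from a SYSTEM prompt (psexec -i -s cmd): dsregcmd /leave, then rejoin via Settings."
}

# Constructed sample mimicking the post-upgrade machine; not real output.
$sampleBroken = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : NO
'@ -split "`r?`n"

Test-AzureAdJoin -State (Get-DsregState -StatusText $sampleBroken)
# On a live machine: Test-AzureAdJoin -State (Get-DsregState)
```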
I signed out of the device as my LocalAdmin account and logged back in as my Azure AD account. The login worked and my old profile showed exactly as it was! It was like I had never left (I was worried that it may create a new login profile and not reuse the old one!). My issue has been righted and my machine is back in working order within my Azure AD!
The problem of the upgrade unjoining the machine from Azure AD still exists, but at least there is now a solution to undo the problem!
Thanks for reading, and I hope you get your machine reconnected. Reach out to me @Murmanz on Twitter if you need a hand!
Murray