├── DSRegTool.ps1
├── LICENSE
├── README.md
└── media
    └── DSRegTool.png


/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2020 Mohammad Zmaili

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Device Registration Troubleshooter Tool
Troubleshooting device registration issues is not easy and takes time. With the Device Registration Troubleshooter tool, it is not complex anymore :)

DSRegTool is a comprehensive PowerShell tool that performs more than 50 different tests to help you identify and fix the most common device registration issues for all join types (Hybrid Azure AD joined, Azure AD joined and Azure AD registered).

## Script requirements
You can run DSRegTool as a normal user, except with option #3 and option #7, where you need to run DSRegTool as a user who has local admin permissions.

## How to run the script
Download and run the `DSRegTool.ps1` script from [this](https://github.com/mzmaili/DSRegTool/archive/refs/heads/master.zip) GitHub repo.

## Why is this script useful?
DSRegTool facilitates troubleshooting device registration issues for different join types.

## What tests does DSRegTool perform?
#### 1- Troubleshoot Microsoft Entra Register
- Testing OS version
- Testing if the device is registered to AzureAD by the signed in user
- Testing Device Registration endpoints connectivity
- Testing Device Registration Service
- Testing if the device exists on AAD
- Testing if the device is enabled on AAD

#### 2- Troubleshoot Microsoft Entra join device
- Testing OS version
- Testing if the device is joined to the local domain
- Testing if the device is joined to AzureAD
- Testing if the signed in user is a Built-in Administrator account
- Testing if the signed in user has local admin permissions
- Testing Device Registration endpoints connectivity
- Testing Device Registration Service
- Testing if the device exists on AAD
- Testing if the device is enabled on AAD

#### 3- Troubleshoot Microsoft Entra hybrid join
- Testing OS version
- Testing if the device is joined to the local domain
- Testing if the device is joined to AzureAD
- Testing Automatic-Device-Join task scheduler
- Testing Domain Controller connectivity
- Testing Service Connection Point (SCP) configuration for both client and domain sides
- Testing Device Registration endpoints connectivity under system context:
  - Testing connectivity over winHTTP proxy (considering if domain is bypassed)
  - Testing connectivity over winInet proxy (considering if domain is bypassed)
- Testing the following with Federated domain:
  - Testing MEX endpoint (for Federated domains)
  - Testing windowstransport endpoints (for Federated domains)
  - If federated join flow failed, checking sync join flow
    - Testing OS version if it supports fallback to sync join
    - Testing fallback to sync join configuration enablement
- Testing the following with Managed domain / Sync join flow:
  - Testing if the device synced successfully to AAD (for Managed domains)
  - Testing userCertificate attribute under AD computer object
  - Testing self-signed certificate validity
  - Testing if the device synced to Azure AD
- Testing Device Registration Service
- Testing if the device exists on AAD
- Testing if the device is enabled on AAD
- Testing if the device is not pending on AAD
- Testing if device is stale

#### 4- Verify Service Connection Point (SCP)
- Testing client-side registry setting
- Testing client-side registry configuration (tenantID, DomainName)
- Testing Domain Controller connectivity
- Testing Service Connection Point (SCP) on configuration partition
- Testing Service Connection Point (SCP) configuration

#### 5- Verify the health status of the device
- Checks OS version
- Checks if the device is joined to the local domain
- Checks if the device is joined to AzureAD
- Checks if the device is hybrid, Azure AD joined or Azure AD registered
- Checks the device certificate configuration
- Checks if the device exists on AAD
- Checks if the device is enabled on AAD
- Checks if the device is not pending on AAD
- Shows the health status for the device
- Provides recommendations to fix unhealthy devices

#### 6- Verify Primary Refresh Token (PRT)
- Checks OS version
- Checks if the device is joined to the local domain
- Testing if the device is Hybrid Azure AD joined
- Testing if the device is Azure AD Joined
- Testing Azure AD PRT (DJ++ or ADDJ)
- Testing Enterprise PRT (DJ++)
- Testing if the device is workplace joined
- Testing the registry configuration (WPJ)

#### 7- Collect the logs
- If DSRegTool is running with elevated privileges, it starts log collection. Otherwise, the tool shows an action plan to collect the logs using Feedback Hub.
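
The join-type and PRT checks in options 5 and 6 can be reproduced from `dsregcmd /status` text, as in the following added example (it is not DSRegTool's own code). The function names are hypothetical, the sample text is constructed, and the `NeedsPrtCheck` flag is a heuristic introduced for this example.

```powershell
# Added example (not DSRegTool code): classify join type and PRT state from
# `dsregcmd /status` text, e.g. the dsregcmd-status.txt file that option 7 collects.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Fields print as "   Name : Value"; banner lines start with '+' or '|'.
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    return $state
}

function Get-DsregJoinSummary {
    param([hashtable]$State)
    $aadj = $State['AzureAdJoined']   -eq 'YES'
    $dj   = $State['DomainJoined']    -eq 'YES'
    $wpj  = $State['WorkplaceJoined'] -eq 'YES'
    $prt  = $State['AzureAdPrt']      -eq 'YES'
    if     ($aadj -and $dj) { $joinType = 'Hybrid Azure AD joined' }
    elseif ($aadj)          { $joinType = 'Azure AD joined' }
    elseif ($wpj)           { $joinType = 'Azure AD registered' }
    else                    { $joinType = 'Not registered with Azure AD' }
    [pscustomobject]@{
        JoinType      = $joinType
        TenantId      = $State['TenantId']
        AzureAdPrt    = $prt
        # Assumption of this example: a joined device without a PRT deserves a closer look.
        NeedsPrtCheck = $aadj -and -not $prt
    }
}

# Constructed sample, trimmed to the fields used above (placeholder tenant ID).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                  TenantId : 00000000-0000-0000-0000-000000000000
           WorkplaceJoined : NO
                AzureAdPrt : NO
'@ -split "`r?`n"

# On a live device, pass (dsregcmd /status) instead of $sample.
Get-DsregJoinSummary -State (ConvertFrom-DsregStatus -Lines $sample)
```

For the constructed sample this reports a Hybrid Azure AD joined device with no Azure AD PRT, so `NeedsPrtCheck` is true.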

## User experience
![Alt text](/media/DSRegTool.png "DSRegTool")

## Frequently asked questions
### Does the script change anything?
No, it just retrieves data.

### Does the script require any PowerShell module to be installed?
No, the script does not require any PowerShell module.

### Will the tool fix the issue when it detects it?
No, it identifies the issue and suggests recommended steps to fix it.

### What are the logs being collected by option #7?
Here is the log collection output file reference:

| File Name | Description |
| ------------- | ------------- |
| dsregcmd-status.txt | dsregcmd /status output |
| dsregcmd-debug.txt | dsregcmd /debug output under system context |
| DeviceInfo.txt | Following machine's information: OS version, Device Name, Object GUID, Distinguished Name and UserCertificate |
| hosts.txt | Copy of machine's hosts file |
| ipconfig-all.txt | Machine's IP address configuration |
| Winver.txt | Windows OS version |
| IdentityStore.txt | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IdentityStore registry value |
| WPJ-info.txt | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AAD registry value |
| CloudDomainJoin.txt | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CloudDomainJoin registry value |
| WorkplaceJoin-windows.txt | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin registry value |
| Winlogon-current-control-set.txt | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Winlogon registry value |
| WorkplaceJoin-control.txt | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WorkplaceJoin registry value |
| Lsa.txt | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry value |
| winHTTP.txt | winHTTP configuration under system context |
| winInet-user.txt | winInet configuration under logged on user context |
| winInet-user-regkey.txt | winInet registry value under logged on user context |
| winInet-system.txt | winInet configuration under system context |
| winInet-system-regkey.txt | winInet registry value under system context |
| TestDeviceRegConnectivity-user.txt | Result of testing Device Registration endpoints connectivity under system context |
| TestDeviceRegConnectivity-system.txt | Result of testing Device Registration endpoints connectivity under system context |
| Task-Scheduler.txt | Task scheduler configuration |
| tasklist.txt | Running tasks |
| set.txt | System environment values |
| services-running.txt | Running services |
| services-config.txt | sc config |
| SCP-config-partition.txt | SCP from domain configuration partition |
| SCP-client-side.txt | SCP client-side registry value |
| Schannel.txt | Schannel registry value |
| GPResult.htm | Group Policy Result |
| Patches.htm | Installed Windows updates |
| netstat-nao.txt | Established network connections |
| route-print.txt | Routing table |
| Netsetup.log | Netsetup debug logs |
| netlogon.log | Netlogon debug logs |
| Netlogon.txt | Netlogon registry value |
| AAD-Operational.evtx | CloudAP plugin and AAD broker plugin operational logs |
| AAD-Analytic.evtx | CloudAP plugin and AAD broker diagnostic logs |
| User Device Registration-Admin.evtx | Device Registration administrative logs |
| User Device Registration-Debug.evtx | Device Registration diagnostic logs |
| Biometrics-Operational.evtx | Biometrics operational logs |
| HelloForBusiness-Operational.evtx | Windows Hello for Business logs |
| LiveId-Operational.evtx | Live ID operational logs |
| Kerberos-Operational.evtx | Kerberos operational logs |
| Shell-Core-Operational.evtx | Shell core operational logs |
| WebAuthN-Operational.evtx | WebAuthN operational logs including FIDO key logs |
| WebAuth-Operational.evtx | WebAuth operational logs |
| WMI-Activity-Operational.evtx | WMI activity operational logs |
| Authentication-AuthenticationPolicyFailures-DomainController.evtx | Authentication Policy Failure logs |
| Authentication-ProtectedUser-Client.evtx | Protected user failure client logs |
| Authentication-ProtectedUserFailures-DomainController.evtx | Protected user failure authentication logs |
| Authentication-ProtectedUserSuccesses-DomainController.evtx | Protected user successes authentication logs |
| CAPI2-Operational.evtx | Certificate operational logs |
| CertPoleEng-Operational.evtx | CertPoleEng operational logs |
| Crypto-DPAPI-Operational.evtx | Crypto DPAPI operational logs |
| GroupPolicy-Operational.evtx | Group policy operational logs |
| IdCtrls-Operational.evtx | IdCtrls operational logs |
| User Control Panel-Operational.evtx | Control panel operational logs |
| System.evtx | Machine system event logs |
| Application.evtx | Machine application event logs |
| LSA.etl | LSA debug traces in binary format |
| Netmon.etl | Network trace |
| WebAuth.etl | WebAuth debug traces in binary format |
| Kerberos.etl | Kerberos debug traces in binary format |
| Ntlm_CredSSP.etl | Ntlm_CredSSP debug traces in binary format |
| AADExtention\Azure.ActiveDirectory.AADLoginForWindows | AADExtention logs |
| AADExtention\AzuerVMInfo.txt | Azure VM information |
| AADExtention\AzureVMTenantID.txt | Tenant ID that is associated with the Azure Subscription |
| AADExtention\AzureVMAccessToken.txt | Azure VM Access Token |
| AADExtention\pas.windows.net.txt | Connectivity result to pas.windows.net |
| AADExtention\login.microsoftonline.com.txt | Connectivity result to login.microsoftonline.com |
| AADExtention\device.login.microsoftonline.com.txt | Connectivity result to device.login.microsoftonline.com |
| AADExtention\enterpriseregistration.windows.net.txt | Connectivity result to enterpriseregistration.windows.net |
| Log.log | Shows log collection verbose logs |
| DSRegTool.log | Copy of DSRegTool log file |

--------------------------------------------------------------------------------
/media/DSRegTool.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mzmaili/DSRegTool/b5703a7e1190b5834b730f48603e88f937144fc1/media/DSRegTool.png
--------------------------------------------------------------------------------