How to Use Dsregcmd to Check Azure AD Join Status on Windows

Master the dsregcmd command-line tool to verify and troubleshoot Microsoft Entra ID (Azure AD) device join status on Windows 10/11 systems.

Evan Mael
March 27, 2026

Why Use Dsregcmd for Azure AD Device Management?

Managing device identity in modern hybrid environments requires precise visibility into registration status and connectivity. The dsregcmd command-line tool serves as the primary diagnostic utility for Microsoft Entra ID (formerly Azure AD) device registration, providing IT administrators with comprehensive insights into device join status, authentication tokens, and connectivity issues.

In enterprise environments where devices need seamless access to both on-premises and cloud resources, understanding device registration state becomes critical. Whether you're troubleshooting single sign-on failures, investigating conditional access policy blocks, or validating hybrid Azure AD join configurations, dsregcmd delivers the detailed information needed to diagnose and resolve issues quickly.

What Device States Can Dsregcmd Identify?

Modern Windows devices can exist in several registration states: purely domain-joined for traditional on-premises environments, Azure AD-joined for cloud-first organizations, or hybrid Azure AD-joined for enterprises bridging both worlds. Each state provides different capabilities for authentication, device management, and resource access. Dsregcmd reveals not just the current state, but also the underlying configuration details, token status, and connectivity health that determine whether users experience seamless authentication or encounter repeated login prompts.

The tool also exposes Primary Refresh Token (PRT) information, which governs single sign-on behavior across Microsoft 365 applications and other Azure AD-integrated services. Understanding PRT status helps administrators quickly identify why users might be experiencing authentication issues or why conditional access policies aren't applying correctly.

Implementation Guide

Full Procedure

01

Open Command Prompt with Administrative Privileges

Start by launching Command Prompt or PowerShell with elevated privileges. Most dsregcmd operations require administrative access to read device registration information and perform join/leave operations.

Press Windows + R, type cmd, then press Ctrl + Shift + Enter to run as administrator. Alternatively, right-click the Start button and select "Windows PowerShell (Admin)" or "Command Prompt (Admin)".

Pro tip: You can also search for "cmd" in the Start menu, right-click on "Command Prompt" and select "Run as administrator".

Verify you have administrative privileges by running:

whoami /priv

If the prompt is elevated, the list includes privileges such as "SeDebugPrivilege" and "SeSystemtimePrivilege" (shown as "Enabled" or "Disabled"); a non-elevated prompt lists only a handful of basic privileges.

02

Run Basic Device Status Check

Execute the primary dsregcmd command to get a comprehensive overview of your device's registration status. This command provides detailed information about Azure AD join status, domain membership, and SSO configuration.

dsregcmd /status

The output is divided into several sections. Focus on the Device State section first, which shows three critical values:

  • AzureAdJoined - Indicates if the device is registered with Microsoft Entra ID
  • DomainJoined - Shows if the device is joined to an on-premises Active Directory domain
  • EnterpriseJoined - Indicates workplace join status (less common)

Here's what different combinations mean:

AzureAdJoined   DomainJoined   State
YES             NO             Microsoft Entra joined (cloud-only)
NO              YES            Domain joined (on-premises only)
YES             YES            Microsoft Entra hybrid joined
NO              NO             Not joined to any directory

Verification: Look for clear "YES" or "NO" values in the Device State section. If you see "---" or blank values, there may be a configuration issue.

03

Analyze SSO State and Primary Refresh Token

The SSO State section provides crucial information about single sign-on capabilities and Primary Refresh Token (PRT) status. This determines whether users can seamlessly access cloud resources without repeated authentication.

In the dsregcmd output, locate the SSO State section and examine these key fields:

  • AzureAdPrt - Primary Refresh Token status (should be "YES" for working SSO)
  • AzureAdPrtUpdateTime - When the PRT was last refreshed
  • AzureAdPrtExpiryTime - When the current PRT expires
  • EnterprisePrt - Enterprise PRT status for hybrid scenarios

Warning: If AzureAdPrt shows "NO", users will experience authentication prompts and SSO won't work properly. This often indicates network connectivity issues or misconfigured conditional access policies.

For detailed PRT troubleshooting, run the command as the logged-in user (not as administrator) to get user-specific token information:

dsregcmd /status

Compare the results when run as admin versus as a regular user. User context provides more accurate PRT status information.

Verification: Confirm AzureAdPrt : YES and check that the update time is recent (within the last few hours or days).

04

Examine Tenant Details and Configuration

The Tenant Details section reveals important configuration information about your Azure AD tenant and device management settings. This helps verify that the device is connecting to the correct tenant and has proper MDM enrollment.

In the dsregcmd output, review the Tenant Details section for:

  • TenantName - Your organization's Azure AD tenant name
  • TenantId - Unique identifier for your Azure AD tenant
  • AuthCodeUrl - Authentication endpoint URL
  • AccessTokenUrl - Token endpoint for API access
  • MdmUrl - Mobile Device Management enrollment URL
  • MdmTouUrl - MDM Terms of Use URL
  • MdmComplianceUrl - Compliance policy endpoint

Cross-reference the TenantId with your Azure AD portal to ensure the device is registered to the correct tenant:

# In PowerShell, you can also check tenant info with the AzureAD module
# (run Connect-AzureAD first):
Get-AzureADTenantDetail | Select-Object ObjectId, DisplayName

Pro tip: Save the TenantId value - you'll need it when troubleshooting device registration issues or when contacting Microsoft support.

Look for MDM-related URLs if your organization uses Intune or another MDM solution. Missing MDM URLs might indicate enrollment issues.

Verification: Confirm the TenantName matches your organization and the TenantId is a valid GUID format (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).

05

Review Diagnostic Data for Connectivity Issues

The Diagnostic Data section provides detailed connectivity test results that help identify network, DNS, or configuration problems preventing proper Azure AD communication.

Examine these diagnostic tests in the output:

  • AD Connectivity - Tests connection to on-premises Active Directory domain controllers
  • AD Configuration - Verifies Service Connection Point (SCP) configuration for hybrid join
  • DRS Discovery - Tests Device Registration Service endpoint discovery
  • DRS Connectivity - Verifies connection to Azure Device Registration Service
  • Token acquisition - Tests ability to obtain authentication tokens
  • Fallback to Sync-Join - Indicates if device fell back to synchronous join process

Each test shows either "SUCCESS" or an error code. Common error codes include:

  • 0x801c001d - DRS Discovery failure (DNS or connectivity issue)
  • 0x801c0021 - Authentication failure
  • 0x801c0003 - Device not found in Azure AD

For detailed error analysis, run dsregcmd in debug mode:

dsregcmd /status /debug

Warning: Debug mode produces verbose output that may contain sensitive information. Use it only for troubleshooting and avoid sharing debug logs without sanitizing them first.

Verification: All diagnostic tests should show "SUCCESS". Any failures indicate specific areas that need attention before the device can properly communicate with Azure AD.
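A script that automates the checks from steps 02, 03 and 05, added here as an example; it is not part of the original article or of dsregcmd itself. The function names are my own, the sample text is constructed, and the parser runs dsregcmd /status only when no lines are supplied:

```powershell
# Added example (not from the article): parse dsregcmd /status text, classify the join state with the step 02 table, flag PRT and diagnostic problems.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines = (& dsregcmd.exe /status))
    $fields = @{}
    foreach ($line in $Lines) {
        # Value lines look like "   AzureAdJoined : YES"; boxed section headers have no colon.
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    return $fields
}

function Get-DsregJoinState {
    param([hashtable]$Fields)
    $azure  = $Fields['AzureAdJoined'] -eq 'YES'
    $domain = $Fields['DomainJoined']  -eq 'YES'
    if ($azure -and $domain) { return 'Microsoft Entra hybrid joined' }
    if ($azure)              { return 'Microsoft Entra joined (cloud-only)' }
    if ($domain)             { return 'Domain joined (on-premises only)' }
    return 'Not joined to any directory'
}

function Get-DsregFindings {
    param([hashtable]$Fields, [int]$MaxPrtAgeHours = 24)
    $findings = @()
    if ($Fields['AzureAdPrt'] -ne 'YES') { $findings += 'AzureAdPrt is not YES: SSO will prompt for credentials' }
    # Timestamps print as "2026-03-27 08:15:42.000 UTC"; strip the zone suffix before parsing.
    $updated = $Fields['AzureAdPrtUpdateTime'] -replace '\s+UTC$', ''
    $t = [datetime]::MinValue
    if ([datetime]::TryParse($updated, [ref]$t) -and ((Get-Date).ToUniversalTime() - $t).TotalHours -gt $MaxPrtAgeHours) {
        $findings += "PRT last refreshed $updated, older than $MaxPrtAgeHours h"
    }
    # Diagnostic rows end in "Test"; any value other than PASS/SUCCESS is an error code.
    foreach ($k in @($Fields.Keys) | Where-Object { $_ -like '* Test' }) {
        if ($Fields[$k] -notin @('PASS', 'SUCCESS')) { $findings += "$k failed with $($Fields[$k])" }
    }
    return $findings
}

# Constructed sample (not real output) so the example runs without a joined device.
$sample = @'
             AzureAdJoined : YES
              DomainJoined : YES
                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2026-03-27 08:15:42.000 UTC
      AD Connectivity Test : PASS
        DRS Discovery Test : 0x801c001d
'@ -split "`r?`n"
$f = ConvertFrom-DsregStatus -Lines $sample
Get-DsregJoinState $f
Get-DsregFindings $f
```

On a real device, call ConvertFrom-DsregStatus with no arguments from the signed-in user's (non-elevated) session so the PRT fields reflect that user, as step 03 recommends.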

06

Perform Azure AD Join Operations

Use dsregcmd to perform join, leave, or refresh operations when troubleshooting device registration issues. These commands modify the device's Azure AD registration state.

For hybrid Azure AD join (most common in enterprise environments):

dsregcmd /join

This command schedules a task to register the device with Azure AD while maintaining domain membership. The process runs asynchronously, so you won't see immediate results.

To leave Azure AD (removes cloud registration but keeps domain join):

dsregcmd /leave

For troubleshooting stuck registrations, use debug mode:

dsregcmd /debug /join

To refresh the Primary Refresh Token without full re-registration:

dsregcmd /refreshprt

Complete rejoin sequence for persistent issues:

# Check current status
dsregcmd /status

# Leave Azure AD
dsregcmd /leave

# Force Group Policy update
gpupdate /force

# Restart computer
shutdown /r /t 0

After restart, log in as a domain user and run:

dsregcmd /join

Pro tip: Always run /status before and after join/leave operations to verify the changes took effect. The join process can take several minutes to complete.

Verification: Run dsregcmd /status after each operation. For join operations, wait 5-10 minutes then check that AzureAdJoined shows "YES".

07

Troubleshoot Common Registration Issues

When dsregcmd reveals problems, use specific troubleshooting commands and techniques to resolve common Azure AD join issues.

For devices showing "Pending" hybrid join status, check the scheduled task:

schtasks /query /tn "\Microsoft\Windows\Workplace Join\Automatic-Device-Join"

If the task exists but isn't running, trigger it manually:

schtasks /run /tn "\Microsoft\Windows\Workplace Join\Automatic-Device-Join"

For certificate-related issues, check device certificates:

certlm.msc

Navigate to Personal > Certificates and look for certificates issued by "MS-Organization-Access" or your organization's CA.

Update device attributes if there are mismatches:

dsregcmd /updatedevice

Check Windows event logs for detailed error information:

eventvwr.msc

Navigate to Applications and Services Logs > Microsoft > Windows > User Device Registration > Admin for registration events.

For network connectivity issues, verify these URLs are accessible:

  • https://enterpriseregistration.windows.net
  • https://login.microsoftonline.com
  • https://device.login.microsoftonline.com

Test connectivity with PowerShell:

Test-NetConnection -ComputerName enterpriseregistration.windows.net -Port 443
Test-NetConnection -ComputerName login.microsoftonline.com -Port 443

Warning: Some organizations block these URLs through proxy or firewall. Work with your network team to ensure proper access to Microsoft endpoints.

Verification: After applying fixes, run dsregcmd /status to confirm the issues are resolved. Check that diagnostic tests show "SUCCESS" and device state reflects the expected join status.

Frequently Asked Questions

What does AzureAdJoined YES mean in dsregcmd output?

AzureAdJoined YES indicates that your Windows device is successfully registered with Microsoft Entra ID (Azure AD) and can authenticate users against cloud identity services. This enables single sign-on to Microsoft 365 applications, conditional access policy enforcement, and cloud-based device management through Intune. The device has established a trust relationship with your Azure AD tenant and possesses the necessary certificates for secure communication.

How do I fix dsregcmd showing AzureAdPrt NO for SSO issues?

AzureAdPrt NO means the Primary Refresh Token is missing or invalid, breaking single sign-on functionality. First, run dsregcmd /refreshprt to attempt token renewal. If that fails, check network connectivity to login.microsoftonline.com and ensure the device can reach Azure AD endpoints. Verify the user account isn't blocked by conditional access policies. In persistent cases, try dsregcmd /leave followed by dsregcmd /join to re-establish the device registration and obtain a fresh PRT.

What's the difference between domain joined and hybrid Azure AD joined?

Domain joined devices (DomainJoined YES, AzureAdJoined NO) authenticate only against on-premises Active Directory and cannot access cloud resources without additional credentials. Hybrid Azure AD joined devices (both values YES) maintain domain membership while also registering with Azure AD, enabling seamless access to both on-premises and cloud resources. Hybrid join provides the best of both worlds: traditional domain features like Group Policy alongside modern cloud capabilities like conditional access and cloud app SSO.

Why does dsregcmd /join fail with error 0x801c001d?

Error 0x801c001d typically indicates DRS (Device Registration Service) discovery failure, meaning the device cannot locate Azure AD registration endpoints. This usually stems from DNS resolution issues, proxy/firewall blocking access to enterpriseregistration.windows.net, or missing Service Connection Point (SCP) configuration in on-premises Active Directory. Verify network connectivity to Microsoft endpoints, check DNS resolution, and ensure your AD Connect server has properly configured the SCP object with your tenant information.

How often should I run dsregcmd /status for device monitoring?

Run dsregcmd /status reactively when troubleshooting authentication issues, SSO failures, or device management problems rather than on a scheduled basis. For proactive monitoring, incorporate it into login scripts or system health checks monthly to catch registration drift or certificate expiration issues. Always run it before and after performing join/leave operations to verify success. In environments with frequent conditional access policy changes, weekly checks help identify devices that may have lost compliance status or PRT validity.
Written by Evan Mael

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.