DSREGCMD.exe

Directory Service Registration, device join status.

Syntax
      DSREGCMD options

Key
   /status       Display the device join status.
   /status_old   Display the device join status in old format.
   /join         Schedule and monitor the Autojoin task to Hybrid Join the device.
   /leave        Perform a Hybrid Unjoin.
                 Removes the device from azure and then re-joins on the next delta sync.
   /forcerecovery For Azure AD joined devices, will force a Sign out and Sign back in.
   /refreshprt   Refresh Primary Refresh Token (PRT) in the cloudAP cache.
   /debug        Display debug messages.

   /refreshp2pcerts  Refresh P2P certificates. *
   /cleanupaccounts  Delete all WAM accounts. *
   /listaccounts     List all WAM accounts. *
   /UpdateDevice     Update device attributes (e.g. a change in device name) to Azure AD. *
   /?            Help.

* = Windows 11 option.

Device State

AzureAdJoined EnterpriseJoined DomainJoined Device state

YES NO NO Azure AD Joined

NO NO YES Domain Joined

YES NO YES Hybrid AD Joined

NO YES YES On-premises DRS Joined

AzureAdJoined	EnterpriseJoined	DomainJoined	Device state
YES	NO	NO	Azure AD Joined
NO	NO	YES	Domain Joined
YES	NO	YES	Hybrid AD Joined
NO	YES	YES	On-premises DRS Joined

Device details

The Device state is displayed only when the device is Azure AD-joined or hybrid Azure AD-joined (not Azure AD-registered).

DeviceId, Thumbprint, DeviceCertificateValidity, KeyContainerId, KeyProvider, TpmProtected, DeviceAuthStatus (device health in Azure AD, added in 21H1).

Tenant details

The tenant details are displayed only when the device is Azure AD-joined or hybrid Azure AD-joined, not Azure AD-registered.

TenantName, TenantId, Idp, and various Urls.

User state

Statuses of various attributes for users who are currently logged in to the device.

SSO state

You can ignore this section for Azure AD registered devices.

Pre-join diagnostics

This diagnostics section is displayed only if the device is domain-joined and unable to hybrid Azure AD-join. This section performs various tests to help diagnose join failures. The information includes the error phase, the error code, the server request ID, the server response http status, and the server response error message.

Post-join diagnostics

This diagnostics section displays the output of sanity checks performed on a device that’s joined to the cloud.

AadRecoveryEnabled: If the value is YES, the keys stored in the device aren’t usable, and the device is marked for recovery. The next sign-in will trigger the recovery flow and re-register the device. KeySignTest: If the value is PASSED, the device keys are in good health.

NGC prerequisites check

This diagnostics section performs the prerequisites check for setting up Windows Hello for Business (WHFB).

Azure AD roles

"Global Administrator"
"Azure AD joined device local administrator"

Examples

Display the device join status:

C:\> DSREGCMD /status

Rename the computer in PowerShell

PS C:\> DSREGCMD.exe /leave
PS C:\> Rename-computer -Newname "workstation64"

“There’s no limit possible to the expansion of each one of us” ~ Charles M. Schwab

Related commands

BROWSTAT - Get domain, browser and PDC info.
DSAdd - Add items to Active Directory (user group computer).
NTDSUtil - Active Directory Domain Services management.
Microsoft.com - Troubleshoot devices with dsregcmd.