Directory Service Registration, device join status.
Syntax DSREGCMD options Key /status Display the device join status. /status_old Display the device join status in old format. /join Schedule and monitor the Autojoin task to Hybrid Join the device. /leave Perform a Hybrid Unjoin. Removes the device from azure and then re-joins on the next delta sync. /forcerecovery For Azure AD joined devices, will force a Sign out and Sign back in. /refreshprt Refresh Primary Refresh Token (PRT) in the cloudAP cache. /debug Display debug messages. /refreshp2pcerts Refresh P2P certificates. * /cleanupaccounts Delete all WAM accounts. * /listaccounts List all WAM accounts. * /UpdateDevice Update device attributes (e.g. a change in device name) to Azure AD. * /? Help. * = Windows 11 option.
AzureAdJoined EnterpriseJoined DomainJoined Device state YES NO NO Azure AD Joined NO NO YES Domain Joined YES NO YES Hybrid AD Joined NO YES YES On-premises DRS Joined
The Device state is displayed only when the device is Azure AD-joined or hybrid Azure AD-joined (not Azure AD-registered).
- DeviceId, Thumbprint, DeviceCertificateValidity, KeyContainerId, KeyProvider, TpmProtected, DeviceAuthStatus (device health in Azure AD, added in 21H1).
The tenant details are displayed only when the device is Azure AD-joined or hybrid Azure AD-joined, not Azure AD-registered.
- TenantName, TenantId, Idp, and various Urls.
Statuses of various attributes for users who are currently logged in to the device.
You can ignore this section for Azure AD registered devices.
This diagnostics section is displayed only if the device is domain-joined and unable to hybrid Azure AD-join. This section performs various tests to help diagnose join failures. The information includes the error phase, the error code, the server request ID, the server response http status, and the server response error message.
This diagnostics section displays the output of sanity checks performed on a device that's joined to the cloud.
AadRecoveryEnabled: If the value is YES, the keys stored in the device aren't usable, and the device is marked for recovery. The next sign-in will trigger the recovery flow and re-register the device. KeySignTest: If the value is PASSED, the device keys are in good health.
NGC prerequisites check
This diagnostics section performs the prerequisites check for setting up Windows Hello for Business (WHFB).
C:\> DSREGCMD /status
"There's no limit possible to the expansion of each one of us" ~ Charles M. Schwab
BROWSTAT - Get domain, browser and PDC info.
DSAdd - Add items to Active Directory (user group computer).
NTDSUtil - Active Directory Domain Services management.
Microsoft.com - Troubleshoot devices with dsregcmd.