Microsoft Entra Hybrid Join (Azure Hybrid Join) error - 0x80072f78

Čako Martin 20 Reputation points
2025-02-17T11:39:19.2533333+00:00

Hello,

So I have gone through multiple things, and I would like to know if someone has any idea what to do here.

I'm trying to join devices to the tenant as hybrid joined, to deploy Windows Hello for Business.

We're using Microsoft Entra Connect after a recent migration from AADC, though I thought that was what caused the error.

Note 1: When I try to go through Windows Settings to join the devices, it automatically goes into the tenant as an "Entra registered device".

So let's go through the prerequisites:

  • Authentication - PTA
  • Device configuration - GPO
  • Windows (server) requirements - Servers WS2022, and notebooks W11 23H2 or later

I've tried to recreate the "AzureADKerberos" object, to see if it does anything at all.

With powershell:

Remove-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

and then

Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

But it... doesn't?

It actually creates two objects: krbtgt_AzureAD as a user object, and AzureADKerberos as a computer object.

The user object is created in the Builtin OU and is disabled by default. I don't know if that's the problem, or if it's supposed to be like this, but it can't be enabled.

My GPO is set as in Learn:

  • Use Windows Hello for Business Enabled
  • Use cloud trust for on-premises authentication: Enabled (IS THERE A MISTAKE HERE? The word "Kerberos" is missing; it should be "Use cloud Kerberos trust for on-premises authentication" in my environment.)
  • (I tried to update the ADML and ADMX files, but there was no change in the Group Policy.)
  • Use PIN Recovery Enabled
  • Use hardware security device Enabled

I additionally added:

  • Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon (I hoped that it would change something; it didn't)

I also tried dsregtool, but not much luck.

Computer is domain joined.

Back to Note 1: the device gets Entra joined and domain joined, and dsregtool says OK, but when I press 3 to get the output for what's wrong with Hybrid, it says that it doesn't have connectivity.

Well, it does: 443, 80, and all Microsoft websites are trusted.

A year ago this whole setup worked quite fine, without any issues; all the devices worked as they should, with computers syncing as hybrid joined, but now no success.

Other than remove and rejoin, going into Entra registered, I have no clue what to do.


1 answer

Amira Bedhiafi 29,016 Reputation points
2025-02-17T17:40:51.89+00:00

Try re-registering the device by running the following commands in PowerShell:

dsregcmd /leave
dsregcmd /debug

Then restart the device and attempt to join it again.

Verify that the devices can reach the necessary Azure AD endpoints, specifically the following URLs:

Test-NetConnection -ComputerName enterpriseregistration.windows.net -Port 443
Test-NetConnection -ComputerName login.microsoftonline.com -Port 443
Test-NetConnection -ComputerName device.login.microsoftonline.com -Port 443
Test-NetConnection -ComputerName autologon.microsoftazuread-sso.com -Port 443

You can use Test-NetConnection in PowerShell for that.

Check that your firewall or proxy is not blocking traffic to the required endpoints.

Don't forget also to check your Group Policy settings, the ones related to device registration and Windows Hello for Business.

The AzureADKerberos objects should be created correctly. The krbtgt_AzureAD user object should be disabled, which is expected.

Run the dsregcmd /status command on a problematic device to get detailed information about the device registration status. Look for any errors or warnings in the output.

Check the Event Viewer logs on the device for any related errors. Look under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin for any relevant entries.
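The checks the answer above lists (endpoint reachability, dsregcmd /status, the device-registration and Windows Hello for Business policies) can be gathered in one pass on the affected client. The script below is an added example written for this page; it is not code from the thread or from Microsoft. The dsregcmd field names (AzureAdJoined, DomainJoined, WorkplaceJoined, AzureAdPrt, OnPremTgt, CloudTgt) and the policy registry value names (Enabled, UseCloudTrustForOnPremAuth, RequireSecurityDevice under PassportForWork; autoWorkplaceJoin under WorkplaceJoin; CloudKerberosTicketRetrievalEnabled under Lsa\Kerberos\Parameters) are taken from the current ADMX templates and dsregcmd output as I know them and should be verified against your Passport.admx; the sample dsregcmd output is constructed so the parser can be exercised offline.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell on the
# domain-joined client that is showing up as "Entra registered" instead of hybrid joined.

# 1. The endpoints device registration and PRT acquisition need (the answer's list).
$Endpoints = @(
    'enterpriseregistration.windows.net',
    'login.microsoftonline.com',
    'device.login.microsoftonline.com',
    'autologon.microsoftazuread-sso.com'
)

function Test-HybridJoinEndpoint {
    # One object per endpoint with the TCP 443 result. A TLS-intercepting proxy will
    # still pass this check, so the PRT state below is the better signal.
    foreach ($h in $Endpoints) {
        $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $h; Tcp443 = $r.TcpTestSucceeded; RemoteAddress = $r.RemoteAddress }
    }
}

# 2. Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    return $state
}

function Get-HybridJoinState {
    # Defaults to the live dsregcmd output; pass -Lines to parse captured output instead.
    param([string[]]$Lines = (& dsregcmd /status))
    $s = ConvertFrom-DsregStatus $Lines
    [pscustomobject]@{
        DomainJoined    = $s['DomainJoined']    # hybrid join needs YES here ...
        AzureAdJoined   = $s['AzureAdJoined']   # ... and YES here; NO + WorkplaceJoined=YES is only Entra registered
        WorkplaceJoined = $s['WorkplaceJoined']
        AzureAdPrt      = $s['AzureAdPrt']      # NO: no PRT, so WHfB provisioning will not start
        OnPremTgt       = $s['OnPremTgt']       # cloud Kerberos trust: on-prem TGT obtained through Entra (assumed field name)
        CloudTgt        = $s['CloudTgt']        # (assumed field name)
    }
}

# 3. Effective policy values the GPO in the question should have written.
function Get-WhfbPolicy {
    $pfw = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    $wpj = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
    $krb = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    function Get-PolicyValue($Path, $Name) {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    [pscustomobject]@{
        WhfbEnabled                  = Get-PolicyValue $pfw 'Enabled'                      # "Use Windows Hello for Business"
        UseCloudTrustForOnPremAuth   = Get-PolicyValue $pfw 'UseCloudTrustForOnPremAuth'   # "Use cloud Kerberos trust ..."
        RequireSecurityDevice        = Get-PolicyValue $pfw 'RequireSecurityDevice'        # "Use a hardware security device"
        AutoWorkplaceJoin            = Get-PolicyValue $wpj 'autoWorkplaceJoin'            # "Register domain joined computers as devices"
        CloudKerberosTicketRetrieval = Get-PolicyValue $krb 'CloudKerberosTicketRetrievalEnabled'  # "Allow retrieving the ... TGT during logon"
    }
}

# Constructed sample (not real output) of dsregcmd /status for a device that is
# domain joined and only Entra registered, the symptom described in the question.
$Sample = @'
| Device State |
     AzureAdJoined : NO
  EnterpriseJoined : NO
      DomainJoined : YES
   WorkplaceJoined : YES
| SSO State |
        AzureAdPrt : NO
         OnPremTgt : NO
          CloudTgt : NO
'@ -split "`r?`n"

$offline = Get-HybridJoinState -Lines $Sample
if ($offline.DomainJoined -ne 'YES' -or $offline.AzureAdJoined -ne 'YES') {
    Write-Warning "Not hybrid joined: AzureAdJoined=$($offline.AzureAdJoined) WorkplaceJoined=$($offline.WorkplaceJoined)"
}

# Live run on the affected client:
# Test-HybridJoinEndpoint | Format-Table
# Get-HybridJoinState     | Format-List
# Get-WhfbPolicy          | Format-List
```

Read the three outputs together: DomainJoined=YES with AzureAdJoined=NO and WorkplaceJoined=YES is exactly what adding a work account through Settings produces, and that registration has to be removed (the answer's dsregcmd /leave) before the automatic registration task can hybrid join the machine. AzureAdPrt=NO with all four endpoints reachable on 443 usually points at the proxy or at the registration policy rather than at raw connectivity, which is the "no connectivity" message the question reports.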

