Can’t perform a Workplace Join by using Device Registration Services

Summary

When a user tries to perform a Workplace Join by using Device Registration Services, the user receives one of the following messages:
  • Message 1

    The user receives the following message before the user provides his or her user name and password:

    Confirm you are using the current sign-in info, and that your workplace uses this feature. Also, the connection to your workplace might not be working right now. Please wait and try again.

  • Message 2

    The user receives the following message after the user provides his or her user name and password:

    Can’t connect to the service.

Resolution

To resolve either of these problems, use the method that is appropriate for the situation.

Method 1

To fix the problem for message 1, review the Event logs on the client computer that is trying to perform a Workplace Join to determine the correct solution.

An administrator may see details in Event Viewer that resemble the following:

Event ID: (See the following table for the Event ID.)
Log Name:
  Windows 7: Applications and Service Logs/Microsoft-Workplace-Join/Admin
  Windows 8 or Windows 10: Applications and Service Logs/Microsoft-Windows-Workplace-Join/Admin
Source: Microsoft-Windows-Workplace Join
Level: Error
Description: (See the following table for the Event ID description.)

| Event ID | Description | Resolution |
|---|---|---|
| 103 | Workplace Join discovery failed. Server returned http status 404. | KB 3045386 |
| 103 | Workplace Join discovery failed. Server returned http status 503. | KB 3045388 |
| 102 | Workplace Join discovery failed. Exit Code: 0x80072EE7. The server name or address could not be resolved. Could not connect to 'https://EnterpriseRegistration.domainTEST.com:443/EnrollmentServer/contract?api-version=1.0'. | KB 3045385 |
| 102 | Workplace Join discovery failed. Exit Code: 0x80072F19. It was not possible to connect to the revocation server or a definitive response could not be obtained. Could not connect to 'https://EnterpriseRegistration.domain.com:443/EnrollmentServer/contract?api-version=1.0'. | KB 3045384 |
| 102 | Workplace Join discovery failed. Exit Code: 0x80072F8A. The supplied certificate has been revoked. Could not connect to 'https://EnterpriseRegistration.domain.com:443/EnrollmentServer/contract?api-version=1.0'. | KB 3045383 |
| 102 | Workplace Join discovery failed. Exit Code: 0x80072F0D. The certificate authority is invalid or incorrect. Could not connect to 'https://EnterpriseRegistration.domain.com:443/EnrollmentServer/contract?api-version=1.0'. | KB 3045382 |
| 102 | Workplace Join discovery failed. Exit Code: 0x80072EFD. A connection with the server could not be established. Could not connect to 'https://EnterpriseRegistration.domain.com:443/EnrollmentServer/contract?api-version=1.0'. | KB 3045381 |
| 102 | Workplace Join discovery failed. Exit Code: 0x80004005. An unknown error has occurred. Could not connect to 'https://EnterpriseRegistration.domain.com:443/EnrollmentServer/contract?api-version=1.0'. | KB 3045380 |
| 200 | "The maximum number of devices that can be joined to the workplace by the user has been reached." | KB 3045379 |
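
The following PowerShell sketch is an added example, not part of the original article or Microsoft's tooling. It triages Workplace Join error events against the table above by extracting the exit code or HTTP status and the endpoint the client tried to reach. The function name Resolve-WorkplaceJoinEvent is hypothetical, the sample events are constructed from the table, and the channel name in the final comment is an assumption to confirm on the client.

```powershell
# Exit code -> KB article for Event ID 102 (values taken from the table above).
$ExitCodeKb = @{
    '0x80072EE7' = 'KB 3045385'   # server name or address could not be resolved
    '0x80072F19' = 'KB 3045384'   # revocation server unreachable / no definitive response
    '0x80072F8A' = 'KB 3045383'   # supplied certificate has been revoked
    '0x80072F0D' = 'KB 3045382'   # certificate authority invalid or incorrect
    '0x80072EFD' = 'KB 3045381'   # connection could not be established
    '0x80004005' = 'KB 3045380'   # unknown error
}
# HTTP status -> KB article for Event ID 103.
$HttpStatusKb = @{ '404' = 'KB 3045386'; '503' = 'KB 3045388' }

function Resolve-WorkplaceJoinEvent {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][int]$Id,
        [Parameter(Mandatory)][string]$Message
    )
    # The endpoint shows which host name the client actually tried (useful for DNS and TLS checks).
    $endpoint = if ($Message -match "Could not connect to '([^']+)'") { $Matches[1] }
    $detail = $null; $kb = $null
    switch ($Id) {
        102 { if ($Message -match 'Exit Code:\s*(0x[0-9A-Fa-f]{8})') {
                  $detail = $Matches[1]; $kb = $ExitCodeKb[$detail] } }
        103 { if ($Message -match 'http status (\d{3})') {
                  $detail = $Matches[1]; $kb = $HttpStatusKb[$detail] } }
        200 { $detail = 'device limit reached'; $kb = 'KB 3045379' }
    }
    [pscustomobject]@{
        Id       = $Id
        Detail   = $detail
        Endpoint = $endpoint
        Kb       = if ($kb) { $kb } else { 'no match in table' }
    }
}

# Constructed sample events (message text copied from the table above).
$samples = @(
    @{ Id = 102; Message = "Workplace Join discovery failed. Exit Code: 0x80072F8A. The supplied certificate has been revoked. Could not connect to 'https://EnterpriseRegistration.domain.com:443/EnrollmentServer/contract?api-version=1.0'." }
    @{ Id = 103; Message = 'Workplace Join discovery failed. Server returned http status 503.' }
    @{ Id = 200; Message = 'The maximum number of devices that can be joined to the workplace by the user has been reached.' }
)
$samples | ForEach-Object { Resolve-WorkplaceJoinEvent -Id $_.Id -Message $_.Message }

# On a live client, feed real events instead. The channel name below is an assumption;
# confirm it first with: Get-WinEvent -ListLog '*Workplace*'
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Workplace Join/Admin'; Id = 102, 103, 200 } |
#     ForEach-Object { Resolve-WorkplaceJoinEvent -Id $_.Id -Message $_.Message }
```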

Method 2

To fix the problem for message 2, see the following article in the Microsoft Knowledge Base:

3045378 "Can’t connect to the service" error when you try to register a device

More Information

To quickly troubleshoot these problems, try one or more of the following things.

Verify DNS

Verify the DNS configuration by using NSlookup, and verify that the answers are correct. To do this, open a Command Prompt window, and then run the following command:

Nslookup enterpriseregistration.domain.com

  • If you use Azure Active Directory Join:
    • The query should return a CNAME result with EnterpriseRegistration.windows.net as the target.

  • If you use Windows Server Workplace Join:
    • The internal host should return the internal AD FS node.
    • The external host should return the external AD FS proxy address.

Flush the DNS cache

Open a Command Prompt window as an administrator, and then run the following command:

ipconfig /FlushDNS

Verify that Device Registration is enabled

If you try to perform Workplace Join to Azure Active Directory, follow these steps:
  1. Sign-in to Azure Management Portal or start the Azure AD console from O365 admin center as a Company Administrator.
  2. Go to the directory where the user is trying to perform the join.
  3. Go to Configure.
  4. Scroll down to the Device Registration section.
  5. Make sure that the setting that is labeled ENABLE WORKPLACE JOIN is toggled to Yes. ("Yes" will be blue.)

If you try to perform Workplace Join to your local Active Directory domain, take the following action:
  • Open the Active Directory Federation Services (AD FS) management console, and select Relying Party Trusts to determine whether the Device Registration Service trust is enabled on each node of the AD FS farm.

Verify that the Active Directory Federation Services service and the Device Registration Services service are running

If you try to perform a Workplace Join to your local Active Directory, you should log on to each node of the AD FS farm and then follow these steps:
  1. Go to Control Panel, Administrative Tools, and then Services (Services.msc).
  2. Locate the Active Directory Federation Services service, and verify its status.
  3. Locate the Device Registration Services service, and verify its status.
  4. If either service is not running, start the services.

Verify that the host name bindings are registered for each node in the AD FS farm

If you try to perform a Workplace Join to your local Active Directory, you should follow the steps at the following Microsoft TechNet website and make sure that the host name (such as EnterpriseRegistration.domain_name.domain_extension) is bound to port 443:


Update the root certificates

Run Microsoft Update, and make sure that the Updates for Root Certificates are all installed.

Verify date and time settings, clear SSL state, and reregister DLL files

Try the methods that are listed in the following article in the Microsoft Knowledge Base:

813444 You cannot log in to or connect to secured Web sites in Internet Explorer

Verify that traffic is enabled if you are using a third-party proxy or firewall server

If you try to perform a Workplace Join to your local Active Directory, you should verify that there is a rule to enable incoming TCP connections to EnterpriseRegistration.domain_name.domain_extension. This should allow for traffic to pass through to the DRS server.

Properties

Article ID: 3045387 – last review: March 18, 2015 – revision: 1
