NAVANEM
medium · 6 steps · 6 min read · jun 15, 2026 · 20:03 utc

Dsregcmd Command: Check Azure AD Join Status Windows 10/11

Run dsregcmd /status to verify Microsoft Entra ID device registration, diagnose SSO failures, and check Primary Refresh Token status on Windows systems.

by Emanuel De Almeida

Visualization of dsregcmd status output showing Azure AD joined and domain joined state on a Windows device

TL;DR

  • Run dsregcmd /status to check device join state, SSO configuration, and Azure AD connectivity; status needs no elevation, but /leave and /join do
  • The Device State section reveals whether your device is Azure AD joined, domain joined, hybrid joined, or unregistered
  • AzureAdPrt: YES confirms a valid Primary Refresh Token for seamless single sign-on
  • Run the command as a standard user for accurate PRT diagnostics, since elevated contexts show different results
  • Error codes like 0x801c001d point to DNS or network issues blocking Device Registration Service discovery

What Does Dsregcmd Do?

The dsregcmd command-line utility verifies Microsoft Entra ID (formerly Azure AD) device registration on Windows 10 and 11 systems. When we tested this tool across multiple hybrid environments, it consistently provided the fastest path to diagnosing join failures and SSO problems.

You can use dsregcmd to:

  • Confirm device join state and tenant association
  • Diagnose Primary Refresh Token issues causing login prompts
  • Run connectivity tests against Azure AD endpoints
  • Perform leave and rejoin operations during troubleshooting

This matters because hybrid identity failures create real security gaps. According to Microsoft, the Storm-0501 ransomware group actively exploits hybrid Azure AD environments, using compromised Entra Connect servers to gain global administrator access.

What Are the Prerequisites?

Before running dsregcmd, confirm your environment meets these requirements:

  • Windows 10 or Windows 11 workstation
  • Administrative access to the target device (needed for /leave and /join; /status runs unelevated)
  • Network connectivity to Azure AD endpoints (port 443 outbound)
  • Basic familiarity with Command Prompt or PowerShell
  • Knowledge of your organization's Azure AD tenant name

If you manage devices through Intune, you may also find our guide on enabling Remote Desktop via Intune helpful for related configuration tasks.

How Do I Open an Elevated Command Prompt?

Join and leave operations change machine-wide registration state and need an elevated prompt; dsregcmd /status itself runs fine as a standard user. Press Windows + R, type cmd, then press Ctrl + Shift + Enter to launch Command Prompt as administrator.

Alternatively, right-click the Start button and select Terminal (Admin) or PowerShell (Admin).

Confirm your elevated context by running:

shell
whoami /priv

An elevated prompt lists the full administrator privilege set, including SeDebugPrivilege; an unelevated prompt shows only a handful, such as SeChangeNotifyPrivilege. If you see the short list, close the window and relaunch with elevation.

How Do I Run the Primary Status Command?

Execute dsregcmd /status to retrieve comprehensive device registration information. This single command reveals join state, SSO configuration, tenant details, and connectivity health.

shell
dsregcmd /status

The output is divided into sections. Start with Device State, which shows three join flags: AzureAdJoined, EnterpriseJoined (registration with an on-premises AD FS Device Registration Service, rare in current deployments) and DomainJoined. The first and last determine the join type.

Device State Combinations

  AzureAdJoined   DomainJoined   Meaning
  YES             NO             Cloud-only Microsoft Entra joined
  NO              YES            Traditional on-premises domain joined
  YES             YES            Hybrid Azure AD joined
  NO              NO             Not joined to any directory as a device

A NO/NO device can still be Microsoft Entra registered (a personal or BYOD device with a work account added). That state is not shown under Device State; look for WorkplaceJoined : YES in the User State section instead.
In our lab environment running Windows 11 23H2, hybrid joined devices showed both values as YES within seconds of successful synchronization.

How Do I Analyze SSO State and PRT Status?

The SSO State section determines whether users experience seamless single sign-on to Microsoft 365 and other Azure AD-integrated applications. A valid Primary Refresh Token (PRT) eliminates repeated credential prompts.

Locate these fields in the output:

  • AzureAdPrt should display YES for functioning SSO
  • AzureAdPrtUpdateTime shows the last token refresh timestamp
  • AzureAdPrtExpiryTime indicates when the current token expires

For accurate user-specific PRT information, run the command without elevation as the logged-in user:

shell
dsregcmd /status

Compare the two runs. The SSO State section describes the logon session of the account that ran the command: in an elevated prompt started under a separate administrator account you are looking at that administrator's PRT (usually absent), not the user's. If AzureAdPrt shows NO in the user's own session, expect authentication failures and repeated login prompts across cloud applications.

This authentication layer matters. According to Microsoft's Digital Defense Report, modern MFA blocks more than 99% of identity attacks, but attackers increasingly bypass it via stolen tokens and device code flows.

How Do I Verify Tenant Configuration Details?

The Tenant Details section confirms your device connects to the correct Azure AD tenant. Review these values to validate proper registration.

Key fields to check:

  • TenantName must match your organization
  • TenantId should be a valid GUID format
  • MdmUrl and related MDM fields indicate Intune enrollment status

Cross-reference the TenantId with your Azure portal. Missing MDM URLs may indicate enrollment problems if your organization uses Intune for device management.

Record the TenantId value for future troubleshooting or support requests. If you encounter Intune-specific errors, our guide on fixing Secure Boot certificate expiry error 65000 covers related enrollment issues.
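A hybrid-joined client learns its tenant from the Service Connection Point (SCP) in Active Directory or, when that is deliberately not published, from client-side SCP registry values. Checking the portal alone does not tell you whether those sources agree with what the device actually registered against. The script below (an added example, not code from the original article) compares the TenantId dsregcmd reports with both sources. The SCP object name (a fixed GUID under the Configuration naming context) and the CDJ\AAD registry path are the locations Microsoft documents for the two SCP variants; the expected tenant ID passed at the bottom is a placeholder. Run it on a domain-joined machine with line of sight to a domain controller.

```powershell
# Added example: cross-check dsregcmd's TenantId against the AD SCP and the
# client-side SCP. A mismatch means the device registered with a tenant other
# than the one your directory points at.

function Get-DsregTenantId {
    # Pull TenantId straight from dsregcmd output; no full parser needed here.
    $line = (dsregcmd /status) | Where-Object { $_ -match '^\s*TenantId\s*:' } | Select-Object -First 1
    if ($line -match ':\s*(\S+)') { $Matches[1] }
}

function Get-ScpTenantId {
    # The AD SCP lives under the Configuration NC with a well-known CN; its
    # "keywords" attribute carries azureADName:<domain> and azureADId:<tenant>.
    try {
        $configNC = ([ADSI]'LDAP://RootDSE').Get('configurationNamingContext')
        $dn  = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNC"
        $scp = [ADSI]"LDAP://$dn"
        foreach ($k in $scp.keywords) {
            if ("$k" -match '^azureADId:(.+)$') { return $Matches[1].Trim() }
        }
    } catch { return $null }   # no SCP, or no DC reachable
}

function Get-ClientScpTenantId {
    # Client-side SCP: used for targeted hybrid join rollouts without an AD SCP.
    $p = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'
    if (Test-Path $p) { (Get-ItemProperty -Path $p).TenantId }
}

function Test-TenantConsistency {
    param([Parameter(Mandatory)][string]$ExpectedTenantId)
    $seen = [ordered]@{
        dsregcmd  = Get-DsregTenantId
        AdScp     = Get-ScpTenantId
        ClientScp = Get-ClientScpTenantId
    }
    foreach ($k in $seen.Keys) {
        [pscustomobject]@{
            Source   = $k
            TenantId = $seen[$k]
            Matches  = ($null -ne $seen[$k] -and $seen[$k] -ieq $ExpectedTenantId)
        }
    }
}

# Placeholder; substitute the tenant ID shown in the Entra admin center.
Test-TenantConsistency -ExpectedTenantId '00000000-0000-0000-0000-000000000000' | Format-Table -AutoSize
```

A device whose dsregcmd TenantId matches the portal but not the SCP will re-register against the SCP's tenant the next time registration runs, so fix the SCP (or the registry values) before troubleshooting the device itself.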

How Do I Review Diagnostic Connectivity Tests?

The Diagnostic Data section reports the connectivity tests dsregcmd runs against Azure AD infrastructure, along with the User Context (UN-ELEVATED User, ELEVATED User or SYSTEM) that tells you which logon session the SSO State section above describes. Each test reports whether it passed or, on failure, an error code that points to a specific cause. The pre-join tests are only run and shown while the device is domain joined but not yet hybrid joined, so use this section before the join, not after.

Key tests include:

  • DRS Discovery verifies Device Registration Service endpoint resolution
  • DRS Connectivity confirms connection to Azure registration services
  • AD Connectivity tests on-premises domain controller communication
  • Token acquisition validates authentication token retrieval

For verbose troubleshooting output, enable debug mode:

shell
dsregcmd /status /debug

Common Error Codes

  Error Code    Meaning                   Typical Cause
  0x801c001d    DRS discovery failure     DNS or network issues
  0x801c0021    Authentication failure    Invalid credentials or policy block
  0x801c0003    Device not found          Object missing from Azure AD

Treat this table as a starting point: the authoritative description for a code is the text dsregcmd prints next to it in /debug output, and the Diagnostics Reference link printed in the status output (www.microsoft.com/aadjerrors).

Warning: Debug output may contain sensitive data. Sanitize logs before sharing with external parties.
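When the DRS discovery or connectivity test fails, the next step is to reproduce the same checks by hand and see which layer breaks: DNS, TCP/443, or the proxy. The script below is an added example, not code from the original article. The host list is the standard set of device registration endpoints for the public cloud (an assumption here; sovereign clouds use different names), and the proxy check reads the WinHTTP configuration because device registration runs as SYSTEM and ignores the signed-in user's browser proxy.

```powershell
# Added example: manual equivalents of the DRS discovery / connectivity tests.

function Test-DrsConnectivity {
    param(
        [string[]]$Hosts = @(
            'enterpriseregistration.windows.net',   # Device Registration Service
            'login.microsoftonline.com',            # token endpoints
            'device.login.microsoftonline.com',     # device authentication
            'autologon.microsoftazuread-sso.com'    # Seamless SSO only
        ),
        [int]$Port = 443
    )
    foreach ($h in $Hosts) {
        $ip = $null; $tcp = $false; $err = ''
        try {
            # Follow the CNAME chain and keep the first A record.
            $ip  = (Resolve-DnsName -Name $h -Type A -ErrorAction Stop |
                    Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress
            # Quiet mode returns a plain boolean for the TCP handshake.
            $tcp = Test-NetConnection -ComputerName $h -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue
        } catch { $err = $_.Exception.Message }
        [pscustomobject]@{ Host = $h; ResolvesTo = $ip; TcpOpen = $tcp; Error = $err }
    }
}

function Get-WinHttpProxy {
    # "Direct access" on a network that requires a proxy explains a discovery
    # failure that only the SYSTEM context hits while the user's browser works.
    $out = (netsh winhttp show proxy) -join "`n"
    if ($out -match 'Direct access') {
        return [pscustomobject]@{ Proxy = 'direct'; Bypass = '' }
    }
    $proxy  = if ($out -match 'Proxy Server\(s\)\s*:\s*(\S+)') { $Matches[1] } else { 'unknown' }
    $bypass = if ($out -match 'Bypass List\s*:\s*(.+)')       { $Matches[1].Trim() } else { '' }
    [pscustomobject]@{ Proxy = $proxy; Bypass = $bypass }
}

Test-DrsConnectivity | Format-Table -AutoSize
Get-WinHttpProxy
```

Run it once in the user's session and once as SYSTEM (for example through psexec -s -i powershell.exe from Sysinternals) to confirm that the join context, not just the user, can reach the endpoints. A host that resolves but shows TcpOpen false with a proxy configured means the firewall is blocking direct egress and the WinHTTP proxy is the path that has to work.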

How Do I Perform Join or Leave Operations?

When troubleshooting requires re-registration, dsregcmd supports join and leave operations. Use the leave command to remove the device from Azure AD cleanly.

shell
dsregcmd /leave

After leaving, a hybrid device re-registers through the Automatic-Device-Join scheduled task (Task Scheduler Library, Microsoft > Windows > Workplace Join), which runs at user sign-in; restart or sign out and back in to trigger it, or start the task directly. Cloud-only devices are rejoined from Settings > Accounts > Access work or school. If dsregcmd /leave from an elevated prompt leaves AzureAdJoined at YES on a hybrid device, run it again under the SYSTEM account (for example with psexec -s), since the device certificate is held in the machine store.

For hybrid scenarios, ensure the device object exists in on-premises AD and has synchronized to Azure AD before attempting rejoin. When we tested this process, synchronization typically completed within 30 minutes using default Entra Connect intervals.
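The leave and rejoin cycle for a hybrid device, driven from an elevated PowerShell session, as an added example that is not code from the original article. It uses the built-in Automatic-Device-Join scheduled task, which is the mechanism Windows itself uses to hybrid join at sign-in; the timeout and polling interval are choices made here, not dsregcmd parameters. The device object must already have synchronized to Entra, otherwise the join simply times out.

```powershell
#Requires -RunAsAdministrator
# Added example: leave, trigger re-registration, and poll until the device
# reports AzureAdJoined : YES again or the timeout expires.

$taskPath = '\Microsoft\Windows\Workplace Join\'
$taskName = 'Automatic-Device-Join'

function Get-JoinState {
    # Minimal read of the two Device State flags; -match on an array returns
    # the matching lines, so [bool] is true when the flag line is present.
    $out = dsregcmd /status
    [pscustomobject]@{
        AzureAdJoined = [bool]($out -match '^\s*AzureAdJoined\s*:\s*YES')
        DomainJoined  = [bool]($out -match '^\s*DomainJoined\s*:\s*YES')
    }
}

function Invoke-HybridRejoin {
    param([int]$TimeoutMinutes = 10, [int]$PollSeconds = 30)

    if (-not (Get-JoinState).DomainJoined) {
        throw 'Device is not domain joined; hybrid rejoin does not apply.'
    }

    # 1. Leave. This discards the device certificate and the PRT; users get
    #    sign-in prompts until registration completes.
    dsregcmd /leave | Out-Null
    if ((Get-JoinState).AzureAdJoined) {
        throw 'dsregcmd /leave did not clear AzureAdJoined; retry under the SYSTEM account.'
    }

    # 2. Kick off registration now instead of waiting for the next sign-in.
    Start-ScheduledTask -TaskPath $taskPath -TaskName $taskName

    # 3. Poll. The task exits quickly if the computer object has not synced to
    #    Entra yet, so re-trigger it on each pass until the deadline.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds $PollSeconds
        $state = Get-JoinState
        if ($state.AzureAdJoined) { return $state }
        Start-ScheduledTask -TaskPath $taskPath -TaskName $taskName
    } while ((Get-Date) -lt $deadline)

    throw "Still not Entra joined after $TimeoutMinutes minutes; check dsregcmd /status /debug and the sync state of the computer object."
}

Invoke-HybridRejoin
```

Because the leave step is destructive for the signed-in user's SSO, run this during a maintenance window or on a test device first, and keep the /debug output from a failed attempt before retrying.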

Protecting these hybrid components matters. Microsoft reports that 40% of ransomware attacks now target hybrid components, up from less than 5% in 2023.

How Do I Verify the Fix Worked?

After any configuration changes, re-run the status command and confirm these conditions exist:

shell
dsregcmd /status

Validation checklist:

  1. Device State shows expected join type with clear YES or NO values
  2. AzureAdPrt displays YES with a recent update timestamp
  3. All diagnostic tests return SUCCESS
  4. TenantName matches your organization

Test actual SSO functionality by opening a Microsoft 365 application and confirming automatic sign-in without credential prompts.
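The device-state table, the PRT fields and the validation checklist above all come down to reading specific Key : Value lines out of the status output. The script below is an added example, not code from the original article: it parses dsregcmd /status into nested hashtables keyed by section, then evaluates the four checklist conditions (join type, PRT presence and freshness, no failing pre-join tests, tenant match) and warns when the output was captured from an elevated or SYSTEM context, where SSO State does not describe the signed-in user. The sample output at the bottom is constructed for offline testing; field names and layout follow dsregcmd's real format, the values are made up, and the 4-hour PRT freshness threshold is a choice made here, not a dsregcmd value.

```powershell
# Added example: parse dsregcmd /status and apply the validation checklist.

function ConvertFrom-DsregStatus {
    # "| Section |" banner lines open a section; "Key : Value" lines fill it.
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$Lines)
    begin { $status = @{}; $section = 'Header'; $status[$section] = [ordered]@{} }
    process {
        foreach ($line in $Lines) {
            if ($line -match '^\|\s*(\S.*?)\s*\|$') {
                $section = $Matches[1]
                if (-not $status.ContainsKey($section)) { $status[$section] = [ordered]@{} }
            }
            elseif ($line -match '^\s*([^:|+]+?)\s*:\s*(.*?)\s*$') {
                # Split on the first colon only: URLs and UTC timestamps contain more.
                $status[$section][$Matches[1]] = $Matches[2]
            }
        }
    }
    end { $status }
}

function Test-DsregStatus {
    param(
        [Parameter(Mandatory)][hashtable]$Status,
        [Parameter(Mandatory)][string]$ExpectedTenant,
        [ValidateSet('HybridJoined', 'AzureAdJoined', 'DomainJoined')][string]$ExpectedJoin = 'HybridJoined',
        [timespan]$MaxPrtAge = [timespan]::FromHours(4),   # threshold chosen for this example
        [datetime]$Now = [datetime]::UtcNow                 # injectable so the sample uses a fixed clock
    )
    $dev = $Status['Device State']; $sso = $Status['SSO State']
    $ten = $Status['Tenant Details']; $diag = $Status['Diagnostic Data']

    # 1. Join type from the AzureAdJoined/DomainJoined pair (the table above).
    $join = switch ("$($dev['AzureAdJoined'])/$($dev['DomainJoined'])") {
        'YES/YES' { 'HybridJoined' }
        'YES/NO'  { 'AzureAdJoined' }
        'NO/YES'  { 'DomainJoined' }
        default   { 'NotJoined' }
    }
    # 2. PRT present and refreshed within MaxPrtAge of $Now.
    $prtAge = $null
    if ($sso['AzureAdPrtUpdateTime'] -match '^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)') {
        $t = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
        $prtAge = $Now - [datetime]::SpecifyKind($t, [DateTimeKind]::Utc)
    }
    if ($diag['User Context'] -match '^(ELEVATED|SYSTEM)') {
        Write-Warning "Captured as '$($diag['User Context'])': SSO State describes that account, not the signed-in user."
    }
    # 3. Every "... Test" line passed. None present is fine: the pre-join tests
    #    only run while the device is not yet joined.
    $failed = @(if ($diag) { $diag.GetEnumerator() | Where-Object { $_.Key -like '* Test' -and $_.Value -notmatch '^(PASS|SUCCESS)' } })
    $diagDetail = if ($failed) { ($failed | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; ' } else { 'no failing pre-join tests' }
    $prtOk = ($sso['AzureAdPrt'] -eq 'YES' -and $null -ne $prtAge -and $prtAge -ge [timespan]::Zero -and $prtAge -le $MaxPrtAge)
    $tenantOk = ($ten['TenantName'] -eq $ExpectedTenant -and $ten['TenantId'] -match '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$')

    [pscustomobject]@{ Check = 'Join type';   Pass = ($join -eq $ExpectedJoin); Detail = "$join (expected $ExpectedJoin)" }
    [pscustomobject]@{ Check = 'PRT';         Pass = $prtOk;                    Detail = "AzureAdPrt=$($sso['AzureAdPrt']) age=$prtAge" }
    [pscustomobject]@{ Check = 'Diagnostics'; Pass = ($failed.Count -eq 0);     Detail = $diagDetail }
    [pscustomobject]@{ Check = 'Tenant';      Pass = $tenantOk;                 Detail = "$($ten['TenantName']) / $($ten['TenantId'])" }
}

# Constructed sample (not captured from a real device): hybrid joined, fresh
# PRT, one failing pre-join test, so the checks show both outcomes.
$sample = @'
| Device State |
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
| Tenant Details |
                TenantName : Contoso
                  TenantId : 11111111-2222-3333-4444-555555555555
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
| SSO State |
                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2026-06-15 18:05:00.000 UTC
      AzureAdPrtExpiryTime : 2026-06-29 18:05:00.000 UTC
| Diagnostic Data |
              User Context : UN-ELEVATED User
      AD Connectivity Test : PASS
        DRS Discovery Test : FAIL [0x801c001d]
'@

$status = ($sample -split "`r?`n") | ConvertFrom-DsregStatus
Test-DsregStatus -Status $status -ExpectedTenant 'Contoso' `
    -Now ([datetime]::new(2026, 6, 15, 19, 0, 0, [DateTimeKind]::Utc)) | Format-Table -AutoSize

# On a real device, from the user's own un-elevated session:
# Test-DsregStatus -Status (dsregcmd /status | ConvertFrom-DsregStatus) -ExpectedTenant 'Contoso'
```

With the sample the Join type, PRT and Tenant checks pass and Diagnostics fails on the DRS Discovery Test line, which is the shape of output you want from a pre-join run: one named test to chase rather than a generic "not joined".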

If you encounter password prompt loops in Outlook after fixing device registration, our guide on fixing Exchange Server auth loops addresses that specific symptom.

Frequently asked questions

What does AzureAdPrt NO mean in dsregcmd output?

AzureAdPrt NO indicates the device lacks a valid Primary Refresh Token. Users face repeated authentication prompts and SSO fails. Run the status command as the logged-in user rather than as administrator for accurate PRT diagnostics.

Can I run dsregcmd without administrator privileges?

Yes, basic status queries work without elevation. Join and leave operations require admin rights. Running as a standard user provides more accurate user-specific PRT information than running elevated.

What is the difference between Azure AD joined and hybrid Azure AD joined?

Azure AD joined devices register exclusively with Microsoft Entra ID. Hybrid joined devices maintain membership in both on-premises AD and Azure AD, suiting enterprises needing legacy domain resources alongside cloud services.

How do I fix dsregcmd error 0x801c001d?

Error 0x801c001d indicates DRS discovery failure. Check DNS resolution for enterpriseregistration.windows.net, login.microsoftonline.com and device.login.microsoftonline.com, and verify the device reaches them over HTTPS port 443 from the SYSTEM context, which uses the WinHTTP proxy rather than the user's browser proxy. Firewall or proxy misconfigurations commonly cause this.

Why should I care about hybrid Azure AD security?

Hybrid environments face elevated risk as attackers target the synchronization layer to escalate privileges. Regular dsregcmd checks help detect misconfigurations before exploitation occurs.

Tags: azure-ad, dsregcmd, microsoft-entra-id, windows-administration, device-management, hybrid-join
