Troubleshooting devices using the dsregcmd command

The dsregcmd /status utility must be run as a domain user account.

Device state

This section lists the device join state parameters. The table below lists the criteria for the device to be in various join states.

| AzureAdJoined | EnterpriseJoined | DomainJoined | Device state |
| --- | --- | --- | --- |
| YES | NO | NO | Azure AD Joined |
| NO | NO | YES | Domain Joined |
| YES | NO | YES | Hybrid AD Joined |
| NO | YES | YES | On-premises DRS Joined |

Note

Workplace Join (Azure AD registered) state is displayed in the "User State" section.

  • AzureAdJoined: - Set to “YES” if the device is joined to Azure AD. “NO” otherwise.
  • EnterpriseJoined: - Set to “YES” if the device is joined to an on-premises DRS. A device cannot be both EnterpriseJoined and AzureAdJoined.
  • DomainJoined: - Set to “YES” if the device is joined to a domain (AD).
  • DomainName: - Set to the name of the domain if the device is joined to a domain.

Sample device state output

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : HYBRIDADFS
+----------------------------------------------------------------------+

Device details

Displayed only when the device is Azure AD joined or hybrid Azure AD joined (not Azure AD registered). This section lists device identifying details stored in the cloud.

  • DeviceId: - Unique ID of the device in the Azure AD tenant.
  • Thumbprint: - Thumbprint of the device certificate.
  • DeviceCertificateValidity: - Validity of the device certificate.
  • KeyContainerId: - ContainerId of the device private key associated with the device certificate.
  • KeyProvider: - KeyProvider (Hardware/Software) used to store the device private key.
  • TpmProtected: - “YES” if the device private key is stored in a Hardware TPM.

Sample device details output

+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+

                  DeviceId : e92325d0-xxxx-xxxx-xxxx-94ae875dxxxx
                Thumbprint : D293213EF327483560EED8410CAE36BB67208179
 DeviceCertificateValidity : [ 2019-01-11 21:02:50.000 UTC -- 2029-01-11 21:32:50.000 UTC ]
            KeyContainerId : 13e68a58-xxxx-xxxx-xxxx-a20a2411xxxx
               KeyProvider : Microsoft Software Key Storage Provider
              TpmProtected : NO
+----------------------------------------------------------------------+
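
The join-state table and the device key fields above can be checked mechanically. The following Python is an added example, not part of the original page or of Microsoft's tooling: it parses captured `dsregcmd /status` text, classifies the join state from the table, and flags a device key that is not TPM protected or a device certificate outside its validity window. The function names and the constructed sample input are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Constructed input: the page's Device State and Device Details samples, concatenated.
SAMPLE = """\
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : HYBRIDADFS
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
 DeviceCertificateValidity : [ 2019-01-11 21:02:50.000 UTC -- 2029-01-11 21:32:50.000 UTC ]
               KeyProvider : Microsoft Software Key Storage Provider
              TpmProtected : NO
+----------------------------------------------------------------------+
"""

# (AzureAdJoined, EnterpriseJoined, DomainJoined) -> state, copied from the page's table.
JOIN_STATES = {
    ("YES", "NO", "NO"): "Azure AD Joined",
    ("NO", "NO", "YES"): "Domain Joined",
    ("YES", "NO", "YES"): "Hybrid AD Joined",
    ("NO", "YES", "YES"): "On-premises DRS Joined",
}
STAMP = "%Y-%m-%d %H:%M:%S.%f UTC"  # timestamp format used throughout the output

def parse_fields(text):
    """Return {name: value} for each 'Name : value' line; box-drawing lines are skipped."""
    return dict(re.findall(r"^[ \t]*([A-Za-z][\w .-]*?)[ \t]*:[ \t]+(.*?)[ \t]*$", text, re.M))

def join_state(f):
    """Look the three join flags up in the page's table; a missing flag counts as NO."""
    key = tuple(f.get(k, "NO") for k in ("AzureAdJoined", "EnterpriseJoined", "DomainJoined"))
    return JOIN_STATES.get(key, "Not in table: " + "/".join(key))

def cert_window(f):
    """Split DeviceCertificateValidity into (not_before, not_after) aware datetimes."""
    m = re.match(r"\[\s*(.+?)\s+--\s+(.+?)\s*\]$", f["DeviceCertificateValidity"])
    return tuple(datetime.strptime(s, STAMP).replace(tzinfo=timezone.utc) for s in m.groups())

def findings(f, now):
    """Checks on the device identity key and certificate, evaluated at time `now`."""
    notes = []
    if f.get("AzureAdJoined") == "YES" and f.get("EnterpriseJoined") == "YES":
        notes.append("AzureAdJoined and EnterpriseJoined are both YES; the page rules this out")
    if f.get("TpmProtected", "YES") != "YES":
        notes.append("device private key is not TPM protected: " + f.get("KeyProvider", "unknown provider"))
    if "DeviceCertificateValidity" in f:
        not_before, not_after = cert_window(f)
        if not not_before <= now <= not_after:
            notes.append("device certificate is outside its validity window")
    return notes

if __name__ == "__main__":
    fields = parse_fields(SAMPLE)
    print(join_state(fields), findings(fields, datetime.now(timezone.utc)))
```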

Tenant details

Displayed only when the device is Azure AD joined or hybrid Azure AD joined (not Azure AD registered). This section lists the common tenant details when a device is joined to Azure AD.

Note

If the MDM URLs in this section are empty, it indicates that the MDM was either not configured or the current user is not in scope of MDM enrollment. Check the Mobility settings in Azure AD to review your MDM configuration.

Note

Even if you see MDM URLs, this does not mean that the device is managed by an MDM. The information is displayed if the tenant has MDM configuration for auto-enrollment even if the device itself is not managed.

Sample tenant details output

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : HybridADFS
                  TenantId : 96fa76d0-xxxx-xxxx-xxxx-eb60cc22xxxx
                       Idp : login.chinacloudapi.cn
               AuthCodeUrl : https://login.partner.microsoftonline.cn/96fa76d0-xxxx-xxxx-xxxx-eb60cc22xxxx/oauth2/authorize
            AccessTokenUrl : https://login.partner.microsoftonline.cn/96fa76d0-xxxx-xxxx-xxxx-eb60cc22xxxx/oauth2/token
                    MdmUrl : https://enrollment.manage-beta.microsoft.com/EnrollmentServer/Discovery.svc
                 MdmTouUrl : https://portal.manage-beta.microsoft.com/TermsOfUse.aspx
          MdmComplianceUrl : https://portal.manage-beta.microsoft.com/?portalAction=Compliance
               SettingsUrl : eyJVxxxxIjpbImh0dHBzOi8va2FpbGFuaS5vbmUubWljcm9zb2Z0LmNvbS8iLCJodHRwczovL2thaWxhbmkxLm9uZS5taWNyb3NvZnQuY29tLyxxxx==
            JoinSrvVersion : 1.0
                JoinSrvUrl : https://enterpriseregistration.chinacloudapi.cn/EnrollmentServer/device/
                 JoinSrvId : urn:ms-drs:enterpriseregistration.chinacloudapi.cn
             KeySrvVersion : 1.0
                 KeySrvUrl : https://enterpriseregistration.chinacloudapi.cn/EnrollmentServer/key/
                  KeySrvId : urn:ms-drs:enterpriseregistration.chinacloudapi.cn
        WebAuthNSrvVersion : 1.0
            WebAuthNSrvUrl : https://enterpriseregistration.chinacloudapi.cn/webauthn/96fa76d0-xxxx-xxxx-xxxx-eb60cc22xxxx/
             WebAuthNSrvId : urn:ms-drs:enterpriseregistration.chinacloudapi.cn
    DeviceManagementSrvVer : 1.0
    DeviceManagementSrvUrl : https://enterpriseregistration.chinacloudapi.cn/manage/96fa76d0-xxxx-xxxx-xxxx-eb60cc22xxxx/
     DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.chinacloudapi.cn
+----------------------------------------------------------------------+

User state

This section lists the status of various attributes for the user currently logged into the device.

Note

The command must run in a user context to retrieve valid status.

  • NgcSet: - Set to “YES” if a Windows Hello key is set for the current logged on user.
  • NgcKeyId: - ID of the Windows Hello key if one is set for the current logged on user.
  • CanReset: - Denotes if the Windows Hello key can be reset by the user.
  • Possible values: - DestructiveOnly, NonDestructiveOnly, DestructiveAndNonDestructive, or Unknown if error.
  • WorkplaceJoined: - Set to “YES” if Azure AD registered accounts have been added to the device in the current NTUSER context.
  • WamDefaultSet: - Set to “YES” if a WAM default WebAccount is created for the logged in user. This field could display an error if dsregcmd /status is run from an elevated command prompt.
  • WamDefaultAuthority: - Set to “organizations” for Azure AD.
  • WamDefaultId: - Always “https://login.microsoft.com” for Azure AD.
  • WamDefaultGUID: - The WAM provider’s (Azure AD/Microsoft account) GUID for the default WAM WebAccount.

Sample user state output

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : YES
                  NgcKeyId : {FA0DB076-A5D7-4844-82D8-50A2FB42EC7B}
                  CanReset : DestructiveAndNonDestructive
           WorkplaceJoined : NO
             WamDefaultSet : YES
       WamDefaultAuthority : organizations
              WamDefaultId : https://login.microsoft.com
            WamDefaultGUID : { B16898C6-A148-4967-9171-64D755DA8520 } (AzureAd)

+----------------------------------------------------------------------+

SSO state

This section can be ignored for Azure AD registered devices.

Note

The command must run in a user context to retrieve valid status for that user.

  • AzureAdPrt: - Set to “YES” if a PRT is present on the device for the logged-on user.
  • AzureAdPrtUpdateTime: - Set to the time in UTC when the PRT was last updated.
  • AzureAdPrtExpiryTime: - Set to the time in UTC when the PRT is going to expire if it is not renewed.
  • AzureAdPrtAuthority: - Azure AD authority URL.
  • EnterprisePrt: - Set to “YES” if the device has a PRT from on-premises ADFS. Hybrid Azure AD joined devices could have a PRT from both Azure AD and on-premises AD simultaneously. On-premises joined devices will only have an Enterprise PRT.
  • EnterprisePrtUpdateTime: - Set to the time in UTC when the Enterprise PRT was last updated.
  • EnterprisePrtExpiryTime: - Set to the time in UTC when the PRT is going to expire if it is not renewed.
  • EnterprisePrtAuthority: - ADFS authority URL.

Sample SSO state output

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2019-01-24 19:15:26.000 UTC
      AzureAdPrtExpiryTime : 2019-02-07 19:15:26.000 UTC
       AzureAdPrtAuthority : https://login.partner.microsoftonline.cn/96fa76d0-xxxx-xxxx-xxxx-eb60cc22xxxx
             EnterprisePrt : YES
   EnterprisePrtUpdateTime : 2019-01-24 19:15:33.000 UTC
   EnterprisePrtExpiryTime : 2019-02-07 19:15:33.000 UTC
    EnterprisePrtAuthority : https://fs.hybridadfs.nttest.microsoft.com:443/adfs

+----------------------------------------------------------------------+
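
The PRT fields above are enough to tell whether single sign-on state is present and current. The following Python is an added example, not part of the original page: it reads the SSO state fields from captured `dsregcmd /status` text and reports each PRT as absent, expired, stale or valid at a supplied time, together with the host of its authority URL. The `stale_after` threshold, the function names and the constructed sample are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed input: two Device State flags followed by the page's SSO State sample.
SAMPLE = """\
             AzureAdJoined : YES
          EnterpriseJoined : NO
                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2019-01-24 19:15:26.000 UTC
      AzureAdPrtExpiryTime : 2019-02-07 19:15:26.000 UTC
       AzureAdPrtAuthority : https://login.partner.microsoftonline.cn/96fa76d0-xxxx-xxxx-xxxx-eb60cc22xxxx
             EnterprisePrt : YES
   EnterprisePrtUpdateTime : 2019-01-24 19:15:33.000 UTC
   EnterprisePrtExpiryTime : 2019-02-07 19:15:33.000 UTC
    EnterprisePrtAuthority : https://fs.hybridadfs.nttest.microsoft.com:443/adfs
"""

def parse_fields(text):
    """Return {name: value} for each 'Name : value' line of the output."""
    return dict(re.findall(r"^[ \t]*([A-Za-z][\w .-]*?)[ \t]*:[ \t]+(.*?)[ \t]*$", text, re.M))

def utc(stamp):
    """Parse the '2019-01-24 19:15:26.000 UTC' timestamp format used in the output."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f UTC").replace(tzinfo=timezone.utc)

def prt_report(text, now, stale_after=timedelta(hours=24)):
    """Summarise each PRT as absent / expired / stale / valid at time `now`.

    stale_after is a threshold chosen for this example, not a value from the page.
    """
    f = parse_fields(text)
    report = {}
    # A PRT is "expected" when the matching join flag is YES. A hybrid joined device
    # may also hold an Enterprise PRT, so expected=False does not mean it must be absent.
    for kind, flag in (("AzureAdPrt", "AzureAdJoined"), ("EnterprisePrt", "EnterpriseJoined")):
        entry = {"state": "absent", "authority_host": None, "expected": f.get(flag) == "YES"}
        if f.get(kind) == "YES":
            updated, expires = utc(f[kind + "UpdateTime"]), utc(f[kind + "ExpiryTime"])
            if now >= expires:
                entry["state"] = "expired"
            elif now - updated > stale_after:
                entry["state"] = "stale"      # present, but not renewed recently
            else:
                entry["state"] = "valid"
            entry["remaining"] = expires - now
            entry["authority_host"] = urlsplit(f[kind + "Authority"]).hostname
        report[kind] = entry
    return report

if __name__ == "__main__":
    for name, entry in prt_report(SAMPLE, datetime.now(timezone.utc)).items():
        print(name, entry)
```

An entry with `expected` true and a state other than `valid` is the case worth following up: the device is joined but the logged-on user has no usable PRT for that authority.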

Diagnostic data

Pre-join diagnostics

This section is displayed only if the device is domain joined and is unable to hybrid Azure AD join.

This section performs various tests to help diagnose join failures. This section also includes the details of the previous (?). This information includes the error phase, the error code, the server request ID, the server response HTTP status, and the server response error message.

  • User Context: - The context in which the diagnostics are run. Possible values: SYSTEM, UN-ELEVATED User, ELEVATED User.

    Note

    Since the actual join is performed in SYSTEM context, running the diagnostics in SYSTEM context is closest to the actual join scenario. To run diagnostics in SYSTEM context, the dsregcmd /status command must be run from an elevated command prompt.

  • Client Time: - The system time in UTC.

  • AD Connectivity Test: - Test performs a connectivity test to the domain controller. An error in this test will likely result in Join errors in the pre-check phase.

  • AD Configuration Test: - Test reads and verifies whether the SCP object is configured properly in the on-premises AD forest. Errors in this test would likely result in Join errors in the discover phase with the error code 0x801c001d.

  • DRS Discovery Test: - Test gets the DRS endpoints from the discovery metadata endpoint and performs a user realm request. Errors in this test would likely result in Join errors in the discover phase.

  • DRS Connectivity Test: - Test performs a basic connectivity test to the DRS endpoint.

  • Token acquisition Test: - Test tries to get an Azure AD authentication token if the user tenant is federated. Errors in this test would likely result in Join errors in the auth phase. If auth fails, sync join will be attempted as fallback, unless fallback is explicitly disabled with the below registry key settings.

    Keyname: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ
    Value: FallbackToSyncJoin
    Type:  REG_DWORD
    Value: 0x0 -> Disabled
    Value: 0x1 -> Enabled
    Default (No Key): Enabled
  • Fallback to Sync-Join: - Set to “Enabled” if the above registry key, to prevent the fallback to sync join with auth failures, is NOT present. This option is available from Windows 10 1803 and later.
  • Previous Registration: - Time the previous Join attempt occurred. Only failed Join attempts are logged.
  • Error Phase: - The stage of the join in which it was aborted. Possible values are pre-check, discover, auth, join.
  • Client ErrorCode: - Client error code returned (HRESULT).
  • Server ErrorCode: - Server error code if a request was sent to the server and the server responded back with an error code.
  • Server Message: - Server message returned along with the error code.
  • Https Status: - HTTP status returned by the server.
  • Request ID: - The client requestId sent to the server. Useful to correlate with server-side logs.

Sample pre-join diagnostics output

The following example shows a diagnostics test failing with a discovery error.

+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+

     Diagnostics Reference : www.microsoft.com/aadjerrors
              User Context : SYSTEM
               Client Time : 2019-01-31 09:25:31.000 UTC
      AD Connectivity Test : PASS
     AD Configuration Test : PASS
        DRS Discovery Test : FAIL [0x801c0021/0x801c000c]
     DRS Connectivity Test : SKIPPED
    Token acquisition Test : SKIPPED
     Fallback to Sync-Join : ENABLED

     Previous Registration : 2019-01-31 09:23:30.000 UTC
               Error Phase : discover
          Client ErrorCode : 0x801c0021

+----------------------------------------------------------------------+

The following example shows the diagnostics tests passing but the registration attempt failing with a directory error, which is expected for sync join. Once the Azure AD Connect synchronization job completes, the device will be able to join.

+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+

     Diagnostics Reference : www.microsoft.com/aadjerrors
              User Context : SYSTEM
               Client Time : 2019-01-31 09:16:50.000 UTC
      AD Connectivity Test : PASS
     AD Configuration Test : PASS
        DRS Discovery Test : PASS
     DRS Connectivity Test : PASS
    Token acquisition Test : PASS
     Fallback to Sync-Join : ENABLED

     Previous Registration : 2019-01-31 09:16:43.000 UTC
         Registration Type : sync
               Error Phase : join
          Client ErrorCode : 0x801c03f2
          Server ErrorCode : DirectoryError
            Server Message : The device object by the given id (e92325d0-7ac4-4714-88a1-94ae875d5245) is not found.
              Https Status : 400
                Request Id : 6bff0bd9-820b-484b-ab20-2a4f7b76c58e

+----------------------------------------------------------------------+
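
The test descriptions above tie each test to the join phase in which its failure is likely to surface, which makes the two samples easy to triage automatically. The following Python is an added example, not part of the original page: it finds the first failing test, extracts its error codes, compares the test's likely phase with the recorded Error Phase, and recognises the sync-join case from the second sample. The function names and the reduced, constructed inputs are assumptions of this example.

```python
import re

# Constructed input: the page's two pre-join samples, reduced to the fields used here.
DISCOVERY_FAILURE = """\
              User Context : SYSTEM
      AD Connectivity Test : PASS
     AD Configuration Test : PASS
        DRS Discovery Test : FAIL [0x801c0021/0x801c000c]
     DRS Connectivity Test : SKIPPED
    Token acquisition Test : SKIPPED
     Fallback to Sync-Join : ENABLED
               Error Phase : discover
          Client ErrorCode : 0x801c0021
"""
SYNC_JOIN_PENDING = """\
              User Context : SYSTEM
      AD Connectivity Test : PASS
     AD Configuration Test : PASS
        DRS Discovery Test : PASS
     DRS Connectivity Test : PASS
    Token acquisition Test : PASS
         Registration Type : sync
               Error Phase : join
          Client ErrorCode : 0x801c03f2
          Server ErrorCode : DirectoryError
"""

# Test -> join phase its failure is likely to surface in, as stated on the page.
# The page names no phase for the DRS Connectivity Test, so it maps to None.
LIKELY_PHASE = {
    "AD Connectivity Test": "pre-check",
    "AD Configuration Test": "discover",
    "DRS Discovery Test": "discover",
    "DRS Connectivity Test": None,
    "Token acquisition Test": "auth",
}

def parse_fields(text):
    """Return {name: value} for each 'Name : value' line of the output."""
    return dict(re.findall(r"^[ \t]*([A-Za-z][\w .-]*?)[ \t]*:[ \t]+(.*?)[ \t]*$", text, re.M))

def triage(text):
    """Name the first failing test and compare it with the recorded Error Phase."""
    f = parse_fields(text)
    failed = next((t for t in LIKELY_PHASE if f.get(t, "").startswith("FAIL")), None)
    codes = re.findall(r"0x[0-9a-fA-F]{8}", f[failed]) if failed else []
    phase = f.get("Error Phase")
    expected = LIKELY_PHASE[failed] if failed else None
    return {
        "failed_test": failed,
        "test_codes": codes,
        "skipped": [t for t in LIKELY_PHASE if f.get(t) == "SKIPPED"],
        "error_phase": phase,
        # None when nothing failed or the page gives no phase for the failing test.
        "phase_matches_test": (expected == phase) if expected and phase else None,
        "client_code_in_test": f.get("Client ErrorCode") in codes if failed else None,
        # The join itself runs as SYSTEM, so a SYSTEM-context run is the closest match.
        "system_context": f.get("User Context") == "SYSTEM",
        # All tests pass but a sync registration fails in the join phase with
        # DirectoryError: expected until Azure AD Connect synchronization completes.
        "awaiting_sync": failed is None and f.get("Registration Type") == "sync"
                         and phase == "join" and f.get("Server ErrorCode") == "DirectoryError",
    }

if __name__ == "__main__":
    print(triage(DISCOVERY_FAILURE))
    print(triage(SYNC_JOIN_PENDING))
```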

Post-join diagnostics

This section displays the output of sanity checks performed on a device joined to the cloud.

  • AadRecoveryEnabled: - If “YES”, the keys stored in the device are not usable and the device is marked for recovery. The next sign in will trigger the recovery flow and re-register the device.
  • KeySignTest: - If “PASSED”, the device keys are in good health. If KeySignTest fails, the device will usually be marked for recovery. The next sign in will trigger the recovery flow and re-register the device. For hybrid Azure AD joined devices the recovery is silent. Azure AD joined or Azure AD registered devices, by contrast, will prompt for user authentication to recover and re-register the device if necessary. The KeySignTest requires elevated privileges.

Sample post-join diagnostics output

+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+

         AadRecoveryEnabled: NO
               KeySignTest : PASSED
+----------------------------------------------------------------------+

NGC prerequisite check

This section performs the prerequisite checks for the provisioning of Windows Hello for Business (WHFB).

Note

You may not see NGC prerequisite check details in dsregcmd /status if the user already successfully configured WHFB.

  • IsDeviceJoined: - Set to “YES” if the device is joined to Azure AD.
  • IsUserAzureAD: - Set to “YES” if the logged in user is present in Azure AD.
  • PolicyEnabled: - Set to "YES" if the WHFB policy is enabled on the device.
  • PostLogonEnabled: - Set to "YES" if WHFB enrollment is triggered natively by the platform. If it's set to "NO", it indicates that Windows Hello for Business enrollment is triggered by a custom mechanism.
  • DeviceEligible: - Set to “YES” if the device meets the hardware requirement for enrolling with WHFB.
  • SessionIsNotRemote: - Set to “YES” if the current user is logged in directly to the device and not remotely.
  • CertEnrollment: - Specific to WHFB Certificate Trust deployment, indicating the certificate enrollment authority for WHFB. Set to “enrollment authority” if the source of WHFB policy is Group Policy, “mobile device management” if the source is MDM. “none” otherwise.
  • AdfsRefreshToken: - Specific to WHFB Certificate Trust deployment. Only present if CertEnrollment is “enrollment authority”. Indicates if the device has an enterprise PRT for the user.
  • AdfsRaIsReady: - Specific to WHFB Certificate Trust deployment. Only present if CertEnrollment is “enrollment authority”. Set to “YES” if ADFS indicated in discovery metadata that it supports WHFB and if the logon certificate template is available.
  • LogonCertTemplateReady: - Specific to WHFB Certificate Trust deployment. Only present if CertEnrollment is “enrollment authority”. Set to “YES” if the state of the logon certificate template is valid and helps troubleshoot ADFS RA.
  • PreReqResult: - Provides the result of all WHFB prerequisite evaluation. Set to “Will Provision” if WHFB enrollment would be launched as a post-logon task when the user signs in next time.

Sample NGC prerequisite check output

+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+

            IsDeviceJoined : YES
             IsUserAzureAD : YES
             PolicyEnabled : YES
          PostLogonEnabled : YES
            DeviceEligible : YES
        SessionIsNotRemote : YES
            CertEnrollment : enrollment authority
          AdfsRefreshToken : YES
             AdfsRaIsReady : YES
    LogonCertTemplateReady : YES ( StateReady )
              PreReqResult : WillProvision
+----------------------------------------------------------------------+

Next steps

For questions, see the device management FAQ.