Murray Wall

Have you properly renamed your Azure AD Computer - Root cause CAA5004B

I have been investigating the root problem to error CAA5004B - coming out of the Feedback Hub and I think I can better explain the issue and offer up a clear sky solution to the issue!

As with every solution there is always a few things that cloud the issues. In this case the error CAA5004B and other errors like not being able to login to your computer with your Azure AD account after an upgrade of your #WindowsInsider build is directly related to the fact that during the upgrade process your computer is DROPPED from Azure AD. I blogged here about how you can recover from this. This article is going to try and explain why the Azure AD drop is happening and how you can prevent it.

The root cause is that when you rename your Azure AD joined computer, Windows only renames the machine locally and does nothing in Azure AD (as of build 18334).


That is hard to believe. As an old school ITPro, only renaming the computer and not dealing with the full scope of the rename is outright poor management! There is a User Voice request where you can upvote a rename feature, and it looks like Microsoft will be bringing this feature to the next part of Windows 10 (update as of Dec 2018). As insiders we have not seen this capability as of yet, and because of how long Windows 10 computers have been a part of Azure AD this is going to be a management issue to clean up.

You can fix this problem right now! It is a fairly technical procedure to correct. I will be providing PowerShell code and hope to code up a WPF GUI that will put a nice front end on it.

The following steps are very technical; if you are not comfortable with PowerShell commands locally or in Azure AD, consider researching further! Always create a standalone local admin account prior to working on the computer, and ensure this account is added to the local Administrators group!

This will check whether your computer needs to be renamed within Azure AD. The caveat is that you need to have an idea of what your original machine name was. There are some indicators, but as with most solutions there can be some issues getting the right answer! None of the commands except the final Set-AzureADDevice command does anything but read Azure AD or the local computer registry, which makes them harmless!


Run a PowerShell Window as Administrator on the machine that needs to be renamed in Azure AD

Run the following commands to install the Azure AD module and connect to your tenant

Install-Module AzureAD -AllowClobber -Force

Connect-AzureAD


Sign in with a Global Admin Account

Use one of the following commands to check whether the machine is in your Azure AD

(Get-AzureADDevice|where {$_.displayname -eq [System.Net.DNS]::GetHostByName('').HostName})

or

(Get-AzureADDevice|where {$_.displayname -eq ([System.Net.DNS]::GetHostByName('').HostName).split(".")[0]})

If you get nothing back from either of these commands, then this machine has been renamed and not updated in Azure AD.


On a machine that has been correctly added to Azure AD with the right name you will see the following output from the preceding two commands


If you get the top message (nothing!) then you need to update this machine in Azure AD to match the current machine name.

The current machine name is generated by one of these commands (different versions of Windows handle this differently)

[System.Net.DNS]::GetHostByName('').HostName

or

([System.Net.DNS]::GetHostByName('').HostName).split(".")[0]

You can get a list of all your Azure AD devices via this command

Get-AzureADDevice

What we have to do is get the name the machine had when it was added to Azure AD. You can pull it out of the list from Get-AzureADDevice and copy the ObjectId if you know the original computer name, or we can do it programmatically!

Thankfully the name that was used to join Azure AD is either stored in the registry or can be obtained by combining the registry with Azure AD.

The registry key that stores the AAD join information is obtained via this command

$AADJoin = ((Get-ChildItem -Recurse HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo\).Name).Split("\")[6]

This gives us the DeviceId of the connection the computer used to join Azure AD, and from that we can see if that device is in Azure AD

(Get-AzureADDevice | Where-Object { $_.DeviceId -eq $AADJoin }).DisplayName

This should bring back the machine name the computer had when it was joined to Azure AD in older versions of Windows 10.


Store the ObjectId using the following code

$oldMachineObjectID = (Get-AzureADDevice | Where-Object { $_.DeviceId -eq $AADJoin }).ObjectId


In newer (post-1809) versions of Windows I have seen the previous query come back blank. In those cases the following command should bring back the old machine name.

(Get-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo\$AADJoin\").DeviceDisplayName

Store the old machine name with the following code

$OldMachine = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo\$AADJoin\").DeviceDisplayName

Then get the ObjectId

$OldMachineObjectID = (Get-AzureADDevice | Where-Object { $_.DisplayName -eq $OldMachine }).ObjectId

I don't know exactly which one will work, so I put both examples here as a reference. I am open to hearing from #WindowsInsiders on which one works in each set of circumstances. That being said, using one of the commands you should be able to obtain the device name! Once we have the device name, the real working piece needed is the ObjectId.

The ObjectId is what is used to rename the computer in Azure AD.

In older versions of Windows (1809 or older) the following command will do the rename



Set-AzureADDevice -ObjectId $oldMachineObjectID -DisplayName ([System.Net.DNS]::GetHostByName('').HostName).Split(".")[0]


In newer builds the following (the name expression must be wrapped in parentheses, otherwise PowerShell passes it to -DisplayName as a literal string)

Set-AzureADDevice -ObjectId $oldMachineObjectID -DisplayName ([System.Net.DNS]::GetHostByName('').HostName)


Once the device is renamed to match the current machine name, your computer will start interacting properly with Azure AD.
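The steps above, put together as one script. This is an added example, not code from the original post: it runs the read-only checks first (current name, matching Azure AD object, JoinInfo DeviceId, fallback to the registry's DeviceDisplayName) and only calls Set-AzureADDevice when run with an -Apply switch of my own, so the default run is a dry run. It assumes the AzureAD module is installed and Connect-AzureAD has already been run; the post uses a Global Admin, but an account holding a narrower role that can update device objects (for example Cloud Device Administrator) is the safer choice. Note that Get-AzureADDevice without -All $true returns only the first 100 devices, which in a larger tenant makes the post's one-liners report "nothing" for a device that does exist; the script fetches the full list once.

```powershell
#Requires -RunAsAdministrator
# Added example (not the post's code). Dry run by default; -Apply performs the rename.
# -UseFqdn selects the FQDN form of the name, as the post's newer-build command does;
# the default is the short host name, as the post's older-build command does.
param(
    [switch]$Apply,
    [switch]$UseFqdn
)

Import-Module AzureAD -ErrorAction Stop   # assumes Connect-AzureAD has already been run

# Current machine name in both forms the post uses (builds differ in which one they use).
$fqdn  = [System.Net.Dns]::GetHostByName('').HostName
$short = $fqdn.Split('.')[0]
$newName = if ($UseFqdn) { $fqdn } else { $short }

# Fetch every device once: without -All $true only the first 100 objects come back.
$devices = Get-AzureADDevice -All $true

# 1. Does Azure AD already have an object matching the current name? Then nothing to do.
$current = $devices | Where-Object { $_.DisplayName -in @($fqdn, $short) }
if ($current) {
    Write-Host "Azure AD already has '$($current.DisplayName)' (ObjectId $($current.ObjectId)); no rename needed."
    return
}

# 2. Read the DeviceId from the JoinInfo subkey written when the machine joined Azure AD.
#    PSChildName is the same GUID the post extracts with .Split("\")[6].
$joinKeys = @(Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo')
if ($joinKeys.Count -ne 1) {
    throw "Expected exactly one JoinInfo subkey but found $($joinKeys.Count); inspect the key manually."
}
$joinKey     = $joinKeys[0]
$aadDeviceId = $joinKey.PSChildName

# 3. Resolve the old device object: by DeviceId first (older builds), then by the
#    DeviceDisplayName value stored under the same key (seen on post-1809 builds).
$old = @($devices | Where-Object { $_.DeviceId -eq $aadDeviceId })
if ($old.Count -eq 0) {
    $storedName = (Get-ItemProperty -Path $joinKey.PSPath).DeviceDisplayName
    if ($storedName) {
        $old = @($devices | Where-Object { $_.DisplayName -eq $storedName })
    }
}
if ($old.Count -eq 0) {
    throw "No Azure AD device matches DeviceId $aadDeviceId; the machine may need to be re-joined."
}
if ($old.Count -gt 1) {
    throw "More than one Azure AD device matched; resolve the ObjectId manually before renaming."
}
$old = $old[0]

Write-Host "Azure AD device '$($old.DisplayName)' (ObjectId $($old.ObjectId)) would be renamed to '$newName'."

# 4. The only write in the script, and only when explicitly requested.
if ($Apply) {
    Set-AzureADDevice -ObjectId $old.ObjectId -DisplayName $newName
    Write-Host "Rename applied."
} else {
    Write-Host "Dry run only. Re-run with -Apply to perform the rename."
}
```

Run it once without switches from an elevated PowerShell window to see what it would change, then re-run with -Apply (and -UseFqdn if the tenant's existing device names are FQDNs). Keeping the write behind an explicit switch, and refusing to act when the DeviceId or stored name matches zero or several objects, is what stops a wrong guess about the original name from renaming somebody else's device.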

I am waiting for Microsoft to complete the Windows 10 rename feature so that in the future all computer renames are handled properly. Until then, take due care and attention: when you rename an Azure AD computer, make sure you manually rename that computer in Azure AD to match the machine name you place on the computer. Done properly, this will ensure you do not end up with any CAA5004B errors preventing you from logging in to Azure AD!


Thanks for reading. If you have any questions, reach out to me on Twitter @murmanz or via the blog!

Murray



