Windows 7 Hybrid Join and MFA ramblings

Today I ran into an issue where Windows 7 would not hybrid join as expected. Before going into the details, for those who might not be aware: just like Windows 10 and Server 2016, down-level devices such as Windows 7 can also be hybrid joined. The functionality is not built into the OS, so you need to install the “Microsoft Workplace Join for non-Windows 10 computers” package on those devices.

One reason to hybrid join Windows 7 devices is Conditional Access. Let’s assume you plan to introduce Conditional Access policies that require MFA whenever a user signs in from a non-corporate device, i.e. one that is not hybrid Azure AD joined.

In a mixed environment where users work on both Windows 10 and Windows 7, the only way this works is to hybrid join the Windows 7 devices as well. Otherwise Azure AD cannot tell a corporate Windows 7 device from any other unmanaged machine, and users logging on to Windows 7 devices would be required to authenticate through MFA as if they were on a non-corporate device.

Okay, back to my ramblings. While I had this all working nicely in my lab, today while working with a client we ran into an issue where the hybrid join failed. I asked myself what was different; of course, in IT there are many things that work here but not there. Since we were also doing some work on enabling MFA and SSPR at the same time, I had a suspicion where the problem could be. I went back to my lab, configured a few things and was able to reproduce the same error.

Within the Event log the error is as shown below (Event ID 404).

All prerequisites were validated, so none of the issues described in Troubleshooting hybrid Azure Active Directory joined down-level devices seemed to apply.

So what’s the issue? It turned out that the user who logged in was in a pending MFA registration state, meaning that MFA registration had been enforced through Azure AD Identity Protection, but the user had not completed the registration yet.

Another place where MFA registration can be enforced or requested is Azure AD self-service password reset (SSPR) registration, so check that as well if Identity Protection is not in use.
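Before troubleshooting prerequisites on the device, it is worth checking from the admin side whether the user has actually finished MFA registration. The following is an added example, not code from the original post. It uses the MSOnline module (assumed installed, with Connect-MsolService already run as a tenant admin) and the user principal name `alex@contoso.example` is a placeholder. Identity Protection’s “pending registration” state is not exposed as a property here; what you can see is whether the user has any registered strong authentication method at all, which is the state the hybrid join stumbled on above.

```powershell
# Added example, not part of the original post. Assumes the MSOnline module is
# installed and Connect-MsolService has already been run with an admin account.
function Get-MfaRegistrationState {
    param(
        [Parameter(Mandatory = $true)]
        [string]$UserPrincipalName
    )

    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop

    # Registered methods (phone app, SMS, voice call, ...). An empty list means
    # the user has never completed MFA registration.
    $methods = @($user.StrongAuthenticationMethods)

    # Per-user MFA state (Enabled/Enforced). Empty when per-user MFA is off,
    # which is normal when MFA is driven by Conditional Access instead.
    $perUser = @($user.StrongAuthenticationRequirements | ForEach-Object { $_.State })
    if ($perUser.Count -gt 0) { $perUserState = $perUser -join ',' } else { $perUserState = 'Disabled' }

    New-Object PSObject -Property @{
        UserPrincipalName = $user.UserPrincipalName
        PerUserMfaState   = $perUserState
        RegisteredMethods = ($methods | ForEach-Object { $_.MethodType }) -join ', '
        DefaultMethod     = ($methods | Where-Object { $_.IsDefault } | ForEach-Object { $_.MethodType }) -join ', '
        RegistrationDone  = ($methods.Count -gt 0)
    }
}

# Placeholder UPN: check the user who is about to log on to the Windows 7 device.
Get-MfaRegistrationState -UserPrincipalName 'alex@contoso.example' | Format-List
```

If RegistrationDone comes back as False while your Identity Protection registration policy or SSPR registration applies to the user, you are looking at the same pending state described above, and fixing the device will not help until the user completes registration.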

Once I completed the MFA registration for the user, I triggered the hybrid join on the Windows 7 device manually again:

C:\Program Files\Microsoft Workplace Join>AutoWorkplace.exe /i

This time the hybrid join completed successfully.

Within the Event log the result is as shown below.

And within Azure AD the device shows up with the expected status as well.
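To make the manual retry repeatable and to avoid digging through Event Viewer by hand, the same steps can be scripted on the Windows 7 device. This is an added example, not code from the original post or from Microsoft. It assumes the down-level client is installed in its default path and that it writes to the `Microsoft-Workplace Join/Admin` log; if the log name differs on your build, look under Applications and Services Logs in Event Viewer and adjust `$WorkplaceJoinLog`. Run it as the user who should be joined.

```powershell
# Added example, not part of the original post. Assumptions: default install path
# of the down-level Workplace Join client and the 'Microsoft-Workplace Join/Admin'
# log name; verify both on your device before relying on the output.
$WorkplaceJoinExe = 'C:\Program Files\Microsoft Workplace Join\AutoWorkplace.exe'
$WorkplaceJoinLog = 'Microsoft-Workplace Join/Admin'

function Invoke-HybridJoinRetry {
    if (-not (Test-Path -Path $WorkplaceJoinExe)) {
        throw "Workplace Join client not found at $WorkplaceJoinExe"
    }

    $started = Get-Date

    # /i runs the registration now instead of waiting for the scheduled task.
    $proc = Start-Process -FilePath $WorkplaceJoinExe -ArgumentList '/i' -Wait -PassThru -NoNewWindow

    # Only look at events written by this attempt, oldest first.
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = $WorkplaceJoinLog; StartTime = $started } `
        -ErrorAction SilentlyContinue | Sort-Object -Property TimeCreated)

    $failed404 = @($events | Where-Object { $_.Id -eq 404 })
    if ($failed404.Count -gt 0) {
        Write-Warning ('Event ID 404 logged. Before chasing prerequisites, check whether the ' +
                       'logged-on user has completed MFA registration; a pending registration ' +
                       'blocks the join.')
    }

    New-Object PSObject -Property @{
        ExitCode = $proc.ExitCode
        Seen404  = ($failed404.Count -gt 0)
        Events   = ($events | Select-Object -Property TimeCreated, Id, LevelDisplayName, Message)
    }
}

Invoke-HybridJoinRetry | Format-List
```

The script deliberately avoids PowerShell 3+ only syntax so it also runs on a Windows 7 box that still has PowerShell 2.0. After a successful run you should see no 404 in the Events list, and the device should then appear in Azure AD as described above.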

Conclusion: if you’re having issues with Windows 7 hybrid join and see Event ID 404 in the Event log, check whether the user has completed MFA registration before you start re-validating prerequisites.

I hope you enjoyed the post and that it helps someone who runs into this particular issue.

Happy joining.

Alex

2 Replies to “Windows 7 Hybrid Join and MFA ramblings”

  1. Hi Alex,

    Are you using ADFS in your environment? We cannot get any Win7 devices to register if the user is enabled/enforced for MFA, even if they are enrolled in MFA. The only way we can get a device registered is to disable MFA for the user, which kinda defeats the object of trying to improve security.
