# Troubleshooting

### Issues After Changing Domain

If you have changed the domain of your computer (for example, joined it to Azure AD and then reverted it to an on-premises AD domain) and encounter an error when registering the device in the domain, follow these steps:

<figure><img src="/files/omSKNL6ISG1k2SzirL4S" alt="" width="373"><figcaption></figcaption></figure>

1. Run `certmgr.msc` as an administrator on your computer.
2. Navigate to **Trusted Root Certification Authorities → Certificates**.
3. Check for multiple certificates from your domain server. Keep only the root certificate from the Certification Authority, removing any extras.
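To see which certificates step 3 refers to before removing anything, the following read-only script lists the root certificates whose subject matches your CA's name. It is an added example, not part of the Hideez documentation; the parameter `$CaNameHint` and its default value `EXAMPLE-CA` are constructed placeholders, and the script assumes the duplicates may sit in either the machine or the user root store.

```powershell
# Added example (read-only): list root certificates that match your CA's name
# so that extras can be reviewed before anything is removed in certmgr.msc.
# $CaNameHint is a hypothetical parameter; 'EXAMPLE-CA' is a constructed placeholder.
param(
    [string]$CaNameHint = 'EXAMPLE-CA'
)

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

# Collect matching certificates from both root stores.
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like "*$CaNameHint*" } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Issuer,
                      Thumbprint, NotBefore, NotAfter
}

# The same certificate can be visible through both stores, so group by
# thumbprint and report each distinct certificate once.
$distinct = @(
    $found | Group-Object Thumbprint | ForEach-Object {
        $c = $_.Group[0]
        [pscustomobject]@{
            Subject    = $c.Subject
            SelfSigned = ($c.Subject -eq $c.Issuer)
            Thumbprint = $c.Thumbprint
            NotBefore  = $c.NotBefore
            NotAfter   = $c.NotAfter
            Expired    = ($c.NotAfter -lt (Get-Date))
            Stores     = ($_.Group.Store -join ', ')
        }
    }
)

$distinct | Sort-Object NotBefore | Format-List

if ($distinct.Count -gt 1) {
    Write-Warning "$($distinct.Count) distinct root certificates match '$CaNameHint'. Compare thumbprints with the CA's current root before removing any."
} elseif ($distinct.Count -eq 1) {
    Write-Output "Exactly one matching root certificate found."
} else {
    Write-Output "No root certificate matches '$CaNameHint'; check the hint."
}
```

Record the thumbprint of each certificate you remove so that it can be re-imported if the wrong one was deleted.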

### Lack of Connection to the Certification Authority (CA) Role Service

If you encounter error **`0x800706BA`**, it indicates that the **Certification Authority (CA) server** is unavailable. To resolve this issue, follow these steps:

1. **Check CA Server Availability**
   * Ensure the **CA server** is powered on and running properly.
   * Verify that there are no network issues preventing access to the server.
2. **Test Connectivity to the CA Server**
   * Run the following command in **Command Prompt (cmd)** to check if the CA server is reachable:

     ```powershell
     ping <CA_Server_Hostname>
     ```
   * If the server is reachable, test connectivity to the **CA RPC service** by running:

     ```powershell
     certutil -ping
     ```
   * If you receive a **timeout or connection error**, there may be firewall rules or network policies blocking access.
3. **Check Windows Firewall & Network Settings**
   * Ensure that **RPC (Remote Procedure Call)** and **DCOM** are not blocked by a firewall.
   * Open the required ports for CA communication (typically **TCP 135** for RPC).
4. **Restart the CA Service**
   * Open **Services (services.msc)** on the CA server.
   * Find **Active Directory Certificate Services** and restart it.
   * Alternatively, restart the service via PowerShell:

     ```powershell
     Restart-Service certsvc
     ```
5. **Verify CA Role Installation**
   * Run the following command to check if the CA role is installed:

     ```powershell
     Get-WindowsFeature -Name AD-Certificate
     ```
   * If the CA role is missing, reinstall it using:

     ```powershell
     Install-WindowsFeature -Name AD-Certificate -IncludeManagementTools
     ```

If the issue persists, check event logs (**Event Viewer > Applications and Services Logs > CertificateServicesClient**) for detailed error messages.
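The client-side checks above (reachability, TCP 135, `certutil -ping`, event logs) can be collected in one pass. This is an added example, not part of the Hideez documentation; `$CaHost` is a hypothetical parameter name, and the event-log names are discovered with a wildcard rather than assumed.

```powershell
# Added example: client-side triage for error 0x800706BA.
# $CaHost is a hypothetical parameter name; pass your CA server's hostname.
param(
    [Parameter(Mandatory)]
    [string]$CaHost
)

$report = [ordered]@{ CaHost = $CaHost }

# Name resolution: a failure here means the ping and RPC tests cannot succeed.
$report.DnsResolves = [bool](Resolve-DnsName -Name $CaHost -ErrorAction SilentlyContinue)

# ICMP reachability (the "ping" step). ICMP may be filtered even when RPC is open.
$report.PingReplies = Test-Connection -ComputerName $CaHost -Count 2 -Quiet

# RPC endpoint mapper on TCP 135.
$tcp = Test-NetConnection -ComputerName $CaHost -Port 135 -WarningAction SilentlyContinue
$report.Tcp135Open = $tcp.TcpTestSucceeded

# CA RPC interface (the "certutil -ping" step); exit code 0 means the CA answered.
$certutilOutput = certutil -ping 2>&1
$report.CertutilPingOk = ($LASTEXITCODE -eq 0)

[pscustomobject]$report | Format-List
if (-not $report.CertutilPingOk) { $certutilOutput | Select-Object -Last 5 }

# Recent errors from the CertificateServicesClient event logs (last 24 hours).
$logs = Get-WinEvent -ListLog '*CertificateServicesClient*' -ErrorAction SilentlyContinue |
    Where-Object RecordCount -gt 0
if ($logs) {
    Get-WinEvent -FilterHashtable @{
        LogName   = $logs.LogName
        Level     = 2                       # 2 = Error
        StartTime = (Get-Date).AddHours(-24)
    } -ErrorAction SilentlyContinue |
        Select-Object -First 10 TimeCreated, LogName, Id, Message |
        Format-List
}
```

If `Tcp135Open` is true while `CertutilPingOk` is false, continue with the checks on the CA server itself (service state and role installation).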

### Login Issues After Registration

If the registration is successful but you cannot log in, run the following command in PowerShell as an administrator:

```powershell
certutil -pulse
```

### Missing QR Code for Login

If the QR code does not appear on the Windows login screen, check if this option is enabled in **Hideez Client**.

<figure><img src="/files/N6TzaX0X5NfTJgvP7BMQ" alt="" width="563"><figcaption></figcaption></figure>

### Connection Issues Between Hideez Authenticator and Hideez Enterprise Server (No Connection to Server)

If you encounter a "No connection to server" or "Operation timeout" issue during Single Sign-On to the web application or unlocking your computer, ensure that the port and server address for Hideez are open to the network where the smartphone with the Hideez Authenticator app is located.

<figure><img src="/files/wTVAdfG4XbfbSBV9QGnX" alt="" width="186"><figcaption></figcaption></figure>

#### **To Check the Connection Between Your Smartphone and Hideez Server, Follow These Steps:**

1. Open a browser on your smartphone (Chrome, Safari, or any other).
2. Enter the address of your Hideez server. This could be the local or public address of the Hideez Enterprise Server.
3. Check the connection status. If the server is available and the configuration is correct, you will see a page confirming access to the server or a prompt for authorization credentials.

### View Installed Smart Cards or Passwordless Unlock Accounts on Your Computer's TPM

To check registered smart cards or passwordless login accounts using PowerShell, execute the following command:

```powershell
Get-CimInstance -ClassName Win32_PnPEntity | Where-Object { $_.DeviceID -like "*smartcardreader*" } | Select-Object DeviceID
```

If your computer has smart cards registered as login methods or accounts for passwordless unlocking via the **Hideez Authenticator** app, the command returns output similar to this:

<figure><img src="/files/kKadMC4mMQThwAHZEpRd" alt=""><figcaption></figcaption></figure>

### Remove Installed Smart Cards from Your Computer's TPM Module

To remove installed smart cards or passwordless login accounts saved in the TPM 2.0 module on your computer using PowerShell, you can use the following command:

```powershell
tpmvscmgr destroy /instance <name_of_smartcard>
```

The output of the virtual smart card management utility when removing a smart card or account from the TPM module may look something like this:

<figure><img src="/files/gC81kecylPJcIgUVL9HN" alt="" width="563"><figcaption></figcaption></figure>

### Check the Status and Properties of TPM on Your Computer

To check the status and properties of TPM 2.0, you can use the following command in PowerShell:

```powershell
Get-TPM
```

If the TPM (Trusted Platform Module) on your computer is enabled, the **Get-TPM** command in PowerShell will return information similar to this:

<figure><img src="/files/YTscKkp3GCovzU58SHbq" alt="" width="563"><figcaption></figcaption></figure>

