I recently came across an issue with a couple of customers whereby they are getting several Azure Active Directory dual state devices.
Several dual state devices (both Azure AD Registered and Hybrid Azure AD Joined) may be found within Azure AD. Provided all the necessary prerequisites have been met, on devices running Windows 10 1803 and above the Hybrid Azure AD Join state should take precedence over the Azure AD Registered state. However, some devices may need manual intervention.
Further information can be found in Azure Active Directory device management FAQ | Microsoft Docs
REMOVE CLIENT REGISTRATION OF AZURE AD REGISTERED DEVICE
On each dual state Windows 10/11 device, the following needs to be completed to remove the Azure AD Registered state.
- Start > Settings > Accounts > Access work or school
- Select the required account, and select Disconnect – an example is provided below

- Verify the Azure AD Registered device object has been removed from Azure AD; please allow up to 60 minutes for this to occur
Azure Active Directory admin center > Azure Active Directory > Devices > All devices
If the device state does not change to Hybrid Azure AD Join with Microsoft Intune, please proceed with the remainder of these instructions.
UNREGISTER THE DEVICE FROM AZURE AD
- On each device that must be unregistered, launch an elevated Command Prompt as an administrator and type the following command:
dsregcmd /leave
- Verify the device has been removed from Azure AD
- Azure Active Directory admin center > Azure Active Directory > Devices > All devices
- Verify the certificates issued by “MS-Organization-Access” and “MS-Organization-P2P-Access [xxxx]” have been deleted from the local machine Personal certificate store
How to: View certificates with the MMC snap-in – WCF | Microsoft Docs

- Type the command dsregcmd /status in a Command Prompt, and make sure the following parameters have the appropriate values
dsregcmd /status
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+
AzureAdJoined : NO <-----
EnterpriseJoined : NO
DomainJoined : YES <-----
- Reboot device
REGISTER THE DEVICE AS A HYBRID AZURE AD JOIN
- On the device you wish to register, run the Task Scheduler as an administrator

- Go to Task Scheduler Library > Microsoft > Windows > Workplace Join and manually start the task “Automatic-Device-Join”

- Verify the certificates issued by “MS-Organization-Access” and “MS-Organization-P2P-Access [xxxx]” have been created in the local machine Personal certificate store

- If certificates are not present, go to Event Viewer > Application and Services Logs > Microsoft > Windows > AAD > Operational. Common troubleshooting issues can be found below
Troubleshoot hybrid Azure Active Directory-joined devices | Microsoft Docs
Pending devices in Azure Active Directory – Active Directory | Microsoft Docs
- Type the command dsregcmd /status in a Command Prompt, and make sure the following parameters have the appropriate values
dsregcmd /status
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+
AzureAdJoined : YES <-----
EnterpriseJoined : NO
DomainJoined : YES
- Reboot device
- Verify the device shows as Hybrid Azure AD Joined and is enrolled in Intune
Azure Active Directory admin center > Azure Active Directory > Devices > All devices
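The checks in the unregister and re-register steps above (the dsregcmd /status values and the MS-Organization-Access / MS-Organization-P2P-Access certificates) can be scripted instead of read by eye. This is an added example, not code from the original post; the function names are my own, and the expected values per phase are the ones quoted in the steps above.

```powershell
# Added verification script (not from the original post). Run in an elevated
# PowerShell session on the device being fixed.

function Get-DsregStatus {
    # Turn the "Key : Value" lines of dsregcmd /status into a hashtable.
    $status = @{}
    foreach ($line in (& dsregcmd /status)) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }
    return $status
}

function Test-DeviceState {
    # 'AfterLeave' = expected state after dsregcmd /leave (AzureAdJoined NO);
    # 'AfterJoin'  = expected state after Automatic-Device-Join (AzureAdJoined YES).
    param(
        [hashtable]$Status,
        [ValidateSet('AfterLeave', 'AfterJoin')][string]$Phase
    )
    $expected = @{ EnterpriseJoined = 'NO'; DomainJoined = 'YES' }
    $expected['AzureAdJoined'] = if ($Phase -eq 'AfterJoin') { 'YES' } else { 'NO' }
    foreach ($key in $expected.Keys) {
        [pscustomobject]@{
            Setting  = $key
            Expected = $expected[$key]
            Actual   = $Status[$key]
            Result   = if ($Status[$key] -eq $expected[$key]) { 'OK' } else { 'MISMATCH' }
        }
    }
}

function Get-WorkplaceJoinCertificates {
    # Certificates issued by MS-Organization-Access / MS-Organization-P2P-Access in the
    # local machine Personal store: expected present after join, absent after leave.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -match 'MS-Organization-(P2P-)?Access' } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint
}

# Check the post-join state; use -Phase AfterLeave directly after dsregcmd /leave.
$results = Test-DeviceState -Status (Get-DsregStatus) -Phase AfterJoin
$results | Format-Table -AutoSize
$certs = Get-WorkplaceJoinCertificates
if ($certs) { $certs | Format-Table -AutoSize }
else { Write-Warning 'No Workplace Join certificates found in Cert:\LocalMachine\My' }
if ($results.Result -contains 'MISMATCH') {
    Write-Warning 'Device state does not match the expected Hybrid Azure AD Join values'
}
```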
Hopefully this has been informative and helpful! If you need any further clarification, or a no-frills chat, please feel free to reach out to myself, or fellow Insentrons here at Insentra.