United Kingdom | Removal of AAD Dual State Devices

Ross Kirk - 15.03.2022


Removal of AAD Dual State Devices


I recently came across an issue with a couple of customers whereby they are getting several Azure Active Directory dual state devices.  

A dual state device is one that appears in Azure AD twice: once as Azure AD Registered (typically because a user added a work or school account to Windows) and once as Hybrid Azure AD Joined (the domain-joined computer account registered by the Workplace Join scheduled task). Provided the hybrid join prerequisites have been met, on Windows 10 1803 and later the Hybrid Azure AD Join takes precedence and the Azure AD Registered state is cleaned up automatically. Some devices, however, need manual intervention; the steps below cover those.

Further information can be found – Azure Active Directory device management FAQ | Microsoft Docs 
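Before working through devices one at a time it helps to know how many dual state devices the tenant actually has. The following PowerShell is an added example, not part of the original post: it groups device objects by display name and reports any name that has both a Hybrid Azure AD Joined object (trustType ServerAd) and an Azure AD Registered object (trustType Workplace). Matching on display name is a heuristic I am assuming here, so confirm each pair before deleting anything. The function name, the sample device names and IDs are constructed; the live query assumes the Microsoft Graph PowerShell SDK (Get-MgDevice) with the Device.Read.All permission.

```powershell
# Added example (not from the original post). Finds dual state devices tenant-wide.
# Heuristic assumed here: the two objects of a dual state device share a display name.

function Find-DualStateDevices {
    param(
        # Objects with DisplayName, TrustType, Id and ApproximateLastSignInDateTime,
        # e.g. the output of Get-MgDevice or the constructed sample below.
        [Parameter(Mandatory)] [object[]] $Devices
    )
    $Devices |
        Group-Object -Property DisplayName |
        Where-Object {
            $types = $_.Group.TrustType
            ($types -contains 'ServerAd') -and ($types -contains 'Workplace')
        } |
        ForEach-Object {
            $hybrid     = $_.Group | Where-Object TrustType -eq 'ServerAd'
            $registered = $_.Group | Where-Object TrustType -eq 'Workplace'
            [pscustomobject]@{
                DisplayName        = $_.Name
                HybridJoinedId     = $hybrid.Id -join ','
                RegisteredId       = $registered.Id -join ','
                RegisteredLastSeen = $registered.ApproximateLastSignInDateTime -join ','
            }
        }
}

# Constructed sample data (not real tenant objects) so the function runs offline.
$sample = @(
    [pscustomobject]@{ DisplayName = 'UK-LT-0042'; TrustType = 'ServerAd';  Id = '00000000-0000-0000-0000-000000000001'; ApproximateLastSignInDateTime = [datetime]'2022-03-14' }
    [pscustomobject]@{ DisplayName = 'UK-LT-0042'; TrustType = 'Workplace'; Id = '00000000-0000-0000-0000-000000000002'; ApproximateLastSignInDateTime = [datetime]'2022-02-01' }
    [pscustomobject]@{ DisplayName = 'UK-LT-0043'; TrustType = 'ServerAd';  Id = '00000000-0000-0000-0000-000000000003'; ApproximateLastSignInDateTime = [datetime]'2022-03-14' }
    [pscustomobject]@{ DisplayName = 'UK-LT-0044'; TrustType = 'AzureAd';   Id = '00000000-0000-0000-0000-000000000004'; ApproximateLastSignInDateTime = [datetime]'2022-03-13' }
)

# Only UK-LT-0042 is reported: it has both a ServerAd and a Workplace object.
Find-DualStateDevices -Devices $sample | Format-Table -AutoSize

# Against the tenant (Microsoft.Graph module, Device.Read.All):
# Connect-MgGraph -Scopes 'Device.Read.All'
# $live = Get-MgDevice -All -Property DisplayName,TrustType,Id,DeviceId,ApproximateLastSignInDateTime
# Find-DualStateDevices -Devices $live | Export-Csv .\dual-state-devices.csv -NoTypeInformation
```

The RegisteredLastSeen column is worth a look before you start: a Workplace object that has not signed in for months usually belongs to a user who already removed the account, and the device may simply be waiting for the automatic clean-up rather than needing the manual steps below.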

REMOVE CLIENT REGISTRATION OF AZURE AD REGISTERED DEVICE

On each dual state Windows 10/11 device, complete the following to remove the Azure AD Registered state. The work account must be disconnected by the user who added it, because the registration belongs to that user's profile.

  • Start > Settings > Accounts > Access work or school 
  • Select the required account, and select Disconnect – an example is provided below 
  • Verify the Azure AD Registered device object has been removed from Azure AD – allow up to 60 minutes for this to occur  

Azure Active Directory admin center > Azure Active Directory > Devices > All devices 

If the remaining device object does not show as Hybrid Azure AD Joined with Microsoft Intune as its MDM, proceed with the remainder of these instructions.  

UNREGISTER THE DEVICE FROM AZURE AD

  • On each device that must be unregistered, open an elevated Command Prompt and run the following command 

dsregcmd /leave 

  • If dsregcmd /status still reports AzureAdJoined : YES afterwards, the hybrid join state is held by the machine account; run the same command in the SYSTEM context (for example from a prompt started with PsExec -s) and check again 

  • Verify the device has been removed from Azure AD  
  • Azure Active Directory admin center > Azure Active Directory > Devices > All devices 
  • Verify the certificates issued by “MS-Organization-Access” and “MS-Organization-P2P-Access [xxxx]” have been deleted from the local machine Personal certificate store

How to: View certificates with the MMC snap-in – WCF | Microsoft Docs 

  • Type the command dsregcmd /status in a Command Prompt, and make sure the following parameters have the appropriate values 

dsregcmd /status

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO  <-----
          EnterpriseJoined : NO
              DomainJoined : YES  <-----
  • Reboot the device 

REGISTER THE DEVICE AS A HYBRID AZURE AD JOIN

  • On the device you wish to register, run Task Scheduler as an administrator 
  • Go to Task Scheduler Library > Microsoft > Windows > Workplace Join and manually start the task “Automatic-Device-Join” 
  • Verify the certificates issued by “MS-Organization-Access” and “MS-Organization-P2P-Access [xxxx]” have been created in the local machine Personal certificate store
  • If the certificates are not present, go to Event Viewer > Application and Services Logs > Microsoft > Windows > AAD > Operational and check the error events from the task run. Common troubleshooting issues can be found below 

Troubleshoot hybrid Azure Active Directory-joined devices | Microsoft Docs 

Pending devices in Azure Active Directory – Active Directory | Microsoft Docs 

  • Type the command dsregcmd /status in a Command Prompt, and make sure the following parameters have the appropriate values 

dsregcmd /status

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES  <-----
          EnterpriseJoined : NO
              DomainJoined : YES

  • Reboot the device 
  • Verify the device shows as Hybrid Azure AD Joined and is enrolled in Intune 

Azure Active Directory admin center > Azure Active Directory > Devices > All devices 
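The checks above (dsregcmd /status values, the two MS-Organization certificates, the Workplace Join task and the AAD Operational log) are easy to script so that the same verification is run before the disconnect, after dsregcmd /leave and after the rejoin. The following PowerShell is an added example, not the post's own code: it parses dsregcmd /status into a lookup table, flags the dual state condition, lists the certificates, and re-runs the Automatic-Device-Join task. It assumes Windows 10/11 with dsregcmd.exe and the ScheduledTasks module; the function names and the sample status text are mine.

```powershell
# Added example (not from the original post). Assumes Windows 10/11 with dsregcmd.exe
# and the built-in ScheduledTasks module. Function names are the author's own.

function ConvertFrom-DsregStatus {
    # Parse 'dsregcmd /status' text into a hashtable, e.g. 'AzureAdJoined' -> 'YES'.
    # Each line is split at its first colon, so values that contain ':' (URLs) survive.
    param([Parameter(Mandatory)] [string[]] $Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Get-DsregState {
    ConvertFrom-DsregStatus -Lines (& dsregcmd /status)
}

function Test-DualState {
    # Dual state = domain joined + hybrid Azure AD joined + Azure AD registered.
    # WorkplaceJoined is reported under 'User State', so run this as the user who did
    # the 'Access work or school' registration, not from a different admin account.
    param([Parameter(Mandatory)] [hashtable] $State)
    return (($State['DomainJoined']    -eq 'YES') -and
            ($State['AzureAdJoined']   -eq 'YES') -and
            ($State['WorkplaceJoined'] -eq 'YES'))
}

function Get-OrgCertificates {
    # The hybrid join is backed by two machine certificates. Expect none after
    # 'dsregcmd /leave' and both again after a successful rejoin.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like '*MS-Organization-Access*' -or
                       $_.Issuer -like '*MS-Organization-P2P-Access*' } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint
}

function Start-HybridJoin {
    # Same as starting 'Automatic-Device-Join' in Task Scheduler, then re-checking
    # the join state, the certificates and the AAD Operational log (warnings and errors).
    Start-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join'
    Start-Sleep -Seconds 60
    $state = Get-DsregState
    [pscustomobject]@{
        AzureAdJoined   = $state['AzureAdJoined']
        DomainJoined    = $state['DomainJoined']
        Certificates    = (Get-OrgCertificates | Measure-Object).Count
        RecentAadIssues = Get-WinEvent -LogName 'Microsoft-Windows-AAD/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue |
                              Where-Object { $_.Level -in 1, 2, 3 } |
                              Select-Object -First 5 TimeCreated, Id, Message
    }
}

# Constructed sample of the relevant 'dsregcmd /status' lines (not real output).
$sampleDual = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '+----------------------------------------------------------------------+',
    '| User State                                                           |',
    '+----------------------------------------------------------------------+',
    '                    NgcSet : NO',
    '           WorkplaceJoined : YES'
)
Test-DualState -State (ConvertFrom-DsregStatus -Lines $sampleDual)   # True for this sample

# On a real device:
# $state = Get-DsregState
# if (Test-DualState $state) { 'Dual state: disconnect the work account first (Settings > Accounts)' }
# Get-OrgCertificates          # expect none after dsregcmd /leave, two after the rejoin
# Start-HybridJoin             # run from an elevated prompt after the reboot
```

Run the dual state test in the user's session and the rejoin from an elevated prompt; the task itself runs as SYSTEM, which is why the certificates land in the local machine store rather than the user's.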

Hopefully this has been informative and helpful! If you need any further clarification, or a no-frills chat, please feel free to reach out to myself, or fellow Insentrons here at Insentra. 
