{"id":8676,"date":"2022-03-15T16:06:51","date_gmt":"2022-03-15T16:06:51","guid":{"rendered":"https:\/\/www.insentragroup.com\/us\/?p=8676"},"modified":"2022-05-18T06:26:10","modified_gmt":"2022-05-18T06:26:10","slug":"removal-of-aad-dual-state-devices","status":"publish","type":"post","link":"https:\/\/www.insentragroup.com\/us\/insights\/geek-speak\/modern-workplace\/removal-of-aad-dual-state-devices\/","title":{"rendered":"Removal of AAD Dual State Devices"},"content":{"rendered":"\n<p>I recently came across an issue with a couple of customers whereby they are getting several Azure Active Directory dual state devices.&nbsp;&nbsp;<\/p>\n\n\n\n<p>There may be several dual state (Azure AD Registered &amp; Hybrid Azure AD Join) devices found within <a href=\"https:\/\/www.insentragroup.com\/us\/insights\/geek-speak\/professional-services\/what-is-azure-active-directory\/\" target=\"_blank\" rel=\"noreferrer noopener\">Azure AD<\/a>. Provided all the necessary prerequisites have been met, devices which are Windows 10 1803 and above, Hybrid Azure AD Join should take precedence over Azure AD Registered state. However, some devices may need manual intervention.\u00a0\u00a0<\/p>\n\n\n\n<p>Further information can be found &#8211; <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/devices\/faq#why-do-i-see-a-duplicate-azure-ad-registered-record-for-my-windows-10-hybrid-azure-ad-joined-device-in-the-azure-ad-devices-list\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Azure Active Directory device management FAQ | Microsoft Docs<\/a>&nbsp;<\/p>\n\n\n\n<h3 style=\"padding-bottom: 15px;margin-bottom: 30px;margin-top: 40px;border-bottom: 1px solid #F37237;color: #F37237\"><span>REMOVE CLIENT REGISTRATION OF AZURE AD REGISTERED DEVICE<\/span><\/h3>\n\n\n\n<p>On each dual state Windows 10\/11 device, the following needs to be completed to remove the Azure AD Registered state for each device&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Start &gt; Settings &gt; Accounts &gt; Access work or school&nbsp;<\/li><li>Select the required account, and select Disconnect \u2013 an example is provided below&nbsp;<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"608\" height=\"210\" src=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2022\/03\/image-4.png\" alt=\"\" class=\"wp-image-8677\" srcset=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2022\/03\/image-4.png 608w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2022\/03\/image-4-300x104.png 300w\" sizes=\"(max-width: 608px) 100vw, 608px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li>Verify the Azure AD Registered state device has been removed from within Azure AD \u2013 please allow up to 60 minutes for this to occur&nbsp;&nbsp;<\/li><\/ul>\n\n\n\n<p><a href=\"https:\/\/aad.portal.azure.com\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Azure Active Directory admin center<\/a> &gt; Azure Active Directory &gt; Devices &gt; All devices&nbsp;<\/p>\n\n\n\n<p>If the device state does not change to Hybrid Azure AD Join with Microsoft Intune, please proceed with the remainder of these instructions.&nbsp;&nbsp;<\/p>\n\n\n\n<h3 style=\"padding-bottom: 15px;margin-bottom: 30px;margin-top: 40px;border-bottom: 1px solid #F37237;color: #F37237\"><span>UNREGISTER THE DEVICE FROM AZURE AD <\/span><\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>On each device that must be unregistered, launch an elevated Command Prompt as an administrator and type the following command&nbsp;<\/li><\/ul>\n\n\n\n<p>dsregcmd \/leave&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Verify the device has been removed from Azure AD&nbsp;&nbsp;<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/aad.portal.azure.com\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Azure Active Directory admin center<\/a> &gt; Azure Active Directory &gt; Devices &gt; All devices&nbsp;<\/li><li>Verify the certificates issued by &#8220;MS-Organization-Access&#8221; and &#8220;MS-Organization-P2P-Access [xxxx]&#8221; have been deleted from the local machine Personal certificate store<\/li><\/ul>\n\n\n\n<p><a href=\"https:\/\/aus01.safelinks.protection.outlook.com\/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fdotnet%2Fframework%2Fwcf%2Ffeature-details%2Fhow-to-view-certificates-with-the-mmc-snap-in&amp;data=04%7C01%7Cross.kirk%40insentragroup.com%7C7011159af9164e3a717708d978f7146d%7C671563ba62bf48be912017075aaaa1cc%7C0%7C0%7C637673824990072558%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=GazI2u39ownH8%2FJzNMTHOtRsQflPj6PHonPQtiFkO6M%3D&amp;reserved=0\" target=\"_blank\" rel=\"noreferrer noopener\">How to: View certificates with the MMC snap-in &#8211; WCF | Microsoft Docs<\/a>&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"825\" height=\"176\" src=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2022\/03\/image-5.png\" alt=\"\" class=\"wp-image-8678\" srcset=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2022\/03\/image-5.png 825w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2022\/03\/image-5-300x64.png 300w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2022\/03\/image-5-768x164.png 768w\" sizes=\"(max-width: 825px) 100vw, 825px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li>Type the command dsregcmd \/status in a Command Prompt, and make sure the following parameters have the appropriate values&nbsp;<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>dsregcmd \/status \n\n+----------------------------------------------------------------------+ \n| Device State                                                         | \n+----------------------------------------------------------------------+ \nAzureAdJoined : NO  &lt;----- \nEnterpriseJoined : NO \nDomainJoined : YES  &lt;----- <\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Reboot device&nbsp;<\/li><\/ul>\n\n\n\n<p><\/p>\n\n\n\n<h3 style=\"padding-bottom: 15px;margin-bottom: 30px;margin-top: 40px;border-bottom: 1px solid #F37237;color: #F37237\"><span>REGISTER THE DEVICE AS A HYBRID AZURE AD JOIN <\/span><\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>On device you wish to register, run the Task Scheduler as an administrator&nbsp;<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"320\" height=\"304\" src=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2022\/03\/image-6.png\" alt=\"\" class=\"wp-image-8679\" srcset=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2022\/03\/image-6.png 320w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2022\/03\/image-6-300x285.png 300w\" sizes=\"(max-width: 320px) 100vw, 320px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li>Go to Task Scheduler Library &gt; Microsoft &gt; Windows &gt; Workplace Join and manually start the task &#8220;Automatic-Device-Join&#8221;&nbsp;<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"712\" height=\"441\" src=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2022\/03\/image-7.png\" alt=\"\" class=\"wp-image-8680\" srcset=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2022\/03\/image-7.png 712w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2022\/03\/image-7-300x186.png 300w\" sizes=\"(max-width: 712px) 100vw, 712px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li>Verify the certificates issued by &#8220;MS-Organization-Access&#8221; and &#8220;MS-Organization-P2P-Access [xxxx]&#8221; have been created in the local machine Personal certificate store<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"832\" height=\"176\" src=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2022\/03\/image-8.png\" alt=\"\" class=\"wp-image-8681\" srcset=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2022\/03\/image-8.png 832w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2022\/03\/image-8-300x63.png 300w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2022\/03\/image-8-768x162.png 768w\" sizes=\"(max-width: 832px) 100vw, 832px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li>If certificates are not present, go to Event Viewer &gt; Application and Services Logs &gt; Microsoft &gt; Windows &gt; AAD &gt; Operational. Common troubleshooting issues can be found below&nbsp;<\/li><\/ul>\n\n\n\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/devices\/troubleshoot-hybrid-join-windows-current\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Troubleshoot hybrid Azure Active Directory-joined devices | Microsoft Docs<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/troubleshoot\/azure\/active-directory\/pending-devices#the-state-of-a-registered-device-is-changed-to-pending\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Pending devices in Azure Active Directory &#8211; Active Directory | Microsoft Docs<\/a>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Type the command dsregcmd \/status in a Command Prompt, and make sure the following parameters have the appropriate values&nbsp;<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>dsregcmd \/status \n\n+----------------------------------------------------------------------+ \n| Device State                                                         | \n+----------------------------------------------------------------------+ \nAzureAdJoined : YES  &lt;----- \n\nEnterpriseJoined : NO \n\nDomainJoined : YES <\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Reboot device&nbsp;<\/li><li>Verify device is Hybrid Azure AD Join, and enrolled within Intune&nbsp;<\/li><\/ul>\n\n\n\n<p><a href=\"https:\/\/aad.portal.azure.com\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Azure Active Directory admin center<\/a> &gt; Azure Active Directory &gt; Devices &gt; All devices&nbsp;<\/p>\n\n\n\n<p>Hopefully this has been informative and helpful! If you need any further clarification, or a no thrills chat, please feel free to reach out to myself, or fellow Insentrons here at Insentra.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I recently came across an issue with a couple of customers whereby they are getting several Azure Active Directory dual state devices.&nbsp;&nbsp; There may be several dual state (Azure AD Registered &amp; Hybrid Azure AD Join) devices found within Azure AD. Provided all the necessary prerequisites have been met, devices which are Windows 10 1803&hellip; <a class=\"more-link\" href=\"https:\/\/www.insentragroup.com\/us\/insights\/geek-speak\/modern-workplace\/removal-of-aad-dual-state-devices\/\">Continue reading <span class=\"screen-reader-text\">Removal of AAD Dual State Devices<\/span><\/a><\/p>\n","protected":false},"author":121,"featured_media":8682,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[19],"tags":[],"class_list":["post-8676","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-modern-workplace","entry"],"_links":{"self":[{"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/posts\/8676","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/users\/121"}],"replies":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/comments?post=8676"}],"version-history":[{"count":5,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/posts\/8676\/revisions"}],"predecessor-version":[{"id":10037,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/posts\/8676\/revisions\/10037"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/media\/8682"}],"wp:attachment":[{"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/media?parent=8676"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/categories?post=8676"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/tags?post=8676"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}