Forum Discussion
Double entries in userCertificate avoids Hybrid Join
- Oct 25, 2024
When a machine is trying to join Hybrid Azure AD, it requires a valid userCertificate to authenticate. The Automatic-Device-Join task creates this certificate on the on-premises computer object, which is then synchronized to Azure AD (Entra). However, if the system creates two certificates under the userCertificate attribute, the Hybrid Join fails due to the ambiguity of which certificate is correct for the process.
As you already identified, removing both certificates manually and letting the system recreate the correct certificate with the next join is a viable fix.
Investigating the Task Execution: Review the logs for the Automatic-Device-Join task to see if it’s being triggered multiple times or at an incorrect stage.
Ensure Correct Sync Timing: Confirm that the synchronization between the on-premises AD and Azure AD is configured correctly, and no premature syncs are happening.
Best Regards,
Ali Koc
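As an added example (not part of the post above), the following PowerShell finds computer objects whose userCertificate attribute holds more than one value, decodes each value so you can see which certificate is which, and optionally clears the attribute so the Automatic-Device-Join task can recreate a single one. It assumes the ActiveDirectory RSAT module, rights to read and write the computer objects, and an Entra Connect server; the OU in `-SearchBase` is a placeholder.

```powershell
# Added example, not from the original post. Finds computer objects with multiple
# userCertificate values (the cause of the failed Hybrid Join described above),
# prints each certificate, and optionally clears the attribute with -Remove.
# Assumes the ActiveDirectory RSAT module; the OU below is a placeholder.

[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SearchBase = "OU=Workstations,DC=corp,DC=example",   # placeholder OU
    [switch]$Remove
)

Import-Module ActiveDirectory

# userCertificate is multi-valued; every value is a DER-encoded X.509 certificate.
$computers = Get-ADComputer -Filter 'userCertificate -like "*"' `
                            -SearchBase $SearchBase -Properties userCertificate

foreach ($c in $computers) {
    $values = @($c.userCertificate)
    if ($values.Count -lt 2) { continue }          # one value is the healthy state

    Write-Host "$($c.Name): $($values.Count) values in userCertificate"
    foreach ($der in $values) {
        try {
            $x = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
            # The hybrid-join certificate carries the device ID (a GUID) as its subject CN.
            Write-Host ("  Subject={0}  NotAfter={1:u}  Thumbprint={2}" -f `
                        $x.Subject, $x.NotAfter, $x.Thumbprint)
        } catch {
            Write-Host "  value is not a parseable certificate: $($_.Exception.Message)"
        }
    }

    # Clearing both values, as the post suggests; -WhatIf shows the change without applying it.
    if ($Remove -and $PSCmdlet.ShouldProcess($c.DistinguishedName, "Clear userCertificate")) {
        Set-ADComputer -Identity $c -Clear userCertificate
    }
}

# Follow-up after clearing, run on the affected device:
#   Start-ScheduledTask -TaskPath "\Microsoft\Windows\Workplace Join\" -TaskName "Automatic-Device-Join"
#   Get-WinEvent -LogName "Microsoft-Windows-User Device Registration/Admin" -MaxEvents 20 |
#       Select-Object TimeCreated, Id, LevelDisplayName, Message
#   dsregcmd /status
# Then, on the Entra Connect server, run a delta sync so the new single value reaches Entra:
#   Start-ADSyncSyncCycle -PolicyType Delta
```

Run it first without `-Remove` to review the listing; the scheduled-task and event-log lines in the trailing comment are where to look for the task firing more than once, which is the cause the post asks you to rule out.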