Forum Discussion

TherealKillerbe
Brass Contributor
Jul 04, 2025
Solved

Autopilot Company owned

We deploy all our Windows laptops with Autopilot and are Hybrid AD joined. An old sore is that devices are created twice: the device is first Entra ID joined, after which the device is joined as a Hybrid AD joined device (configuration profile), thus creating two devices which represent one physical device.

  1. An Entra ID joined device which becomes stale over time, as the device stats are no longer updated, and thus becomes non-compliant.
  2. An Entra ID Hybrid joined device which is managed by Intune and updated, wherefore the device is compliant.

This is an old sore and confirmed by Microsoft support, wherefore there does not seem to be a solution. In some cases we have removed the stale Entra ID joined device, and in others we merely disabled the stale device.

Yesterday I discovered some devices which show the opposite. The Hybrid AD joined device shows that it is not managed by an MDM, while the Entra ID joined device shows managed by Intune.

This results in the correct device no longer being updated by Intune.

Also, when looking at the device ownership, I can see that the wrong device states company owned, while the Hybrid AD joined device shows none.

Is there any way to rectify this situation? I confirm that the device is in use.
  • Hi,

    Yes, you are right, the issue is well known by Microsoft and they still confirm that in a hybrid environment you should only have one hybrid artifact in Entra per device after the initial sync.

    Regarding your device, you might want to try looking at the logs on your Entra Connect server to see if there is anything related to this.

    How about deleting the device from Intune and running a dsregcmd /leave and after a join?

    Good luck!

6 Replies

  • I do not see how a DSREGCMD /Leave/Join could resolve this issue, as this command will remove the device from Entra ID and rejoin the device to Entra ID. Thus the Hybrid Joined device will be removed from Entra ID, as that object represents the physical device, but is not present in the Intune database. The registered device in Intune is the old object which is Entra ID joined and is stale. To remove that device I would need to delete that device in Intune, but the newly rejoined device would not be enrolled in Intune.

    I guess this can only be fixed by deleting all device objects referencing the physical device in Entra ID and Intune, and then redeploying the device with Autopilot.

    Bogdan_Guinea I had a call with Microsoft Support about this double device issue in Entra ID a year back, and they told me to disable the stale device, but not to delete them...

    • Bogdan_Guinea
      Iron Contributor

      Disabling and not deleting still means an obsolete device, not the right approach at this point, annoying MS 🙃 and yes normally in a hybrid infrastructure they shouldn't exist.

      If that doesn't make sense with dsregcmd, even if you haven't tried it, I would suggest you try it with a new OU and a test device, after sync to Entra Connect, so you can see how it shows up.

      I don't know your E. Connect config, so it could also be a misconfiguration.

      Yes, you could try Autopilot to get around this issue; you need a "domain join" config profile/template in order for you to maintain your hybrid infra.

      Good luck!

      • TherealKillerbe
        Brass Contributor

        Bogdan_Guinea I am sorry I doubted your advice, but it really works. Have tested this on two machines.

        You need to log in to the device and open cmd in administrator mode. Then you need to run the command DSREGCMD /leave. Checking the status (DSREGCMD /status) before the leave shows that the device is Hybrid AD joined. After the leave the status shows that the device is not Entra ID joined. Then you need to reboot the device. Once the device is rebooted you again check the status and see that, although you performed a leave, the device is still Hybrid AD joined. At this moment the Entra ID device is updated, in which the Hybrid Entra ID device ownership is registered to company. In Intune the device is still not updated and remains stale. Then run the DSREGCMD /join command again in administrator mode. Then the Intune device will be registered correctly. A reboot is required in each step, and thus also after performing the join.

        No objects were deleted from Entra ID during the procedure, so even after the process your objects for the device remain. We removed the obsolete device this time, after verifying that the correct device is registered in Intune.

        Many thanks!
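The procedure above relies on reading `dsregcmd /status` before and after each leave, reboot and join step. The following PowerShell is an added example, not code from the thread or from Microsoft: it parses the `Name : Value` rows that `dsregcmd /status` prints (AzureAdJoined, DomainJoined, DeviceId, TenantName, MdmUrl) into a summary object so each step's state can be recorded and compared. The sample status text and the file path are constructed placeholders.

```powershell
# Added example (not from the thread): summarise the local join state from
# "dsregcmd /status" so it can be captured before and after each step.
# dsregcmd prints "Name : Value" rows under section banners; banners and
# separator lines contain no colon and are skipped by the parser.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$') {
            # Keep the first occurrence; some names (e.g. DeviceId) can repeat in other sections.
            if (-not $fields.ContainsKey($Matches[1])) { $fields[$Matches[1]] = $Matches[2] }
        }
    }
    return $fields
}

function Get-DeviceJoinSummary {
    # Default runs dsregcmd live (needs an elevated prompt for full output);
    # pass -StatusText to parse captured output instead.
    param([string[]]$StatusText = (dsregcmd /status))
    $f = ConvertFrom-DsregStatus -Lines $StatusText
    $azure  = $f['AzureAdJoined'] -eq 'YES'
    $domain = $f['DomainJoined']  -eq 'YES'
    $joinType = if ($azure -and $domain) { 'Hybrid Entra joined' }
                elseif ($azure)          { 'Entra joined' }
                elseif ($domain)         { 'Domain joined only' }
                else                     { 'Not joined' }
    [pscustomobject]@{
        JoinType    = $joinType
        DeviceId    = $f['DeviceId']
        TenantName  = $f['TenantName']
        MdmEnrolled = -not [string]::IsNullOrWhiteSpace($f['MdmUrl'])
        MdmUrl      = $f['MdmUrl']
        Captured    = (Get-Date).ToString('s')
    }
}

# Constructed sample of a hybrid-joined, MDM-enrolled device, so the parser can be
# exercised without running dsregcmd. Values are placeholders, not from the thread.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
                  DeviceId : 00000000-0000-0000-0000-000000000000
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                TenantName : Contoso
                    MdmUrl : https://placeholder.example/enrollmentserver/discovery.svc
'@ -split "`r?`n"

Get-DeviceJoinSummary -StatusText $sample | Format-List

# On a real device, run from an elevated prompt and keep one snapshot per step:
# Get-DeviceJoinSummary | Export-Csv -Path "$env:TEMP\joinstate-before-leave.csv" -NoTypeInformation
```

Saving a snapshot at each step gives a record of which DeviceId and MdmUrl the device carried before the leave and after the join, which is what you need when deciding which of the two Entra objects is safe to remove afterwards.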

  • rpcpancil
    Copper Contributor

    Dual state device identity is a known issue within Entra ID. Manual cleanup is what you need to do. That is why it is recommended to do a device inventory first on your registered devices in Entra ID so you can sort out stale and unmanaged devices.
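The inventory step suggested above, as an added example that is not part of the thread: it lists Entra device objects that share a display name (one physical device represented twice) and shows for each object whether it is the hybrid object (trustType ServerAd) or the Entra joined object (trustType AzureAd), whether Intune reports it as managed and compliant, and when it last signed in. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account has the Device.Read.All permission; the 90-day stale threshold, object names and sample devices are constructed placeholders.

```powershell
# Added example (not from the thread): find duplicate device objects in Entra ID
# and mark which copy looks stale. Read-only; it deletes or disables nothing.
# Requires: Install-Module Microsoft.Graph (Get-MgDevice, Connect-MgGraph).

function Get-DuplicateEntraDevices {
    param(
        # Objects with no sign-in newer than this are flagged as stale candidates
        # (a placeholder policy; choose your own retention window).
        [int]$StaleAfterDays = 90,
        # Pre-fetched device objects, for offline use or testing.
        [object[]]$Devices
    )
    if (-not $Devices) {
        Connect-MgGraph -Scopes 'Device.Read.All' | Out-Null
        $Devices = Get-MgDevice -All -Property 'id,displayName,deviceId,trustType,isManaged,isCompliant,accountEnabled,approximateLastSignInDateTime'
    }
    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)

    $Devices |
        Group-Object -Property DisplayName |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            foreach ($d in $_.Group) {
                # Entra trustType values: ServerAd = hybrid joined, AzureAd = Entra joined, Workplace = registered.
                $joinType = switch ($d.TrustType) {
                    'ServerAd'  { 'Hybrid joined' }
                    'AzureAd'   { 'Entra joined' }
                    'Workplace' { 'Registered' }
                    default     { $d.TrustType }
                }
                $lastSeen = $d.ApproximateLastSignInDateTime
                [pscustomobject]@{
                    DisplayName    = $_.Name
                    ObjectId       = $d.Id
                    DeviceId       = $d.DeviceId
                    JoinType       = $joinType
                    IsManaged      = $d.IsManaged
                    IsCompliant    = $d.IsCompliant
                    Enabled        = $d.AccountEnabled
                    LastSignIn     = $lastSeen
                    StaleCandidate = ($null -eq $lastSeen) -or ($lastSeen -lt $cutoff)
                }
            }
        }
}

# Constructed sample: LAPTOP-001 is one physical device represented twice, in the
# inverted state the original post describes (the Entra joined object is the one
# Intune reports as managed, while the hybrid object is the one actually in use).
$sampleDevices = @(
    [pscustomobject]@{ Id='obj-1'; DisplayName='LAPTOP-001'; DeviceId='dev-aaaa'; TrustType='AzureAd';  IsManaged=$true;  IsCompliant=$true;  AccountEnabled=$true; ApproximateLastSignInDateTime=(Get-Date).AddDays(-120) }
    [pscustomobject]@{ Id='obj-2'; DisplayName='LAPTOP-001'; DeviceId='dev-bbbb'; TrustType='ServerAd'; IsManaged=$false; IsCompliant=$false; AccountEnabled=$true; ApproximateLastSignInDateTime=(Get-Date).AddDays(-1) }
    [pscustomobject]@{ Id='obj-3'; DisplayName='LAPTOP-002'; DeviceId='dev-cccc'; TrustType='ServerAd'; IsManaged=$true;  IsCompliant=$true;  AccountEnabled=$true; ApproximateLastSignInDateTime=(Get-Date).AddDays(-2) }
)

Get-DuplicateEntraDevices -Devices $sampleDevices | Format-Table -AutoSize

# Live, read-only run against the tenant:
# Get-DuplicateEntraDevices | Export-Csv "$env:TEMP\entra-duplicate-devices.csv" -NoTypeInformation
```

The sample output shows LAPTOP-001 twice, with the AzureAd object flagged as a stale candidate despite IsManaged being true; that is the pattern the original post describes, and the report lets you confirm it across the fleet before touching any object.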

  • giuseppina
    Copper Contributor

    Thanks Bogdan for your input.

    Yes, it’s unfortunately a pretty common headache.
    We’ve also checked Entra Connect logs, but didn’t spot anything obvious that would cause this.

    I was considering exactly what you suggested — removing the device from Intune and doing a dsregcmd /leave, followed by a fresh join.

    The only concern is potential disruption for the user, since it’s an actively used laptop. Might plan it for after-hours just to be safe.