Forum Discussion
Hybrid Entra ID Device stuck in Pending
I'm working on onboarding multiple devices to Intune automatically. I’ve created a group containing all relevant users and devices, which has been targeted in the Intune automatic enrolment scope.
While the initial testing with just two users was successful (one of those devices took 3-4 days to complete this process of consolidating the two objects from Entra Registered to Hybrid Joined), expanding the scope to include all users has led to issues. Although all devices are synced to Entra ID via Entra Connect, many device objects are now stuck in a pending state; specifically, they're not progressing from "Entra Registered" to "Entra Hybrid Joined".
Has anyone worked around this? Is the time this task is taking normal? (Very keen to understand what's going on behind the scenes, as one of the test devices also had the same issue and succeeded after 3-4 days.)
Appreciate any ideas/thoughts on this.
Thank you!
2 Replies
- Bogdan_Guinea (Iron Contributor)
Hi,
These are the most common causes based on your post, but also the things I'll check first to understand the problem:
- Hybrid Join Requirements: Ensure that the Service Connection Point (SCP) in AD is correctly configured and reachable by all devices. If some OUs or domains were omitted or permissions are insufficient, devices won’t find the SCP or won’t attempt hybrid join.
- AD Connect Synchronization: The transition from "Registered" to "Hybrid Joined" often completes only after a successful synchronization of both the device object and associated attributes (like msDSKeyCredentialLink) from AD to Entra ID. If synchronization gets delayed or fails for some device objects, those devices remain in a registered state.
- Group Policy Application: Hybrid join and Intune auto-enrollment typically require two GPOs:
  - Register domain-joined computers as devices.
  - Enable automatic MDM enrollment using user credentials.

  If these are not applied consistently to all targeted devices or OUs, many endpoints won’t proceed beyond registration.
- Device Licensing: Missing or incorrect Intune licenses can cause devices to be visible (Entra Registered) but never actually enrolled in the MDM system, which is required for a hybrid join completion.
- Duplicate / Stale Device Objects: If a device is already Entra Registered (typically from user-initiated or manual registration), you may see duplicates—one "Registered," one (possibly pending) "Hybrid Joined." The registered state is only cleaned up after the same user completes a successful hybrid join sign-in. Sometimes, stale device entries must be purged manually, especially in large rollouts.
Good luck!
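
The client-side checks from the list above (SCP reachability, the two GPOs, current join state) can be collected in one pass on an affected device. This is an added example, not part of the reply. It assumes `dsregcmd /status`, the well-known SCP object name, and the registry values these two policies normally write, none of which are named in the thread.

```powershell
# Added example, not from the thread. Run on an affected, domain-joined client.

# 1. Join state as the device reports it (dsregcmd prints "Key : Value" lines).
$state = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
}

# 2. Service Connection Point in the forest's configuration partition,
#    read with the client's own credentials (this is what the device must be able to do).
$scpKeywords = $null
try {
    $cfgNc   = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $scpPath = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080," +
               "CN=Device Registration Configuration,CN=Services,$cfgNc"
    if ([System.DirectoryServices.DirectoryEntry]::Exists($scpPath)) {
        # Keywords hold azureADName:<domain> and azureADId:<tenant id>
        $scpKeywords = @(([ADSI]$scpPath).Keywords) -join '; '
    }
} catch {
    $scpKeywords = "lookup failed: $($_.Exception.Message)"
}

# 3. Values written by the two GPOs (assumed registry locations).
function Get-PolicyValue([string]$Key, [string]$Name) {
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'

# One row per device; a null value means "not found / policy not applied".
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    DomainJoined     = $state['DomainJoined']
    AzureAdJoined    = $state['AzureAdJoined']     # YES once hybrid join has completed
    WorkplaceJoined  = $state['WorkplaceJoined']   # YES points at a leftover registered state
    TenantId         = $state['TenantId']
    ScpKeywords      = $scpKeywords
    AutoWorkplaceJoin = Get-PolicyValue "$policyRoot\WorkplaceJoin" 'autoWorkplaceJoin'
    AutoEnrollMDM     = Get-PolicyValue "$policyRoot\CurrentVersion\MDM" 'AutoEnrollMDM'
}
```

Comparing the rows from a device that completed the join with one still pending shows which of the prerequisites differs.
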
Hi,
I think this thread may help. The user ended up re-registering the devices. Hybrid Azure AD Joined Device Registration Pending Issue - Microsoft Q&A