
Autopilot - Hybrid Azure AD Joined


First post on here, hello everyone!

I've recently been testing the deployment of Windows 10 devices using Autopilot. I've managed to join a device to AAD and sync it back to our on-prem AD. This left 2 devices that appeared in AAD, the Azure AD joined device and the Hybrid Azure AD Joined device.

Once the Hybrid Azure AD Joined device was enrolled and compliant in Intune, I renamed it to AutopilotTest. Is there any way of deleting the Azure AD Joined device, which still appears in AAD with its original name?

1 Reply
Renaming Hybrid Joined devices is not supported, see https://docs.microsoft.com/en-us/mem/intune/remote-actions/device-rename, but that only seems to be about renaming the device in Intune itself instead of on the machine using PowerShell or System Properties.

Normally the below applies: logging into the machine with the same user account should clear up double registrations, but I'm not sure if it applies when you renamed the device?

https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan#handling-de...

Handling devices with Azure AD registered state
If your Windows 10 domain joined devices are Azure AD registered to your tenant, it could lead to a dual state of hybrid Azure AD joined and Azure AD registered device. We recommend upgrading to Windows 10 1803 (with KB4489894 applied) or newer to automatically address this scenario. In pre-1803 releases, you'll need to remove the Azure AD registered state manually before enabling hybrid Azure AD join. In 1803 and above releases, the following changes have been made to avoid this dual state:

- Any existing Azure AD registered state for a user would be automatically removed after the device is hybrid Azure AD joined and the same user logs in. For example, if User A had an Azure AD registered state on the device, the dual state for User A is cleaned up only when User A logs in to the device. If there are multiple users on the same device, the dual state is cleaned up individually when those users log in. After removing the Azure AD registered state, Windows 10 will unenroll the device from Intune or other MDM, if the enrollment happened as part of the Azure AD registration via auto-enrollment.
- Azure AD registered state on any local accounts on the device isn't impacted by this change. Only applicable to domain accounts. Azure AD registered state on local accounts isn't removed automatically even after user logon, since the user isn't a domain user.
- You can prevent your domain joined device from being Azure AD registered by adding the following registry value to HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin: "BlockAADWorkplaceJoin"=dword:00000001.
- In Windows 10 1803, if you have Windows Hello for Business configured, the user needs to reconfigure Windows Hello for Business after the dual state cleanup. This issue has been addressed with KB4512509.

Note: Even though Windows 10 automatically removes the Azure AD registered state locally, the device object in Azure AD is not immediately deleted if it is managed by Intune. You can validate the removal of Azure AD registered state by running dsregcmd /status and consider the device not to be Azure AD registered based on that.
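The reply above points at three separate things: checking the local join state with dsregcmd /status, setting the BlockAADWorkplaceJoin registry value, and the fact that the stale device object is not removed from Azure AD for you. The PowerShell below is an added example that ties those together; it is not code from the original post or from the Microsoft documentation quoted above. It assumes the Microsoft.Graph PowerShell SDK is installed and that the caller can consent to Device.ReadWrite.All; the device names AutopilotTest and DESKTOP-ORIG, and the sample dsregcmd output used for the offline check, are constructed placeholders.

```powershell
# Added example, not from the original post. Placeholder names and sample
# output are constructed; Graph calls assume the Microsoft.Graph SDK.

# --- 1. Parse dsregcmd /status into a hashtable of the fields we care about ---
# dsregcmd prints "Key : Value" lines. Run it in the user's session (not as SYSTEM)
# or the "User State" section, which carries WorkplaceJoined, will be empty.
function Get-DsregState {
    param([string[]]$Lines = (dsregcmd /status))
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined|DeviceId|TenantName)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

# Classify the local state the way the quoted doc describes it.
function Get-JoinSummary {
    param([hashtable]$State)
    $hybrid = ($State.AzureAdJoined -eq 'YES') -and ($State.DomainJoined -eq 'YES')
    [pscustomobject]@{
        HybridAzureAdJoined = $hybrid
        AzureAdRegistered   = ($State.WorkplaceJoined -eq 'YES')   # dual state if both are true
        DeviceId            = $State.DeviceId                      # the object you must NOT delete
    }
}

# Constructed sample output so the parser can be exercised offline.
$sample = @(
    '| Device State |',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '                  DeviceId : 11111111-2222-3333-4444-555555555555',
    '                TenantName : Contoso',
    '| User State |',
    '           WorkplaceJoined : NO'
)
$local = Get-JoinSummary -State (Get-DsregState -Lines $sample)
$local | Format-List

# --- 2. Block future Azure AD registration (the exact value from the quoted doc) ---
function Set-BlockAADWorkplaceJoin {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'BlockAADWorkplaceJoin' -PropertyType DWord -Value 1 -Force | Out-Null
}
# Set-BlockAADWorkplaceJoin   # requires an elevated prompt on the device

# --- 3. Find the leftover device object in Azure AD and delete only that one ---
# trustType distinguishes the objects: 'AzureAd' = Azure AD joined,
# 'ServerAd' = hybrid Azure AD joined, 'Workplace' = Azure AD registered.
function Remove-StaleAzureAdJoinedDevice {
    param(
        [Parameter(Mandatory)][string]$OriginalName,   # name the AAD-joined object still has
        [Parameter(Mandatory)][string]$KeepDeviceId,   # DeviceId from dsregcmd on the live machine
        [switch]$Apply                                 # without -Apply nothing is deleted
    )
    Connect-MgGraph -Scopes 'Device.ReadWrite.All' | Out-Null
    $candidates = Get-MgDevice -Filter "displayName eq '$OriginalName'" `
        -Property Id,DeviceId,DisplayName,TrustType,IsManaged,ApproximateLastSignInDateTime
    foreach ($d in $candidates) {
        $stale = ($d.TrustType -eq 'AzureAd') -and ($d.DeviceId -ne $KeepDeviceId)
        "{0,-16} {1,-10} managed={2,-5} lastSignIn={3} stale={4}" -f `
            $d.DisplayName, $d.TrustType, $d.IsManaged, $d.ApproximateLastSignInDateTime, $stale
        if ($stale -and $Apply) {
            Remove-MgDevice -DeviceId $d.Id   # parameter takes the directory object id
        }
    }
}
# Dry run first, then re-run with -Apply once the listing shows only the old object:
# Remove-StaleAzureAdJoinedDevice -OriginalName 'DESKTOP-ORIG' -KeepDeviceId $local.DeviceId
```

Two checks worth keeping: the delete is gated on both trust type and a DeviceId mismatch, so the hybrid object the renamed AutopilotTest machine actually uses cannot be removed by a typo in the name filter, and the function lists everything before it touches anything. Note also that Get-MgDevice returns the directory object id in Id and the device's own identifier in DeviceId; dsregcmd reports the latter, Remove-MgDevice wants the former.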