SOLVED

Dual State HAADJ and AADJ Devices - Autopilot

Copper Contributor

 

I have a Server 2022 domain and building Win 10 22H2 devices via Autopilot with HAADJ...and getting the dual device in AAD.

 

Have re-checked all the documentation and even reworked the steps. Have even tried the BlockAADWorkplaceJoin entry and that does nothing!

 

We see two entries for every device, with both showing a 'join' value. This differs from other posts I have seen where you will have dual devices with one being Joined and the other Registered. These devices do not automatically clean themselves up. 

 

I am well aware AADJ is far superior to HAADJ. Please do not reply with 'just use AADJ'. 

 

Device both 'Hybrid Azure AD joined' and 'Azure AD registered' : Intune (reddit.com) - this reference is for Join & Registered

 

Azure Active Directory device management FAQ - Microsoft Entra | Microsoft Learn - also references Join & Registered. During our tests, the users are not accepting any prompts to join work or school. 

 

Reviewed - Plan your hybrid Azure Active Directory join deployment - Microsoft Entra | Microsoft Learn 

 

 

thumbnail_image001.png

1 Reply
best response confirmed by nicoleve (Microsoft)
Solution

@Dan Padgett try this script, it will clean up the dual state by deleting the WPJ (Entra Registered) record: 

 https://download.microsoft.com/download/8/e/f/8ef13ae0-6aa8-48a2-8697-5b1711134730/WPJCleanUp.zip

 

Source: https://learn.microsoft.com/en-us/entra/identity/devices/faq#how-do-i-remove-a-microsoft-entra-regis... 

 

The key you are referring to "BlockAADWorkplaceJoin" is to block future users from selecting this option below and joining their work or school account by creating an Entra Registered record (dual state), it doesn't delete the records that have already been created, it just blocks future attempts. The script should do the trick!

nicoleve_0-1707318361148.png

 

1 best response

Accepted Solutions
best response confirmed by nicoleve (Microsoft)
Solution

@Dan Padgett try this script, it will clean up the dual state by deleting the WPJ (Entra Registered) record: 

 https://download.microsoft.com/download/8/e/f/8ef13ae0-6aa8-48a2-8697-5b1711134730/WPJCleanUp.zip

 

Source: https://learn.microsoft.com/en-us/entra/identity/devices/faq#how-do-i-remove-a-microsoft-entra-regis... 

 

The key you are referring to "BlockAADWorkplaceJoin" is to block future users from selecting this option below and joining their work or school account by creating an Entra Registered record (dual state), it doesn't delete the records that have already been created, it just blocks future attempts. The script should do the trick!

nicoleve_0-1707318361148.png

 

View solution in original post