error_missing_device when joining a domain with hybrid join config


I just inherited this setup, and I've never done a hybrid environment before. I'm just looking for the next clue in the mystery.


I created a VM. I ran dsregcmd /status and it was clean, as expected. No errors.

I joined our domain. I immediately ran dsregcmd /status again, without even rebooting.




     Previous Registration : 2024-01-30 20:53:16.000 UTC
         Registration Type : sync
               Error Phase : join
          Client ErrorCode : 0x801c03f3
          Server ErrorCode : invalid_request
       Server ErrorSubCode : error_missing_device
          Server Operation : DeviceRenew
            Server Message : The device object by the given id (f6628439-35ae-43c8-969f-7780d1b8d48f) is not found.
              Https Status : 400
                Request Id : c3ba163b-fcd7-4d3e-8525-9fe3b82ec5bb


This happens to all workstations and as far as I can tell, has always happened. Devices do not show up in Entra as expected. The Azure AD Connector seems to be working as users do show up in M365 and Entra.


I'd like to focus on the errors above.  Why is it saying "missing device"? What device is it looking for? Itself? Why? Why would it look for itself and not just create a new record (which is what I'm expecting)?


Any insight appreciated.

8 Replies
The error suggests that the device object has not synced in Entra ID. Do the devices have a line of sight to DC? Have you included the user certificate in attributes for syncing in Entra ID connect synchronisation settings?

So I discovered that Azure AD connect was not set to sync the OU which computers reside in. So this explains why they are not showing up in Entra. Cool. But can you explain what, then, is trying to "sync" it which results in the errors in my original post?

"The error suggests that the device object has not synced in Entra ID. "

@rahuljindal-MVP That was the case, but I still don't understand the error. What made it think it was SUPPOSED to sync to Entra ID? In other words, if the sync was never set up, why the error? Like, why doesn't my personal laptop get this error? It's not synced in Entra ID. See what I'm getting at?

I am not sure what you mean, but the sync is really a registration with Entra ID. There are some moving elements running in the background but at a high level your on-prem device objects need to be allowed to sync with default device & user certificate attributes through the Entra ID connect sync. Then you need to decide whether to provide details of your Azure tenant to the devices using SCP or targeted deployment involving GPO. As the final step your devices need to be allowed to go over the internet to connect to relevant Azure URLs to register with the service and pull down the user certificate. This is where the device object in Entra ID is checked for. If missing, the user certificate will not come down to the device. Once satisfied, the device needs line of sight to DC to complete the handshake and finish the hybrid join process. Hope this helps.

Imagine I said I had an error that said my computer won't power on and you said "Did you power it on". So then I turned it on and it worked. Wouldn't you be curious about the initial error? That's how I feel about this sync error. Why was there a sync error if the sync had never been set up correctly?

There was an error because you didn’t have the configuration in place all the way. It is like any other thing. If your engine oil light comes on and you fix it by putting in more engine oil then the indicator did its job. 😊

"you didn’t have the configuration in place all the way"

Right, that's what I'm trying to figure out. What part of the configuration was complete? Why was it trying to join if it wasn't in an OU with the policy?


Windows has a built-in Scheduled Task under Microsoft\Windows\Workplace Join called "Automatic-Device-Join", which is triggered at user logon and essentially does what "dsregcmd.exe /join" does.
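
Added example, not part of any reply in this thread: a PowerShell check that parses the `dsregcmd /status` fields shown in the original post and inspects the Automatic-Device-Join task named in the last reply. The helper name `ConvertFrom-DsregStatus` is hypothetical, and `AzureAdJoined` / `DomainJoined` are fields of normal dsregcmd output that the post does not show.

```powershell
# Added example. ConvertFrom-DsregStatus is a hypothetical helper name.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $fields = [ordered]@{}
    foreach ($line in $Lines) {
        # Split at the first " : " only; values such as timestamps contain colons.
        if ($line -match '^\s*(?<key>[^:]+?)\s+:\s+(?<value>.*\S)\s*$') {
            $fields[$Matches['key']] = $Matches['value']
        }
    }
    [pscustomobject]$fields
}

# Fallback input copied from the output in the original post, used when dsregcmd is absent.
$sample = @'
               Error Phase : join
          Client ErrorCode : 0x801c03f3
       Server ErrorSubCode : error_missing_device
          Server Operation : DeviceRenew
'@ -split '\r?\n'

$lines = if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) { dsregcmd.exe /status } else { $sample }
$status = ConvertFrom-DsregStatus -Lines $lines

# AzureAdJoined and DomainJoined come from the Device State section of real output.
$status | Select-Object AzureAdJoined, DomainJoined, 'Error Phase', 'Client ErrorCode',
    'Server ErrorSubCode', 'Server Operation', 'Server Message' | Format-List

# The built-in task named in the thread: does it exist, is it enabled, when did it last run?
$taskPath = '\Microsoft\Windows\Workplace Join\'
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $task = Get-ScheduledTask -TaskPath $taskPath -TaskName 'Automatic-Device-Join' -ErrorAction SilentlyContinue
    if ($task) {
        $info = $task | Get-ScheduledTaskInfo
        [pscustomobject]@{
            Task           = $task.TaskName
            State          = $task.State
            LastRunTime    = $info.LastRunTime
            LastTaskResult = '0x{0:X}' -f $info.LastTaskResult
        } | Format-List
    } else {
        Write-Warning "Automatic-Device-Join task not found under $taskPath"
    }
}

# Triage for the sub-code in this thread; the cause named here is the one the thread found.
if ($status.'Server ErrorSubCode' -eq 'error_missing_device') {
    Write-Warning 'No device object found in Entra ID for this machine. Check that the sync scope includes the OU holding its computer account.'
}
```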