It's correct that you do end up with 2 objects. Usually you have to wait for Azure AD Connect to sync the device and the hybrid join to complete. It depends on your sync schedule. For a good understanding, see https://oofhours.com/2020/05/23/digging-into-hybrid-azure-ad-join/
Fails on first attempt to be Azure AD Hybrid joined
- We are testing Azure AD Hybrid.
- The AD is configured to sync the correct OU
- We have created an Autopilot deployment profile that is Hybrid Azure AD joined
- We have a test vm that has direct line to the dc
- We boot the test vm, use Shift+F10 and use Get-WindowsAutopilotinfo -Online to push the hwid.
- We can see the hwid in endpoint manager and we assign this to a group that is assigned to the autopilot deployment profile. We also assign the device to a user. We wait until everything is assigned.
- We reboot the VM and are prompted with the correct user, we enter creds... wait some time, and then we get the login picture and we can see that it is joined to the local domain and it's asking for our creds. We log in with a local AD account.
- We see the computer object in local ad, but in Azure we see the object as azure ad joined.
- We check the dsregcmd and see the device is not AzureADJoined with error 0x801c03f3
We googled some and found info about "make sure the on-premises computer object is synchronized to Azure AD. Run the Delta Azure AD Connect sync". The OU that the machine is added to is marked for sync, so do we have to wait for Azure AD Sync?
We did a manual sync, but still the same object in Azure AD.
Then we did a "dsregcmd.exe /debug /join" and it was successful. When we now check Azure AD we can see two device objects, one is Azure AD Joined and the other is Hybrid Azure AD joined.
What went wrong here?
If we had just waited, would the Azure AD Joined device itself "turn into" a Hybrid Azure AD joined device?
One other question: after we logged into the device the first time, the user was NOT administrator even though we had configured it to be under the Autopilot profile, but after a reboot the user was added as local admin... is a reboot necessary?
Thanks for any explanation.
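As an added diagnostic (not from the original thread), the following PowerShell classifies the `dsregcmd /status` output the question relies on, so the "domain joined but not yet Azure AD joined" state described above can be spotted without reading the whole dump. The `Get-JoinState` function and the sample status text are constructed for this example.

```powershell
# Added example: classify a device's join state from 'dsregcmd /status'.
# Pass -StatusText to parse captured output offline; otherwise the live command is run.
function Get-JoinState {
    param([string]$StatusText)
    if (-not $StatusText) { $StatusText = (& dsregcmd.exe /status) -join "`n" }

    # Status lines look like "   AzureAdJoined : YES"; collect them into a hashtable.
    # The box-drawing header lines contain no "Name : Value" pair and are skipped.
    $fields = @{}
    foreach ($line in $StatusText -split "`r?`n") {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    $aad    = $fields['AzureAdJoined'] -eq 'YES'
    $domain = $fields['DomainJoined']  -eq 'YES'

    if ($aad -and $domain) { $state = 'HybridAzureADJoined' }
    elseif ($domain) {
        # Domain joined but Azure AD registration has not completed: the state the
        # question describes while waiting for the synced computer object.
        $state = 'DomainJoinedOnly'
    }
    elseif ($aad) { $state = 'AzureADJoinedOnly' }
    else          { $state = 'NotJoined' }

    [pscustomobject]@{
        State      = $state
        DeviceId   = $fields['DeviceId']
        TenantName = $fields['TenantName']
    }
}

# Constructed sample matching the question: domain joined, Azure AD join not yet done.
$sample = @"
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
"@
Get-JoinState -StatusText $sample    # State = DomainJoinedOnly
```

Run `Get-JoinState` with no arguments on the device after each Azure AD Connect sync cycle; once it reports `HybridAzureADJoined` the registration has completed.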
@andreas bright , For Windows Autopilot user-driven Hybrid Azure AD Join, we will end up seeing two devices in Azure AD when this process completes. An Azure AD Join device object (which ends up getting enabled and renamed as part of this process) and the synced Hybrid Azure AD Join device object. This is by design. Here are the objects in my lab:
Also, here is a link describing this, which we can read for reference:
Note: Non-Microsoft link, just for the reference.
For the situation about adding into the local administrator group, based on the phenomenon we get, it seems the reboot is needed.
Hope it can help.
Thanks for great feedback from both of you.
Just to make things clear: if I had not run the "dsregcmd.exe /debug /join", would it after a while have been joined correctly after all? What is the max waiting time for this?