Azure AD device registration after mainboard change (Bitlocker, TPM 2.0 Cond. Access on hybrid joined devices)

PatrickEl 21 Reputation points
2021-01-27T18:00:45.53+00:00

Hi guys,

Core infos:
Windows 10 Notebook with Bitlocker and TPM 2.0
On prem AD gets synced to Azure AD
Conditional Access policies to restrict apps to hybrid joined (registered) devices only
No BYOD

We had a damaged notebook where the mainboard got changed; after that the user notified us that he can’t access apps like Office/Teams/CRM etc.

Error message:
“Device is not in required device state, Conditional Access policy requires a domain joined device and the device is not domain joined”

The device state of the notebook is unregistered.
We couldn’t find a solution even with Microsoft support; some days later the user said it works... so we hoped it was just one case :-).

--
We heard of another case with the same problem (sadly also fixed automatically after some days), so we are trying to recreate the issue if further cases will occur.

I did everything *1 & *2 said, and after delta syncing AD Connect the device is registered.
But for now I don’t know if it was the command dsregcmd /forcerecovery (*3)
or the second delta sync after I connected via VPN, because for registering a device
I need a connected domain controller (we saw that in the local event log).
I will test this separately and let you know tomorrow, so I can be sure.

(*4 We changed nothing in regard to the TPM or Bitlocker, but maybe we have to?)
That’s why I have some questions for you:

Does the Primary Refresh Token interfere after a mainboard change regarding registered devices?
Do we have to check or maybe disable TPM 2.0 prior to the change?
Do you have any experience with that mainboard change scenario, on what to do step by step regarding registered devices in Azure?

Sources:
*1 https://samilamppu.com/2020/01/16/azure-ad-hybrid-device-join-hdj-status-pending/
*2 https://s4erka.wordpress.com/2019/04/05/azure-ad-conditional-access-policies-troubleshooting-device-state-unregistered/
*3 https://learn.microsoft.com/en-us/azure/active-directory/devices/faq
*4 Updating Bitlocker After Motherboard Replacement – Engineering Information Technology
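A diagnostic script to collect the device state the question is chasing (hybrid join, PRT, TPM-backed device key, TPM and BitLocker protector status) in one run on the affected notebook. This is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell session on Windows 10 and parses the standard `dsregcmd /status` output format.

```powershell
# Added diagnostic for the mainboard-swap scenario: summarize hybrid-join, PRT,
# TPM and BitLocker state so the cause of "device is not domain joined" is visible.
# Assumes an elevated PowerShell session on Windows 10 (Get-Tpm needs admin).

function Get-DsregField {
    param([string[]]$Lines, [string]$Name)
    # dsregcmd /status prints fields as "   Name : Value"
    foreach ($line in $Lines) {
        if ($line -match "^\s*$Name\s*:\s*(.+)$") { return $Matches[1].Trim() }
    }
    return $null
}

$dsreg  = dsregcmd /status
$fields = 'AzureAdJoined','DomainJoined','DeviceId','TenantName',
          'AzureAdPrt','KeyProvider','TpmProtected'
$state  = [ordered]@{}
foreach ($f in $fields) { $state[$f] = Get-DsregField -Lines $dsreg -Name $f }

# TPM and BitLocker view: after a board swap the device key and the OS-volume
# TPM protector may no longer match the (new) TPM.
$tpm = Get-Tpm
$state['TpmPresent'] = $tpm.TpmPresent
$state['TpmReady']   = $tpm.TpmReady
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$state['BitLockerProtection'] = $os.ProtectionStatus
$state['OsVolumeTpmProtector'] = [bool]($os.KeyProtector |
    Where-Object { $_.KeyProtectorType -like 'Tpm*' })

$issues = @()
if ($state.AzureAdJoined -ne 'YES') {
    $issues += 'AzureAdJoined is not YES: hybrid registration has not completed. ' +
               'Registration needs line of sight to a domain controller, then an AD Connect delta sync.'
}
if ($state.AzureAdJoined -eq 'YES' -and $state.AzureAdPrt -ne 'YES') {
    $issues += 'No Primary Refresh Token: device-based Conditional Access will still fail until the user signs in again.'
}
if ($state.TpmProtected -ne 'YES') {
    $issues += 'Device key is not TPM-protected (KeyProvider: ' + $state.KeyProvider + ').'
}
if (-not $state.OsVolumeTpmProtector) {
    $issues += 'OS volume has no TPM key protector; re-add it after the TPM change (see source *4).'
}

[pscustomobject]$state | Format-List
if ($issues.Count -eq 0) { 'No issues detected.' } else { $issues }
```

Run it before and after each step (forcerecovery, VPN-connected delta sync) to see which one actually flips AzureAdJoined and AzureAdPrt to YES.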

1 answer

Jason Sandys 31,176 Reputation points Microsoft Employee
2021-01-27T19:06:06.3+00:00

Was the device AAD domain joined, hybrid AAD domain joined, or just AAD registered?