This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 90%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
Hi guys,
Core infos:
Windows 10 Notebook with Bitlocker and TPM 2.0
On prem AD gets synced to Azure AD
Conditional Access Policies to restrict apps for hybrid joined (registered devices) only
No BYD
We had a damaged notebook were the mainboard got changed, after that the user notified us, that he can’t access apps like Office/Teams/CRM etc.
Error message:
“Device is not in required device state, Conditional Access policy requires a domain joined device and the device is not domain joined”
The device state of the notebook is unregistered.
We couldn’t find a solution even with Microsoft support, some days later the user said it works.. so we hoped it was just one case :-).
--
We heard of another case with the same problem (sadly also fixed automatically after some days), so we are trying to recreate the issue if further cases will occur.
I did everything *1 & *2 said and after delta syncing the ADConnect the device is registered,
But for now I don’t know if it was the comment dsregcmd /forcerecovery (*3)
or the second delta sync after I connected via VPN because for registering a device,
I need a connected domain controller. (we saw that on the local Event Log)
I will test this separate and let you know tomorrow, so I can be sure
(*4 We changed nothing in regards of the TPM or Bitlocker, but maybe we have to?)
That’s why I have some questions for you:
Does the Primary refresh token interferes after a mainboard change regarding registered devices?
Do we have to check or maybe disable TPM2.0 prior of the change?
Do you have any experience with that mainboard change scenario on what to do step by step regarding to registered devices in azure?
Sources:
*1 https://samilamppu.com/2020/01/16/azure-ad-hybrid-device-join-hdj-status-pending/
2 https://s4erka.wordpress.com/2019/04/05/azure-ad-conditional-access-policies- troubleshooting-device-state-unregistered/
3 https://learn.microsoft.com/en-us/azure/active-directory/devices/faq
4* Updating Bitlocker After Motherboard Replacement – Engineering Information Technology
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
From your description, we find the issue is more related to Azure AD. I would remove the tag of "mem-intune-device-configuration", which represents device configuration profile in intune. Thanks!.
Was the device AAD domain joined, hybrid AAD domain joined, or just AAD registered?
Hi Jason,
sorry for the late response.
the device is hybrid AAD domain joined.
I tested it again yesterday and I think we found the problem why it wasn't registering.
The main issue we had for our users with mainboard changes outside the office was the VPN connection that was missing after the change.
The mainboard contains the TPM which also will contain private key material associated with the hybrid domain join. Thus, switching out the mainboard (and TPM) cause this to be lost and you must manually leave AAD and rejoin (both using dsregcmd) on these systems.