
AADSTS50019 during Windows OOBE after device reimage – Entra device object already exists / certificate expected

Vladyslav Babich 0 Reputation points Microsoft External Staff
2026-03-25T07:00:58.6933333+00:00

Hello,

I’m having an issue during Windows initial setup (OOBE) after reimaging a corporate Windows device.

When I try to sign in with my work account, the setup fails with this error:

AADSTS50019 – No valid certificate detected on the device

Because of this, the device cannot finish Microsoft Entra ID join or continue with enrollment.

This device was previously Microsoft Entra joined:

1. After reimaging, all local certificates and keys were removed (expected)

2. However, in Microsoft Entra ID, the device still exists as an active and compliant device

3. Other devices using the same account work fine

4. The issue only happens on this reimaged device

It looks like Entra ID still expects a device certificate or identity, but the device can’t create one yet because enrollment hasn’t completed.

Microsoft Security | Windows Autopilot

1 answer

  Q&A Assist
    2026-03-25T07:01:20.96+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The behavior matches a scenario where Microsoft Entra ID still has a valid device object and expects the existing device identity (certificates/keys), but the reimaged OS has lost those credentials. This is similar in effect to issues caused by bad Sysprep images or cleared TPM, where the device identity in Entra no longer matches what the OS can present.

    Use the following remediation steps:

    1. Remove the stale device identity
      • In the Microsoft Entra admin portal, locate the affected device record that corresponds to the reimaged machine.
      • Delete the device from Microsoft Entra ID so that any associated MS-Organization-Access/device certificates and IDs are removed on the service side.
      • This forces a clean device registration on the next join attempt.
    2. Ensure the image is not pre-joined or pre-enrolled
      • Verify that the reference image used to reimage the device is not:
        • Microsoft Entra joined
        • Microsoft Entra hybrid joined
        • Microsoft Entra registered
        • MDM-enrolled (Intune or other MDM)
      • If the image was captured after the device had been joined/enrolled, it may contain stale device IDs and certificate remnants that conflict with the existing Entra device object. In such cases, rebuild the reference image from a clean, non-joined, non-enrolled installation.
    3. Check for TPM / keyset issues after reimage
      • If the device uses TPM-backed keys for PRT/device auth, a cleared or misconfigured TPM can cause join/authentication failures similar to what is described for error NTE_BAD_KEYSET (0x80090016) and other TPM-related errors:
        • Avoid clearing TPM in BIOS or Windows settings once the device is joined.
        • If TPM was cleared or there is a bad image, remove and re-add accounts or re-run the join after fixing the image.
      • On devices with persistent TPM errors, temporarily disable TPM for the join process (Windows 10 1809+ can complete hybrid join without TPM when it detects TPM failure).
    4. Retry OOBE join after cleanup
      • After deleting the device object and confirming the image is clean (no pre-existing join/enrollment), reimage again if necessary.
      • Run OOBE and sign in with the work account to perform a fresh Microsoft Entra join. A new MS-Organization-Access certificate and device identity should be issued during registration.
    5. If the issue persists
      • Collect logs using the Microsoft auth scripts for deeper analysis:
        • Download and extract Auth.zip.
        • From an elevated PowerShell session, run ./start-auth.ps1 -vAuth -accepteula.
        • Reproduce the OOBE/join issue.
        • Run ./stop-auth.ps1 and review or provide the generated Authlogs to Microsoft Support.

    These steps align with guidance to avoid bad Sysprep images containing Entra/MDM artifacts and to handle TPM/keyset-related join failures.


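The two admin-side checks in steps 1 and 2 of the answer above (confirm the reference image carries no join or MDM state, then locate and remove the stale device object in Entra ID) can be scripted. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes the Microsoft Graph PowerShell SDK (the `Microsoft.Graph` module) is installed, that the signed-in admin holds the `Device.ReadWrite.All` permission, and that `DESKTOP-REIMAGED01` is a placeholder for the affected device's name.

```powershell
# Added example (not from the Q&A page). Assumptions: Microsoft.Graph module installed,
# admin account granted Device.ReadWrite.All, 'DESKTOP-REIMAGED01' is a placeholder name.

# --- Step 2: run ON the reference image (or the freshly reimaged device) before capture/join.
# dsregcmd /status must report NO for every join flag; a YES means the image still carries
# a device identity (certificates/IDs) that will conflict with the existing Entra object.
function Test-ImageIsNotJoined {
    $status = dsregcmd /status
    $flags  = [ordered]@{}
    foreach ($key in 'AzureAdJoined', 'EnterpriseJoined', 'DomainJoined', 'WorkplaceJoined') {
        $flags[$key] = 'N/A'
        foreach ($line in $status) {
            if ($line -match "^\s*$key\s*:\s*(\S+)") { $flags[$key] = $Matches[1]; break }
        }
    }
    $anyJoined = @($flags.Values | Where-Object { $_ -eq 'YES' }).Count -gt 0
    [pscustomobject]@{ Clean = (-not $anyJoined); State = $flags }
}

# --- Step 1: from an admin workstation, find every Entra device object with the affected name.
# More than one object can share a display name (e.g. an older registered record plus the
# joined one), so list them and pick the stale one by ObjectId rather than deleting by name.
function Get-EntraDeviceByName {
    param([Parameter(Mandatory)][string]$DeviceName)
    Connect-MgGraph -Scopes 'Device.ReadWrite.All' -NoWelcome
    Get-MgDevice -Filter "displayName eq '$DeviceName'" -All | ForEach-Object {
        [pscustomobject]@{
            ObjectId    = $_.Id                              # Entra object id (used for deletion)
            DeviceId    = $_.DeviceId                        # device id shown by dsregcmd on the client
            DisplayName = $_.DisplayName
            TrustType   = $_.TrustType                       # AzureAd = joined, ServerAd = hybrid, Workplace = registered
            IsCompliant = $_.IsCompliant
            IsManaged   = $_.IsManaged
            LastSignIn  = $_.ApproximateLastSignInDateTime   # should predate the reimage for the stale record
        }
    }
}

# Delete one stale object by its ObjectId. Supports -WhatIf so the deletion can be rehearsed first.
function Remove-StaleEntraDevice {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ObjectId)
    $d = Get-MgDevice -DeviceId $ObjectId
    if ($PSCmdlet.ShouldProcess("$($d.DisplayName) ($ObjectId)", 'Remove Entra device object')) {
        # Service-side removal of the device identity; the next OOBE sign-in registers a fresh one.
        Remove-MgDevice -DeviceId $ObjectId
    }
}

# Usage (placeholder name; the ObjectId comes from the listing, not from guessing):
#   Test-ImageIsNotJoined | Format-List            # on the image/device: expect Clean = True
#   Get-EntraDeviceByName -DeviceName 'DESKTOP-REIMAGED01' | Format-Table
#   Remove-StaleEntraDevice -ObjectId '<ObjectId from the listing>' -WhatIf
#   Remove-StaleEntraDevice -ObjectId '<ObjectId from the listing>'
```

Before deleting, compare `DeviceId` with the value the reimaged machine reports (`dsregcmd /status` on the client) and check `LastSignIn`: the stale record is the one whose last sign-in predates the reimage. If the device is registered in Windows Autopilot, review its Autopilot entry in Intune before touching the Entra object, since that registration is tied to the device identity and is managed from the Intune side.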
