Additional Microsoft Entra services and features related to identity, access, and network security
Use the Microsoft Entra Joined Device Local Administrator role and the PRT behavior to fix this.
- Verify the device state
  - In the Microsoft Entra admin center, go to Entra ID > Devices > All devices and confirm whether the device is Enabled or has been Deleted/Disabled.
  - If it was deleted and recreated, the local device can still show as registered until it is re-joined or re-registered.
- If the device was deleted or disabled in Entra ID
  - Because the local state still shows as registered, re-register or recover the join on the device:
    - Open Command Prompt as administrator on the Windows 11 device.
    - For a Microsoft Entra joined device, run:

      dsregcmd /forcerecovery

      Then select Sign in and complete sign-in, sign out, and sign back in.
    - If the device is Microsoft Entra hybrid joined instead, run:

      dsregcmd.exe /debug /leave

      Then sign out and sign back in with domain credentials to trigger re-registration.
- Ensure the user is actually in scope for local admin
  - In the Microsoft Entra admin center, go to Entra ID > Devices > Device settings.
  - Under Manage Additional local administrators on all Microsoft Entra joined devices, ensure the intended users/groups are added.
  - This setting assigns the Microsoft Entra Joined Device Local Administrator role tenant-wide to those users.
- Force the device to pick up the updated local admin role (PRT refresh)
  - The local admin privilege is delivered via the Primary Refresh Token (PRT), not by directly listing the user in the local Administrators group.
  - On the affected device, sign in as the user, then:
    - Open Command Prompt as that user and run:

      dsregcmd /status

      Confirm a PRT is present in the SSO State section.
    - Schedule a PRT refresh:

      dsregcmd /refreshprt

      Wait 1–2 minutes.
    - Sign out of Windows completely, then sign back in (do not just lock/unlock).
    - Verify local admin by running:

      whoami /groups

      Confirm that BUILTIN\Administrators appears in the group list.
  - Alternatively, wait up to 4 hours for automatic PRT renewal, then have the user sign out and back in.
- If the device is still problematic
  - Unjoin and rejoin:
    - Ensure there is an offline local admin account.
    - Go to Settings > Accounts > Access work or school, select the Entra account, choose Disconnect, and follow prompts.
    - Reboot, then join the device again to Entra ID and sign in with the user who should be local admin.
These steps ensure the device object and join state in Entra ID match the local state, and that the user receives the Microsoft Entra Joined Device Local Administrator role via a fresh PRT.
References:
- How to manage the local administrators group on Microsoft Entra joined devices
- No local administrator group privileges on Microsoft Entra joined device
- Microsoft Entra device management FAQ
- Error AADSTS700003 - Device object was not found in the tenant '<TenantName>' directory
- Troubleshooting Windows devices in Microsoft Entra ID
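The following PowerShell script is an added example, not code from the answer above or from Microsoft: it automates the device-state and PRT checks the answer walks through (parse dsregcmd /status, classify the join type, confirm a PRT, then confirm BUILTIN\Administrators in the user's token). The dsregcmd field names it reads (AzureAdJoined, DomainJoined, WorkplaceJoined, AzureAdPrt) are assumed from typical Windows 10/11 output, and the embedded status text is a constructed sample so the parsing part runs offline.

```powershell
# Added example (not part of the original answer). Assumes the dsregcmd
# "<Key> : <Value>" layout and field names AzureAdJoined, DomainJoined,
# WorkplaceJoined and AzureAdPrt as printed on Windows 10/11.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Boxed section headers ("| SSO State |", "+----+") carry no colon and are
    # skipped; every "Key : Value" line becomes a hashtable entry.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1].Trim()] = $Matches[2]
        }
    }
    return $state
}

function Get-JoinType {
    param([hashtable]$State)
    $aad    = $State['AzureAdJoined']   -eq 'YES'
    $domain = $State['DomainJoined']    -eq 'YES'
    $wpj    = $State['WorkplaceJoined'] -eq 'YES'
    if ($aad -and $domain) { return 'HybridJoined' }   # Entra hybrid joined
    if ($aad)              { return 'EntraJoined' }    # Entra joined
    if ($wpj)              { return 'Registered' }     # Entra registered only
    return 'None'
}

function Invoke-JoinCheck {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = ConvertFrom-DsregStatus -Lines $Lines
    $join  = Get-JoinType -State $state
    $prt   = $state['AzureAdPrt'] -eq 'YES'
    if ($join -eq 'None') {
        $next = 'Not joined: rejoin via Settings > Accounts > Access work or school'
    } elseif (-not $prt -and $join -eq 'EntraJoined') {
        $next = 'No PRT: run "dsregcmd /refreshprt", wait 1-2 minutes, sign out and back in'
    } elseif (-not $prt -and $join -eq 'HybridJoined') {
        $next = 'No PRT: sign out and back in with domain credentials'
    } else {
        $next = 'PRT present: verify with "whoami /groups"'
    }
    [pscustomobject]@{ JoinType = $join; PrtPresent = $prt; NextStep = $next }
}

function Get-AdminMembership {
    # Same evidence as "whoami /groups", read as CSV so the attributes are
    # visible. In a non-elevated prompt UAC filters the token, so the entry
    # shows "Group used for deny only": the role arrived, but you must elevate
    # to use it. Only an elevated prompt shows it as an enabled group.
    $rows  = whoami /groups /fo csv | ConvertFrom-Csv
    $admin = $rows | Where-Object { $_.'Group Name' -eq 'BUILTIN\Administrators' }
    if (-not $admin) { return 'Not a member of BUILTIN\Administrators' }
    if ($admin.Attributes -match 'deny only') { return 'Member (token filtered by UAC; run elevated)' }
    return 'Member (elevated token)'
}

# Constructed sample: an abridged dsregcmd /status for an Entra joined device
# whose PRT has not been issued yet (the situation the answer troubleshoots).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : NO
'@ -split "`r?`n"

# Offline run against the sample; on the affected device use the live output:
#   Invoke-JoinCheck -Lines (dsregcmd /status)
Invoke-JoinCheck -Lines $sample | Format-List
if ($env:OS -eq 'Windows_NT') { Get-AdminMembership }
```

Run it in the affected user's own session (not an elevated admin's), since the PRT and the role SID live in that user's token; after the sign-out/sign-in the answer calls for, Get-AdminMembership should flip from "Not a member" to one of the "Member" results.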