Azure - Duplicate device won't register in Intune - Want Hybrid only

BCK@HACH 1 Reputation point
2020-01-23T03:00:53.423+00:00

We have some rogue Windows 10 devices registering as both AAD joined and Hybrid Registered.
Those that are Hybrid only are in Intune and mostly compliant.

These duplicate devices won't appear in Intune Endpoint management.
The OS is 1803 or later.

They receive a GPO with these two settings:
- Register domain joined computers as devices - Enabled
- Enable automatic MDM enrollment using default Azure AD credentials - Enabled

They have two scheduled tasks:
- MDMMaintenenceTask - No errors
- Schedule created by enrollment client for automatically enrolling in MDM from AAD - error "0x803e0114"

Not sure what to do to re-register the devices so they appear in Intune.


1 answer

  1. Neelesh Ray 76 Reputation points
    2020-01-27T10:11:24.33+00:00

    @BCK@HACH

    First, I would suggest you check the join status of the said devices.

    1. Open a command prompt as an administrator
    2. Then type dsregcmd /status

    In the result, check the values for DomainJoined and AzureAdJoined.

    If DomainJoined field is YES, it indicates the device is joined to an on-premises Active Directory.

    Now, to remove the devices completely (then have them rejoin): disable or delete the Windows 10 devices in your on-premises AD, and let Azure AD Connect synchronize the changed device status to Azure AD.
    NOTE: Deleting devices in your on-premises AD or Azure AD does not remove the registration on the client. It only prevents access to resources using the device as an identity.

    Now, to remove the registration from the client completely, make sure to turn off automatic registration first, so that the scheduled task doesn't register the device again. Next, open a command prompt as an administrator and enter dsregcmd.exe /debug /leave

    Now, reboot the device. Make sure that the entries have been removed from your On-Premises and Azure AD.
    After that run through the hybrid registration steps again.

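As an added example (not code from the question or the answer above), this read-only PowerShell check gathers the three things the answer says to verify before running dsregcmd /leave: the DomainJoined/AzureAdJoined fields from dsregcmd /status, whether the "Register domain joined computers as devices" policy is still enabled, and the last result of the AAD MDM enrollment task. The registry value autoWorkplaceJoin and the task path \Microsoft\Windows\EnterpriseMgmt\ are assumptions about where Windows stores these settings; verify them on your build.

```powershell
# Added diagnostic for this thread; not code from the question or answer.
# Read-only: reports the join state and settings the answer asks you to check.
# ASSUMED (verify on your build): policy value autoWorkplaceJoin under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, and the task path
# \Microsoft\Windows\EnterpriseMgmt\ for the AAD MDM enrollment task.
function Get-DsregField {
    param([string[]]$Output, [string]$Name)
    # dsregcmd prints lines like "    AzureAdJoined : YES"
    foreach ($line in $Output) {
        if ($line -match "^\s*$Name\s*:\s*(\S+)") { return $Matches[1] }
    }
    return 'UNKNOWN'
}

$status  = & dsregcmd.exe /status
$domain  = Get-DsregField $status 'DomainJoined'
$azureAd = Get-DsregField $status 'AzureAdJoined'

# DomainJoined YES + AzureAdJoined YES is the hybrid state the thread wants.
$joinState = switch ("$domain/$azureAd") {
    'YES/YES' { 'Hybrid Azure AD joined' }
    'NO/YES'  { 'Azure AD joined only (no on-prem domain)' }
    'YES/NO'  { 'Domain joined, not registered in Azure AD' }
    default   { "Unexpected or unparsed state ($domain/$azureAd)" }
}

# GPO "Register domain joined computers as devices" must read Disabled before
# dsregcmd /leave, otherwise the scheduled task re-registers the device.
$wpj = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin' `
    -Name autoWorkplaceJoin -ErrorAction SilentlyContinue
$autoReg = 'Not configured'
if ($null -ne $wpj) { $autoReg = if ($wpj.autoWorkplaceJoin -eq 1) { 'Enabled' } else { 'Disabled' } }

# Last result of the AAD MDM enrollment task (the one reporting 0x803e0114 above).
$taskName = 'Schedule created by enrollment client for automatically enrolling in MDM from AAD'
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -TaskName $taskName `
    -ErrorAction SilentlyContinue
$lastResult = 'Task not found'
if ($task) { $lastResult = '0x{0:X8}' -f ($task | Get-ScheduledTaskInfo).LastTaskResult }

[PSCustomObject]@{
    DomainJoined        = $domain
    AzureAdJoined       = $azureAd
    JoinState           = $joinState
    AutoRegistrationGPO = $autoReg
    MdmEnrollTaskResult = $lastResult
}
```

Run it in an elevated PowerShell session on the affected device; AutoRegistrationGPO should show Disabled before you proceed with the dsregcmd /leave step from the answer.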