Issue with Hybrid Azure AD Joined devices that switch/unjoin from Hybrid Azure AD Joined to Unjoined at logon when the device is on a non-enterprise network (from home without VPN)

Florian ARGUAIROLLES 26 Reputation points
2022-03-24T15:05:19.42+00:00

Hello,

We came across a strange behaviour a few weeks ago with Hybrid Azure AD Joined devices that are connecting from a non-enterprise network (from home without VPN).

For no visible reason, we have some computers that lose Hybrid Azure AD Joined status.

When we check the event viewer, we can see that the computer triggers a "device unjoin" just after logon, but we do not know why or how.
Then the device takes the status Azure AD Registered.

Logs from User Device Registration - Event 102

18/08/2021 : JoinRequest : 7 (DEVICE_AUTO) --> Computer became Hybrid Azure AD Joined when we gave the computer to the user

The user opens his session from the home network without the VPN:
23/03/2022 8 AM: JoinRequest : 8 (DEVICE_UNJOIN) --> I can't figure out why this happened; it causes the computer to lose Hybrid Azure AD Joined status
23/03/2022 10 AM: JoinRequest : 5 (WORKPLACE) --> Computer takes Azure AD Registered status

24/03/2022 : JoinRequest : 10 (DEVICE_AUTO_FED) --> We corrected the hybrid status of the computer (dsregcmd /leave / Disconnect account / ...)

Do you have any idea / info about a device that unjoins from Hybrid Azure AD on a non-enterprise network?

Thanks in advance


2 answers

Sort by: Most helpful
  1. Florian ARGUAIROLLES 26 Reputation points
    2022-03-30T07:43:01.963+00:00

    Hello,

    Thanks for your answer, it helped me to better understand these event logs.

    We advanced in our troubleshooting (thanks to Azure Microsoft support too): the issue seems to come from Microsoft Intune & MDM enrolment.

    Let me explain:

    • A few months ago some actions were made with SCCM/MECM to configure co-management and all our devices were enrolled in Intune. It was not really expected and a rollback was made on the SCCM/Intune appliance BUT not on the devices.
    • As a result, while troubleshooting the issue, we discovered this week that most of our devices are still MDM enrolled locally (we do not see any devices on the MDM Intune appliance).
    • We also discovered in the event log "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin" this event that seems to explain why the device loses the Azure Hybrid state: [screenshot: 188302-image.png]
    • On local devices, we find registry keys, scheduled tasks and certificates that confirm that our devices are still MDM enrolled ...

    So for now we know why our devices lose hybrid state: they lose it when the MDM enrolment is deleted.

    What we do not know is:

    • What triggers this MDM enrolment event on the device, as we do not manage MDM? Is it a token timeout or something else?
    • Is there a good practice to correct all our devices? Delete the MDM enrolment policy without losing the hybrid state?

  2. Marilee Turscak-MSFT 36,411 Reputation points Microsoft Employee
    2022-03-29T22:36:22.923+00:00

    Hi @Florian ARGUAIROLLES ,

    I understand that you are having an issue with a device that is unjoining and losing its hybrid Azure AD joined status after a user opens his session from home without a VPN.

    The machine needs connectivity to a domain controller to finalize the Hybrid Azure AD Join process. This can be either through the internal network or via VPN.

    If the machine was not registered properly or had not completed the hybrid join, you can run into this issue. If this is the case, you may need to un-register the device, re-register it, remove the SSL certs on the PC, and reinitiate them to fix the problem. This will need to be done while the device is on the internal network or connected via VPN.

    There are additional troubleshooting steps in this guide, which goes over potential hybrid join issues and how to fix them. From the guide:

    Sometimes, a machine can be in an inconsistent registration state in Azure Active Directory. This can happen because:

    The machine was shut down for a long time, and the Azure AD device registration certificate has expired (located in Local Machine / Certificates / Personal)
    Someone manually deleted the device registration certificate
    Someone manually deleted the device object in the Azure AD portal
    The machine is registered in another Azure AD tenant

    Another possibility is that there might be a policy in place that is blocking the user, especially if the user may have attempted a password change. You always need a VPN with Hybrid Join if the user changed the password on the corporate network and then went home.

    The FAQ discusses this scenario here:

    What happens if a user changes their password and tries to sign in to their Windows 10/11 hybrid Azure AD joined device outside the corporate network?

    When a device does not have line of sight to the domain controller, it is unable to validate the new password. So, the user needs to establish a connection with the domain controller (either via VPN or by being on the corporate network) before they're able to sign in to the device with their new password. Otherwise, they can only sign in with their old password because of the cached sign-in capability in Windows. However, the old password is invalidated by Azure AD during token requests and hence prevents single sign-on and fails any device-based Conditional Access policies until the user authenticates with their new password in an app or browser.

    Note also that Event ID 102 will be logged when the auto enrollment task is complete, regardless of whether or not the auto enrollment succeeds.

    Let me know if these steps are helpful to you and if you still run into this issue.

    Additional troubleshooting steps:
    Troubleshoot Hybrid Join
    Manually re-register a Windows 10 or Windows Server machine in Hybrid Azure AD Join
    Troubleshooting Windows 10 Group Policy-based auto-enrollment in Intune


    If this answer helped you resolve the issue, please consider marking as answer so that others in the community with similar problems can more easily find a solution.

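The two answers above point at two places to look on an affected device: the JoinRequest history in Event ID 102 (User Device Registration log) and any stale local MDM enrolment left behind by the SCCM co-management rollback. The read-only triage script below is an added example, not code from the thread or from Microsoft; the JoinRequest codes are the ones listed in the question, and the registry path `HKLM:\SOFTWARE\Microsoft\Enrollments`, the scheduled-task folder `\Microsoft\Windows\EnterpriseMgmt\<id>` and the `dsregcmd /status` field names are assumed to be the standard Windows locations.

```powershell
# Added example: triage a Hybrid Azure AD Joined device that unjoined after logon.
# Read-only; run in an elevated PowerShell on the affected device.

# JoinRequest codes as they appear in Event 102 in this thread
$joinTypes = @{ 5 = 'WORKPLACE'; 7 = 'DEVICE_AUTO'; 8 = 'DEVICE_UNJOIN'; 10 = 'DEVICE_AUTO_FED' }

function Get-JoinRequestHistory {
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-User Device Registration/Admin'
        Id        = 102
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # The event text carries "JoinRequest : <n>"; map n to its name
        if ($_.Message -match 'JoinRequest\s*:\s*(\d+)') {
            $code = [int]$Matches[1]
            [pscustomobject]@{
                Time = $_.TimeCreated
                Code = $code
                Type = if ($joinTypes.ContainsKey($code)) { $joinTypes[$code] } else { 'OTHER' }
            }
        }
    }
}

function Get-LocalMdmEnrollments {
    # Assumption: each MDM enrolment leaves a GUID-named key under Enrollments
    # and a matching scheduled-task folder under EnterpriseMgmt.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^[0-9A-Fa-f-]{36}$' } |
        ForEach-Object {
            $id = $_.PSChildName
            [pscustomobject]@{
                EnrollmentId = $id
                ProviderId   = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ProviderID
                TaskCount    = @(Get-ScheduledTask -TaskPath "\Microsoft\Windows\EnterpriseMgmt\$id\" -ErrorAction SilentlyContinue).Count
            }
        }
}

$history = Get-JoinRequestHistory
$history | Format-Table -AutoSize
if ($history | Where-Object Code -eq 8) {
    Write-Warning 'DEVICE_UNJOIN seen in the last 30 days; review the local MDM enrolments below.'
}
Get-LocalMdmEnrollments | Format-Table -AutoSize

Write-Host 'Current join state (from dsregcmd /status):'
dsregcmd /status | Select-String 'AzureAdJoined|DomainJoined|WorkplaceJoined|MdmUrl'
```

A device that shows a DEVICE_UNJOIN followed by WORKPLACE, plus an Enrollments entry with surviving EnterpriseMgmt tasks, matches the pattern described in the first answer; correlate the unjoin timestamp with the DeviceManagement-Enterprise-Diagnostics-Provider/Admin log before removing anything.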