We are beginning to sync our devices to AAD in preparation for intune co-management. On a percentage of devices, we get them getting stuck in a 'pending state'. As per https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/pending-devices it would seem these have been synced previously, and then removed (this makes sense as apparently this was performed in our environment a few years back accidentally, where a OU was selected by accident). Is it possible to predict which of our devices will enter this state? I understand the devices are effectively hidden in AAD until they get re-synced. Can we see these dormant devices somehow? We have experience an issue when the device gets synced that our users lose their Windows hello settings and need to re-enroll. Additionally SSO breaks and they need to re-login - is this an expected behaviour? Many thanks

Hi Alfred, AFAIK, this is a expected behaviour and did you tried the command mentioned in the article to export the existing devices that are in AAD? Also I will suggest to refer to this article and use the troubleshooting steps to export the existing device state, so you can extract the pending and registered devices for analysis. howto-hybrid-join-verify Hope this helps. Regards, Jimmy

Hybrid AD Join Pending

Alfred 1

We are beginning to sync our devices to AAD in preparation for intune co-management. On a percentage of devices, we get them getting stuck in a 'pending state'. As per https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/pending-devices it would seem these have been synced previously, and then removed (this makes sense as apparently this was performed in our environment a few years back accidentally, where a OU was selected by accident).

Is it possible to predict which of our devices will enter this state? I understand the devices are effectively hidden in AAD until they get re-synced. Can we see these dormant devices somehow?
We have experience an issue when the device gets synced that our users lose their Windows hello settings and need to re-enroll. Additionally SSO breaks and they need to re-login - is this an expected behaviour?

Many thanks

Shweta Mathur 28,196 Reputation points Microsoft Employee

2022-07-14T14:09:22.647+00:00

Hi @Alfred ,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,
Shweta

1 answer

JimmySalian-2011 41,936 Reputation points

2022-07-06T20:32:54.713+00:00

Hi Alfred,

AFAIK, this is a expected behaviour and did you tried the command mentioned in the article to export the existing devices that are in AAD?

Also I will suggest to refer to this article and use the troubleshooting steps to export the existing device state, so you can extract the pending and registered devices for analysis.

howto-hybrid-join-verify

Hope this helps.

Regards,
Jimmy
Please sign in to rate this answer.
Alfred 1 Reputation point

2022-07-06T20:54:38.75+00:00

Pending devices only occur after the sync so we cannot do this ahead of time unfortunately. I am trying to predict the devices we are going to have these issues with. We are not at the point where we are comfortable syncing entire OU's until we understand this behavior (particularly around getting knocked out of o365 and windows helllo etc)

JimmySalian-2011 41,936 Reputation points

2022-07-06T21:20:42.893+00:00

So you are looking for stale devices in AAD and it seems there will be some work required on the end user devices so please check the FAQs here and there is a tool to remove the configuration from the devices.

Stale Devices info - manage-stale-devices
FAQs - faq

Alfred 1 Reputation point

2022-07-06T21:23:50.047+00:00

They are not stale devices - they are not listed, but clearly there is some state that remains even after they are deleted in AAD. As per the article:

The device object is moved to another organizational unit (OU) that isn't in the sync scope in Azure AD Connect Sync.

Azure AD Connect Sync recognizes this change as the device object being deleted in the on-premises Active Directory. Therefore, it deletes the device in Azure AD.

The device object was moved back to the OU in the sync scope.

Azure AD Connect Sync creates a pending device object for this device in Azure AD.

The device fails to complete the device registration process because it was registered previously.

This must mean that even though the device is deleted, something is left - otherwise why would it enter the pending state when others don't?

JimmySalian-2011 41,936 Reputation points

2022-07-06T21:34:31.907+00:00

Yes, hence my suggestion was to carry out the analysis on the End user devices. Either you can check via the dsreg command or use the custom script.

Functions%5CInvoke-AnalyzeHybridJoinStatus.ps1

Disclaimer this is external link and script is not tested on my lab so please test on your lab environment.
Sign in to comment

Share via

Hybrid AD Join Pending

1 answer