Duplicate Items Devices Azure AD Best Practice

jpcapone 1,691 Reputation points
2022-09-04T02:51:13.4+00:00

I am getting a lot of conflicting information when it comes to dealing with duplicate devices in Azure AD. I can understand how easily a device can be duplicated depending upon the join type. My question is: should this be remediated, or do we leave it be? Take note of the screenshot below. I would assume that the Azure AD registered device can be removed, but it is being managed by Intune while the other device is not. This device is also Active Directory domain joined, which again would lead me to believe that the Hybrid Azure AD joined device should remain, but as you can see it isn't managed by Intune. Please advise.
237515-image.png

Microsoft Entra ID

  1. John Braakhuis 21 Reputation points
    2023-03-29T00:53:10.4+00:00

    I have spent hours diagnosing and fixing these issues in a 60-seat environment. There is a lot of missing information in the Microsoft guides around this. The Hybrid Join configuration appears to be quite buggy and prone to all kinds of potential mishaps. In my case the dual state was preventing the Intune Update process from reporting properly on the devices. Devices that have a state of Hybrid Join and MDM - Microsoft Intune against the same device worked OK. Devices that had duplicate entries with Azure AD Registered - MDM Microsoft Intune and another entry Hybrid Join - MDM - blank do not report correctly in Intune.

    In my case the issue was the settings for Azure AD Connect (I needed to turn on Password Hash Sync) and the fact that I had a local domain on server xxx.local, not a routable domain. The overall steps were as follows:

    1. Rerun Azure AD Connect with Password Hash Sync.

    https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-hybrid-azure-ad-join

    2. Turn on Group Policy for Automatic Enrollment.

    https://learn.microsoft.com/en-us/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy

    3. Prepare a non-routable domain for directory synchronisation.

    https://learn.microsoft.com/en-us/microsoft-365/enterprise/prepare-a-non-routable-domain-for-directory-synchronization?view=o365-worldwide#what-if-i-only-have-a-local-on-premises-domain

    Using Step 2: Change the UPN suffix for existing users.

    4. Delete the device from Azure Active Directory and on the device run dsregcmd /debug /leave, then reboot the device.

    https://learn.microsoft.com/en-us/azure/active-directory/devices/faq

    Section "I disabled or deleted my device in the Azure portal or by using Windows PowerShell. But the local state on the device says it's still registered. What should I do?"

    5. On the device, connect to your workplace.

    Settings – Accounts – Work or School – Connect. I performed this step even though the automatic enrolment should perform this step. Perhaps Microsoft can give some guidance as to whether this step is required.

    It showed up as Hybrid Joined. Logged on to the machine, Accounts – Work or School – signed in – allow your organisation to manage the device – yes; it came good.

    It should look like this

    User's image

    After this process it may look like this

    Picture2

    The Windows process on the PC will clean this up and convert it to one device entry. Starting from Windows 10 1803 (with KB4489894 applied), the dual state is removed automatically from the device itself.

    It is also possible that an entry Azure AD registered with MDM State Microsoft Intune will also show up. This state should also be rectified automatically on devices running Windows 10 1803 and above.

    6. Checks

    Use the dsregcmd /status command to check the status on the machine.

    https://learn.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current

    Sometimes it is necessary to wait until the automatic enrolment process kicks in, and this may require rebooting a few times.

    7. Errors

    Even when following these steps the success rate was about 50% first go. Sometimes it was necessary to cycle through the steps of deleting the device in Azure AD, running the dsregcmd /debug /leave command and rebooting a few times. Sometimes the status on the machine using dsregcmd /status showed all OK and successful, but the information in Azure AD devices sometimes contradicted the machine state even after leaving some time for the Azure portal to update. It is also taking some days for the correct status of the device in Azure AD to show a successful outcome in the Intune Update reporting.

    You will also quite often get this error in dsregcmd /status:

    Previous Registration : 2023-03-25 22:30:45.000 UTC
             Registration Type : sync
                   Error Phase : join
              Client ErrorCode : 0x801c03f3
              Server ErrorCode : invalid_request
           Server ErrorSubCode : error_missing_device
              Server Operation : DeviceRenew
                Server Message : The device object by the given id (795092fd-66a7-4bb8-82c6-c45edcs4565ds3456) is not found.
                  Https Status : 400
                    Request Id : 1f017a77-962e-4cd2-b731-33c1443ba588
        Executing Account Name : DNB\Steve, steve@dnbfakeemail.com.

    This usually fixed itself after a reboot or two.

    4 people found this answer helpful.
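    As an added example for the step 6 check (not part of the answer above), this PowerShell parses the key/value lines of dsregcmd /status into a table and classifies the join state, flagging the dual state (DomainJoined and AzureAdJoined both YES while the signed-in user is also WorkplaceJoined) that this thread is about. The sample output is constructed to mirror the dsregcmd layout; the key names AzureAdJoined, DomainJoined and WorkplaceJoined are the ones dsregcmd prints.

```powershell
# Parse "Key : Value" lines from dsregcmd /status into a hashtable.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints e.g. "     AzureAdJoined : YES"; the first ':' separates key and value
        if ($line -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

# Classify the join state; 'DualState' is the case discussed in this thread.
function Get-JoinState {
    param([hashtable]$State)
    $domain    = $State['DomainJoined']    -eq 'YES'
    $aad       = $State['AzureAdJoined']   -eq 'YES'
    $workplace = $State['WorkplaceJoined'] -eq 'YES'
    if ($domain -and $aad -and $workplace) { return 'DualState' }      # hybrid joined + still Azure AD registered
    if ($domain -and $aad)                 { return 'HybridJoined' }
    if ($aad)                              { return 'AzureAdJoined' }
    if ($workplace)                        { return 'AzureAdRegistered' }
    if ($domain)                           { return 'DomainJoinedOnly' }
    return 'NotJoined'
}

# Constructed sample in the layout dsregcmd /status uses. On a real device run:
#   $status = ConvertFrom-DsregStatus (dsregcmd /status)
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : DNB
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : YES
'@ -split "`r?`n"

$status = ConvertFrom-DsregStatus $sample
Get-JoinState $status   # DualState for this sample; 'HybridJoined' once Windows has cleaned up the registration
```

    Run it after each reboot in the cycle the answer describes; the state flips from DualState to HybridJoined once the automatic clean-up has completed.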

  2. Akshay-MSFT 17,901 Reputation points Microsoft Employee
    2022-11-07T06:02:05.677+00:00

    Hello @Johnwilliam-4177,

    This is the dual state of the device. Ref: https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan#handling-devices-with-azure-ad-registered-state

    1. If your Windows 10 or newer domain joined devices are Azure AD registered to your tenant, it could lead to a dual state of hybrid Azure AD joined and Azure AD registered device. Any existing Azure AD registered state for a user would be automatically removed after the device is hybrid Azure AD joined and the same user logs in.
    2. For example, if User A had an Azure AD registered state on the device, the dual state for User A is cleaned up only when User A logs in to the device. If there are multiple users on the same device, the dual state is cleaned up individually when those users log in. After removing the Azure AD registered state, Windows 10 will unenroll the device from Intune or other MDM, if the enrollment happened as part of the Azure AD registration via auto-enrollment.
    3. Even though Windows 10 and Windows 11 automatically remove the Azure AD registered state locally, the device object in Azure AD is not immediately deleted if it is managed by Intune. You can validate the removal of Azure AD registered state by running dsregcmd /status and consider the device not to be Azure AD registered based on that.

    Thanks,
    Akshay Kaushik

    Please "Accept the answer" and "Upvote" if the suggestion works as per your business need. This will help us and others in the community as well.

    2 people found this answer helpful.
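    As an added example (not from the answer above or from Microsoft), this PowerShell reports the tenant-side picture of the dual state described in point 3: device objects that share a display name where one entry is hybrid joined and another is Azure AD registered, and which of the two Intune manages. It assumes the Graph device trustType values ServerAd (hybrid joined) and Workplace (Azure AD registered), the Get-MgDevice cmdlet from the Microsoft.Graph module, and a constructed sample that mirrors the question's screenshot.

```powershell
# Group device objects by name and report dual-state pairs: a hybrid-joined entry
# (TrustType ServerAd) alongside an Azure AD registered entry (TrustType Workplace).
function Find-DualStateDevices {
    param([object[]]$Devices)   # objects with DisplayName, TrustType, IsManaged, DeviceId, ApproximateLastSignInDateTime
    $Devices | Group-Object DisplayName | ForEach-Object {
        $hybrid     = @($_.Group | Where-Object TrustType -eq 'ServerAd')
        $registered = @($_.Group | Where-Object TrustType -eq 'Workplace')
        if ($hybrid.Count -gt 0 -and $registered.Count -gt 0) {
            [pscustomobject]@{
                DisplayName        = $_.Name
                HybridDeviceId     = $hybrid[0].DeviceId
                HybridManaged      = [bool]$hybrid[0].IsManaged       # blank MDM in the portal => $false
                RegisteredDeviceId = $registered[0].DeviceId
                RegisteredManaged  = [bool]$registered[0].IsManaged   # the Intune-managed entry in the question
                RegisteredLastSeen = $registered[0].ApproximateLastSignInDateTime
            }
        }
    }
}

# Constructed sample mirroring the question: the registered entry is the Intune-managed one,
# the hybrid-joined entry is not; LAPTOP-02 is healthy and must not be reported.
$sample = @(
    [pscustomobject]@{ DisplayName='LAPTOP-01'; TrustType='ServerAd';  IsManaged=$false; DeviceId='00000000-0000-0000-0000-000000000001'; ApproximateLastSignInDateTime=(Get-Date) }
    [pscustomobject]@{ DisplayName='LAPTOP-01'; TrustType='Workplace'; IsManaged=$true;  DeviceId='00000000-0000-0000-0000-000000000002'; ApproximateLastSignInDateTime=(Get-Date) }
    [pscustomobject]@{ DisplayName='LAPTOP-02'; TrustType='ServerAd';  IsManaged=$true;  DeviceId='00000000-0000-0000-0000-000000000003'; ApproximateLastSignInDateTime=(Get-Date) }
)
Find-DualStateDevices $sample | Format-Table

# Against the tenant (assumed Microsoft.Graph cmdlets; read-only, needs Device.Read.All):
#   Connect-MgGraph -Scopes Device.Read.All
#   Find-DualStateDevices (Get-MgDevice -All -Property DisplayName,TrustType,IsManaged,DeviceId,ApproximateLastSignInDateTime)
```

    The report is read-only; use it to see which entries are still pending the automatic clean-up the answer describes before deciding anything per device.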

  3. Ian Duff 10 Reputation points
    2024-01-09T14:15:25.3566667+00:00

    After spending hours on this same problem, here is a 'workaround' that worked for us.

    Similarly we have around 60 laptops that are automatically hybrid joined to AAD (aka EntraID/why?).
    When they are joined to the on-prem AD, the task scheduler job runs correctly and creates a device entry in AAD labelled 'Microsoft Entra hybrid joined'.

    Now to set up Intune you need to log in with an Intune-licensed user, in order for it to complete provisioning the machines.

    DO NOT connect the account YET using the wizard in Settings > Accounts > Work or school

    User's image

    If you connect now it will create a second 'dual state' device in your AAD. This device is the one registered to Intune, but it doesn't inherit any of your AD / AAD groups or properties, meaning that neither of the AAD devices will provision correctly as they both have half of the information they need.

    The trick we found is that once your device is domain joined and has also joined AAD (run dsregcmd /status from a cmd prompt to check), you then log the machine in to its AAD account first.
    You can either just do this from the start menu (there will also likely be an error notification telling you there is a problem with your work or school account in notifications) or from this button:

    Settings > accounts > email and accounts > Add a workplace or school account
    User's image

    Once you have logged in here and given it a minute to sync you can now go back to Settings > Accounts > Work or school > Add a work or school account.

    Now when you add this it will provision a device in Intune and correctly add Intune as the MDM provider into your single AAD device entry.

    It looks like there is a bug / undocumented feature in the work or school wizard that creates a duplicate device if you aren't logged in to AAD already and have hybrid joined....

    Hope that helps someone and saves you the very late nights it took me to figure it out.

    2 people found this answer helpful.

  4. Cristian SPIRIDON 4,481 Reputation points
    2022-09-04T05:26:37.79+00:00

    Hi,

    According to documentation the AD Join device should be automatically removed by Azure AD.
    If that is not happening you can add a reg key to prevent that in the future:

    https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan

    See BlockAADWorkplaceJoin reg key

    Hope this helps!


  5. jpcapone 1,691 Reputation points
    2022-09-04T21:50:31.127+00:00

    Thanks for the reply. I understand what you are saying, but I am more concerned about dealing with the issue as it is. The cat is out of the bag and I have quite a few devices in this state. I would assume that deleting the Azure AD registered device would be the correct course of action; however, it is being managed by Intune. I would appreciate someone giving me a little input on this.
