Duplicate Items Devices Azure AD Best Practice

jpcapone 1,301 Reputation points
2022-09-04T02:51:13.4+00:00

I am getting a lot of conflicting information when it comes to dealing with duplicate devices in Azure AD. I can understand how easily a device can be duplicated depending upon the join type. My question is: should this be remediated, or do we leave it be? Take note of the screenshot below. I would assume that the Azure AD registered device can be removed, but it is being managed by Intune while the other device is not. This device is also Active Directory domain joined, which again would lead me to believe that the Hybrid Azure AD joined device should remain, but as you can see it isn't managed by Intune. Please advise.
[Screenshot: 237515-image.png]


7 answers

  1. John Braakhuis 21 Reputation points
    2023-03-29T00:53:10.4+00:00

    I have spent hours diagnosing and fixing these issues in a 60 seat environment. There is a lot of missing information in the Microsoft guides around this. The Hybrid Join configuration appears to be quite buggy and prone to all kinds of potential mishaps. In my case the dual state was preventing the Intune Update process from reporting properly on the devices. Devices that have a state of Hybrid Join and MDM - Microsoft Intune against the same device worked OK. Devices that had duplicate entries with Azure AD Registered - MDM Microsoft Intune and another entry Hybrid Join - MDM - blank do not report correctly in Intune.

    In my case the issue was the settings for Azure AD Connect (I needed to turn on Password Hash Sync) and the fact that I had a local domain on the server, xxx.local, not a routable domain. The overall steps were as follows:

    1.       Rerun Azure AD Connect with Password Hash Sync.

    https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-hybrid-azure-ad-join

     

    2.       Turn on Group Policy for Automatic Enrollment

    https://learn.microsoft.com/en-us/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy

     

    3.       Prepare a non routable Domain for Directory Synchronisation

    https://learn.microsoft.com/en-us/microsoft-365/enterprise/prepare-a-non-routable-domain-for-directory-synchronization?view=o365-worldwide#what-if-i-only-have-a-local-on-premises-domain

    Using step 2: Change the UPN suffix for existing users

     

    4.       Delete the device from Azure Active Directory and on the device run dsregcmd /debug /leave, then reboot the device.

    https://learn.microsoft.com/en-us/azure/active-directory/devices/faq

    Section "I disabled or deleted my device in the Azure portal or by using Windows PowerShell. But the local state on the device says it's still registered. What should I do?"

     

    5.       On the device, connect to your workplace

    Settings – Accounts – Work or School – Connect. I performed this step even though the automatic enrolment should perform this step. Perhaps Microsoft can give some guidance as to whether this step is required.

    It showed up as Hybrid Joined. Logged on to the machine: Accounts – Work or School – signed in – allow your organisation to manage the device – yes. It came good.

    It should look like this

    [Screenshot: device state as it should look]

    After this process it may look like this

    [Screenshot: device state after the process]

    The Windows process on the PC will clean this up and convert it to one device entry. Starting from Windows 10 1803 (with KB4489894 applied), the dual state is removed automatically from the device itself.

    It is also possible that an entry Azure AD registered with MDM State Microsoft Intune will also show up. This state should also be rectified automatically on devices Windows 10 1803 and above.

     

    6.       Checks

    Use the dsregcmd /status command to check the status on the machine.

     

    https://learn.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current

     

    Sometimes it is necessary to wait till the automatic enrolment process kicks in and this may require rebooting a few times.

     

    7.       Errors

    Even when following these steps the success rate was about 50% on the first go. Sometimes it was necessary to cycle through the steps of deleting the device in Azure AD, running the dsregcmd /debug /leave command and rebooting a few times. Sometimes the status on the machine using dsregcmd /status showed all OK and successful, but the information in Azure AD devices sometimes contradicted the machine state even after leaving some time for the Azure portal to update. It is also taking some days for the correct status of the device in Azure AD to show a successful outcome in the Intune Update reporting.

    You will also quite often get this error in dsregcmd /status:

    Previous Registration : 2023-03-25 22:30:45.000 UTC
             Registration Type : sync
                   Error Phase : join
              Client ErrorCode : 0x801c03f3
              Server ErrorCode : invalid_request
           Server ErrorSubCode : error_missing_device
              Server Operation : DeviceRenew
                Server Message : The device object by the given id (795092fd-66a7-4bb8-82c6-c45edcs4565ds3456) is not found.
                  Https Status : 400
                    Request Id : 1f017a77-962e-4cd2-b731-33c1443ba588
        Executing Account Name : DNB\Steve, steve@dnbfakeemail.com.
    
    

    This usually fixed itself after a reboot or two.

    4 people found this answer helpful.
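The triage the question and the answer above call for (which object is Hybrid joined, which is registered, and which one Intune actually manages) can be done for the whole tenant before deleting anything. The following is an added example written for this thread, not code from the thread or from Microsoft; it assumes that both objects of a dual-state pair carry the hostname as displayName, which is the usual case, and that the Microsoft.Graph PowerShell SDK is installed with Device.Read.All consent. It only reports.

```powershell
# Added example: report Azure AD device objects that exist twice under one display name,
# once Hybrid Azure AD joined (trustType 'ServerAd') and once Azure AD registered
# (trustType 'Workplace'). Nothing is deleted; the decision stays with the admin.
Connect-MgGraph -Scopes 'Device.Read.All'

$props = 'Id', 'DeviceId', 'DisplayName', 'TrustType', 'IsManaged', 'IsCompliant',
         'MdmAppId', 'ApproximateLastSignInDateTime', 'OperatingSystemVersion'
$devices = Get-MgDevice -All -Property $props

# Keep only display names that have BOTH a hybrid-joined and a registered object.
$dualState = $devices | Group-Object -Property DisplayName | Where-Object {
    $types = @($_.Group.TrustType)
    ($types -contains 'ServerAd') -and ($types -contains 'Workplace')
}

$joinNames = @{ ServerAd = 'Hybrid Azure AD joined'; Workplace = 'Azure AD registered'; AzureAd = 'Azure AD joined' }

$report = foreach ($g in $dualState) {
    foreach ($d in ($g.Group | Sort-Object TrustType)) {
        [pscustomobject]@{
            DisplayName   = $g.Name
            JoinType      = if ($joinNames.ContainsKey($d.TrustType)) { $joinNames[$d.TrustType] } else { $d.TrustType }
            IntuneManaged = [bool]$d.IsManaged           # true on the object that holds the MDM enrollment
            MdmAppId      = $d.MdmAppId
            LastSignIn    = $d.ApproximateLastSignInDateTime
            OSVersion     = $d.OperatingSystemVersion
            DeviceId      = $d.DeviceId                  # same GUID that dsregcmd /status shows as DeviceId
            ObjectId      = $d.Id
        }
    }
}

$report | Format-Table -AutoSize
$report | Export-Csv -Path '.\dual-state-devices.csv' -NoTypeInformation
"$(@($dualState).Count) display name(s) with both a Hybrid joined and a registered object."
```

Pairs where the registered object is the Intune-managed one (the situation in the question) are expected to resolve on their own on Windows 10 1803 and later once the hybrid-joined state is established and the user signs in; the CSV lets you re-run and confirm that the pair count is falling instead of deleting objects by hand.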

  2. Akshay-MSFT 16,026 Reputation points Microsoft Employee
    2022-11-07T06:02:05.677+00:00

    Hello @Johnwilliam-4177,

    This is dual state of the device: Ref: https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan#handling-devices-with-azure-ad-registered-state

    1. If your Windows 10 or newer domain joined devices are Azure AD registered to your tenant, it could lead to a dual state of hybrid Azure AD joined and Azure AD registered device. Any existing Azure AD registered state for a user would be automatically removed after the device is hybrid Azure AD joined and the same user logs in.
    2. For example, if User A had an Azure AD registered state on the device, the dual state for User A is cleaned up only when User A logs in to the device. If there are multiple users on the same device, the dual state is cleaned up individually when those users log in. After removing the Azure AD registered state, Windows 10 will unenroll the device from Intune or other MDM, if the enrollment happened as part of the Azure AD registration via auto-enrollment.
    3. Even though Windows 10 and Windows 11 automatically remove the Azure AD registered state locally, the device object in Azure AD is not immediately deleted if it is managed by Intune. You can validate the removal of Azure AD registered state by running dsregcmd /status and consider the device not to be Azure AD registered based on that.

    Thanks,
    Akshay Kaushik

    Please "Accept the answer" and "Upvote" if the suggestion works as per your business need. This will help us and others in the community as well.

    2 people found this answer helpful.
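The answer above says to validate the local state with dsregcmd /status, and the earlier answer shows the error block that output can carry. The following is an added example, not code from the thread or from Microsoft: it parses that output into a summary so the device-side state (joined, registered, last registration error) can be compared with the device objects in Azure AD. The sample text is constructed and shortened to the layout dsregcmd uses; on a real device omit -StatusText.

```powershell
# Added example: summarize `dsregcmd /status` into join state plus the last registration error.
function Get-DsregSummary {
    param([string[]]$StatusText = (dsregcmd /status))
    $fields = @{}
    foreach ($line in $StatusText) {
        # Lines look like "   Key Name : value"; the first occurrence of a key wins.
        if ($line -match '^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$' -and -not $fields.ContainsKey($Matches[1])) {
            $fields[$Matches[1]] = $Matches[2].Trim()
        }
    }
    $hybrid    = ($fields['DomainJoined'] -eq 'YES') -and ($fields['AzureAdJoined'] -eq 'YES')
    $workplace = $fields['WorkplaceJoined'] -eq 'YES'
    [pscustomobject]@{
        DomainJoined       = $fields['DomainJoined'] -eq 'YES'
        AzureAdJoined      = $fields['AzureAdJoined'] -eq 'YES'
        WorkplaceJoined    = $workplace
        DualState          = $hybrid -and $workplace       # hybrid joined AND registered for the signed-in user
        DeviceId           = $fields['DeviceId']           # compare with the DeviceId column in Azure AD
        LastErrorPhase     = $fields['Error Phase']
        ClientErrorCode    = $fields['Client ErrorCode']
        ServerErrorSubCode = $fields['Server ErrorSubCode']
        # error_missing_device: the object was deleted in Azure AD; a re-join follows on the next sync/reboot
        ObjectMissingInAad = $fields['Server ErrorSubCode'] -eq 'error_missing_device'
    }
}

# Constructed sample output (not captured from a real machine).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : DNB
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : YES
+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+
     Previous Registration : 2023-03-25 22:30:45.000 UTC
               Error Phase : join
          Client ErrorCode : 0x801c03f3
       Server ErrorSubCode : error_missing_device
'@ -split "`r?`n"

Get-DsregSummary -StatusText $sample | Format-List
```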

  3. Cristian SPIRIDON 4,471 Reputation points
    2022-09-04T05:26:37.79+00:00

    Hi,

    According to the documentation, the AD Join device should be automatically removed by Azure AD.
    If that is not happening you can add a reg key to prevent that in the future:

    https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan

    See BlockAADWorkplaceJoin reg key

    Hope this helps!


  4. jpcapone 1,301 Reputation points
    2022-09-04T21:50:31.127+00:00

    Thanks for the reply. I understand what you are saying, but I am more concerned about dealing with the issue as it is. The cat is out of the bag and I have quite a few devices in this state. I would assume that deleting the Azure AD registered device would be the correct course of action; however, it is being managed by Intune. I would appreciate someone giving me a little input on this.


  5. Luis Alberto Montecinos 1 Reputation point
    2022-09-26T18:46:11.697+00:00

    Same problem here. I already deleted the "Azure AD Registered" record and nothing happens.
    The device used to be duplicated as "Hybrid Azure AD Joined" and "Azure AD Registered"; as I said before, I deleted the entry for Azure AD Registered and it is not working.
    In my case I had already deleted this record before (moving it from the synchronized OU to an offline OU, then deleting, and then restoring the computer to the synchronized OU); after deleting the record, the registered field appears as "Pendiente".
    Any advice?

    [Screenshot: 244905-image.png]
