Validate and troubleshoot device identity and trust issues

When devices fail to authenticate, enroll, or appear correctly in Entra ID, use a structured troubleshooting approach. This unit gives a checklist, common checks and commands, and where to gather logs to resolve device trust problems.

Quick troubleshooting checklist

  1. Confirm the device join type and enrollment status in the Microsoft Entra admin center.
  2. Run dsregcmd /status on Windows to inspect local join and device authentication state.
  3. Verify Intune device enrollment status in the Microsoft Intune admin center.
  4. Check Microsoft Entra Connect sync health for hybrid join issues.
  5. Review device event logs and diagnostic reports for specific error codes.

Useful commands and outputs

  • dsregcmd /status — Shows device join status, tenant info, and last errors.
  • dsregcmd /leave — Removes the device from Entra ID (use with care when troubleshooting; see the warning below).
  • Get-WinEvent / Event Viewer — Look in Applications and Services Logs > Microsoft > Windows > User Device Registration for errors.

Warning

Removing a device from Entra ID with dsregcmd /leave immediately unenrolls the device; Conditional Access and Intune management will no longer work for it.

Log sources and what to look for

  • Windows event logs: Authentication issues and Windows Hello for Business errors.
  • dsregcmd output: Look for AzureAdJoined, DomainJoined, TenantId, and any error messages.
  • Intune device diagnostics: Use the Intune admin center to collect diagnostics and check MDM enrollment logs.
  • Microsoft Entra Connect logs: For hybrid join, confirm device writeback and sync operations succeeded.
  • Network logs/firewall: Ensure devices reach login.microsoftonline.com, enterpriseregistration.windows.net, and Intune endpoints.

Common issues and fixes

  • Device shows as Registered but not managed

    • Cause: User registered the device but did not enroll in Intune.
    • Fix: Confirm automatic enrollment scope or provide enrollment instructions.
  • Hybrid joined devices not appearing in Entra as hybrid

    • Cause: Microsoft Entra Connect misconfiguration or device not in a synced OU.
    • Fix: Verify Microsoft Entra Connect device options, OU selection, and run a sync. Check sync errors.
  • Windows Hello for Business key or cert errors

    • Cause: TPM not available, policy mismatch, or PKI issues.
    • Fix: Confirm TPM presence, review WHfB policy settings, and validate PKI enrollment if using certificate trust.

Collecting and sharing data for support

When escalating, collect:

  • dsregcmd /status output from the device.
  • Intune device diagnostic logs (export from Intune admin center).
  • Relevant Windows event logs (User Device Registration and Windows Hello for Business).
  • Microsoft Entra Connect sync logs and status if hybrid.

Tip

Start with dsregcmd /status — it often points you to the root cause and which service (Intune, Entra, Microsoft Entra Connect) needs attention.

Verification after fixes

  • Confirm that dsregcmd /status reports the expected state: AzureAdJoined for an Entra-joined device, or both AzureAdJoined and DomainJoined for a hybrid-joined device.
  • Verify the device appears as managed in Intune and shows a compliant status if policies apply.
  • Confirm users can access resources protected by conditional access policies.

Follow a simple sequence: check join state, inspect local dsregcmd output, verify Intune enrollment, and review Microsoft Entra Connect sync logs for hybrid scenarios. Collect logs and diagnostic exports.
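The sequence above, gathered into one script as an added example (not code from the Microsoft Learn unit or from Microsoft). It assumes a Windows device with Windows PowerShell 5.1 or later, dsregcmd and Test-NetConnection available, and an elevated session so the User Device Registration log is readable.

```powershell
# Added example (not from the Microsoft Learn unit): first-pass device trust checks
# on the local Windows device. Run in an elevated PowerShell session.
function Get-DeviceTrustSummary {
    # Parse "Key : Value" lines of dsregcmd /status into a hashtable (section
    # headers such as "| Device State |" carry no colon and are skipped).
    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*([^:|]+?)\s*:\s*(.*)$') { $status[$Matches[1]] = $Matches[2].Trim() }
    }

    # Derive the join type from the fields the unit tells you to look for.
    $joinType = if ($status['AzureAdJoined'] -eq 'YES' -and $status['DomainJoined'] -eq 'YES') { 'Hybrid joined' }
                elseif ($status['AzureAdJoined'] -eq 'YES') { 'Entra joined' }
                elseif ($status['WorkplaceJoined'] -eq 'YES') { 'Entra registered (not joined)' }
                else { 'Not joined or registered' }

    # Any field whose name contains "Error" and carries a non-zero value
    # (dsregcmd reports these after a failed registration attempt).
    $errors = $status.GetEnumerator() |
        Where-Object { $_.Key -match 'Error' -and $_.Value -and $_.Value -ne '0x0' }

    # Errors (level 2) and warnings (level 3) from the User Device Registration
    # admin log over the last 24 hours; SilentlyContinue avoids a red error when empty.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-User Device Registration/Admin'
        Level     = 2, 3
        StartTime = (Get-Date).AddDays(-1)
    } -MaxEvents 20 -ErrorAction SilentlyContinue

    # TCP/443 reachability to the endpoints the unit names. A proxy or TLS
    # inspection device can still break registration even when this succeeds.
    $endpoints = foreach ($h in 'login.microsoftonline.com', 'enterpriseregistration.windows.net') {
        $t = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $h; Reachable = $t.TcpTestSucceeded }
    }

    [pscustomobject]@{
        JoinType      = $joinType
        AzureAdJoined = $status['AzureAdJoined']
        DomainJoined  = $status['DomainJoined']
        TenantId      = $status['TenantId']
        DsregErrors   = @($errors | ForEach-Object { "$($_.Key)=$($_.Value)" })
        RecentEvents  = @($events | Select-Object TimeCreated, Id, LevelDisplayName, Message)
        Endpoints     = $endpoints
    }
}

$summary = Get-DeviceTrustSummary
$summary | Format-List
$summary.RecentEvents | Format-Table -Wrap
```

Paste the Format-List output into a support ticket alongside the raw dsregcmd /status text and the Intune diagnostic export; the raw output still matters because the parser keeps only the last value for any repeated key.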