Before I begin, you should not use Hybrid Azure AD Join unless the organization truly needs it. This was a unique situation where, due to a compliance requirement, MDM needed to be implemented in less than a week. There wasn't time to move to AADJ in the very short term. Therefore, it was decided to go from AD joined devices to HAADJ. After starting the project, I discovered many of these domain joined devices are off-site with no connectivity back to a DC (*sigh*). As previously mentioned, converting those devices to AADJ was not an option due to the client timeframe, and the difficulty they'd have with users getting a new profile or having to wipe/Autopilot the machines. So, the alternative was to get those devices back into the office, and then set something up for them so they could have periodic connectivity back to the on-prem domain after they were hybrid joined. So, a bad situation from the start, and no time to implement the proper solution (in the short term, at least).
The Hybrid Join issue:
As the remote devices started returning to the office to get line-of-sight to a DC so they could be properly hybrid joined, I had an issue with several devices being stuck in a pending registration state in Azure AD. Deleting and allowing them to rejoin resulted in the same device state. Windows was on the latest build, and there was no proxy or firewall blocking anything.
Issuing dsregcmd /status on an affected machine showed the below output.
The error causing the problem indicates: "FAILED. Device is either disabled or deleted." I verified the device had not lost its trust relationship with the domain, and that it wasn't having any DNS issues. To fix this, we need to manually unregister the device from Azure AD. After that, we can manually run the scheduled task that performs the Automatic Device Join, which results in the hybrid Azure AD Join:
dsregcmd /leave
schtasks.exe /run /tn "Microsoft\Windows\Workplace Join\Automatic-Device-Join"
After dsregcmd /leave:
When launching the scheduled task from CMD, we can see it was successful (I am doing this as SYSTEM via RMM while the user is logged in):
If we check the join status of the device with dsregcmd /status, we can see the device auth now shows SUCCESS, and the device is properly HAADJ in Azure AD.
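The same leave / re-join / verify sequence as a single script, an added example rather than code from the original post. It assumes it runs as SYSTEM (for instance via RMM) on a machine with line-of-sight to a DC, and that dsregcmd /status reports the join state in "Key : Value" lines named DomainJoined, AzureAdJoined and DeviceAuthStatus, as on current Windows builds.

```powershell
# Added example (not from the original post): remediate a domain-joined device whose
# dsregcmd /status reports DeviceAuthStatus "FAILED. Device is either disabled or deleted."
# by leaving Azure AD and re-running the Automatic-Device-Join scheduled task.
# Assumptions: runs as SYSTEM with DC connectivity; the dsregcmd field names below
# (DomainJoined, AzureAdJoined, DeviceAuthStatus) match the installed Windows build.

function Get-DsregStatus {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

$before = Get-DsregStatus
Write-Host "DomainJoined: $($before['DomainJoined'])  AzureAdJoined: $($before['AzureAdJoined'])"
Write-Host "DeviceAuthStatus: $($before['DeviceAuthStatus'])"

# Hybrid join requires a healthy domain join; stop early if that is the real problem.
if ($before['DomainJoined'] -ne 'YES') {
    throw "Device is not domain joined; check the trust relationship before retrying."
}

if ($before['DeviceAuthStatus'] -notlike 'FAILED*') {
    Write-Host "Device auth is not in a failed state; nothing to do."
    return
}

# Step 1: unregister the device from Azure AD (same command as the post).
& dsregcmd.exe /leave
Start-Sleep -Seconds 10

# Step 2: run the scheduled task that performs the automatic device join.
& schtasks.exe /run /tn "Microsoft\Windows\Workplace Join\Automatic-Device-Join"

# Give the task time to finish, then report its result and re-check the join state.
Start-Sleep -Seconds 60
$taskInfo = Get-ScheduledTaskInfo -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join'
Write-Host "Automatic-Device-Join LastTaskResult: $($taskInfo.LastTaskResult) (0 = success)"

$after = Get-DsregStatus
Write-Host "AzureAdJoined: $($after['AzureAdJoined'])  DeviceAuthStatus: $($after['DeviceAuthStatus'])"
if ($after['AzureAdJoined'] -eq 'YES' -and $after['DeviceAuthStatus'] -eq 'SUCCESS') {
    Write-Host "Hybrid Azure AD Join succeeded."
} else {
    Write-Warning "Device is still not hybrid joined; re-check DC connectivity and the device object in Azure AD."
}
```

The 60-second wait is a guess at how long the join task needs; on a slow link, re-run the final dsregcmd /status check rather than assuming failure.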