Hybrid Azure AD Join Dual State

Question

I am in the process of getting my end users setup with SCCM Co-Management. As a requirement, I need to Hybrid Azure AD join the devices. I am starting with a small test group and applying a Group Policy to add the two reg keys to start the HAADJ process. This is working as expected. The only issue I have is that I end up with the Dual State issue described here due to the endpoint getting AAD registered when they have signed in with Office 365.: https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan#handling-devices-with-azure-ad-registered-state

It is my understanding that "Any existing Azure AD registered state for a user would be automatically removed after the device is hybrid Azure AD joined and the same user logs in. " I am not seeing this and have found myself speeding up the process and deleting the AAD registered entry manually. This results in the endpoint user getting a Duo prompt. I am hoping to avoid this situation. Is there anything else I can do? Ho long am I supposed to give this process before it cleans itself up? Am I not being patient enough?

Answer 1

Generally, it should take less than 48 hours, but there are a handful of reasons why this may not happen automatically including the registration being performed by another user on the device (since Windows AAD registration is a per-user construct).

An oddity about the screenshot above is that the OS version is different between the two objects that are shown. Are you sure these are for the same device and the user that originally registered the device is the same user?