
BindeshPatel-1995 asked:

On-premise AD devices to Azure AD - Hybrid join - Dual state issue

We are planning the enrolment of all of our on-prem Windows 10 devices to Azure AD via Azure AD Connect to make them all Hybrid Azure AD joined; then we will enrol them into Intune.


At the moment I am in the testing phase with a handful of devices. However, I am experiencing a dual state for some of the devices. From reading the Microsoft documentation, if the user has AD registered the device before the Hybrid join, then a dual state will occur. If devices are on 1803 or above, when the same user logs into the device, the dual state/AD registered part will be removed and Azure AD will be left with the Hybrid joined one.


This is not the case for me: I am still seeing a dual state for the device even after signing back into the machine; it has not removed the dual state. My devices are on 1903; therefore, the AD registered dual state should be removed and I should be left with only the Hybrid joined device in Azure. I have also read somewhere that if the device is managed by Intune it will not remove the dual state; I can confirm the device is not managed by Intune either at the moment.


Can anyone help? Ideally, I don't want to be asking users to remove the AD registration manually on each device. Is there an option for me to remove all AD registered devices, as opposed to doing it manually, before I hybrid join the devices?

Thanks in advance

Bindesh

Tags: azure-active-directory, azure-ad-connect

JaiVerma-7010 answered:

If you have SCCM, you are lucky and can deploy a script which first checks if the device is in a dual state and runs dsregcmd /leave, followed by a restart of the device, which will add the device back to AAD.

Did you deploy the original 1903 image or upgrade from an older version?


Thanks for your reply,

We do have SCCM in place; I will look into trying this out. I only have a few machines in a dual state, which are my test machines. So I will just need to run dsregcmd /leave on all the machines, whether they are AD registered or not, so it's all covered. Then I can reconfigure Azure AD Connect to sync all the OUs with the devices to get them to hybrid join.


It's a mix of deployments: half the machines are the 1903 original image and half are upgraded from an older version.

Thanks

Bindesh

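A script in the spirit of the SCCM approach in the answer above, added here as an example and not taken from this thread: it parses dsregcmd /status, reports whether the device is in the hybrid-joined plus Azure AD registered dual state, and only when started with -Leave runs dsregcmd /leave. It assumes Windows 10 with dsregcmd.exe, running in the signed-in user's context (the WorkplaceJoined value is reported per user) with admin rights for /leave; the sample status text is constructed.

```powershell
# Added example (not code from this thread): detect the hybrid-joined plus
# Azure AD registered "dual state" from dsregcmd /status and, only with -Leave,
# run dsregcmd /leave as the answer above suggests. Assumptions: Windows 10 with
# dsregcmd.exe, run as the signed-in user (WorkplaceJoined is per user), elevated.
param([switch]$Leave)

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    # Collect the "   Key : Value" lines into a hashtable; section headers and
    # blank lines contain no colon and are skipped.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-DsregDualState {
    param([hashtable]$State)
    # Hybrid join: DomainJoined and AzureAdJoined are both YES.
    # Azure AD registered for this user: WorkplaceJoined is YES.
    return ($State['DomainJoined'] -eq 'YES' -and
            $State['AzureAdJoined'] -eq 'YES' -and
            $State['WorkplaceJoined'] -eq 'YES')
}

# Constructed, trimmed sample of dsregcmd /status output for a device in dual
# state, so the parser can be exercised without touching a live machine.
$sample = @'
| Device State                                                         |
             AzureAdJoined : YES
              DomainJoined : YES
| User State                                                           |
           WorkplaceJoined : YES
'@ -split "`r?`n"
Write-Output "Sample shows dual state: $(Test-DsregDualState -State (ConvertFrom-DsregStatus -Lines $sample))"

# Live check on this device. /leave removes the hybrid join; the device re-joins
# via the Automatic-Device-Join scheduled task after the restart.
$live = ConvertFrom-DsregStatus -Lines (& dsregcmd.exe /status)
if (Test-DsregDualState -State $live) {
    Write-Output 'Dual state detected (hybrid joined and Azure AD registered).'
    if ($Leave) { & dsregcmd.exe /leave; Write-Output 'Now restart the device.' }
} else {
    Write-Output 'No dual state on this device.'
}
```
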
SathishKumarPatchaiappan-2219 answered:

Hi @BindeshPatel-1995,

The best way to do the removal in bulk is by running PowerShell commands.

You can use the command below:

$dt = [datetime]'2018/12/12'

Get-MsolDevice -All -LogonTimeBefore $dt | Select-Object -Property DeviceId | ForEach-Object {$_.DeviceId} | ForEach-Object {$_.Guid} | Remove-MsolDevice -Force

This deletes devices with a time older than a specific date.

Reference : https://docs.microsoft.com/en-us/powershell/module/msonline/remove-msoldevice?view=azureadps-1.0


Thanks for the reply,

The PS commands will remove the devices from Azure AD, but the connection will be left on the client PC side, right? I have read somewhere that this will cause issues with users not being able to sign in to Office 365 apps; is that right? Does the connection have to be removed from the client device before removing them from Azure AD?


Thanks

Bindesh
