Maxime Rastello

Manually re-register a Windows 10 / Windows 11 or Windows Server machine in Hybrid Azure AD Join

Hybrid Azure AD Join devices are machines under Windows 10+ or Windows Server 2016+ that are:

  • Joined to an on-premises Active Directory domain
  • Registered in Azure AD as a hybrid device

Having a Hybrid Azure AD Joined device enables the following features:

  • Automatic device enrollment in Microsoft Intune
  • Device-based conditional access for corporate devices
  • Backup of the BitLocker recovery key in Azure AD
  • Sync of some Windows settings by the Enterprise State Roaming

Sometimes, a machine can be in an inconsistent registration state in Azure Active Directory. This can happen because:

  • The machine was shut down during a long time, and the Azure AD device registration certificate is expired (located in Local Machine / Certificates / Personal)
  • Someone manually deleted the device registration certificate
  • Someone manually deleted the device object in the Azure AD portal
  • The machine is registered in another Azure AD tenant

Please note that this method will only succeed if your organization meets all the prerequisites for Hybrid Azure AD Join. For more information, please refer to this documentation.

Step 1: Unregister the device from Azure AD

Follow this procedure:

  • On the machine to unregister, launch a Command Prompt as an administrator and type the following command:
dsregcmd /leave

  • Make sure the certificates issued by “MS-Organization-Access” and “MS-Organization-P2P-Access [xxxx]” have been deleted from the local machine Personal certificate store:

  • Type the command dsregcmd /status in a Command Prompt, and make sure the following parameters have the appropriate values:
dsregcmd /status

| Device State                                                         |
AzureAdJoined : NO  <-----
EnterpriseJoined : NO
DomainJoined : YES  <-----

Step 2: Re-register the device as a Hybrid Azure AD Join

Follow this procedure:

  • On the machine to re-register, run the Task Scheduler as an administrator.

  • Go to Task Scheduler Library > Microsoft > Windows > Workplace Join and manually start the task “Automatic-Device-Join“.

  • Make sure the certificates issued by “MS-Organization-Access” and “MS-Organization-P2P-Access [xxxx]” have been created in the local machine Personal certificate store:

  • Type the command dsregcmd /status in a Command Prompt, and make sure the following parameters have the appropriate values:
dsregcmd /status

| Device State                                                         |
AzureAdJoined : YES  <-----
EnterpriseJoined : NO
DomainJoined : YES

  • Reboot the PC.

  • Start an Azure AD Connect delta synchronization.


    1. Hello Chris, yes the machine needs connectivity to a domain controller to finalize the Hybrid Azure AD Join process. Could be on the internal network or through VPN.

  1. Hi Maxime,

    This is a great article that helped me solving a CAA50021 error, making it impossible for the end user to logon to any office desktop application, like Outlook, Teams, Excel, Word .
    It turned out the PC was not registered properly in Azure Active Directory.
    After the proedure as described, removing the SSL certs on the PC and reinitiate them, it works flawless again.

  2. Hi,
    What does that mean co-managed ?
    i tried this tuto i get the computer name under devices but i think it doesn’t fully enrolled.

  3. I’m using your Reset-HybridADJoin.ps1 script to re-join a load of naughty PCs. It runs in a SCCM script perfectly – thank you.

    1. hello Andy, did you just import it in the sccm console as a script?
      Then right click on the device and chose run script?

      thank you

  4. Hey
    Unfortunatly didn’t work for me. I could unregister the device but when I run the scheduled task the client doesn’t get the two needed certificates… and therefore it won’t make the hybrid Azure AD join. The client is in the same network as other clients who’ve successfully enrolled the two certificates and are hybrid Azure AD joined. Very strange behavior. Do you have other ideas on how to troubleshoot this?

    Best regards

    1. It took a bit longer than I expected for the certs to show up in my personal store or for the dsregcmd /status command to show that my device was rejoined to our tenant. I believe it was nearly a half hour before it showed up in my instance; however, even though I was able to connect to our company portal again the company portal is only showing another device assigned to my coworker and doesn’t even have the problematic device listed as an option. Nor does it allow me to add this device to the user’s device list unfortunately.

  5. Hi Chris,

    We have 100 machines that are domain joined to our on prem AD and are AD registered to Azure AD. We would like to get these machines into a Hybrid Azure AD join state. Is there a way to test this with 1-2 machines first without setting up Azure AD Connect?

  6. The windows server is a vm with no tpm.
    Does the device if get passed also without a prt? In some case it seams that prt is not necessary for device filtering in other cases it does not work.

    Can someone please elaborate?

Leave a Comment