Do you have dual state devices in your AAD tenant?

We have recently observed many customers asking why they see two device objects in Azure AD for the same device, connected twice to Azure AD: once as an Azure AD Registered device and once as a Hybrid Azure AD Joined device.

In this article, I am going to describe what dual state means and how to get rid of this state in the recommended way, in the following points:

  • Dual state appears when a device is already connected to Azure AD as Azure AD Registered and you then enable Hybrid Azure AD Join. The device is connected twice to Azure AD, and you will see two different computer objects with the same device name.
  • Starting from Windows 10 1803 (with KB4489894 applied), dual state is removed automatically by the device itself.
  • For pre-Windows 10 1803 devices, it's recommended to upgrade them at least to 1803 (with KB4489894 applied) so that dual state is removed automatically. Otherwise, dual state must be removed manually from the device itself.
  • Also, IT professionals can run the cleanup tool on pre-Windows 10 1803 devices (by GPO or SCCM); it unjoins the device and cleans up the workplace account. The device re-joins automatically on the next sign-in.
  • You can prevent a domain joined device from being Azure AD registered (which may lead to dual state) by adding this registry value:
    HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, create a REG_DWORD value BlockAADWorkplaceJoin = 1.
  • Removing dual state from the devices themselves may not remove the stale objects from Azure AD, so we need to remove them from Azure AD manually.
  • Also, you can use the following PowerShell script to troubleshoot all device join types and verify the health state of a device, including whether it is in dual state or not:
    https://aka.ms/DSRegTool
  • Using the following script, you can verify the health status for multiple devices remotely including dual state, and get HTML report when choosing the correct parameter:
    http://aka.ms/HAADJHealthChecker
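To tie the points above together, here is an added PowerShell example (my own illustration, not the DSRegTool or HAADJHealthChecker scripts linked above). It detects dual state by parsing the built-in `dsregcmd /status` output (a device is in dual state when DomainJoined, AzureAdJoined and WorkplaceJoined are all YES), applies the BlockAADWorkplaceJoin policy value from the registry key mentioned above, and lists duplicate device names in the tenant so the leftover objects can be removed from Azure AD manually. The `dsregcmd` sample text at the bottom is constructed for offline testing, and the last function assumes the AzureAD PowerShell module with an existing Connect-AzureAD session.

```powershell
# Added example (not from the original article): detect dual state from
# dsregcmd /status output, apply the BlockAADWorkplaceJoin policy value,
# and list duplicate device names in Azure AD.
# Assumes: dsregcmd.exe (built into Windows 10) and, for the last function,
# the AzureAD module with an existing Connect-AzureAD session.

function ConvertFrom-DsRegStatus {
    # Parse "Key : Value" lines from dsregcmd /status into a hashtable.
    param([string[]]$StatusLines)
    $state = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-DualState {
    # Dual state = domain joined + hybrid Azure AD joined (AzureAdJoined)
    # + the signed-in user also has a workplace (Azure AD registered) join.
    param([string[]]$StatusLines = (dsregcmd /status))
    $s = ConvertFrom-DsRegStatus -StatusLines $StatusLines
    [pscustomobject]@{
        DomainJoined    = ($s['DomainJoined']    -eq 'YES')
        AzureAdJoined   = ($s['AzureAdJoined']   -eq 'YES')
        WorkplaceJoined = ($s['WorkplaceJoined'] -eq 'YES')
        DualState       = ($s['DomainJoined']    -eq 'YES' -and
                           $s['AzureAdJoined']   -eq 'YES' -and
                           $s['WorkplaceJoined'] -eq 'YES')
    }
}

function Set-BlockAADWorkplaceJoin {
    # Creates the policy key from the article and sets BlockAADWorkplaceJoin = 1,
    # which prevents a domain joined device from also becoming Azure AD registered.
    # Must run elevated; returns the value read back from the registry.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name 'BlockAADWorkplaceJoin' -Value 1 `
        -PropertyType DWord -Force | Out-Null
    (Get-ItemProperty -Path $path -Name 'BlockAADWorkplaceJoin').BlockAADWorkplaceJoin
}

function Get-DuplicateAADDevices {
    # Lists device names that appear more than once in the tenant, the symptom
    # of leftover dual-state objects. Requires Connect-AzureAD beforehand.
    # DeviceTrustType 'ServerAd' = hybrid joined, 'Workplace' = registered.
    Get-AzureADDevice -All $true |
        Group-Object -Property DisplayName |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            foreach ($d in $_.Group) {
                [pscustomobject]@{
                    DisplayName = $d.DisplayName
                    ObjectId    = $d.ObjectId
                    TrustType   = $d.DeviceTrustType
                    LastLogon   = $d.ApproximateLastLogonTimeStamp
                }
            }
        }
}

# Constructed sample output (not a real capture) showing a dual-state device.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : YES
'@ -split "`r?`n"

# Evaluate the constructed sample; drop -StatusLines to check the local machine.
Test-DualState -StatusLines $sample
```

Run `Test-DualState` without parameters on a domain joined client to check the live device; use `Get-DuplicateAADDevices` from an admin workstation after `Connect-AzureAD` to find the pairs, and review the `TrustType` and `LastLogon` columns before removing the stale `Workplace` object for each name.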

Stay safe until the next article 🙂