Azure AD Device Registration – Part 1 – How to Fix the Pending Registration State Issue?

Firstly I must say, during your cloud journey you may have seen this error many times and fixed it many times. There will also be engineers who are yet to see this error (among other errors) and want to fix it. In a Hybrid Azure AD Joined (HAADJ) environment, ideally you want the device registration to show as Registered, but due to some factors the device gets stuck in the Pending state and stops communicating with Azure AD. Ideally Pending is only an interim state before the device gets registered in Azure AD.

My Approach is to do a deep dive on this error and to create a quick workflow to get you notified when your devices go pending so you can easily and promptly fix them and leave no Windows device behind.

The Pending state is not an acceptable state when you need your cloud journey to accelerate and when you have to enroll your corporate devices in Endpoint Manager. A device left in the Pending state can go stale, at which point a re-registration is required.

Device Join Process

The device registration state goes to Pending while the device is communicating with Azure AD in order to join. Usually the Azure AD join mode is straightforward, as the device communicates with Azure AD straight away. However, when it comes to HAADJ, Azure AD Connect sync is involved as well and there are a few steps before the device gets registered in Azure AD as a device object. Once the device registration flow is done, the status changes to Registered with the registration date.

An excellent article from Microsoft explaining the Device Join Mode flows can be found here:

🔗Azure AD Device Registration Flows Explained

From Microsoft Text

  • Deleting devices in your on-premises AD or Azure AD does not remove registration on the client. It will only prevent access to resources using device as an identity (e.g. Conditional Access). Read additional information on how to remove registration on the client.
  • Deleting a Windows 10 or newer device only in Azure AD will re-synchronize the device from your on-premises using Azure AD connect but as a new object in “Pending” state. A re-registration is required on the device.

What is the Pending status?

There are some cases in which this status will go to Pending and stay in that stage in a Hybrid AAD Joined environment:

  1. During the device registration process there can be a communication breakdown between the device and the Azure AD Device Registration Service.
  2. The device was once in an AAD-synced OU and was moved to a non-syncing OU, so Azure AD deleted its record as it was no longer syncing. The device may then have been moved back into the syncing OU, but Azure AD has already done the device registration once for the same device and will not perform it again.
  3. The Azure AD SCP details cannot be found in ADSI or in the device’s registry.

dsregcmd /status Errors

As you can see in the dsregcmd /status output, AzureAdJoined and AzureAdPrt are both NO, as there is no connectivity to Azure AD.

Troubleshooting

Test Device Registration Connectivity

Check 1

Use the Test Device Registration Connectivity script from Microsoft to get more information about the device:
https://docs.microsoft.com/en-us/samples/azure-samples/testdeviceregconnectivity/testdeviceregconnectivity/

Check 2

  • Open an elevated CMD and run dsregcmd /leave /debug
  • Make sure the Azure AD device record has been removed
  • Reboot the device
  • During the reboot, the device will be joined to Azure AD and re-registered
  • Run dsregcmd /status to identify the Azure AD Joined states (YES or NO)

If dsregcmd /leave /debug is unable to complete, most probably the device is unable to connect to the Azure AD Device Registration Service.

My Winning Check: Looking for Azure AD SCP (Service Connection Point) Details

In my case, the device had somehow lost the Azure AD SCP details, and so the device couldn’t communicate with the cloud.

There are two ways you can check the Azure AD SCP details.

  1. If you did a controlled deployment with the Azure AD SCP details set up in a Group Policy Preference type policy, check for the below registry key on the device.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD
    TenantId and TenantName should match your Azure AD details.
  2. If you have activated the HAADJ mode in the Azure AD Connect tool, make sure the TenantId and TenantName attributes are present at the below path in the ADSI Configuration node.

Configuration > go to CN=Device Registration Configuration > CN=62a0ff2e-97b9-4513-943f-0d221bd30080 > right-click and select Properties

Go to Keywords and look for the tenant ID and the tenant name details.
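The two lookups above, scripted so they can be run on a Pending device before touching dsregcmd. This is an added example, not code from the original post or from Microsoft: it reads the GPP registry key and the forest SCP, compares both against the tenant values you pass in, and then pulls the relevant lines from dsregcmd /status. The two parameters are placeholders for your own tenant.

```powershell
# Added example: verify the Azure AD SCP details a HAADJ client relies on.
# $ExpectedTenantId / $ExpectedTenantName are placeholders; pass your tenant's values.
param(
    [Parameter(Mandatory)][string]$ExpectedTenantId,
    [Parameter(Mandatory)][string]$ExpectedTenantName
)

$found = @()

# 1. Client-side SCP (GPP-deployed registry key), the one the post recreated by hand
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'
if (Test-Path $regPath) {
    $reg = Get-ItemProperty -Path $regPath
    $found += @{ Source = 'Registry'; Id = $reg.TenantId; Name = $reg.TenantName }
} else {
    $found += @{ Source = 'Registry'; Id = $null; Name = $null }
}

# 2. Forest-wide SCP written by Azure AD Connect, under the Configuration naming context.
#    The keywords attribute carries "azureADId:<tenant id>" and "azureADName:<tenant name>".
try {
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $scpDn    = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNC"
    $keywords = @(([ADSI]"LDAP://$scpDn").keywords)
    $id   = ($keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', ''
    $name = ($keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
    $found += @{ Source = 'AD SCP'; Id = $id; Name = $name }
} catch {
    # Object missing or domain controller unreachable: report it as absent rather than failing
    $found += @{ Source = 'AD SCP'; Id = $null; Name = $null }
}

# Report each source: missing, matching, or pointing at the wrong tenant
foreach ($f in $found) {
    if (-not $f.Id -and -not $f.Name) {
        '{0}: no SCP details found' -f $f.Source
        continue
    }
    $ok = ($f.Id -eq $ExpectedTenantId) -and ($f.Name -eq $ExpectedTenantName)
    '{0}: TenantId={1} TenantName={2} -> {3}' -f $f.Source, $f.Id, $f.Name, $(if ($ok) { 'OK' } else { 'MISMATCH' })
}

# 3. What the client itself currently believes (joined state, PRT, tenant it registered with)
dsregcmd /status | Select-String -Pattern 'AzureAdJoined|AzureAdPrt|TenantName|TenantId'
```

If both sources report no SCP details, that is the third cause listed above and a dsregcmd /join will have no tenant to register against; a MISMATCH on either source means the device is being pointed at a different tenant than the one you are checking in the portal.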

I had to manually create the registry key in this device to test this.

A few minutes later I ran dsregcmd /leave /debug and it was successful.

Then I rebooted the computer, ran dsregcmd /join /debug in an elevated CMD, and noticed the device had already gone through the join process.

As you can see below, the SSO State is now populated as the Azure AD Primary Refresh Token has been received.

How to check all the Pending state devices in your AAD?

Get all pending devices and save the returned data in a CSV file:

  1. Connect to the Azure AD PowerShell module

  2. Run the below command (devices synced from on-premises AD with a trust type of ServerAd that have not completed registration carry no AlternativeSecurityIds, which is what identifies them as Pending)
    Get-AzureADDevice -All $true | Where-Object { ($_.DeviceTrustType -eq "ServerAd") -and ($_.ProfileType -ne "RegisteredDevice") -and (-not $_.AlternativeSecurityIds) } | Select-Object -Property AccountEnabled, ObjectId, DeviceId, DisplayName, DeviceOSType, DeviceOSVersion, DeviceTrustType | Export-Csv pendingdevicelist-summary.csv -NoTypeInformation

Not Finished Yet

Hope I helped you figure out the issue and gave you a few options to fix it.

In the next part of the Azure AD Device Registration series I come up with a way to get notified in Teams when your devices go into Pending mode. Isn’t that neat? Rather than applying the SCP and assuming all your devices will behave well and register properly, it’s nice to know which Black Sheep devices in your fleet need special treatment, so you can stay on top of device registration and Endpoint Manager enrollments.

Check for the 2nd post of this troubleshooting series👇🏽
Azure AD Device Registration – Part 2 – Use Azure Automation to Get Notified When Devices Go Pending State

Feature Image: Computer Vectors by Vecteezy
