
Procedure to re-join devices

When you use a conditional access policy with "Require Microsoft Entra hybrid joined device", and the device is not configured properly or its Primary Refresh Token (PRT) was not refreshed successfully, sign-in fails with the error "You can't get there from here".

I asked MS support and tried to fix the root cause, but I gave up and realized that re-joining the device is a quick fix... So this article shows how to re-join the device as a hybrid-joined device.

Ref: Troubleshoot Microsoft Entra hybrid joined devices

1. Check device status

Run the command as the affected user. You may see the device state reported as FAILED, or AzureAdPrt : NO in the SSO State section.

dsregcmd /status

2. Delete device from Entra ID

Run the command as administrator, then confirm in the Entra ID portal that the device object has been deleted.

dsregcmd /leave /debug

3. Run join command

Run the command as administrator. Make sure the device can reach the domain controller.

dsregcmd /join

4. Run task to join device

Run the command as administrator. Make sure the device can reach the domain controller. This is the scheduled task that normally performs the automatic join at user logon; running it manually saves waiting for the next logon.

schtasks /run /tn "Microsoft\Windows\Workplace Join\Automatic-Device-Join"

5. Check device registered on Entra ID

Registration logs are in Event Viewer under Applications and Services Logs > Microsoft > Windows > User Device Registration > Admin.

Run the status command again and confirm that the join fields now show YES, in particular AzureAdPrt in the SSO State section.

dsregcmd /status
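One way to check the device state before and after these steps, as an added PowerShell example that is not part of the original post (it assumes only the dsregcmd output, event log and scheduled task named above):

```powershell
# Added example, not from the original post: parse dsregcmd /status and report
# whether the hybrid join and PRT look healthy, before and after re-joining.
# Run in an elevated PowerShell session on the affected device.

function Get-DsregStatus {
    # dsregcmd prints "Key : Value" lines; collect them into a hashtable.
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-HybridJoinHealth {
    param([hashtable]$Status)
    # All three are expected to read YES on a healthy hybrid-joined device
    # with a valid PRT; anything else reproduces the conditional access error.
    $healthy = $true
    foreach ($key in 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt') {
        $value = if ($Status.ContainsKey($key)) { $Status[$key] } else { '<missing>' }
        if ($value -ne 'YES') { $healthy = $false }
        Write-Host ('{0,-14} {1}' -f $key, $value)
    }
    return $healthy
}

if (Test-HybridJoinHealth -Status (Get-DsregStatus)) {
    Write-Host 'Device is hybrid joined and holds a PRT.'
} else {
    # The most recent registration events explain why the join or PRT refresh failed.
    Get-WinEvent -LogName 'Microsoft-Windows-User Device Registration/Admin' -MaxEvents 10 |
        Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
    # The scheduled task that performs the automatic join should exist and be enabled.
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' `
        -TaskName 'Automatic-Device-Join' | Select-Object TaskName, State
}
```

If the task shows State as Disabled, the automatic re-join in step 4 will not run until it is enabled again.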
