Let’s discuss the fix for the issue with Microsoft Entra hybrid joined devices that are unjoined and rejoined after Intune enrollment. Microsoft recently acknowledged an issue affecting hybrid joined devices that are unjoined from and rejoined to Microsoft Entra after they have already been enrolled in Intune.
The issue occurs when a hybrid joined device is unjoined and rejoined to Microsoft Entra without first being unenrolled from mobile device management (MDM). The resulting disruption affects the user’s device experience.
If the device is not unenrolled from MDM before it is rejoined, critical device properties become misaligned, and the device’s policies and certificates are removed.
Because the service no longer recognizes the device’s original object ID, settings and software are applied inconsistently. In this post I explain what goes wrong on Microsoft Entra hybrid joined devices after such a rejoin and how to avoid it.
Fix Issue with Entra Hybrid Joined Devices Unjoined and Rejoined after Intune Enrollment
As mentioned above, once the device’s policies and certificates are removed, the service no longer recognizes the device’s original object ID, and settings and software are applied inconsistently.
This includes attributes such as the OrderID (required by Windows Autopilot) and the OS properties that Intune uses for dynamic group targeting. The following table shows what happens when the unjoin and rejoin process is not handled properly.
| Results |
|---|
| Device targeting issues where policies and configurations don’t apply correctly. |
| Disruptions in Windows Autopilot configurations, potentially leaving devices mismanaged or without the necessary apps and settings. |
What is the Impact of not Unenrolling from MDM/Intune?
When a hybrid device is unjoined and rejoined without first being unenrolled from Intune MDM, Microsoft Entra creates a new device object with a new object ID but retains the same device ID. As a result, Intune runs into problems with compliance evaluation and policy application. The list below shows those problems.
- Policy Removal
  - Static Groups – Policies assigned to static groups are removed from the device because the new object ID breaks the link to the previous group memberships.
  - Dynamic Groups – Policies assigned through dynamic groups can be removed for up to two weeks, until the new device object is synced and the device’s group memberships are restored.
- Conditional Access policies can block access to corporate resources. Newly created Microsoft Entra device objects are treated as non-compliant by default, so users may be blocked from accessing corporate resources. Intune may take up to two weeks to fully re-evaluate the device’s compliance status and apply Conditional Access policies, causing potential downtime for the user.
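To see whether a tenant already contains devices in this state, here is an added example using the Microsoft Graph PowerShell SDK. It is not code from the original post or from Microsoft. It lists hybrid joined device objects that share one DeviceId (the same physical device with several object IDs) and then checks whether Intune still holds a managed device record for that DeviceId and what its compliance state is. The module names and permission scopes are taken from the SDK documentation; running it requires an account that can consent to those scopes.

```powershell
# Added example (not part of the original post): find hybrid joined devices that
# have several Microsoft Entra device objects with the same DeviceId, which is the
# fingerprint of an unjoin/rejoin done without unenrolling from Intune first.
# Assumes the Microsoft Graph PowerShell SDK modules
#   Microsoft.Graph.Identity.DirectoryManagement and Microsoft.Graph.DeviceManagement
# are installed and the signed-in account is granted the scopes requested below.
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceManagementManagedDevices.Read.All' -NoWelcome

# TrustType 'ServerAd' marks Microsoft Entra hybrid joined devices.
$hybridDevices = Get-MgDevice -All -Property Id, DeviceId, DisplayName, TrustType, RegistrationDateTime, ApproximateLastSignInDateTime |
    Where-Object { $_.TrustType -eq 'ServerAd' }

# One DeviceId with more than one object ID means the device was rejoined.
$duplicateSets = $hybridDevices |
    Group-Object -Property DeviceId |
    Where-Object { $_.Count -gt 1 }

if (-not $duplicateSets) {
    Write-Host 'No hybrid joined devices with duplicate Entra device objects found.'
}

foreach ($set in $duplicateSets) {
    Write-Host "DeviceId $($set.Name): $($set.Count) Entra device objects" -ForegroundColor Yellow

    # Oldest object first, so the original (pre-rejoin) object is at the top.
    $set.Group |
        Sort-Object RegistrationDateTime |
        Select-Object @{ n = 'ObjectId'; e = { $_.Id } },
                      DisplayName,
                      RegistrationDateTime,
                      ApproximateLastSignInDateTime |
        Format-Table -AutoSize

    # Intune keys its managed device record on the DeviceId (azureADDeviceId), not on
    # the object ID, so this shows whether a record survives and how it is evaluated.
    $intuneDevice = Get-MgDeviceManagementManagedDevice -Filter "azureADDeviceId eq '$($set.Name)'" -Property Id, DeviceName, ComplianceState, LastSyncDateTime

    if ($intuneDevice) {
        Write-Host "  Intune managed device $($intuneDevice.Id) ($($intuneDevice.DeviceName)): compliance $($intuneDevice.ComplianceState), last sync $($intuneDevice.LastSyncDateTime)"
    } else {
        Write-Host '  No Intune managed device record found for this DeviceId.'
    }
}
```

The device object that shows the most recent ApproximateLastSignInDateTime is the one the device currently authenticates as; the older object is the one that still carries the group memberships and Autopilot attributes the post describes.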
Best Practices to Avoid Issues in Entra Hybrid Joined Devices
Unjoin and rejoin problems on Microsoft Entra hybrid joined devices are easy to avoid once the devices have been enrolled. To prevent these issues, Microsoft recommends that you avoid unjoining and rejoining hybrid devices at all, because the process introduces complications and disruption for your users.
The hybrid Microsoft Entra join process relies heavily on the integrity and consistency of the device objects in Microsoft Entra. Unjoining and rejoining hybrid devices that are still enrolled in your MDM causes considerable issues, including the removal of critical policies and applications.
- If you do need to unjoin and rejoin a hybrid device, it’s critical to unenroll it from MDM before unjoining and rejoining it to Microsoft Entra.
- This ensures a smoother re-enrollment and maintains the integrity of your device policies, apps, and settings.
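As an added example (not code from the original post), the following PowerShell pre-flight check runs on the device itself before anyone unjoins it. It parses `dsregcmd /status` to confirm the device is hybrid joined, records the current Entra DeviceId so the object can be compared after the rejoin, and refuses to proceed while an Intune enrollment is still present. The registry location used for the enrollment check and the output file path are assumptions made for this example.

```powershell
# Added example (not part of the original post): run this elevated on the hybrid
# joined device BEFORE unjoining it. It reads dsregcmd /status, saves the current
# Entra DeviceId for later comparison, and stops if an Intune (MDM) enrollment
# still exists. Assumptions: Intune enrollments live under
# HKLM\SOFTWARE\Microsoft\Enrollments\<GUID> with ProviderID 'MS DM Server', and
# the DeviceId is written to a file under ProgramData.

function Get-DsregStatus {
    # Turn the "Key : Value" lines of dsregcmd /status into a hashtable.
    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*([^:\s][^:]*?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-IntuneEnrollment {
    # Return the first MDM enrollment whose provider is the Intune management server.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' } |
        Select-Object -First 1
}

$status = Get-DsregStatus
$isHybridJoined = ($status['AzureAdJoined'] -eq 'YES') -and ($status['DomainJoined'] -eq 'YES')
if (-not $isHybridJoined) {
    Write-Warning 'This device is not Microsoft Entra hybrid joined; nothing to do.'
    return
}

Write-Host "Entra DeviceId : $($status['DeviceId'])"
Write-Host "Tenant         : $($status['TenantName']) ($($status['TenantId']))"

# Keep the DeviceId so the Entra device object can be compared after the rejoin
# (the post explains the DeviceId stays the same while a new object ID is created).
$recordPath = Join-Path $env:ProgramData 'hybrid-rejoin-deviceid.txt'
$status['DeviceId'] | Out-File -FilePath $recordPath -Encoding ascii
Write-Host "DeviceId saved to $recordPath"

$enrollment = Test-IntuneEnrollment
if ($enrollment) {
    Write-Warning "Device is still MDM enrolled (enrollment $($enrollment.PSChildName), user $($enrollment.UPN))."
    Write-Warning 'Unenroll it from Intune before running dsregcmd /leave and rejoining.'
} else {
    Write-Host 'No Intune enrollment present; the device can be unjoined with dsregcmd /leave (run as SYSTEM) and rejoined.'
}
```

After the device has been rejoined, run `dsregcmd /status` again and compare the DeviceId with the saved value: the post’s failure mode is a new Entra object with the same DeviceId, so the value in the file is what you search for in the Entra admin center to find and clean up the stale object.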
Author
Anoop C Nair has been a Microsoft MVP since 2015, for 10 consecutive years. He is a Workplace Solution Architect with more than 22 years of experience in workplace technologies. He is also a blogger, speaker, and local user group community leader. His primary focus is on device management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.
Hello, thanks for the great article!
- I believe I’ve encountered the mentioned issue, where one device has multiple records in Entra ID and that device also has an Intune device ID value that is the same as the Entra device ID value. Would re-enrollment and rejoining fix the issue? Is there any way to unenroll a hybrid joined device from Intune before rejoining it when it is joined by group policy?
- Does this issue also happen to Entra joined devices?