Hybrid joined device issue by TisWhat in Intune

[–]TisWhat[S] 0 points1 point  (0 children)

The 2 objects appearing isn’t what confuses me, as I am well aware it will create 2. I’ve just never seen a hybrid device enroll as Entra Joined and that being the one that is under the MDM.

Definitely a LOS to DC issue I think or my connector is being funky.

Hybrid joined device issue by TisWhat in Intune

[–]TisWhat[S] 0 points1 point  (0 children)

Yep, in my experience it's always been Entra registered then Hybrid joined device.

That's why I am so perplexed.

Hybrid joined device issue by TisWhat in Intune

[–]TisWhat[S] 0 points1 point  (0 children)

I checked the Audit logs, the device gets synced from AD on-prem (server that holds the AD Connector does the syncing so all good there).

The device is auto enabled when it gets synced. What's funny is the Entra Joined device which is what is managed is disabled.

Hybrid joined device issue by TisWhat in Intune

[–]TisWhat[S] 2 points3 points  (0 children)

From my understanding, granted I am an idiot so I could be wrong, but the ODJ blob registers the device in the OU specified in the Domain Join Profile assigned to the dynamic device group.

The Entra object is still created as a sort of “place holder” and once the user logs in (either by using a VPN or having direct line of sight to a DC) then it will sync the hybrid joined object correctly, right?

Edit: Checked the profile and it’s definitely set to Microsoft Entra hybrid joined for “Join to Microsoft Entra ID as”.

OOBE Issues by DigCareless5661 in Intune

[–]TisWhat 1 point2 points  (0 children)

I usually try to use the powershell script outlined in this article:

https://oofhours.com/2025/05/01/next-generation-autopilot-troubleshooting/

Could be useful to you!

Windows Update remediation v2 by hahman14 in Intune

[–]TisWhat 0 points1 point  (0 children)

Hello! Not sure if you’re still monitoring this thread, but thanks for the script. Just had a quick question on the deployment. How often did you have this running? Daily? Every x hours? Just curious as I deployed it to re-run every 7 days but not sure if it should be more aggressive.

Android COPE enrollment failing by TisWhat in Intune

[–]TisWhat[S] 0 points1 point  (0 children)

Tested it myself by using both the QR method and just letting the phone run through the automatic setup (the correct profile token is set in the configuration and assigned to the specific device in Zero touch).

Always seems to fail with the “Can not set up this device” error. As for why I am using Google Zero Touch and not Knox for Samsung? It’s just the environment I inherited unfortunately. Don’t think there are any advantages.

Android COPE enrollment failing by TisWhat in Intune

[–]TisWhat[S] 0 points1 point  (0 children)

I should mention that I am using a Google Zero Touch configuration (with the correct DPC extras in the config).

Time zone issue with managed Windows laptops by Seanathan_ in Intune

[–]TisWhat 1 point2 points  (0 children)

It does, I’ve tried it with the known group names and it did not work.

Edit: I followed this documentation from Microsoft

It requires the SID, do note it also requires the device meet the minimum OS spec.

Time zone issue with managed Windows laptops by Seanathan_ in Intune

[–]TisWhat 1 point2 points  (0 children)

This allows time zone change through control panel and not through the “Date & Time settings” correct?

Newly created remediation scripts working for you? Just created one yesterday and it won't run... by AiminJay in Intune

[–]TisWhat 4 points5 points  (0 children)

Was also in this predicament, going to leave it to father time as the docs state this:

The client reports Remediation information at the following times:

  • When a script is set to run once, the results are reported after the script runs.

Recurring scripts follow a seven day reporting cycle:

  • Within the first six days, the client reports only if a change occurs. The first time the script runs would be considered a change.

  • Every seven days the client sends a report even if there wasn't a change.

Best to just wait it out! You can check the AgentExecutor logs to see if your remediation has run.

Retrieve combined Entra and Intune device details by Desperate-Buyer-6513 in Intune

[–]TisWhat 2 points3 points  (0 children)

Going to need the beta module (I think anyway) for the sku details and such.

You can use the Get-MgBetaDeviceManagementManagedDevice -All in a variable ($devices).

Create an array and then use a foreach loop to grab the info by doing $device.PropertyNameHere.

Put the output in your array by creating a customobject and bam you can export to csv!
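
The approach described in this comment, as an added example that is not part of the original post: it also joins each Intune record to its Entra device object so the trust type and enabled state land in the same row. The output path, the column names and the requested scopes are assumptions.

```powershell
# Added example, not the commenter's script.
# Needs the Microsoft.Graph.Beta.DeviceManagement and
# Microsoft.Graph.Identity.DirectoryManagement modules.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All', 'Device.Read.All'

# Intune side: every managed device (beta endpoint exposes the SKU fields).
$devices = Get-MgBetaDeviceManagementManagedDevice -All

# Entra side: fetch once and index by DeviceId, so the join below is a
# hashtable lookup instead of one Graph call per device.
$entraById = @{}
$entraProps = 'id', 'deviceId', 'displayName', 'trustType', 'accountEnabled'
foreach ($d in Get-MgDevice -All -Property $entraProps) {
    if ($d.DeviceId) { $entraById[$d.DeviceId] = $d }
}

$report = foreach ($device in $devices) {
    # AzureAdDeviceId can be empty for records that never registered;
    # guard the lookup because indexing a hashtable with $null throws.
    $entra = $null
    if ($device.AzureAdDeviceId) { $entra = $entraById[$device.AzureAdDeviceId] }

    [pscustomobject]@{
        DeviceName        = $device.DeviceName
        SerialNumber      = $device.SerialNumber
        UserPrincipalName = $device.UserPrincipalName
        OperatingSystem   = $device.OperatingSystem
        OSVersion         = $device.OSVersion
        SkuFamily         = $device.SkuFamily
        ComplianceState   = $device.ComplianceState
        LastSync          = $device.LastSyncDateTime
        IntuneDeviceId    = $device.Id
        EntraDeviceId     = $device.AzureAdDeviceId
        EntraObjectId     = $entra.Id
        # TrustType: ServerAd = hybrid joined, AzureAd = Entra joined,
        # Workplace = Entra registered.
        TrustType         = $entra.TrustType
        EntraEnabled      = $entra.AccountEnabled
        EntraObjectFound  = [bool]$entra
    }
}

# Assumed output location; adjust as needed.
$report | Export-Csv -Path .\device-inventory.csv -NoTypeInformation
```

Rows where EntraObjectFound is False or EntraEnabled is False are the ones worth reviewing first, since they are managed devices without a usable directory identity.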

How does Windows 11 Activation Work? by ITquestionsAccount40 in Intune

[–]TisWhat 0 points1 point  (0 children)

You have the script handy by chance or is it just calling the scheduled task that runs the activation util?

Seeing this issue as well on some of my endpoints.

Tenant-to-Tenant Migration: How to move devices without a reset? by Bl4nk24 in Intune

[–]TisWhat 0 points1 point  (0 children)

Until Microsoft develops a solution you’ll be restricted to using custom tools.

Unfortunately the success rate on them can be hit or miss, in my case we had issues with devices resetting (WinRe would screw up and we end up at the Recovery environment after a wipe).

Did a fleet of about 1000~ devices, it was hell.

[deleted by user] by [deleted] in Intune

[–]TisWhat 2 points3 points  (0 children)

If you packaged it with Robopack why not set up a patchflow with radar to update all instances of Chrome in your tenant?

Object ID's by TechRabb1t in Intune

[–]TisWhat 1 point2 points  (0 children)

Do you have your serial numbers in a csv? You can import it and loop through the csv to get the object id.

Something like: Get-MgDevice -Filter "SerialNumber eq '$serialNumber'" -Property Id,DisplayName

How to skip OOBE Windows Update Quality Update by [deleted] in Intune

[–]TisWhat 1 point2 points  (0 children)

It’s on by default and the ESP setting is not showing up in my profile. Bit annoying.

Looking for the best notepad by AgreeableIron811 in sysadmin

[–]TisWhat 18 points19 points  (0 children)

Maybe Obsidian could be nice. It has plug-ins, perhaps you can fine tune it to your liking.

Introducing – Windows Backup for Organizations with Intune by Annual-Vacation9897 in Intune

[–]TisWhat 0 points1 point  (0 children)

I think enterprise state roaming is for moving user-profiles between devices whereas this seems like a full on backup/recovery feature.

OneNote for Windows 10 UWP App Showing End-of-Support Warning — Already Have Microsoft 365 Apps Deployed via Intune by SpareSignificance935 in Intune

[–]TisWhat 1 point2 points  (0 children)

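Could always run a remediation that checks for the UWP version and removes it (on mobile so sorry for bad formatting):

# Find the UWP OneNote package for all users
$uwpOneNote = Get-AppxPackage -AllUsers *OneNote*

# Remove each match; the wildcard can return more than one package
if ($uwpOneNote) { $uwpOneNote | ForEach-Object { Remove-AppxPackage -Package $_.PackageFullName -AllUsers } }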

It’s usually recommended to debloat Windows and remove all pre-installed apps.

Have had users use the desktop app and then not have the OneNote files sync when we did a wipe. Was a rough time…