Entra Hybrid Join Stuck in "Pending" — Complete Fix Guide with dsregcmd

Diagnostic commands, root causes, step-by-step remediation, and bulk fixes for experienced IT admins

Few device management problems are as deceptively frustrating as the Pending state in Microsoft Entra ID (formerly Azure AD). The device object exists in Entra — Entra Connect synced it from Active Directory — but the machine itself has never completed the cryptographic handshake that proves ownership. The result is a device that looks registered in the portal but is not actually Hybrid Joined, breaking Conditional Access policies, co-management enrollment, Hello for Business, and any policy requiring a compliant or hybrid-joined device claim.

This guide walks through the full diagnostic and remediation workflow. If you want a field-level deep dive into the Entra device registration flow, Rudy Ooms (Microsoft MVP, Intune/Entra specialist) has an excellent series on device registration internals that complements the official Microsoft documentation referenced throughout this post.

Scope: This article covers Windows Current devices (Windows 10 1607+ / Windows 11) performing Hybrid Entra Join via Entra Connect. It does not cover Workplace Join (personal device registration) or pure Entra Join. All commands assume you are running PowerShell or CMD as a local administrator on the affected machine, or deploying remediation via Group Policy / Intune.

What "Pending" Actually Means

When Entra Connect performs a directory synchronisation cycle, it projects AD computer objects into Entra ID. At the moment of sync, the Entra object is created but it has no device key — no cryptographic proof that the actual machine is the owner of that object. Microsoft marks this state as Pending in the Entra portal (Devices > All Devices).

The device must independently contact the Device Registration Service (DRS) endpoint at enterpriseregistration.windows.net, authenticate with its AD computer account Kerberos ticket, and exchange a device key pair. This process is driven by the Automatic-Device-Join scheduled task in Task Scheduler and by the dsregcmd.exe utility.

The Pending state is expected transiently (minutes to hours after first sync), but it becomes a problem when it persists for days or reappears after what should have been a successful join. The common root causes are:

The device cannot reach DRS endpoints (network/proxy/firewall)
Stale or duplicate device objects in Entra (stale msDS-DeviceID attribute on the AD object)
Stale Workplace Join certificates in the machine certificate store
The device was moved to a different OU and missed the next sync window
The scheduled task is disabled or has accumulated consecutive failures
SCP (Service Connection Point) not configured or pointing to the wrong tenant
The device's system clock is out of sync (Kerberos tolerance is ±5 minutes)

Step 1 — Baseline Diagnostic with dsregcmd /status

Run this on the affected machine as a local administrator in a standard (non-elevated) CMD or PowerShell window. The dsregcmd /status output reflects the current user context and local machine state.

Get-HybridJoinStatus.ps1

# Run as the logged-on user (not elevated) to capture SSO/PRT state
# Run as SYSTEM or elevated to see machine-level certificate state
dsregcmd /status

# Pipe to a file for remote review
dsregcmd /status | Out-File "C:\Temp\dsregcmd-output.txt" -Encoding UTF8

# Parse key fields programmatically
$dsreg = dsregcmd /status
$fields = @(
    'AzureAdJoined',
    'DomainJoined',
    'WorkplaceJoined',
    'AzureAdPrt',
    'TenantName',
    'DeviceId',
    'KeyContainerId',
    'DomainName'
)
foreach ($field in $fields) {
    $line = $dsreg | Where-Object { $_ -match "^\s+$field\s+:" }
    if ($line) { Write-Host $line.Trim() }
}

Interpret the key fields against this reference table:

Field	Healthy (Hybrid Joined)	Pending / Broken
AzureAdJoined	YES	NO
DomainJoined	YES	YES (machine is still domain-joined)
WorkplaceJoined	NO (should be NO on hybrid-joined)	YES (conflict — stale WPJ cert)
AzureAdPrt	YES	NO
DeviceId	GUID populated	Empty or mismatched
KeyContainerId	GUID populated	Empty

Step 2 — Check Event Viewer (User Device Registration Log)

The most detailed registration telemetry lives in Event Viewer > Applications and Services Logs > Microsoft > Windows > User Device Registration > Admin. The critical event IDs are:

Event ID	Meaning	Action
304	Automatic device join pre-check succeeded	SCP and network reachable — good
305	Automatic device join succeeded	Registration complete
307	Device successfully registered	Device key written to TPM/software KSP
201	Unable to find AD user account	UPN suffix mismatch or SCP misconfiguration
220	Failed to join — HTTP error from DRS	Check HTTP status code in event details
335	The device object already exists	Stale msDS-DeviceID — clear it in AD

Get-DeviceRegEvents.ps1

# Pull the last 50 User Device Registration events — run elevated
$logName = 'Microsoft-Windows-User Device Registration/Admin'
Get-WinEvent -LogName $logName -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap

# Filter to registration-critical event IDs only
$criticalIds = @(201, 220, 304, 305, 307, 335)
Get-WinEvent -LogName $logName -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in $criticalIds } |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ N='Summary'; E={ $_.Message -replace '\s+',' ' } } |
    Format-List

Step 3 — Primary Fix: dsregcmd /leave and Re-registration

For a single device stuck in Pending, the standard first-line fix is to clear the local device registration state and force a fresh attempt. This must be done in two separate sessions: the /leave in an elevated prompt, then triggering the scheduled task in the user context.

Warning: Running dsregcmd /leave will remove the device's existing Entra registration and PRT (Primary Refresh Token). Do not run this on a machine that is only Entra Joined (non-hybrid) — it will break sign-in. On Hybrid Join machines, the domain join is preserved and sign-in continues via NTLM/Kerberos.

Fix-HybridJoinSingle.ps1

# ── PHASE 1: Run in an ELEVATED PowerShell window ──────────────────────────

# Leave current registration
dsregcmd /leave

# Remove stale Workplace Join certificates from machine store
Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Issuer -like '*MS-Organization-Access*' -or
                   $_.Issuer -like '*MS-Organization-P2P-Access*' } |
    ForEach-Object {
        Write-Host "Removing cert: $($_.Subject) [$($_.Thumbprint)]" -ForegroundColor Yellow
        Remove-Item $_.PSPath -Force
    }

# Restart — required for TPM key attestation state to clear
Write-Host "Restarting in 30 seconds. Save your work." -ForegroundColor Cyan
Start-Sleep -Seconds 30
Restart-Computer -Force

# ── PHASE 2: After restart, in a NON-ELEVATED window (as the end user) ──────

# Trigger the Automatic-Device-Join scheduled task immediately
Start-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' `
                    -TaskName 'Automatic-Device-Join'

# Wait briefly then verify
Start-Sleep -Seconds 30
dsregcmd /status | Select-String -Pattern 'AzureAdJoined|DomainJoined|AzureAdPrt|DeviceId'

Step 4 — Stale Device Object Fix (msDS-DeviceID / Entra Connect Conflict)

If Event ID 335 appears, or if the device has been re-imaged without the old Entra object being deleted, the AD computer object may still carry a stale msDS-DeviceID attribute. Entra Connect projects this value, and Entra refuses to overwrite an existing DeviceID with a new key — the device registration attempt returns a conflict error.

Warning: The steps below modify Active Directory computer object attributes. Run from a domain controller or a machine with the AD PowerShell module (RSAT). Verify the computer name before clearing the attribute.

Clear-StaleDeviceID.ps1

Import-Module ActiveDirectory

$computerName = 'COMPUTER01'   # Replace with target hostname

# Inspect current values
$computer = Get-ADComputer $computerName -Properties 'msDS-DeviceID', 'msDS-KeyCredentialLink'
Write-Host "Current msDS-DeviceID : $($computer.'msDS-DeviceID')"
Write-Host "KeyCredentialLink count: $($computer.'msDS-KeyCredentialLink'.Count)"

# Clear the stale DeviceID so Entra Connect syncs a clean object
Set-ADComputer $computerName -Clear 'msDS-DeviceID'

# Optionally delete the stale Entra device object via Graph before next sync
# (requires Microsoft.Graph PowerShell module and Device.ReadWrite.All)
Connect-MgGraph -Scopes 'Device.ReadWrite.All'
$entraDevice = Get-MgDevice -Filter "displayName eq '$computerName'" -All |
    Where-Object { $_.TrustType -eq 'ServerAd' -and $_.ApproximateLastSignInDateTime -lt (Get-Date).AddDays(-30) }
if ($entraDevice) {
    Write-Host "Deleting stale Entra object: $($entraDevice.Id)" -ForegroundColor Yellow
    Remove-MgDevice -DeviceId $entraDevice.Id
}

# Trigger Entra Connect delta sync to project the cleaned object
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta

Tip — OU Move Scenario: If you recently moved a computer object to a different OU, Entra Connect's scoping filter may have excluded it temporarily. Run a Full Sync (Start-ADSyncSyncCycle -PolicyType Initial) from the Entra Connect server after an OU move. Delta syncs may not re-evaluate scoping filters for existing objects.

Step 5 — Workplace Join Certificate Conflict

A common but overlooked cause of persistent Pending is a leftover Workplace Join (WPJ) certificate in the machine's personal certificate store. These are issued under the subject MS-Organization-Access or MS-Organization-P2P-Access and conflict with the Hybrid Join device certificate. When dsregcmd /status shows WorkplaceJoined : YES, this is the likely culprit.

Navigate in certlm.msc (Local Computer certificates) to Personal > Certificates and look for certificates with those issuers. Alternatively, use the following script — it is included in the Phase 1 fix above but reproduced here for targeted use:

Remove-WPJCerts.ps1

# Run elevated — enumerates and removes WPJ/Hybrid cert conflicts
$storePaths = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My')
$conflictIssuers = @('MS-Organization-Access', 'MS-Organization-P2P-Access')

foreach ($storePath in $storePaths) {
    Write-Host "`nScanning: $storePath" -ForegroundColor Cyan
    Get-ChildItem $storePath -ErrorAction SilentlyContinue |
        Where-Object { $issuer = $_.Issuer; $conflictIssuers | Where-Object { $issuer -like "*$_*" } } |
        ForEach-Object {
            Write-Host "  [-] Removing: $($_.Subject) | Issued: $($_.NotBefore) | Thumbprint: $($_.Thumbprint)" -ForegroundColor Yellow
            Remove-Item $_.PSPath -Force
        }
}
Write-Host "`nDone. Restart the device then trigger Automatic-Device-Join task." -ForegroundColor Green

Step 6 — Bulk Remediation via Group Policy Startup Script

For large environments where dozens of devices are stuck in Pending — common after a mass re-image, an Entra Connect migration, or a tenant rename — a GPO startup script is the most practical remediation path. The script runs in the SYSTEM context at startup, performs the leave/cert-clean operation, and on next login the scheduled task fires automatically.

Create a new GPO, link it to the OU containing affected machines, and add the following script under Computer Configuration > Windows Settings > Scripts (Startup/Shutdown) > Startup. Use the PowerShell Scripts tab, not the legacy VBScript tab.

GPO-HybridJoinRemediation-Startup.ps1

#Requires -RunAsAdministrator
<#
   GPO Startup Script — Hybrid Join Remediation
   Runs ONCE per device. Sets a registry flag after success to prevent re-running.
   Link GPO to affected OU; remove link once all devices are remediated.
#>

$regPath  = 'HKLM:\SOFTWARE\IT\HybridJoinRemediation'
$regValue = 'RemediationComplete'
$logFile  = 'C:\Windows\Temp\HybridJoinFix.log'

function Write-Log {
    param([string]$Message)
    $ts = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss')
    "[$ts] $Message" | Tee-Object -FilePath $logFile -Append
}

# Skip if already remediated
if ((Get-ItemProperty $regPath -Name $regValue -ErrorAction SilentlyContinue).$regValue -eq 1) {
    Write-Log "Remediation already complete — skipping."
    exit 0
}

Write-Log "Starting Hybrid Join remediation on $env:COMPUTERNAME"

# Step 1 — Leave current Entra device registration
Write-Log "Running dsregcmd /leave"
$leaveResult = dsregcmd /leave 2>&1
Write-Log $leaveResult

# Step 2 — Remove conflicting WPJ certificates
Write-Log "Removing WPJ certificates from LocalMachine\My"
Get-ChildItem 'Cert:\LocalMachine\My' -ErrorAction SilentlyContinue |
    Where-Object { $_.Issuer -like '*MS-Organization*' } |
    ForEach-Object {
        Write-Log "  Removing: $($_.Subject) [$($_.Thumbprint)]"
        Remove-Item $_.PSPath -Force -ErrorAction SilentlyContinue
    }

# Step 3 — Enable the Automatic-Device-Join scheduled task if disabled
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' `
                          -TaskName 'Automatic-Device-Join' -ErrorAction SilentlyContinue
if ($task -and $task.State -eq 'Disabled') {
    Write-Log "Re-enabling Automatic-Device-Join task"
    Enable-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join'
}

# Step 4 — Mark complete so script doesn't re-run
if (-not (Test-Path $regPath)) { New-Item $regPath -Force | Out-Null }
Set-ItemProperty $regPath -Name $regValue -Value 1 -Type DWord

Write-Log "Remediation script complete. Device will re-register on next user login."

Monitoring bulk progress: After 24–48 hours, query Entra for devices still in Pending state using Get-MgDevice -Filter "trustType eq 'ServerAd' and accountEnabled eq false" — accountEnabled=false is how Entra surfaces the Pending state via Graph API. Cross-reference against your AD OU scope to measure remediation progress.

Step 7 — Force Entra Connect Delta Sync

After clearing stale AD attributes or deleting an old Entra device object, you need Entra Connect to re-project the computer object before the device's registration attempt will succeed. A delta sync is sufficient for attribute changes; an initial sync is needed after OU scope changes.

Invoke-EntraConnectSync.ps1

# Run on the Entra Connect server — requires ADSync module
Import-Module ADSync

# Attribute changes (msDS-DeviceID cleared, object deleted/recreated)
Start-ADSyncSyncCycle -PolicyType Delta
Write-Host "Delta sync triggered. Check status:"

# Monitor sync status
Get-ADSyncConnectorRunStatus

# OU scope changes — use Initial (full) sync
# Start-ADSyncSyncCycle -PolicyType Initial

# Check last sync errors
Get-ADSyncRunStepResult | Where-Object { $_.StepResult -ne 'Success' } |
    Select-Object ConnectorName, RunProfileName, StepResult, StartDateTime, EndDateTime |
    Format-Table -AutoSize

Step 8 — Final Verification

A successful Hybrid Entra Join shows both AzureAdJoined : YES and DomainJoined : YES in dsregcmd /status. After a successful registration the Entra portal changes the device's Join Type from Pending to Hybrid Azure AD joined within minutes of the next Entra Connect delta sync.

Verify-HybridJoin.ps1

# Run as the logged-on user (non-elevated) for full PRT state
$raw = dsregcmd /status

$checks = @{
    'AzureAdJoined'    = 'YES'
    'DomainJoined'     = 'YES'
    'WorkplaceJoined'  = 'NO'
    'AzureAdPrt'       = 'YES'
}

$allPass = $true
foreach ($check in $checks.GetEnumerator()) {
    $line   = $raw | Select-String "^\s+$($check.Key)\s+:"
    $actual = if ($line) { ($line -split ':', 2)[1].Trim() } else { 'NOT FOUND' }
    $pass   = $actual -eq $check.Value
    $colour = if ($pass) { 'Green' } else { 'Red' ; $allPass = $false }
    Write-Host ("  {0,-20} Expected: {1,-4}  Actual: {2}" -f $check.Key, $check.Value, $actual) -ForegroundColor $colour
}

if ($allPass) {
    Write-Host "`n[PASS] Device is Hybrid Entra Joined and PRT acquired." -ForegroundColor Green
} else {
    Write-Host "`n[FAIL] One or more checks failed. Review above output." -ForegroundColor Red
}

Success indicators: AzureAdJoined = YES, DomainJoined = YES, WorkplaceJoined = NO, AzureAdPrt = YES, and a populated DeviceId GUID. The device should now appear in the Entra portal as Hybrid Azure AD joined (not Pending) within one delta sync cycle (~30 minutes by default).

Network Prerequisites Checklist

If devices consistently fail to leave Pending despite the above steps, verify network reachability from the machine to the DRS endpoints. These are required for the registration handshake to complete. See the official Microsoft Hybrid Join verification guide for the complete endpoint list.

Endpoint	Port	Purpose
enterpriseregistration.windows.net	443	Device Registration Service
login.microsoftonline.com	443	Azure AD authentication
device.login.microsoftonline.com	443	Device token endpoint
autologon.microsoftazuread-sso.com	443	Seamless SSO (if enabled)
crl.microsoft.com / ocsp.msocsp.com	80 / 443	Certificate revocation

SSL Inspection Warning: If your proxy performs TLS inspection, the DRS endpoints must be bypassed. The device registration handshake includes certificate pinning and mutual TLS elements that break when intercepted by a corporate proxy. Add enterpriseregistration.windows.net and login.microsoftonline.com to your SSL inspection bypass list.

Community Resources and Further Reading

The official Microsoft documentation for this scenario is thorough but dense. Beyond the docs, the community fills important gaps. Rudy Ooms (call4cloud.nl) is one of the most referenced Microsoft MVPs in the Intune and Entra device management space — his blog posts on device registration internals, the Azure AD device object lifecycle, and dsregcmd output interpretation are required reading if you are troubleshooting edge cases not covered by Microsoft's official guidance. His posts on PRT acquisition failures and certificate store conflicts in particular align closely with what this guide covers.

Official Microsoft references for this topic:

Troubleshoot pending device state in Entra ID — learn.microsoft.com
Troubleshoot Hybrid Entra Join for Windows current devices — learn.microsoft.com
Verify Hybrid Entra Join configuration — learn.microsoft.com

Entra Hybrid Join Stuck in Pending State — Complete Fix Guide