Find pending Hybrid Joined Devices

Some time ago I had a troubleshooting case at one of our customers: The environment was configured for Hybrid Azure AD joined devices. We discovered that a small subset of all devices (<1%) had issues joining the Azure AD tenant correctly. We found the root cause and we even had a local fix for the problem. The challenge now was to detect all the affected devices in a huge list.

In the Azure AD portal, you can see the affected devices as “Pending” in the Azure AD device list:

Screenshot of the Azure AD Portal: Pending Devices

Big problem: In the PowerShell scripting APIs, there is no easy way to search specifically for pending hybrid joined devices! In fact, there is just no way to get the values that you see in the portal column “Registered”: neither the date nor the “Pending” state…

OK, here is what you can try: Search for devices that have these two attributes NOT set: DeviceObjectVersion and ApproximateLastLogonTimestamp:

Get-AzureADDevice -All $true | Where {($_.DeviceObjectVersion -eq $null) -and ($_.ApproximateLastLogonTimestamp -eq $null) } | Select DisplayName,ObjectId

That will show you a list of devices that are probably in a pending state.

Screenshot with Powershell CmdLets

Please note that the list you retrieve with this PowerShell one-liner is not 100% accurate. Some of the shown devices might be false positives that are not actually in a pending state. But the hit rate should be quite good (>95%). And there are no false negatives: In all environments where we used this script, every device in the pending state was in the list.

The Microsoft solution – accurate but slow

According to Microsoft Support, the only way to be 100% sure about the Hybrid Join state of the devices is a WinRM script which scans all the workstations remotely to detect any problems: https://gallery.technet.microsoft.com/Hybrid-Azure-AD-Joined-0ea7e778
With it, you could indeed find all pending hybrid joined devices. But in most cases, this WinRM script is not usable in practice, because it has prerequisites: the machines need to have the WinRM service running and port 5985 opened (or the firewall disabled). And it will take a very long time if you have thousands of devices.

So in our case, the handy one-liner with Get-AzureADDevice did its job quite well and much faster.

The root cause for pending devices

By the way, the reason for pending state Azure AD Hybrid Joined devices in this environment was the local scheduled task – it could not run correctly on the affected machines (GPO handling errors, the task was configured as disabled, could not impersonate as local system, etc.).

Screenshot with Hybrid Azure AD Join Task
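As an added example that is not part of the original post, here is the one-liner wrapped into two helper functions: one returns the cloud-side candidate list together with the attributes the heuristic relies on (so false positives can be reviewed before anyone acts on them), the other is a local check on a suspected machine for the scheduled task named above as the root cause. It assumes the AzureAD module is loaded and Connect-AzureAD has already been run; the DeviceTrustType value 'ServerAd' and the task path and name are assumptions as well, not values taken from the post.

```powershell
# Added example, not code from the original post.
# Assumes: AzureAD module installed and Connect-AzureAD already run.
# DeviceTrustType 'ServerAd' and the task path/name below are assumptions.

function Get-PendingHybridJoinCandidate {
    # Applies the post's heuristic (both attributes unset) and returns rich
    # objects so the reviewer can spot likely false positives before acting.
    param(
        [switch]$HybridOnly   # additionally require DeviceTrustType = ServerAd (assumption)
    )
    Get-AzureADDevice -All $true |
        Where-Object {
            $null -eq $_.DeviceObjectVersion -and
            $null -eq $_.ApproximateLastLogonTimestamp -and
            (-not $HybridOnly -or $_.DeviceTrustType -eq 'ServerAd')
        } |
        Select-Object DisplayName, ObjectId, DeviceId, DeviceTrustType,
                      DeviceOSType, DeviceOSVersion
}

function Test-HybridJoinTaskState {
    # Local-side check on one suspected machine: is the join task present and
    # enabled, and does dsregcmd report the device as Azure AD joined?
    # Task path and name are assumptions about the built-in Workplace Join task.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' `
                              -TaskName 'Automatic-Device-Join' `
                              -ErrorAction SilentlyContinue
    $status = (& dsregcmd.exe /status) -join "`n"
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        TaskFound     = [bool]$task
        TaskState     = if ($task) { $task.State.ToString() } else { 'missing' }
        AzureAdJoined = [bool]($status -match 'AzureAdJoined\s*:\s*YES')
        DomainJoined  = [bool]($status -match 'DomainJoined\s*:\s*YES')
    }
}

# Usage: export the candidate list for review, then run the local check on
# a few of the listed machines to confirm the scheduled-task root cause.
Get-PendingHybridJoinCandidate -HybridOnly |
    Export-Csv -Path .\pending-hybrid-join-candidates.csv -NoTypeInformation
Test-HybridJoinTaskState
```

A device that shows up in the CSV and reports TaskFound false or TaskState 'Disabled' locally matches the root cause described above; one that reports AzureAdJoined true is most likely one of the heuristic's false positives.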
