When Windows devices get stuck in a Pending state during Hybrid Azure AD Join, Intune enrollment never completes and the device remains only partially registered. This usually shows up when a device appears as Entra Registered but never transitions to Hybrid Azure AD Joined.

Quick Fix Checklist (Try in This Order)
Before deep troubleshooting, check these common blockers:
- Run dsregcmd /status and confirm join state
- Verify Automatic-Device-Join scheduled task
- Confirm device OU is synced in Microsoft Entra Connect
- Ensure Microsoft registration endpoints are reachable
- Re-register the device using dsregcmd /leave and /join
If the device still shows Pending, continue below.
What Does “Pending” Mean in Hybrid Azure AD Join?
A Pending status means the device has started registration but failed to complete the full Hybrid Join process. In most cases:
- The device is domain joined
- The device is Entra Registered
- Hybrid join token exchange or device writeback failed
At this stage, Intune waits for the join to complete, but never receives confirmation.
Hybrid Azure AD Join vs Entra Registered (Key Difference)
This is critical for troubleshooting:
- Entra Registered: Partial registration only. Device identity exists, but it is not trusted for Hybrid Join.
- Hybrid Azure AD Joined: Full trust established between Active Directory and Entra ID. Required for Intune auto-enrollment in hybrid setups.
If a device remains Entra Registered, it will stay Pending in Intune.
Why Hybrid Azure AD Join Gets Stuck During Intune Enrollment
The most common root causes include:
- Automatic Device Join scheduled task not running
- OU not included in Entra Connect sync scope
- Network or proxy blocking Microsoft registration endpoints
- Broken or stale Workplace Join artifacts
- Group Policy not applying MDM auto-enrollment
- Time skew or certificate validation failure
These issues usually occur locally on the device, not in the cloud.
Check Device Registration Status Using dsregcmd
On the affected device, open Command Prompt as Administrator and run:
dsregcmd /status
Expected Output When Hybrid Join Is Stuck
| Field | Value | Meaning |
|---|---|---|
| DomainJoined | YES | Device is joined to Active Directory |
| AzureAdJoined | NO | Hybrid join not completed |
| WorkplaceJoined | YES | Partial / broken registration |
This confirms the device started registration but never finished Hybrid Join.
How to Read dsregcmd Output When Hybrid Join Is Failing
Pay close attention to these fields:
- AzureAdJoined: NO
  - Indicates Entra ID registration failed or never finalized.
- WorkplaceJoined: YES
  - Usually means old or incomplete device artifacts exist.
- DeviceAuthStatus: FAILED
  - Token acquisition, certificate, or network issue.
These values point directly to local registration failure.
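The field checks above can be scripted so the same reading is applied on every affected device. This is an added example, not part of the original article: the function names ConvertFrom-DsregStatus and Get-HybridJoinVerdict are hypothetical, and the sample text is constructed.

```powershell
# Added example: parse dsregcmd /status text and classify the join state.
# $sample is constructed for illustration; it is not captured from a real device.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : YES
'@

function ConvertFrom-DsregStatus {
    # No Mandatory here: real dsregcmd output contains empty lines,
    # which a mandatory [string[]] parameter would reject.
    param([string[]]$Text)
    $fields = @{}
    foreach ($line in ($Text -split '\r?\n')) {
        # Field lines look like "   AzureAdJoined : NO"; banner lines do not match.
        if ($line -match '^\s*([A-Za-z]\w*)\s+:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    return $fields
}

function Get-HybridJoinVerdict {
    param([hashtable]$Fields)
    $findings = @()
    if ($Fields['WorkplaceJoined'] -eq 'YES') {
        $findings += 'WorkplaceJoined is YES: old or incomplete device artifacts may exist'
    }
    if ("$($Fields['DeviceAuthStatus'])" -like 'FAILED*') {
        $findings += 'DeviceAuthStatus FAILED: token acquisition, certificate, or network issue'
    }
    $state = if ($Fields['DomainJoined'] -ne 'YES') {
        'Not domain joined'
    } elseif ($Fields['AzureAdJoined'] -eq 'YES') {
        'Hybrid Azure AD Joined'
    } else {
        'Pending: domain joined but AzureAdJoined is NO'
    }
    [pscustomobject]@{ State = $state; Findings = $findings }
}

# On a live device use: ConvertFrom-DsregStatus (dsregcmd /status)
Get-HybridJoinVerdict -Fields (ConvertFrom-DsregStatus $sample) | Format-List
```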
Confirm Network Access to Microsoft Registration Endpoints
Hybrid join requires uninterrupted access to Microsoft identity services.
Ensure these URLs are reachable over HTTPS:
https://enterpriseregistration.windows.net
https://login.microsoftonline.com
SSL inspection, restrictive firewalls, or proxy authentication often block device registration tokens and silently break Hybrid Join.
Manually Re-register the Device (Most Effective Fix)
If the device is stuck, force a clean registration:
dsregcmd /leave
dsregcmd /join
Then reboot the system and run:
dsregcmd /status
In most cases, this immediately transitions the device to Hybrid Azure AD Joined.
Verify the Automatic-Device-Join Scheduled Task
The Hybrid Join process is triggered by a scheduled task.
Go to:
Task Scheduler → Microsoft → Windows → Workplace Join
Check Automatic-Device-Join:
- Status: Ready
- Last Run Result: Successful
If needed, right-click and run it manually.
If this task never runs, the device will remain Pending indefinitely.
Review Group Policy for MDM Auto-Enrollment
Hybrid join alone is not enough — Intune auto-enrollment must also apply.
Check this policy:
Computer Configuration
→ Administrative Templates
→ Windows Components
→ MDM
→ Enable automatic MDM enrollment using default Azure AD credentials
Ensure:
- Policy is Enabled
- Applied to the correct device OU
Confirm OU Sync Scope in Microsoft Entra Connect
Devices located in excluded OUs will never complete Hybrid Join.
Open Microsoft Entra Connect and verify:
- OU filtering includes the device’s OU
- No sync errors are present
- Device objects are syncing successfully
OU misconfiguration is one of the most overlooked causes.
Check Event Viewer for Hybrid Join Errors
On the device, open:
Event Viewer
→ Applications and Services Logs
→ Microsoft
→ Windows
→ User Device Registration
→ Admin
Common Event IDs
| Event ID | Description |
|---|---|
| 304 | Device registration failure |
| 307 | Token or authentication issue |
| 404 | Sync or policy failure |
These logs often reveal the exact cause of the pending state.
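The scheduled task check and the event log review described above can be collected in one pass from an elevated PowerShell prompt on the affected device. This is an added example, not part of the original article; the seven-day lookback is an assumption, and the event IDs are the ones listed in the table.

```powershell
# Added example: local triage of the Automatic-Device-Join task and the
# User Device Registration log. Reads local state only; changes nothing.
$taskPath = '\Microsoft\Windows\Workplace Join\'
$taskName = 'Automatic-Device-Join'
$logName  = 'Microsoft-Windows-User Device Registration/Admin'
$eventIds = 304, 307, 404            # IDs from the table above
$since    = (Get-Date).AddDays(-7)   # assumption: look back one week

$task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
if (-not $task) {
    Write-Warning "Scheduled task '$taskName' was not found under $taskPath"
} else {
    $info = $task | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Task        = $taskName
        State       = $task.State
        LastRunTime = $info.LastRunTime
        LastResult  = '0x{0:X8}' -f $info.LastTaskResult
        # Matches the article's criteria: Status Ready, last run successful (0).
        Healthy     = ($task.State -eq 'Ready' -and $info.LastTaskResult -eq 0)
    } | Format-List
}

# Get-WinEvent raises an error when nothing matches, so suppress it and test the result.
$filter = @{ LogName = $logName; Id = $eventIds; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Output "No events with IDs $($eventIds -join ', ') since $since"
} else {
    $events | Group-Object Id | Sort-Object Count -Descending | ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            EventId = $_.Name
            Count   = $_.Count
            Latest  = $latest.TimeCreated
            # First line of the newest message usually carries the error summary.
            Message = ("$($latest.Message)" -split '\r?\n')[0]
        }
    } | Format-Table -AutoSize -Wrap
}
```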
Validate System Time and Device Certificates
Hybrid Join relies on certificate-based trust.
- Ensure system time matches domain time (within 5 minutes)
- Check device certificates under:
certmgr.msc → Personal → Certificates
Expired or missing certificates can invalidate device authentication.
How to Confirm Hybrid Join Status in Microsoft Intune
After fixes are applied:
- Go to Microsoft Intune Admin Center
- Navigate to Devices → Windows
- Check:
  - Join Type: Hybrid Azure AD joined
  - Enrollment Status: Enrolled / Compliant
Allow 15–30 minutes for sync after successful registration.
Final Verification Checklist
Run dsregcmd /status and confirm:
- DomainJoined: YES
- AzureAdJoined: YES
- Device State: Hybrid Joined
Then verify the device appears in Microsoft Entra ID → Devices with Join Type set to Hybrid Azure AD joined.
FAQs
Why is Hybrid Azure AD Join stuck in pending?
Hybrid Azure AD Join gets stuck in pending when device registration starts but fails to complete due to local issues such as dsregcmd registration failure, Automatic-Device-Join task errors, blocked Microsoft endpoints, or the device OU not being synced in Entra Connect.
How long should Hybrid Azure AD Join take to complete?
Hybrid Azure AD Join usually completes within 5 to 30 minutes, and if the device remains pending beyond this time, it typically indicates a registration failure rather than a normal synchronization delay.
Can a device be Entra Registered but not Hybrid Azure AD Joined?
Yes, a device can appear as Entra Registered but still fail Hybrid Azure AD Join, which is one of the most common reasons devices remain stuck in a pending state during Intune enrollment.
Does dsregcmd fix Hybrid Azure AD Join stuck in pending?
In most cases, running dsregcmd /leave followed by dsregcmd /join forces a clean re-registration and successfully resolves Hybrid Azure AD Join stuck in pending.
What does AzureAdJoined NO mean in dsregcmd?
If dsregcmd /status shows AzureAdJoined as NO, it means the device did not complete Entra ID registration, which directly explains why Hybrid Azure AD Join remains in a pending state.
Why does Intune enrollment stay pending after Hybrid Azure AD Join?
Intune enrollment stays pending when MDM auto-enrollment Group Policy is not applied, the device OU is incorrect, or Hybrid Azure AD Join never fully completes on the device.
Which scheduled task is required for Hybrid Azure AD Join?
Hybrid Azure AD Join depends on the Automatic-Device-Join scheduled task under Microsoft → Windows → Workplace Join, and if this task does not run successfully, the device will remain pending.
Can OU filtering in Entra Connect cause Hybrid Azure AD Join pending?
Yes, if the device’s OU is excluded from Entra Connect synchronization, Hybrid Azure AD Join cannot complete because the device object never reaches Entra ID.
Do proxies or firewalls affect Hybrid Azure AD Join?
Proxies, SSL inspection, or blocked access to Microsoft registration endpoints can silently interrupt Hybrid Azure AD Join and cause devices to remain stuck in a pending state.
How do I confirm Hybrid Azure AD Join is fixed?
Hybrid Azure AD Join is fixed when dsregcmd /status shows AzureAdJoined as YES, the device appears as Hybrid Azure AD joined in Entra ID, and Intune shows the device as enrolled and syncing normally.
When Hybrid Azure AD Join is stuck in a Pending state, the issue is almost always caused by local device registration failure, not Entra ID or Intune itself. Checking dsregcmd, validating the scheduled task, confirming OU sync, and re-registering the device resolves the problem in the majority of environments.
