Azure AD registration “Pending” issue – User certificate not found error

Hello friends

Hope you all are doing good. I am going to discuss a hybrid Azure AD join issue where the device gets stuck in the "Pending" state, as in the screenshot below:

We will discuss the possible cause and then the resolution. So let's get started.

The hybrid Azure AD join task must be configured using Configure device options in Azure AD Connect.

This action syncs the on-premises computer object to Azure AD. The resulting device object first shows up in the "Pending" state and becomes registered once the device itself completes the join. However, there are times when the device stays stuck in the Pending state. This can happen with new devices as well as existing ones.

How to check the issue

  1. Start by checking the device registration status in Azure portal > Azure Active Directory > Devices > All devices. The screenshot is attached at the top.
  2. Once you confirm that the device is in the Pending state, log in to the device and run dsregcmd /status in a command prompt. A value of "NO" for AzureAdJoined indicates the device is not joined to Azure AD (DomainJoined should still be "YES" on a hybrid device).
  3. Scroll down towards the end and you will find the error in the Diagnostic Data section. The server message is "The user certificate is not found on device".
  4. The hybrid join process also creates the Automatic-Device-Join task in Task Scheduler under Microsoft > Windows > Workplace Join. Check its Last Run Result for an error code (0x0 means the last run succeeded).
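The four checks above collected by one script, so the join state, the server message, the task's last run result and the contents of userCertificate can be compared side by side. This is an added example, not a script from the original post. It assumes it is run in an elevated PowerShell session on the affected domain-joined device; the userCertificate check needs the RSAT ActiveDirectory module and is skipped if that module is not installed.

```powershell
# Added diagnostic helper (not part of the original post).
# Assumes: elevated PowerShell on the affected hybrid device; RSAT ActiveDirectory
# module present for the userCertificate check (skipped otherwise).
function Get-HybridJoinDiagnostics {
    [CmdletBinding()]
    param(
        [string]$TaskPath = '\Microsoft\Windows\Workplace Join\',
        [string]$TaskName = 'Automatic-Device-Join'
    )

    $result = [ordered]@{}

    # Check 2 and 3: join state and the server message from dsregcmd /status.
    $status = (& dsregcmd.exe /status) -join "`n"
    foreach ($key in 'AzureAdJoined', 'DomainJoined', 'DeviceId', 'TenantName') {
        if ($status -match "(?m)^\s*$key\s*:\s*(.+?)\s*$") { $result[$key] = $Matches[1] }
    }
    # The page's symptom: "The user certificate is not found on device" in Diagnostic Data.
    $result['UserCertNotFound'] = [bool]($status -match 'user certificate is not found')

    # Check 4: last run result of the Automatic-Device-Join task (0x00000000 = success).
    $task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction Stop
    $info = $task | Get-ScheduledTaskInfo
    $result['TaskLastRunTime']   = $info.LastRunTime
    $result['TaskLastRunResult'] = '0x{0:X8}' -f $info.LastTaskResult

    # Root-cause check: decode every value of the computer object's userCertificate attribute
    # (same data as ADUC > Attribute Editor > userCertificate) so you can see what was synced.
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Import-Module ActiveDirectory
        $computer = Get-ADComputer -Identity $env:COMPUTERNAME -Properties userCertificate
        $result['UserCertificates'] = @(
            foreach ($raw in $computer.userCertificate) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
                [pscustomobject]@{
                    Thumbprint = $cert.Thumbprint
                    Subject    = $cert.Subject
                    NotBefore  = $cert.NotBefore
                    NotAfter   = $cert.NotAfter
                }
            }
        )
    } else {
        $result['UserCertificates'] = 'ActiveDirectory module not available; check Attribute Editor manually'
    }

    [pscustomobject]$result
}

Get-HybridJoinDiagnostics | Format-List
```

The combination to look for is AzureAdJoined "NO", DomainJoined "YES", UserCertNotFound true and a non-zero task result; an empty UserCertificates list, or one whose NotBefore is older than the device's last rebuild, points at the certificate problem described in the next section.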

Root cause and resolution

The Automatic-Device-Join task creates a self-signed certificate for the device when it runs and writes it to the computer object's userCertificate attribute in on-premises Active Directory, from where Azure AD Connect syncs it to Azure AD. If this certificate is not created, or is modified or regenerated before the device completes the join, the certificate synced to Azure AD no longer matches the one the device holds and you get the user certificate error. You can inspect the certificate in Active Directory Users and Computers > computer object properties > Attribute Editor > userCertificate.

Note: Please enable Advanced Features from View tab to see Attribute Editor.

To resolve the issue follow these steps:

  1. Delete the certificate from the userCertificate attribute if it is already there.
  2. Delete the pending device object in Azure AD.
  3. Run Start-ADSyncSyncCycle -PolicyType Initial from PowerShell on the Azure AD Connect server. This re-syncs the device. Ensure that the Azure AD Connect wizard is closed, otherwise the sync cycle will not start.
  4. Run the Automatic-Device-Join task from Task Scheduler. The task has a schedule trigger too, but we ran it manually to resolve the issue. This time the Last Run Result should be successful (0x0).
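The same four steps as one scripted, confirmable run. This is an added example, not the original post's procedure in code form, and it makes a few assumptions: it is run on the affected device with the RSAT ActiveDirectory module installed (steps 1 and 4); the Microsoft.Graph PowerShell SDK is installed and the signed-in account holds Device.ReadWrite.All (step 2); $AadConnectServer is your Azure AD Connect server, reachable over WinRM, with the Azure AD Connect wizard closed (step 3). Every destructive step goes through ShouldProcess, so -WhatIf shows what would be touched before anything is deleted.

```powershell
# Added remediation script (not part of the original post). Assumptions are in the
# lead-in: run on the affected device; RSAT AD + Microsoft.Graph installed; WinRM to
# the Azure AD Connect server; Azure AD Connect wizard closed.
function Repair-PendingHybridJoin {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$AadConnectServer,
        [string]$DeviceName = $env:COMPUTERNAME,
        [string]$TaskPath = '\Microsoft\Windows\Workplace Join\',
        [string]$TaskName = 'Automatic-Device-Join'
    )

    Import-Module ActiveDirectory
    Import-Module Microsoft.Graph.Identity.DirectoryManagement

    # Step 1: clear the stale self-signed certificate from the on-prem computer object.
    $computer = Get-ADComputer -Identity $DeviceName -Properties userCertificate
    if ($computer.userCertificate.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($computer.DistinguishedName, 'Clear userCertificate')) {
        Set-ADComputer -Identity $computer -Clear userCertificate
    }

    # Step 2: delete the pending device object(s) with this name in Azure AD via Graph.
    Connect-MgGraph -Scopes 'Device.ReadWrite.All'
    $pending = Get-MgDevice -Filter "displayName eq '$DeviceName'"
    foreach ($d in $pending) {
        if ($PSCmdlet.ShouldProcess("$($d.DisplayName) ($($d.Id))", 'Remove Azure AD device')) {
            Remove-MgDevice -DeviceId $d.Id
        }
    }

    # Step 3: initial (full) sync cycle on the Azure AD Connect server, and wait for it
    # to finish so the device does not try to register against a half-synced object.
    if ($PSCmdlet.ShouldProcess($AadConnectServer, 'Start-ADSyncSyncCycle -PolicyType Initial')) {
        Invoke-Command -ComputerName $AadConnectServer -ScriptBlock {
            Import-Module ADSync
            Start-ADSyncSyncCycle -PolicyType Initial
            while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 15 }
        }
    }

    # Step 4: run the join task, wait for it, and report the result (0x00000000 = success)
    # together with the current AzureAdJoined value from dsregcmd /status.
    if ($PSCmdlet.ShouldProcess($TaskName, 'Start scheduled task')) {
        Start-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName
        do {
            Start-Sleep -Seconds 5
            $task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName
        } while ($task.State -eq 'Running')
        $info = $task | Get-ScheduledTaskInfo
        $status = (& dsregcmd.exe /status) -join "`n"
        [pscustomobject]@{
            LastRunTime   = $info.LastRunTime
            LastRunResult = '0x{0:X8}' -f $info.LastTaskResult
            AzureAdJoined = [bool]($status -match '(?m)^\s*AzureAdJoined\s*:\s*YES')
        }
    }
}

# Dry run first, then for real. 'AADC01' is a placeholder for your Azure AD Connect server.
Repair-PendingHybridJoin -AadConnectServer 'AADC01' -WhatIf
Repair-PendingHybridJoin -AadConnectServer 'AADC01'
```

A successful task run does not by itself mean AzureAdJoined flips to YES straight away: the task writes a fresh certificate into userCertificate, and Azure AD Connect has to sync that value before the device can finish registering, so expect to wait for the next delta sync cycle (30 minutes by default) before re-checking dsregcmd /status.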

And bingo, your device should be registered in Azure AD in some time. The task writes a fresh certificate to userCertificate, and Azure AD Connect has to sync it before registration completes, so allow for the next delta sync cycle.

So that was all in this post. Next week is colorful Holi, so Happy Holi in advance. Enjoy your day 🙂

See you soon with some other tech post. Till then, signing off.
