We got a call about four devices that wouldn't complete Entra hybrid join. All of them showed "Pending" in Entra ID—not a per-device problem, but something systemic affecting the whole batch.

Initial Observations

Running dsregcmd /status on one of the devices (L30148) confirmed it wasn't actually joined to Entra yet. This wasn't a display glitch—the device genuinely hadn't completed registration.

One of those four had come through a recent migration that involved ForensIT, and it threw TPM error 0x8009000B during the process. That's an NGC (Next Generation Credential) key binding failure—basically the device's NGC container got broken during migration and couldn't re-establish trust with Entra.

What We Were Trying

The environment was set up for Entra-only joined devices to map on-premises drives using Cloud Kerberos Trust. This is the approach Microsoft outlined in a November 2024 KB article—it lets you skip hybrid join entirely for some devices while still getting on-prem connectivity.

But that doesn't explain why these four devices were stuck in Pending. If they were meant to be Entra-only, they shouldn't be trying to hybrid join at all.

Where We Looked

We started with the basics:

  • Service Connection Point (SCP) — We needed to verify it was configured correctly for hybrid join discovery.
  • Entra Connect device options — Check that the sync rules and device writeback settings made sense for this batch.
  • dsregcmd /debug — Get verbose logs from L30148 to see exactly where registration was failing.

A delta sync didn't clear the Pending status, so it wasn't a temporary sync delay.

What We Didn't Get To

The call ended before we could dig into the dsregcmd output or verify the SCP configuration. A networking issue on their side interrupted us mid-investigation.

Next Steps If You Hit This

If you see all devices in a cohort stuck in Pending:

  1. Run dsregcmd /status on one device to confirm it's actually not joined yet—not just a display lag.
  2. Check your SCP configuration. The Service Connection Point in your on-prem AD configuration partition (or the client-side registry override) must point at the right Entra tenant; a stale or wrong tenant there stalls every device in the batch.
  3. Review your Entra Connect device writeback rules. Make sure you're not filtering out these devices accidentally.
  4. If any devices came through a migration (especially one involving TPM operations), run dsregcmd /debug and look for NGC key binding failures or trust issues.
  5. Rule out whether these devices should actually be hybrid joined at all—or if they're supposed to be Entra-only with Cloud Kerberos Trust instead.

The systemic nature of the failure points to configuration or discovery, not individual device corruption. Start at the infrastructure layer.
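The checklist above is easy to run by hand on one device but tedious across a batch, so here is an added PowerShell triage script that walks steps 1 through 4 on the device it runs on. It is example code written for this page, not a script from the original post or from ITCC. It assumes it runs elevated on the stuck device, that the RSAT ActiveDirectory module is available, and that a domain controller is reachable. The only non-obvious values it relies on are well known: the SCP object GUID 62a0ff2e-97b9-4ae1-bb1a-c8e7f9bdd2b0 under "Device Registration Configuration" in the configuration partition, its azureADId:/azureADName: keywords, and the client-side SCP override under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD. It parses dsregcmd /status rather than eyeballing it, surfaces the last registration error (including the 0x8009000B TPM/NGC case), and compares the tenant the device thinks it belongs to against the tenant the SCP names, which is exactly the stale-registration pattern described under "Where This Breaks in Production".

```powershell
# Added triage helper; not code from the original post or from ITCC. Assumes it
# runs elevated on the stuck device, that the RSAT ActiveDirectory module is
# installed, and that a domain controller is reachable.

function Get-DsregState {
    # Parse "Key : Value" lines from dsregcmd /status into a hashtable.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Get-ScpTenant {
    # Read the forest-level Service Connection Point used for hybrid join discovery.
    Import-Module ActiveDirectory -ErrorAction Stop
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $scpDn = "CN=62a0ff2e-97b9-4ae1-bb1a-c8e7f9bdd2b0,CN=Device Registration Configuration,CN=Services,$configNc"
    $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop
    $result = @{ Source = 'AD SCP'; TenantId = $null; TenantName = $null }
    foreach ($kw in $scp.keywords) {
        if ($kw -match '^azureADId:(.+)$')   { $result.TenantId   = $matches[1] }
        if ($kw -match '^azureADName:(.+)$') { $result.TenantName = $matches[1] }
    }
    return $result
}

function Get-ClientScpOverride {
    # A registry-based SCP on the client takes precedence over the AD SCP.
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'
    if (-not (Test-Path $path)) { return $null }
    $p = Get-ItemProperty -Path $path
    return @{ Source = 'client registry SCP'; TenantId = $p.TenantId; TenantName = $p.TenantName }
}

function Invoke-HybridJoinTriage {
    $ds = Get-DsregState
    $findings = New-Object System.Collections.Generic.List[string]

    # Step 1: is the device really not joined, or is the portal just lagging?
    if ($ds['AzureAdJoined'] -ne 'YES') {
        $findings.Add("AzureAdJoined=$($ds['AzureAdJoined']): Pending is real, the device has not registered.")
    }
    if ($ds['DomainJoined'] -ne 'YES') {
        $findings.Add('DomainJoined is not YES: hybrid join cannot start without a domain join.')
    }

    # Step 4: surface the last registration error, including the TPM/NGC case.
    foreach ($k in 'Error Phase', 'Client ErrorCode', 'Server ErrorCode', 'Server Message') {
        if ($ds[$k]) { $findings.Add("$k = $($ds[$k])") }
    }
    if ("$($ds['Client ErrorCode'])" -match '0x8009000B') {
        $findings.Add('0x8009000B (NTE_BAD_KEY_STATE): NGC key binding failed; this is device-side key state, not sync.')
    }

    # Steps 2-3: compare the tenant the device registered against with the SCP.
    $expected = Get-ClientScpOverride
    if ($expected) {
        $findings.Add("Client-side SCP override present: $($expected.TenantName) ($($expected.TenantId))")
    } else {
        try { $expected = Get-ScpTenant }
        catch { $findings.Add("Could not read AD SCP: $($_.Exception.Message)") }
    }
    if ($expected -and $expected.TenantId -and $ds['TenantId'] -and
        $ds['TenantId'] -ne $expected.TenantId) {
        $findings.Add("Tenant mismatch: device holds $($ds['TenantId']) but the $($expected.Source) names $($expected.TenantId); stale registration from a previous tenant or domain.")
    }

    # Recent errors from the device registration admin log (last 24 hours).
    $filter = @{ LogName = 'Microsoft-Windows-User Device Registration/Admin'; Level = 2; StartTime = (Get-Date).AddDays(-1) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in ($events | Select-Object -First 5)) {
        $findings.Add("[$($e.TimeCreated)] Event $($e.Id): $(($e.Message -split "`r?`n")[0])")
    }

    [pscustomobject]@{
        Device       = $env:COMPUTERNAME
        TenantId     = $ds['TenantId']
        TenantName   = $ds['TenantName']
        NgcSet       = $ds['NgcSet']
        TpmProtected = $ds['TpmProtected']
        AzureAdPrt   = $ds['AzureAdPrt']
        Findings     = $findings
    }
}

Invoke-HybridJoinTriage | Format-List
```

Run it on each of the stuck devices and compare the Findings lists. If every device reports the same tenant mismatch or the same SCP read failure, the problem is at the discovery layer, as the post argues; if only the migrated device reports the 0x8009000B key-state error, that one needs device-side attention on top of whatever the batch-wide fix turns out to be. Step 5 (whether the devices should be hybrid joined at all) is a design question and is deliberately left to the operator.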

Where This Breaks in Production

This doesn't show up in greenfield deployments.

It shows up in hybrid environments where:

  • Devices have been domain-joined, unjoined, migrated, or re-imaged — and the previous Entra registration state was never properly cleaned up
  • Third-party migration tools (ForensIT, USMT, others) were involved in a domain migration, leaving TPM state from the previous join intact
  • The AAD Connect sync is healthy and the device shows in Entra, but the registration state on the device itself doesn't match

The sync looks correct. Entra shows the device. But the device's local registration state points to the old tenant or old domain, and every re-registration attempt fails silently or loops back to Pending.

If This Is Happening in Your Environment

Hybrid Join issues at scale are rarely a sync problem.

They're usually a sign that device state — TPM registration, cached credentials, previous domain artifacts — hasn't been fully cleaned between migration phases.

If your devices are stuck in Pending after a migration or Entra configuration change, and re-syncing doesn't fix it, that's typically where we get brought in.

We don't rebuild from scratch — we fix and stabilize what's already there.

itccinc.com

Want more patterns like this?

Get the full 6-part guide — what Intune doesn't tell you, but you'll hit in production.