Remove the userCertificate object from AD devices


I’m working on a project in which I needed to fix up some issues with pending hybrid join devices in Azure AD.

To kick start the process of fixing the devices, I needed to remove the userCertificate from the AD object.

To do this against all Windows 10 devices it’s as simple as running the following code. You might want to be more granular in how you execute this; so long as you populate the $Windows10Computers variable with the devices you need, you will be good to go.

# Every AD computer object whose OperatingSystem attribute matches Windows 10
$Windows10Computers = Get-ADComputer -Filter {OperatingSystem -like '*Windows 10*'}
foreach($Computer in $Windows10Computers)
{
    # Clear the userCertificate attribute on the computer object
    Set-ADComputer $Computer -Clear userCertificate
}

Once the userCertificate has been removed, the next AAD Connect sync will remove the device object from Azure AD.

The userCertificate will be created again; the ‘Automatic-Device-Join’ scheduled task under \Microsoft\Windows\Workplace Join, which runs at logon, will see to that.

On the next AAD Connect sync after the userCertificate has been created, a new pending hybrid join object will be created in Azure AD, and you can then force the registration by running that scheduled task again, i.e. another logon.
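As an added example (not code from the original post), here is a more granular version of the same process: it clears userCertificate only on a named set of devices, confirms the attribute is actually gone before the next AAD Connect sync, and supports -WhatIf for a dry run. It assumes the ActiveDirectory module is available and that the device names and remoting to them are placeholders.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and rights to modify the computer objects; device names below are constructed.
function Clear-DeviceUserCertificate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName
    )

    foreach ($name in $ComputerName) {
        # userCertificate is not in the default property set, so request it explicitly
        try {
            $computer = Get-ADComputer -Identity $name -Properties userCertificate, OperatingSystem -ErrorAction Stop
        } catch {
            [pscustomobject]@{ Computer = $name; OperatingSystem = $null; HadCertificate = $null; Cleared = $false; Note = 'Not found in AD' }
            continue
        }

        $had = ($computer.userCertificate.Count -gt 0)
        $cleared = $false
        if ($had -and $PSCmdlet.ShouldProcess($name, 'Clear userCertificate')) {
            Set-ADComputer -Identity $computer -Clear userCertificate
            # Re-read to confirm the attribute is really gone before the next AAD Connect sync
            $after = Get-ADComputer -Identity $name -Properties userCertificate
            $cleared = ($after.userCertificate.Count -eq 0)
        }

        [pscustomobject]@{
            Computer        = $name
            OperatingSystem = $computer.OperatingSystem
            HadCertificate  = $had
            Cleared         = $cleared
            Note            = if ($had) { '' } else { 'No certificate present; nothing to clear' }
        }
    }
}

# Constructed sample device names (placeholders, not real hosts)
$targets = 'WS10-001', 'WS10-002', 'WS10-003'

# Dry run first: reports which objects would be changed without touching them
Clear-DeviceUserCertificate -ComputerName $targets -WhatIf

# Real run; keep the report for the change record
$report = Clear-DeviceUserCertificate -ComputerName $targets
$report | Format-Table -AutoSize

# Optional: run the task that recreates the certificate instead of waiting for a logon.
# Assumes PowerShell remoting to the device and that the device can reach a domain controller.
# Invoke-Command -ComputerName 'WS10-001' -ScriptBlock {
#     Start-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join'
# }
```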

If you’re in a user-initiated VPN scenario, then this becomes more complicated, as the scheduled task requires line of sight to the domain controllers to do its thing. There is an event ID 4096, but it’s a random trigger. If I could work out what causes it I would let you know. Some devices do not run the event at all, others sporadically.

How to tackle this in a VPN scenario is one for another time.
