Hybrid AAD domain join without SCP – without AADconnect hybrid setup

To Hybrid domain join a device you have to configure your Azure AD Connect which creates a Service Connection Point (SCP) in your Active Directory.

However in some environments it’s not possible to set up a SCP.

First of all check your AD if there is a SCP configured. To do this start ADSIEDIT.MSC and then right-click on the “ADSI Edit” root node and choose “Connect to…”.  Change to the “Configuration” naming context.

Expand the results and browse to “Services” container and the “Device Registration Configuration” container.

If it does not exist that means there is no SCP configured.

Otherwise you will see a GUID 62a0ff2e-97b9-4513-943f-0d221bd30080.
You may view the properties of the container by Right-clicking on it and choose “Properties.” 
Scroll down to the “keywords” attribute where you will to see your Azure AD tenant information.


To use AD Hybrid join in an environment without a SCP we have to add 2 registry keys to the workstation or server you want join to AAD.

It is also important that the computer objects are set to sync to Azure AD. So the OU where the computer object resides must be in sync with AAD.

You have to create two registry settings on each computer :

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD]
"TenantName"="<name>.onmicrosoft.com"
"TenantId"="<tenant id>"

To easily find your tenantid and name it’s the best to use powershell :

#Get tenant name and id

Connect-MsolService
(Get-MsolDomain|Where-Object{$_.isInitial}).name


If you need to deploy this to more PC’s I would recommend deploying these keys using a GPO via the Group Policy Preferences Registry item. 

After setting the key (or deployment) open an elevated PowerShell.

Run the command “dsregcmd /join

Wait a few minutes.
Now run the command  “dsregcmd /status” to show the status

The output shows the value “IsDeviceJoined: YES

Refresh the browser window in Azure AD -> Devices.

add Screenshots – also error waiting ….

It’s not necessary to run dsregcmd /join on every device. 

if you have time to wait the devices wil join by themselves otherwise run “dsregcmd /join” .

In Endpoint manager you may create a device collection for your hybrid joined devices with this query:

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name,

SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from  SMS_R_System

inner join SMS_Client_ComanagementState on SMS_Client_ComanagementState.ResourceId = SMS_R_System.ResourceId

where SMS_Client_ComanagementState.HybridAADJoined = 1

On AAD joined devices it’s possible to store the Bitlocker key in AAD.
To store the BitLocker key in AAD just run this PowerShell script :

$KeyProtectors = (Get-BitlockerVolume -MountPoint $env:systemdrive).KeyProtector

BackupToAAD-BitLockerKeyProtector $env:systemdrive -KeyProtectorId ($KeyProtectors | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }).KeyProtectorID

Errors & Failures

Hybrid Azure AD Join Failure

As mentioned before OU’s with the computer objects need to be in sync with AAD. Otherwise you may get this error “Hybrid Azure AD Join Failure – Error Missing Device”

If you get this error you should verify that Azure AD Connect has synced the computer objects of the devices you want to be hybrid Azure AD joined to Azure AD. If the computer objects belong to specific organizational units (OUs), configure the OUs to sync in Azure AD Connect. To learn more about how to sync computer objects by using Azure AD Connect, see Organizational unit–based filtering as I see following error from above logs, which indicate device object is not found.

Azure AD Connect sync: Configure filtering

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-configure-filtering#organizational-unitbased-filtering

Hybrid Device Join error – Unregistered statusPending

I found this process on the internet which helped me solving this problem after which the device state successfully changed:

  • dsregcmd /debug /leave
  • Confirmation from Azure AD that device object was removed
  • Reboot machine
  • Confirmation that the device had been trying to register itself again to Azure AD (AAD audit logs)
  • Confirmation of device status from AAD (changed from pending to “registered with timestamp”)
  • dsregcmd /status (which should now have PRT included)

More documentation

Also, check out the troubleshooting guide.  https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current

Troubleshoot hybrid Azure AD-joined devices. https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current

Set up enrollment for Windows devices https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enroll

1 thought on “Hybrid AAD domain join without SCP – without AADconnect hybrid setup

  1. Koos Reply

    Thanks a lot, this blog saves me 🙂
    I has a customer with a child domain, and installing the SCP was not allowed (no Enterprise permission). I have only permission for the child domain. But with the regkey’s I was able to join the devices to AAD as hybrid join.

Leave a Reply

Your email address will not be published. Required fields are marked *