u/No-Cobbler-5653

Hey everyone, been stuck on this for a while and need fresh eyes.

Environment:

Windows 11 Multi-session (Build 10.0.26200) — Azure Virtual Desktop
Hybrid Entra ID join setup
On-prem AD synced via Entra Connect

The issue: New AVD session hosts in a newly created OU refuse to complete Hybrid Entra ID join. The device always attempts DeviceRenew instead of DeviceRegister even after full domain unjoin → AD object deletion → fresh rejoin.

AzureAdJoined        : NO
Kerberos Ticket Test : FAIL [0x80090311]
Server ErrorSubCode  : error_missing_device
Server Operation     : DeviceRenew  ← should be DeviceRegister

What's weird: Kerberos tickets are valid under SYSTEM (klist -li 0x3e7 shows 3 tickets) but dsregcmd still reports Kerberos FAIL. All other diagnostic tests pass (AD, DRS, connectivity).

Already tried:

dsregcmd /leave + /join multiple times
Clearing msDS-KeyCredentialLink from AD
Full domain rejoin with fresh computer object
Clearing all CloudDomainJoin and Enrollment registry keys
Entra Connect delta + full sync
DeviceWriteback is disabled

Key clue: Older VDIs in a different OU enrolled perfectly fine with the same GPO. Only difference is the new OU.

My questions:

Why does dsregcmd fail Kerberos when tickets clearly exist under SYSTEM?
Why does it always attempt DeviceRenew instead of DeviceRegister after a completely fresh join?
Could Entra Connect OU sync scope be causing error_missing_device?

Any help appreciated! 🙏

Hybrid Entra ID Join failing with error_missing_device DeviceRenew instead of DeviceRegister even after full domain rejoin [Windows 11 Multi-session AVD]