Hybrid join succeeds but primary refresh token missing

Minimal guidance for messy support realities.

Scenario

A Windows device appears to be joined correctly, but users do not receive SSO because the primary refresh token is never issued.

Recommended Resolution Path

  1. Run dsregcmd /status and compare device registration state with user sign-in state.
  2. Verify proxy, TLS inspection, and time synchronization on the endpoint.
  3. Check whether the user profile was created before hybrid join completed successfully.
  4. If only one device model is affected, compare image baselines and enrollment timing.
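
A triage sketch for steps 1 to 3, added here as an example and not taken from vendor tooling. The function names are hypothetical, and it assumes that the start of DeviceCertificateValidity approximates when the join completed and that the profile folder's creation time approximates when the profile was created.

```powershell
# Added example. Run it in the affected user's own session: the SSO State
# section of dsregcmd /status reflects the user who runs the command.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    # dsregcmd prints "Key : Value" pairs; keep the first value seen per key.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(.+?)\s*$') {
            if (-not $state.ContainsKey($Matches[1])) { $state[$Matches[1]] = $Matches[2] }
        }
    }
    $state
}

function Get-PrtTriage {
    param([hashtable]$State, [datetime]$ProfileCreatedUtc)
    $findings = @()
    $joined = $State['AzureAdJoined'] -eq 'YES' -and $State['DomainJoined'] -eq 'YES'
    if (-not $joined) { $findings += 'Device is not hybrid joined; fix registration before looking at the PRT.' }
    if ($joined -and $State['AzureAdPrt'] -ne 'YES') {
        $findings += 'Device state is healthy but AzureAdPrt is not YES: the problem is on the user sign-in side.'
    }
    # Value looks like "[ 2024-01-11 21:02:50.000 UTC -- 2034-01-11 21:32:50.000 UTC ]".
    # Assumption: the start time approximates when the join completed.
    if ($State['DeviceCertificateValidity'] -match '\[\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)') {
        $joinUtc = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
        if ($ProfileCreatedUtc -lt $joinUtc) {
            $findings += "Profile created $ProfileCreatedUtc UTC, before join completed ($joinUtc UTC)."
        }
    }
    $findings
}

$state = ConvertFrom-DsregStatus -Lines (dsregcmd /status)
# Assumption: the profile folder's creation time stands in for profile creation.
$created = (Get-Item $env:USERPROFILE).CreationTimeUtc
Get-PrtTriage -State $state -ProfileCreatedUtc $created

# Step 2 inputs: system proxy configuration, then clock source and offset.
netsh winhttp show proxy
w32tm /query /status
```

An empty result from Get-PrtTriage means none of the three conditions matched, which leaves the proxy, TLS inspection and clock checks from step 2 as the next place to look.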

Technician Notes

Document what changed, what confirmed the fix, and whether the issue points to a broader standards gap worth addressing for the client.