Do not remove a successfully HAAD Joined computer from Azure AD if the userCertificate attribute was deleted on-prem (mode)
When the userCertificate attribute is changed/corrupt on-prem (source of the change unknown yet), the computer object gets deleted from Azure AD due to the current sync rules and logic. There should be no reason to depend on this attribute after the station was successfully registered. And since the computer is not aware of this sync change between AD and AAD, its local state still tells the station it is registered and no re-registration attempt is made. We can always block registration by deleting the device from AAD or by blocking the user, and WAM is disabled to bypass. Case 120021424002034. The point of the DCR is auto-healing of HAADJ (faster, no time) so users are not having auth issues.
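The post describes a three-way mismatch: the on-prem attribute is gone, AAD Connect drops the device from sync scope, and the client still believes it is registered. As an added example (not from the original poster and not Microsoft code), the following PowerShell script finds on-prem computers whose userCertificate is empty and reports whether their hybrid device object still exists in Azure AD, so the affected stations can be found before users hit auth issues. It assumes the RSAT ActiveDirectory module and the AzureAD module are installed, that Connect-AzureAD has already been run, that the Azure AD device DisplayName equals the on-prem computer name, and a hypothetical OU in $SearchBase.

```powershell
# Added example, not part of the original post.
# Lists on-prem computers with an empty userCertificate and reports whether a
# hybrid (ServerAd) device object for them still exists in Azure AD. Per the
# post, an empty userCertificate takes the object out of the AAD Connect device
# sync scope, so devices still present in Azure AD are the ones that will be
# removed on a later sync cycle while the client still reports itself as joined.
#
# Assumptions (not stated on the page):
#   - RSAT ActiveDirectory and AzureAD modules are installed; Connect-AzureAD was run.
#   - Azure AD device DisplayName equals the on-prem computer name.
#   - $SearchBase is the OU covered by the AAD Connect sync scope (hypothetical value).
param(
    [string]$SearchBase = 'OU=Workstations,DC=contoso,DC=com'
)

Import-Module ActiveDirectory

# Index hybrid-joined devices in Azure AD by name. DeviceTrustType 'ServerAd'
# is the value Azure AD uses for hybrid Azure AD joined devices.
$aadDevices = @{}
Get-AzureADDevice -All $true |
    Where-Object { $_.DeviceTrustType -eq 'ServerAd' } |
    ForEach-Object { $aadDevices[$_.DisplayName.ToUpperInvariant()] = $_ }

# On-prem computer objects; userCertificate is returned as a collection of DER blobs.
$computers = Get-ADComputer -Filter * -SearchBase $SearchBase `
    -Properties userCertificate, whenChanged

$report = foreach ($c in $computers) {
    # Only computers with no certificate at all are at risk.
    if ($c.userCertificate.Count -gt 0) { continue }

    $key   = $c.Name.ToUpperInvariant()
    $inAad = $aadDevices.ContainsKey($key)

    [pscustomobject]@{
        Computer          = $c.Name
        DistinguishedName = $c.DistinguishedName
        LastChanged       = $c.whenChanged
        # PendingRemoval : still in Azure AD, will be dropped on a later sync cycle
        #                  unless userCertificate is restored on-prem.
        # AlreadyRemoved : no device object in Azure AD any more, but the client
        #                  still keeps its local "registered" state.
        State             = if ($inAad) { 'PendingRemoval' } else { 'AlreadyRemoved' }
        AzureAdDeviceId   = if ($inAad) { $aadDevices[$key].DeviceId } else { $null }
    }
}

$report | Sort-Object State, Computer | Format-Table -AutoSize

# Keep the list as evidence for the support case / DCR:
# $report | Export-Csv -NoTypeInformation -Path .\hybrid-join-usercert-missing.csv
```

Run it from an admin workstation or the AAD Connect server. On a client listed as AlreadyRemoved, `dsregcmd /status` will still show `AzureAdJoined : YES`, which is the local-state mismatch the post describes; the PendingRemoval rows are the ones where restoring userCertificate before the next sync cycle avoids the deletion altogether.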
Aaron Shvarts commented
Fix option: do not remove the AAD computer object via AAD Connect sync if the on-prem computer's userCertificate is removed/changed after the successful registration was completed.