Friday 17 July 2015

Configuring AD FS Client Settings using GPO's

Updated - 24 August 2016

Requirements for SSO to Office 365 on a Windows 7 Enterprise PC;
·         Microsoft Online Service Sign-In Assistant (installed on PC)
·         The SSO service URL added to the Intranet Zone in IE
The Microsoft Online Service Sign-In Assistant can be downloaded from the following link;
It comes pre-packaged as an MSI so you can push it out through Group Policy, if you do not have a more modern software deployment mechanism such as SCCM etc. This installer basically adds a new service called Microsoft Sign-In Assistant to the PC, this service must be running for SSO to work correctly.

To configure the Intranet Zone either create a new GPO, or add the following settings to an existing GPO. 

Click on WMI Filters, right click and create a new WMI Filter.  Give it a descriptive name, in mine I have used "Windows 7 Filter".
The following query strings will ensure that only Windows 7 endpoints are given the GPO settings.
select * from Win32_OperatingSystem WHERE Version like "6.1%" AND ProductType="1" AND NOT OSArchitecture = "64-bit"

select * from Win32_OperatingSystem WHERE Version like "6.1%" AND ProductType="1" AND OSArchitecture = "64-bit"

Click on the AD FS Client Settings GPO, and from the WMI Filtering drop down, click on the new WMI filter you just created to ensure it is bound to the GPO.

It is probably best to scope this setting to the Computer instead of the User account, edit the GPO and expand Computer Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Intern Control Panel/Security Page and double click the Site to Zone Assignment List.

Click Enabled and then Show...

In the Value Name string enter the AD FS service URL, and the value of 1. The value basically corresponds to the zone that this policy applies to.
1 = Intranet/Local Zone
2 = Trusted Sites
3 = Internet/Public Zone
4 = Restricted Sites

Review the settings from the Settings tab, now scope the GPO to the correct Domain/OU.