Windows 10 Enterprise is bundled as part of Microsoft 365
E3, which is a subscription based service.
The scenario that required Hybrid Domain Join to be
configured was, that end user devices were coming shipped with Windows 10
Professional OEM. The customer requirements stated that Windows 10 Enterprise
was required, which was included in their Microsoft 365 E3 licenses.
Although
Microsoft would like to have every customer device managed completely by Azure
AD, it is unlikely many organisations will be retiring Active Directory anytime
soon.
The point to remember here is, that if you have devices that
are AD domain-joined you will not be able to activate a subscription based
Windows 10 license, unless Hybrid Domain Join is in place. Devices should be joined to the AD domain and in
an OU which is synced by AD Connect to Azure AD.
If you join your devices directly to Azure AD,
when you try to join the on premise domain you will get an error. Devices
should be connected to AD DS, synced to Azure AD and a GPO put in place to
ensure these devices register with AAD.
· It appears from Windows 10 1803 that devices
that are being upgraded via a subscription version of Windows 10 do not need to
be activated beforehand. Previously, if you were upgrading OEM Windows 10 Pro
clients to a subscription of Windows 10 Enterprise, all of these clients had to
be activated before the subscription would work.
AD Connect facilitates the configuration of Azure AD Hybrid
Join, however in my experience it does not configure it properly. It is
possible to do many of these tasks manually, as outlined in this guide
This is the part which AD Connect does not complete
correctly (I think). Under SCP Configuration you will notice that the wizard
has only detected the onmicrosoft.com domain under Authentication Source.
Initially
I could not get this to work, if you create the SCP and direct it to your
tenant.onmicrosoft.com devices will not show up as Hybrid Domain Join, so I
downloaded the ConfigureSCP.ps1 script as it prompts for the custom domain you
have associated with you Azure AD.
When you download the script, ensure your execution policy
is set to unrestricted so that the policy can run. The script will ask you to
specify the domain you want to create the SCP point for, at this stage I
entered my unique domain.
If the script completes successfully you should get a “Configuration
Complete!” message. You can further verify the SCP has been created using ADSI
Edit. If you connect to the Configuration partition and go to Services >
Device Registration Configuration.
The SCP which is created with the script is always created
with the same identifier which ends in 30080. If this is present in ADSI Edit
you know the ConfigurationSCP.ps1 script has completed properly.
The next part which is not blatantly obvious, or well
documented is that, if you use the ConfigurationSCP.ps1 script you must still
complete the AD Connect wizard. To do this ensure that the SCP Configuration
page looks like this, and nothing is selected.
In my environment only Windows 10 devices are required, so I
never selected support for “down-level devices”.
A GPO is also required to ensure synced computer objects are
registered in AAD, this is done using a Computer Configuration >
Administrative Templates > Windows Components > Device Registration the
setting Register Domain Joined Computers as Devices should be set to Enabled.
AD Connect Device Writeback should also be enabled which is
done in a very similar way to Hybrid Azure Join.
The command “dsregcmd
/status” can be used from a client to check the status, AzureADJoined
should be set to YES if everything has worked.
Devices will also appear in the AAD portal under Devices as “Hybrid
Azure AD joined”, when I first did this I never synced the Computer OU to Azure
AD which prevented it from working.
Under Activation you should also see confirmation that
Windows 10 Enterprise has activated. I think the “call home” feature is 30
days, meaning that devices with subscription Windows 10 must contact AAD every
30 days to remain in the activated state.
