Wednesday 1 August 2018

Hybrid AAD Join for Microsoft 365 Windows 10 Enterprise Activation

Windows 10 Enterprise is bundled as part of Microsoft 365 E3, which is a subscription based service.

The scenario that required Hybrid Domain Join to be configured was, that end user devices were coming shipped with Windows 10 Professional OEM. The customer requirements stated that Windows 10 Enterprise was required, which was included in their Microsoft 365 E3 licenses. 

Although Microsoft would like to have every customer device managed completely by Azure AD, it is unlikely many organisations will be retiring Active Directory anytime soon.

The point to remember here is, that if you have devices that are AD domain-joined you will not be able to activate a subscription based Windows 10 license, unless Hybrid Domain Join is in place. Devices should be joined to the AD domain and in an OU which is synced by AD Connect to Azure AD.

     If you join your devices directly to Azure AD, when you try to join the on premise domain you will get an error. Devices should be connected to AD DS, synced to Azure AD and a GPO put in place to ensure these devices register with AAD.

·    It appears from Windows 10 1803 that devices that are being upgraded via a subscription version of Windows 10 do not need to be activated beforehand. Previously, if you were upgrading OEM Windows 10 Pro clients to a subscription of Windows 10 Enterprise, all of these clients had to be activated before the subscription would work.

AD Connect facilitates the configuration of Azure AD Hybrid Join, however in my experience it does not configure it properly. It is possible to do many of these tasks manually, as outlined in this guide

This is the part which AD Connect does not complete correctly (I think). Under SCP Configuration you will notice that the wizard has only detected the domain under Authentication Source. 

Initially I could not get this to work, if you create the SCP and direct it to your devices will not show up as Hybrid Domain Join, so I downloaded the ConfigureSCP.ps1 script as it prompts for the custom domain you have associated with you Azure AD. 

When you download the script, ensure your execution policy is set to unrestricted so that the policy can run. The script will ask you to specify the domain you want to create the SCP point for, at this stage I entered my unique domain.

If the script completes successfully you should get a “Configuration Complete!” message. You can further verify the SCP has been created using ADSI Edit. If you connect to the Configuration partition and go to Services > Device Registration Configuration.

The SCP which is created with the script is always created with the same identifier which ends in 30080. If this is present in ADSI Edit you know the ConfigurationSCP.ps1 script has completed properly. 

The next part which is not blatantly obvious, or well documented is that, if you use the ConfigurationSCP.ps1 script you must still complete the AD Connect wizard. To do this ensure that the SCP Configuration page looks like this, and nothing is selected. 

In my environment only Windows 10 devices are required, so I never selected support for “down-level devices”. 

A GPO is also required to ensure synced computer objects are registered in AAD, this is done using a Computer Configuration > Administrative Templates > Windows Components > Device Registration the setting Register Domain Joined Computers as Devices should be set to Enabled.

AD Connect Device Writeback should also be enabled which is done in a very similar way to Hybrid Azure Join.

The command “dsregcmd /status” can be used from a client to check the status, AzureADJoined should be set to YES if everything has worked. 

Devices will also appear in the AAD portal under Devices as “Hybrid Azure AD joined”, when I first did this I never synced the Computer OU to Azure AD which prevented it from working. 

Under Activation you should also see confirmation that Windows 10 Enterprise has activated. I think the “call home” feature is 30 days, meaning that devices with subscription Windows 10 must contact AAD every 30 days to remain in the activated state.