If we need to perform a controlled deployment of Hybrid Azure AD Joined devices (only selected devices register, rather than every domain-joined machine), we need to perform the steps below.

Existing setup done:

  1. Two Local users created
  2. Azure AD Connect configured
  3. Seamless Single Sign-On (IE) configured
  4. Seamless Single Sign-On (Firefox) configured
  5. Hybrid Azure AD Join configured

Lab machines:

  1. SkyDC: Machine with ADDS, DNS, DHCP role
  2. SkyCON: Machine where we will install Azure AD Connect
  3. SkyCM: Machine with Configuration Manager Current Branch
  4. SkyTEN1: Domain Joined Windows 10 machine
  5. SkyTEN2: Domain Joined Windows 10 machine
  6. SkyTEN3i: Domain Joined Windows 10 machine (to be Intune Managed)
  7. SkyTEN4i: Domain Joined Windows 10 machine (to be Intune Managed)

Clear the SCP from AD:

Run adsiedit.msc

Right click ADSI Edit, and click Connect to….

In Select a well known Naming Context, select Configuration and click OK.

Navigate to ADSI Edit -> Configuration naming context -> CN=Configuration,DC… -> CN=Service -> CN=Device Registration Configuration.

Right click on the entry in the middle pane and click Properties.

In the window that opens, scroll down, select the keywords entry and click Edit.

Select the entry starting with azureADId and click Remove.

That value will appear in the Value to add text box. Delete it from there as well.

Select the entry starting with azureADName and click Remove.

That value will appear in the Value to add text box. Delete it from there as well.

Click OK.

Click OK.
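The same clean-up can be audited and performed from PowerShell, which is useful for confirming that the ADSI Edit steps above actually removed the Azure AD keywords before devices start registering. This is an added example, not code from the original post; it assumes the ActiveDirectory RSAT module is installed and that the account running it has rights to modify the Configuration naming context. The SCP is located by object class and keyword rather than by a hard-coded DN.

```powershell
# Added example (not from the original post): audit the Azure AD Device Registration
# SCP in the Configuration naming context and, on confirmation, remove the two
# Azure AD keywords that make domain-joined devices auto-register.
Import-Module ActiveDirectory

function Get-HybridJoinScp {
    # Find the service connection point that carries azureADId / azureADName
    # keywords anywhere in the Configuration NC (no hard-coded path needed).
    $configNC = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase $configNC -SearchScope Subtree `
        -LDAPFilter '(&(objectClass=serviceConnectionPoint)(|(keywords=azureADId:*)(keywords=azureADName:*)))' `
        -Properties keywords
}

$scp = Get-HybridJoinScp
if (-not $scp) {
    Write-Host 'No Azure AD SCP keywords found: domain-joined devices will not auto-register via the SCP.'
    return
}

Write-Host "SCP found: $($scp.DistinguishedName)"
$scp.keywords | ForEach-Object { Write-Host "  keyword: $_" }

# Remove only the two Azure AD keywords; any other keyword values stay intact.
$toRemove = @($scp.keywords | Where-Object { $_ -like 'azureADId:*' -or $_ -like 'azureADName:*' })
if ($toRemove.Count -gt 0) {
    # -Confirm prompts before the directory is changed; add -WhatIf to dry-run.
    Set-ADObject -Identity $scp -Remove @{ keywords = $toRemove } -Confirm
}

# Re-run the audit: an empty result means the SCP no longer points at a tenant.
if (Get-HybridJoinScp) {
    Write-Warning 'Azure AD keywords are still present on the SCP.'
} else {
    Write-Host 'SCP cleared: registration is now controlled solely by the GPO registry values.'
}
```

Run the audit part first on its own to record the original azureADId and azureADName values; you will need the tenant GUID and verified domain name again when filling in the registry items in the GPO.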

Create a group of devices which will be configured for Hybrid Azure AD Join.

Open Active Directory Users and Computers. Right click Users -> New and click on Group.

Enter group name and click OK.

I have used Hybrid AADJ Controlled.

Open the Group properties and Navigate to Members tab.

Click on Add and add the devices in the group. Click OK when completed.

Note: I have not added one test device to show controlled deployment.

Create a Group Policy to configure Hybrid Azure AD join.

Start Group Policy Management.

Right click your domain and click on Create a GPO in this domain, and Link it here….

Enter GPO Name and click OK. I have entered Hybrid AADJ Controlled.

Right click on the created GPO and click Edit.

Navigate to Computer Configuration -> Preferences -> Windows Settings -> Registry.

Right click Registry, select New and click Registry Item.

Enter the values below and click OK.

Action: Update

Hive: HKEY_LOCAL_MACHINE

Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD

Value name: TenantId

Value type: REG_SZ

Value data: The GUID or Directory ID of your Azure AD instance (This value can be found in the Azure portal > Azure Active Directory > Properties > Directory ID)

Right click Registry, select New and click Registry Item.

Enter below and click OK.

Action: Update

Hive: HKEY_LOCAL_MACHINE

Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD

Value name: TenantName

Value type: REG_SZ

Value data: Your verified domain name in Azure AD (for example, contoso.onmicrosoft.com or any other verified domain name in your directory)

Close the window.

Select the created GPO. In Security Filtering section, click Add.

Add the group created above.

Navigate to Delegation tab and click Advanced.

Select Authenticated Users and uncheck Apply group policy. Click OK.

Close the window.

Testing:

You can see a Windows 10 device with name SKYTENTEST.

The device is not part of the group.

On the client machine, you can see that it is connected to on-premises AD.

You can also see that the registry entry configured in the GPO is not there.

Even the device entry is not listed in Azure AD portal.

Add the device to the group.

On the client machine:

Update group policy by executing gpupdate /force.

Restart the machine.

You can see the entry coming in Azure AD portal.
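The manual checks in the Testing section (registry value present, device joined on-premises, device appearing in Azure AD) can be scripted so the rollout is verified the same way for every device. This is an added example, not code from the original post. It assumes the group and GPO are both named Hybrid AADJ Controlled as above, that the ActiveDirectory and GroupPolicy RSAT modules are available on the machine running the domain-side check, and that the tenant ID and tenant name are replaced with your own values (the ones below are placeholders). The client-side check parses dsregcmd /status, which is the built-in Windows tool for reporting device registration state.

```powershell
# Added example (not from the original post): verify that the controlled rollout is
# scoped correctly on the domain side and that a client picked up the GPP registry
# values and registered with Azure AD.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName      = 'Hybrid AADJ Controlled'
$GpoName        = 'Hybrid AADJ Controlled'
$ExpectedTenant = 'contoso.onmicrosoft.com'                # placeholder: your verified domain name
$ExpectedId     = '00000000-0000-0000-0000-000000000000'   # placeholder: your Directory ID
$RegPath        = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'

# --- Domain side: is the GPO really limited to the device group? ---
function Test-GpoScope {
    $perms = Get-GPPermission -Name $GpoName -All
    # If Authenticated Users still has 'Apply group policy', every domain-joined
    # computer gets the registry values and the deployment is no longer controlled.
    $authApply  = $perms | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' -and $_.Permission -eq 'GpoApply' }
    $groupApply = $perms | Where-Object { $_.Trustee.Name -eq $GroupName -and $_.Permission -eq 'GpoApply' }
    [pscustomobject]@{
        AuthenticatedUsersApply = [bool]$authApply     # expected: False
        GroupApply              = [bool]$groupApply    # expected: True
        Members                 = (Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty Name)
    }
}

# --- Client side: did this machine get the values and register? ---
function Test-ClientHybridJoinState {
    $reg = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue

    # dsregcmd prints "Key : Value" lines; collect the single-word keys we care about.
    $field = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $field[$Matches[1]] = $Matches[2] }
    }

    [pscustomobject]@{
        RegistryPresent   = [bool]$reg                         # False on a device outside the group
        TenantIdMatches   = ($reg.TenantId -eq $ExpectedId)
        TenantNameMatches = ($reg.TenantName -eq $ExpectedTenant)
        DomainJoined      = $field['DomainJoined']             # expected: YES
        AzureAdJoined     = $field['AzureAdJoined']            # YES once registration has completed
        TenantIdReported  = $field['TenantId']                 # should equal $ExpectedId after join
    }
}

# Usage: run Test-GpoScope on the RSAT machine, Test-ClientHybridJoinState on the client
# (after gpupdate /force and a restart, as in the steps above).
Test-GpoScope | Format-List
Test-ClientHybridJoinState | Format-List
```

When unchecking Apply group policy for Authenticated Users, leave its Read permission in place; the GPO still has to be readable for policy processing, and the device group's Apply permission carries the Read it needs for the computers you add. A device that reports RegistryPresent = False and AzureAdJoined = NO is exactly the state the SKYTENTEST machine shows before it is added to the group.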
