DGhost's Blog

A sysadmin's thoughts about the Internet and technologies…

My Journey in Search of Windows Hello (for Business) – Part 2/3


Alright, part 2 of my journey in search of Windows Hello (for Business) is now available. Read part 1 here if you haven't already done so. This second part is much shorter than the first one, but it's still an important step before proceeding further on our quest. In this scenario, we are going with the "Hybrid Key Trust Deployment" setup.

Server Side Configuration

Configuration for the Entra ID Sync Service

Let's start by checking 2 things in Azure AD Connect (now Entra Connect):

Next, from the Azure AD Connect GUI, make sure that Password hash synchronization or Pass-through authentication is enabled, along with Device writeback. Most existing configurations already have this. Federation with AD FS is not covered here; that belongs to bigger and more complicated environments, and sysadmins already running AD FS won't be surprised by that. Do your homework!


Create a Virtual DC

Now here's what I consider the weird part. This is also related to why the new KDC certificate template from part 1 had to be pushed to all the DCs. We will create a new virtual DC inside AD. This new "DC" exists only to act as the gateway for communication between Entra ID and your internal DCs. It's not a server; it's a computer object inside the AD domain, which Microsoft calls the Azure AD Kerberos server object. The script also creates a matching krbtgt_AzureAD account, and Entra ID uses that account's key to issue Kerberos tickets for your domain, so treat both objects as Tier 0, exactly like your real DCs and the domain krbtgt. (Microsoft's documentation introduces this object for the cloud Kerberos trust model and for FIDO2 security key sign-in to on-premises resources; a key trust deployment authenticates with the KDC certificate from part 1, so the object isn't strictly required for it.) All the details and documentation from MS are available right here. I highly suggest that you read them before proceeding. We will use the following PowerShell script to create this false DC. Start by installing the AzureADHybridAuthenticationManagement module for PowerShell:

# First, ensure TLS 1.2 for PowerShell Gallery access. Note the assignment: the
# expression alone only computes the value and changes nothing.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
# Install the AzureADHybridAuthenticationManagement PowerShell module.
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber

Here's the script now. Note that there are alternatives to this script in the MS doc referenced just above:

# Specify the on-premises Active Directory domain. A new Azure AD
# Kerberos Server object will be created in this Active Directory domain.
$domain = $env:USERDNSDOMAIN
# Enter a UPN of an Azure Active Directory global administrator
$userPrincipalName = "administrator@contoso.onmicrosoft.com"
# Enter a domain administrator username and password.
$domainCred = Get-Credential
# Create the new Azure AD Kerberos Server object in Active Directory
# and then publish it to Azure Active Directory.
# Open an interactive sign-in prompt with given username to access the Azure AD.
Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName -DomainCredential $domainCred

Once this has run successfully, you should see a new computer object named AzureADKerberos in ADUC, under the Domain Controllers OU of course, plus a matching krbtgt_AzureAD user account.
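As an added example (not from the original post), here is the check I run right after creation: confirm both AD objects exist, confirm that the key version Entra ID holds matches the one in AD, and rotate the key when it gets old, since krbtgt_AzureAD is a krbtgt equivalent and deserves the same rotation schedule. It assumes the AzureADHybridAuthenticationManagement and ActiveDirectory modules are installed, reuses the $domain, $userPrincipalName and $domainCred variables from the script above (the UPN is a placeholder), and the 180-day maximum key age is an assumed policy value.

```powershell
# Added example: verify the Azure AD Kerberos server object on both sides and rotate its key.
# Assumes the AzureADHybridAuthenticationManagement and ActiveDirectory modules are installed.
Import-Module AzureADHybridAuthenticationManagement
Import-Module ActiveDirectory

$domain            = $env:USERDNSDOMAIN
$userPrincipalName = "administrator@contoso.onmicrosoft.com"   # placeholder UPN, use yours
$domainCred        = Get-Credential -Message "Domain admin for $domain"

# 1. What AD knows: the computer object and the krbtgt_AzureAD account created with it.
$computer = Get-ADComputer -Identity 'AzureADKerberos' -Properties whenCreated
$krbtgt   = Get-ADUser -Identity 'krbtgt_AzureAD' -Properties PasswordLastSet
"Computer object : $($computer.DistinguishedName) (created $($computer.whenCreated))"
"krbtgt_AzureAD  : enabled=$($krbtgt.Enabled) passwordLastSet=$($krbtgt.PasswordLastSet)"

# 2. What Entra ID knows, and whether the on-prem and cloud key versions agree.
$ks = Get-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName -DomainCredential $domainCred
$ks | Format-List Id, DomainDnsName, KeyVersion, KeyUpdatedOn, CloudId, CloudKeyVersion, CloudKeyUpdatedOn

if ($ks.KeyVersion -ne $ks.CloudKeyVersion) {
    Write-Warning "On-prem key version $($ks.KeyVersion) differs from cloud key version $($ks.CloudKeyVersion); investigate before relying on it."
}

# 3. Key hygiene: rotate on the same schedule as the domain krbtgt.
#    -RotateServerKey generates a new key in AD and publishes it to Entra ID in one step.
$maxKeyAgeDays = 180   # assumed policy value; pick yours
if (((Get-Date) - $ks.KeyUpdatedOn) -gt [TimeSpan]::FromDays($maxKeyAgeDays)) {
    Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName -DomainCredential $domainCred -RotateServerKey
}
```

Run it from a machine that can reach both a DC and Entra ID, with an account that is a domain admin on-prem and has the required role in the tenant. A mismatch between KeyVersion and CloudKeyVersion means tickets issued by Entra ID won't decrypt on your DCs, which is exactly the silent failure you don't want to discover later.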



Client Side Configuration

Device hybrid joined to EntraID/AzureAD

For the next step, it's important that you get your Entra ID tenant ID. To do so, log in to the Entra admin center or the Azure portal, copy your tenant ID and paste it somewhere safe; we'll get back to it pretty soon.


Group Policy Configuration Deployment

Now, let's create a GPO that we will push to our client devices in order to ask them to register as hybrid joined devices. This GPO, which I named ConfigureSCP, configures 2 policy settings and pushes 2 registry values. The name is a bit of a misnomer: the registry values below are the client-side alternative to the Service Connection Point (SCP) that Azure AD Connect normally creates in the forest's configuration partition, and they let each device find your tenant without reading the SCP. Of the 2 settings, one is mandatory and the second is optional, but I like having it there. Let's start with the 2 settings:

  • Computer Configuration – Policies – Administrative Templates – Windows Components – Device Registration – Register domain joined computers as devices: Enabled
  • Computer Configuration – Policies – Administrative Templates – Windows Components – MDM – Disable MDM Enrollment: Enabled


Like I said, the second setting, about MDM, isn't needed here: it blocks MDM enrollment, and I enable it so that devices don't start enrolling in an MDM by accident. If you aim to use an MDM like Intune in the future, leave it unconfigured instead; that same MDM folder is where the automatic enrollment policy for existing devices lives.

Now let's create the 2 registry values that we'll push to all of the devices so that they register with your Entra ID tenant. These 2 values are the tenant ID and the tenant name.

  • Computer Configuration – Preferences – Windows Settings – Registry

The tenant ID is the string you copied earlier (a GUID) and the tenant name is the domain name of your tenant, like contoso.com.


As you can see, these 2 registry values need to be created under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD
as string (REG_SZ) values named TenantId and TenantName.

That's it, save the GPO and link it to the OU holding your devices. Note that it can take hours or even days before the registration completes. You can double check the state of a device from the Entra admin center under Devices – All devices. What you need to look for is the "Registered" column: if you see a date/time stamp, congratulations, you made it! Your device is now officially hybrid joined. If you see Pending, either the sync hasn't finished yet or you have an issue.

Hold on! Did I mention days? Yes! Why? Because the device registration is done by a scheduled task, and that task is triggered when a user logs on, which in practice means after the next reboot. You can find the scheduled task under:

  • Task Scheduler Library – Microsoft – Windows – Workplace Join – Automatic-Device-Join


If you don't want to wait for a reboot, you can run the task manually!
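As an added example (not from the original post), this script does on one test machine what the GPO does fleet-wide, then fires the scheduled task instead of waiting for a logon. It is meant for a lab box: on a domain member, Group Policy will overwrite the Policies key at the next refresh, which is fine since the values are the same. The tenant ID and tenant name are placeholders, and the policy registry value autoWorkplaceJoin is the one behind "Register domain joined computers as devices".

```powershell
# Added example: replicate the ConfigureSCP GPO on a single machine and trigger the join.
# Run elevated. Tenant ID and tenant name below are placeholders.
#Requires -RunAsAdministrator
$tenantId   = '00000000-0000-0000-0000-000000000000'   # placeholder: your Entra tenant ID (a GUID)
$tenantName = 'contoso.com'                            # placeholder: your tenant's domain name

# Policy setting: "Register domain joined computers as devices" = Enabled
$wpjPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
New-Item -Path $wpjPolicy -Force | Out-Null
Set-ItemProperty -Path $wpjPolicy -Name 'autoWorkplaceJoin' -Value 1 -Type DWord

# Preference: the client-side tenant information (used instead of the forest SCP)
$cdjAad = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'
New-Item -Path $cdjAad -Force | Out-Null
Set-ItemProperty -Path $cdjAad -Name 'TenantId'   -Value $tenantId   -Type String
Set-ItemProperty -Path $cdjAad -Name 'TenantName' -Value $tenantName -Type String

# Sanity check: a typo in the tenant ID only shows up as a failed join much later.
$parsed = [guid]::Empty
if (-not [guid]::TryParse((Get-ItemProperty -Path $cdjAad).TenantId, [ref]$parsed)) {
    throw "TenantId under $cdjAad is not a GUID"
}

# Fire the same task the logon trigger would, wait for it, and report its exit code (0 = success).
$task = @{ TaskPath = '\Microsoft\Windows\Workplace Join\'; TaskName = 'Automatic-Device-Join' }
Start-ScheduledTask @task
while ((Get-ScheduledTask @task).State -eq 'Running') { Start-Sleep -Seconds 5 }
Get-ScheduledTaskInfo @task | Select-Object LastRunTime, LastTaskResult
```

A non-zero LastTaskResult means the join attempt failed on the client; the next section shows where to look for the reason.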

Troubleshooting device registration

Here are some useful things to look at when you want to troubleshoot why a device hasn't registered with Entra ID. The magic command here is dsregcmd. You can use it to manually register your device and to check the current registration status of the device. Of course, since you already use a GPO to register all of your devices, you shouldn't need to register one manually. But you never know. To manually join a device as hybrid Entra ID joined, run this in a SYSTEM context (for example through psexec -s), because that's how the scheduled task runs it:

dsregcmd /debug /join

This will give you a lot of information about the communication between your end device and Entra ID. If you would like to check the current status of the device, whether it's joined in hybrid mode or not, run this instead:

dsregcmd /status

When you run this command, look for these specific lines in the Device State and Device Details sections (and, in the SSO State section, AzureAdPrt : YES once a user has signed in; without a PRT the device is joined but that user won't get Windows Hello provisioning):

  • AzureAdJoined : YES
  • DomainJoined : YES
  • DeviceAuthStatus : SUCCESS

And on the client device, you can look in Event Viewer under Applications and Services Logs – Microsoft – Windows – User Device Registration – Admin. Event ID 360 is the one to read when Windows Hello for Business provisioning won't launch: it lists each prerequisite (device joined, user signed in with Entra credentials, policy enabled, hardware requirements, and so on) and which one failed.
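As an added example (not from the original post), here is the same triage scripted: parse dsregcmd /status into a hashtable, check the three fields listed above plus the PRT, and when something is off pull the recent errors and event 360 from the User Device Registration log. Function names are mine; the only assumptions are that dsregcmd is on the path and that the log name is Microsoft-Windows-User Device Registration/Admin.

```powershell
# Added example: scripted check of dsregcmd /status and of the device registration event log.

function Get-DsregStatus {
    # dsregcmd prints "   Name : Value" lines; section banners have no colon and are skipped.
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-HybridJoin {
    param([hashtable]$Status = (Get-DsregStatus))
    $expected = @{
        AzureAdJoined    = 'YES'
        DomainJoined     = 'YES'
        DeviceAuthStatus = 'SUCCESS'   # absent on very old builds; reported as a mismatch then
    }
    $ok = $true
    foreach ($key in $expected.Keys) {
        if ($Status[$key] -ne $expected[$key]) {
            Write-Warning "$key = '$($Status[$key])' (expected $($expected[$key]))"
            $ok = $false
        }
    }
    # Device fine but no PRT: the problem is the signed-in user (or its sync), not the device.
    if ($ok -and $Status['AzureAdPrt'] -ne 'YES') {
        Write-Warning "Device is hybrid joined but this user has no PRT (AzureAdPrt = '$($Status['AzureAdPrt'])')"
    }
    return $ok
}

function Get-RegistrationEvents {
    param([int]$Hours = 24)
    $log   = 'Microsoft-Windows-User Device Registration/Admin'
    $since = (Get-Date).AddHours(-$Hours)
    # Errors from the join itself, plus event 360 (why Hello provisioning won't launch).
    @(
        Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2;  StartTime = $since } -ErrorAction SilentlyContinue
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 360;   StartTime = $since } -ErrorAction SilentlyContinue
    ) | Sort-Object TimeCreated -Descending | Select-Object TimeCreated, Id, Message
}

if (-not (Test-HybridJoin)) {
    Get-RegistrationEvents | Format-List
}
```

Run it in the user's session (the PRT check is per user), and run it again elevated if you also want the SYSTEM-context join errors from the scheduled task.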


Wow, part 2 is finished!
Next will be the last step, part 3!

Author: DGhost

System Administrator and consultant for more than 23 years. I've always used computers since I was a kid. I've specialized in networking, servers and the inner workings of the Internet. My blog is aimed as a personal point of view on some technologies, the web, sciences and the Internet in general. If you are wondering why this website is in French and English, that's because I'm a French Canadian who also speaks English and sometimes, when I'm drunk, dabble in Spanish.
