Configure Device Registration with Azure AD Connect

Azure AD Connect is a great tool to on-board your on-premises identities to the Azure cloud. If you want to use a Hybrid Join of your Windows 10 devices – local domain join & Azure AD join – you can configure Device Registration. What is the benefit if you enable this option?

PREPARE

Since a few versions back, Azure AD Connect lets you use its wizard to configure the necessary options. First of all, make sure you use the latest version of Azure AD Connect. You can also check the Auto-Upgrade option of the sync engine with this PowerShell command on the server where AAD Connect is installed:

Get-ADSyncAutoUpgrade

Further information can be found here.

CONFIGURE AZURE AD CONNECT

Run Azure AD Connect – Configure – and select “Configure device options”.

On the “Overview” page click Next.
On the “Connect to Azure” page enter your Global Admin credentials and click Next.
On the “Device options” page select “Configure Hybrid Azure AD Join” and click Next.

In the next step you will configure the Service Connection Point (SCP), which helps your Windows 10 devices find the necessary Azure tenant information. To configure the SCP you need to provide Enterprise Admin credentials. If you cannot provide these credentials during the wizard, you can download a script to set the SCP later or offline.

This step also helps you verify your current configuration: AAD Connect checks the existing configuration in your AD. You can do this manually by browsing with ADSI Edit. Connect to the configuration naming context and then load the CN: “CN=ms-DS-Device-Registration-Service,CN=Schema,CN=Configuration,DC=xy,DC=xy”
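The same check, scripted: an added example (not part of the original post) that verifies the schema class the wizard looks for and reads the tenant name and ID that the SCP will hand to your clients. It assumes RSAT with the ActiveDirectory module, read access to the configuration naming context, and the SCP location Microsoft documents for Hybrid Azure AD Join; the expected tenant domain is a placeholder.

```powershell
# Added example (not the post's or the product's own code): verify the
# on-prem prerequisites that the AAD Connect wizard checks.
# Assumptions: ActiveDirectory module (RSAT) available; the SCP DN below is
# the well-known one from Microsoft's Hybrid Azure AD Join documentation.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext          # CN=Schema,CN=Configuration,DC=...
$configNC = $rootDse.configurationNamingContext   # CN=Configuration,DC=...

# 1. Schema check: the class the post browses to in ADSI Edit must exist,
#    otherwise the forest schema is too old for device registration.
$schemaClass = Get-ADObject -Filter 'name -eq "ms-DS-Device-Registration-Service"' `
                            -SearchBase $schemaNC -ErrorAction SilentlyContinue
if ($schemaClass) { Write-Host "Schema OK: $($schemaClass.DistinguishedName)" }
else              { Write-Warning "Schema class missing: extend the AD schema first" }

# 2. SCP check: the wizard (or the downloaded offline script) writes the tenant
#    name and tenant ID into the 'keywords' attribute of this object.
$scpDn = "CN=62a0ff2e-97b9-4088-9963-a3cb0d41f1d8,CN=Device Registration Configuration,CN=Services,$configNC"
$scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction SilentlyContinue
if (-not $scp) {
    Write-Warning "SCP not found: run the wizard with Enterprise Admin rights or the downloaded script"
    return
}
$tenantName = ($scp.keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
$tenantId   = ($scp.keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', ''

# 3. Sanity-check what every domain-joined client will trust: the tenant ID
#    must be a GUID and the verified domain must be the one you intend.
$expectedTenant = 'contoso.com'   # placeholder: replace with your verified domain
if ($tenantId -notmatch '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$') {
    Write-Warning "SCP azureADId is not a GUID: '$tenantId'"
}
if ($tenantName -ne $expectedTenant) {
    Write-Warning "SCP points at '$tenantName', expected '$expectedTenant': devices would register to the wrong tenant"
} else {
    Write-Host "SCP OK: $tenantName ($tenantId)"
}
```

Because clients register with whichever tenant the SCP names, this check belongs in change control and periodic configuration audits, not only in the initial setup.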

Back to the wizard, provide the Enterprise Admin credentials and click “Next”.

Device Registration is also supported for Windows downlevel devices, like Windows 10 builds prior to 1607, Windows 8.1, 8 & 7. For further information regarding downlevel devices visit the docs.microsoft.com page.

This will configure the Device Registration for a Hybrid Join. Click Configure.

This will complete your On-Prem configuration for Device Registration.

POST CONFIGURATION TASKS

https://docs.microsoft.com/de-ch/azure/active-directory/connect/active-directory-azure-ad-connect-hybrid-azure-ad-join-post-config-tasks

Check out point 10 of the post-configuration tasks. You should create a GPO to make sure your devices are getting hybrid joined in Azure:

  • Create a new GPO and Name it
  • Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration
  • Select: Register domain-joined computers as devices
  • OK
  • Link the policy to your Windows 10 Devices
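To confirm on a client that the GPO above applied and the device actually completed the hybrid join, here is an added example (not from the original post). It assumes an elevated PowerShell on a domain-joined Windows 10 client after gpupdate, that the policy writes the WorkplaceJoin registry value named below, and that dsregcmd is present (it ships with Windows 10).

```powershell
# Added example (not the post's own code): client-side verification of the
# 'Register domain-joined computers as devices' policy and the join state.
# Assumption: the policy maps to the registry value below.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
$auto = (Get-ItemProperty -Path $policyPath -Name autoWorkplaceJoin -ErrorAction SilentlyContinue).autoWorkplaceJoin
if ($auto -eq 1) { Write-Host "GPO applied: autoWorkplaceJoin = 1" }
else             { Write-Warning "GPO not applied (autoWorkplaceJoin = '$auto'): check link/scope, then gpupdate /force" }

# Parse 'dsregcmd /status' into a hashtable of "Key : Value" pairs;
# section banners without a colon are skipped by the regex.
$status = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $status[$matches[1]] = $matches[2] }
}

# Hybrid join means both of these are YES; anything else needs a closer look.
$checks = [ordered]@{
    'DomainJoined'  = 'YES'   # still joined to the on-prem domain
    'AzureAdJoined' = 'YES'   # registered in Azure AD
}
foreach ($k in $checks.Keys) {
    $v = $status[$k]
    if ($v -eq $checks[$k]) { Write-Host "$k : $v" }
    else                    { Write-Warning "$k : '$v' (expected $($checks[$k]))" }
}

# The tenant the device landed in should match the one your SCP advertises.
"TenantName : $($status['TenantName'])"
"TenantId   : $($status['TenantId'])"
```

A device that reports DomainJoined YES but AzureAdJoined NO after a reboot usually means the policy did not reach it or it cannot read the SCP.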

9 thoughts on “Configure Device Registration with Azure AD Connect”

  1. Question: What will happen to the clients after the Azure AD hybrid join configuration is set? What will the clients that are scoped within the OU we specified to sync out to AAD? And what will happen to the rest of the clients not scoped if they find the SCP?

    1. As long as you're not setting an Intune policy for Azure Hybrid joined devices, nothing will happen. They will appear in your Azure Portal as Hybrid Joined devices. If no GPO is scoped to a specific group or OU of devices, they will not appear in the portal and will not be hybrid joined. You can find details in this article:
      https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-control

      Let me know if you have more questions.
      Regards,
      Al

  2. Hi Al,
    First of all, I'd like to thank you for the article. It has helped me understand device registration and how Windows 10 is getting registered in Azure AD (managed and federated).
    I have a question on the backout plan for device registration – after implementation of device registration (it is updated in the schema). If I decide to back out (i.e. no more device registration), what steps do I follow, or do you have an article on it?

    1. Hi,
      You can remove the SCP (Service Connection Point) in the local Forest and/or remove the ADFS configuration for device registration. Also disable the Automatic MDM enrollment in Intune and remove the local GPO to register and enroll in MDM. This will stop devices from appearing in Azure AD.
      Hope this helps.
      Cheers,
      Al

  3. Hello, first of all thank you for your tutorial,
    Can you explain this step to me in more detail:

    “This step also helps you verify your current configuration. AAD Connect checks the configured configuration on your AD. You can do this manually by browsing your ADSI Editor. Connect to the configuration naming context, then load the CN: “CN=ms-DS-Device-Registration-Service,CN=Schema,CN=Configuration,DC=xy,DC=xy””

    I don't quite understand how to set it up.
    Thanks in advance

    1. Hi & thank you for your comment.
      You need to run “ADSIEdit.msc” on a Domain Controller or, much better, from a Management Workstation where the AD Administrative Tools are installed. From there, you will be able to browse through the path I have mentioned in my blog. You can also refer to this Microsoft Learn article:
      https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-join-control#clear-the-scp-from-ad

      Hope this helps. Best, Al
