I have been struggling past weeks to get Automatic Device Registration Service (DRS) working in my DEV environment. All the necessary pre-requirements were configured per instructions and AAD Connect (AADC) was running at version 1.1.486.0 which should be enough considering pre-requirements. I was trying to get both down level clients and current devices automatically registered but it was unsuccessful. The breakthrough was to upgrade AAD Connect to the latest version 1.1.524.0. Immediately after AADC upgrade I found all my devices registered successfully to Azure AD.
Before going too deep in DRS troubleshooting I recommend to upgrade AADC to latest version availble.
How to configure DRS, shortened version from docs.microsoft.com:
- Up-to-date version of Azure AD Connect
- Azure AD Connect has synchronized the computer objects of the devices you want to be hybrid Azure AD joined to Azure AD
Pre-requisites for Windows Current devices (W10 or W2016)
- Recommendation is to have Windows 10 devices using Anniversary Update version 1607 or later (I used 1703 with creators update).
- Registration is supported with federated and non-federated environments
Pre-requisites for Windows down-level devices (W10 or W2016)
- Windows 7 & 8.1 are supported
- Windows Server 2008 R2, Server 2012 and Server 2012 R2 are supported
- BUT registration of these down-level devices is not supported in non-federation environments
Task 1 – Configure Service Connection Point (SCP)
If service connection point is not in place you need to configure it. You can check status of SCP with powershell or ADSIedit.msc. (If your AAD Connect has been installed with express installation everything should be in place).
If your SCP is not where it should be then you need to create one. Commands to run
Task 2 – Configure Claims to ADFS
In a federated Azure AD configuration, devices rely on Active Directory Federation Services (AD FS) or a 3rd party on-premises federation service to authenticate to Azure AD. Devices authenticate to get an access token to register against the Azure Active Directory Device Registration Service (Azure DRS).
Windows current devices authenticate using Integrated Windows Authentication to an active WS-Trust endpoint (either 1.3 or 2005 versions) hosted by the on-premises federation service.
When using AD FS, one of the endpoints must be enabled from both ADFS and Web Application Proxy (WAP) if later one is in use:
Azure DRS for device registration needs following claims in token to complete. Azure DRS will create a device object in Azure AD with some of this information which is then used by Azure AD Connect to associate the newly created device object with the computer account on-premises.
If you have more than one verified domain name, you need to provide the following claim for computers:
Note – If you have created O365 trust with “SupportMultipleDomain” switch then you already have 3th claim and this rule created earlier needs to be removed before configuring claim rules for AAD DRS.
Configure Claims with helper script
I prefer to use Microsoft ADFS helper script for configuring all claim rules, detailed information about needed parameters found from here. In my environment I configured variables as follow
- $multipleVerifiedDomainNames = $true
- $immutableIDAlreadyIssuedforUsers = $false
- $oneOfVerifiedDomainNames = ‘feta.fi’ # Replace feta.fi with one of your verified domains
- Helper configuration appends existing rules
- Do not run script twice
- If you have multiple verified domains names as I do, set $multipleVerifiedDomainNames = $true, for this reason you need to remove 3th claim if you have used SupportMultipleDomain switch when creating O365 trust to ADFS
Task 3 – Enable Windows down-level devices
If you are using down-level clients (W7, W8, W2008, W2008R2) you need to perform following tasks, link to instructions
- Set Azure AD to allow device registration from Azure AD -> Configure -> Devices tab
- Configure ADFS to support IWA
- Get configuration
- Add custom claim rule to O365 relaying party trust
- Configure browsers to avoid certificate prompts during certificate authentication
- Add http://device.login.onmicrosoft.com to Local Intranet zone
Task 4 – Rollout
Current devices (W10 & W2016)
Are registered automatically when all pre-requirements are configured properly and group policy for registration is not needed. If you need to control rollout then GPO for current devices is needed.
Down level clients
Group Policy or Windows Installer package is needed for rollout and Microsoft recommends to use Windows Installer Package to register all Windows down level clients. Installer package can be downloaded from here
Package for down level clients
Task 5 – Verify Registered Devices
To verify registered devices with PowerShell, either MsOnline or AzureAD module.
W10DRS3 and FetaW8 are are the ones registered by DRS
Verify registration from device with dsregcmd /status. If device AzureAdJoined status is YES it has been successfully registered to Azure AD.
When domain joined devices are registered to Azure AD organization can leverage device based conditional access scenarios and organization gets extra layer to control access to cloud based applications from security point of view.