Posted in : Active Directory, Azure, Microsoft, Windows By Tobias Sandberg Translate with Google ⟶

3 years ago

In a migration phase to Windows 10 we wanted to be able to benefit from the fairly new Windows 10 Subscription Activation method for the existing environment. One of the requirements for us was that we could do this with Hybrid Azure AD Joined devices. With this post I will try to guide you through the settings and steps for the setup to work properly.
In this scenario the environment looked like this from the beginning:

Domain functional level: Windows Server 2012 R2
Windows 7 machines ready to be upgraded to Windows 10
All Windows clients domain-joined to an on-premise domain
An active Office 365 tenant existed
Azure AD Connect was configured with password synchronization only
An active Azure AD Premium P1 subscription existed

Now when we got the background information about the environment, lets start listing the things we needed to do before we successfully could make the Windows 10 Subscription Activation work for the new Windows 10 devices.

  1. Configure a service connection point
  2. Enable device writeback in Azure AD Connect
  3. Sync computers accounts via Azure AD Connect
  4. Create a GPO so domain joined computers automatically and silently register as devices with Azure Active directory
  5. Upgrade existing computer or install a new one with Windows 10 Pro 1709 and on-premise domain-join the device
  6. Verify that the Windows 10 computer register as a Hybrid Azure AD Joined device in Azure Active Directory admin center
  7. Assign a Windows 10 E3/E5 license to a user in Office 365 Admin Center
  8. Log onto the computer with the user you assigned the license to
  9. Confirm that the Windows 10 Pro 1709 computer steps up to Enterprise

Now I will describe most of the steps in more detail so it’s easier for you to understand what needs to be done.

To configure a service connection point, follow the steps below:
In newer versions of Azure AD Connect and when running Express settings, this SCP is created automatically here:

CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=dc,DC=dc;

You can also retrieve the setting with PowerShell:

$scp = New-Object System.DirectoryServices.DirectoryEntry; $scp.Path = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=dc,DC=dc;
$scp.Keywords;

In this case, it had not been created, probably because older version of Azure AD Connect was installed that did not perform this. Run the commands below as admin from the Microsoft Azure Active Directory Module for Windows PowerShell on the Azure AD Connect server which also needs to have RSAT-ADDS installed to create the SCP. Make sure you have 1.1.166 of the module installed.

Connect-MsolService
Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1";
$aadAdminCred = Get-Credential;
Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount yourADConnectorAccount -AzureADCredentials $aadAdminCred;

Verify that the SCP has been created with the retrieve PowerShell command above.
To enable device writeback in Azure AD Connect and sync computer accounts, follow the steps below:
This is done from the Azure AD Connect server.

Azure AD Connect > Customize synchronization
Connect to Azure AD > With an admin account
Add Registered Devices for Domain and OU filtering
Add your computer OU for Domain and OU filtering
Next
[v] Password synchronization
[v] Device writeback
Device writeback forest: Choose your forest
Next > Finish

To create the GPO for domain joined computers to automatically and silently register as devices with Azure Active directory, follow the steps below:

Create new GPO
Computer Configuration/Policies/Administrative Template/Windows Components/Device Registration
Enable: Register domain joined computers as devices
Save and apply GPO to your Windows 10 computers


To verify that the Windows 10 computer register as a Hybrid Azure AD Joined device in Azure Active Directory admin center, follow the steps below:

Login to Azure Active Directory admin center
Azure Active Directory > Devices > All devices
Verify that the Windows 10 computer is synced and Hybrid Azure AD Joined


You should also see msDS-Device records in the RegisteredDevices OU in Active Directory.

To assign a Windows 10 E3 or E5 license to a user in Office 365 Admin Center, follow the steps below:
In your Office 365 admin portal, find the user who should log onto the Windows 10 Pro computer and activate the Windows 10 Enterprise license that you bought beforehand. This license can be purchased as a separate license or via Microsoft 365 E3 or E5 license bundle.

To verify that the computer has been activated through Windows 10 Subscription Activation, follow the steps below:
After logging onto the Windows 10 Pro computer, verify that the Enterprise version has been activated.

Settings > Update & Security > Activation
Verify Windows 10 Enterprise subscription is active

Please note that you need to have a Windows 10 Pro license activated to get this to work. If you have a Windows 7 Pro licensed computer today and you have bought the Windows 10 E3/E5 or Microsoft 365 E3/E5 license you can upgrade your existing Windows 7 Pro computer to Windows 10 Pro by using your existing Windows 7 Pro key. This will give you a valid Windows 10 Pro license that can be used in this scenario.

A good to know command in this hybrid scenario is dsregcmd.exe /status. It will give you the status of your local computer, like if the device is Azure joined or if the user is in Azure.

Update 2020-12-23:
A lot of people that are experiencing issues with the Windows 10 Subscription Activation doesn’t have a valid Windows 10 Pro license for their machine. Since this is an requirement you need to provide one or it won’t work. So if your having issues related to this, please check the following two things:

  1. The computer has a valid Windows 10 Pro license key. Normally these keys are embedded in the firmware of the computer itself, so please use the following command to see if your computer has a Windows 10 Pro product key or not. The command will show you the product key if any exist.

    wmic path SoftwareLicensingService get OA3xOriginalProductKey

    If you don’t have any embedded product key in the firmware you need to manually add one (that you purchased or got from some other source) via the following command:

    cscript.exe c:\windows\system32\slmgr.vbs /ipk <PRODUCT KEY>
  2. Check that you are using Windows 10, version 1803 or above. From Windows 10, version 1803, Windows 10 Subscription Activation are enabled for pulling the activation keys directly from firmware for devices that support firmware-embedded keys. In these case it is no longer necessary to run a script to perform the activation step on Windows 10 Pro prior to activating Enterprise.

If you still having issues with the activation, even if you got the product key in the firmware and at least Windows 10 1803, try to activate the Windows 10 Pro license key manually with the command:

cscript.exe c:\windows\system32\slmgr.vbs /ato

If you have any questions, feel free to email me at tobias.sandberg@xenit.se.

Please see Microsoft documentation here for additional questions.

Tags : 1803, dnsregcmd, Hybrid Azure AD Join, Intune, license, Microsoft Intune, Subscription Activation, Windows 10, Windows 10 Pro, Windows 10 Professional, Windows Subscription Activation

Personlig rådgivning

Vi erbjuder personlig rådgivning med författaren för 1400 SEK per timme. Anmäl ditt intresse i här så återkommer vi så snart vi kan.

Comments

Wsia says

Nice article but do you actually need this hybrid azure ad configuration to register devices to AAD and to activate Windows 10 1709?
Shouldn't W10 1709 get activated based purely on user identity (synced to the cloud) which has been granted W10 Enterprise E3 or E5 license?

Tobias Sandberg says

In this scenario we want the computer to be a member of a on-premise AD to get GPO:s and other on-premise related stuff. So that is why we use the Hybrid Azure AD Joined devices solution, so we can benefit from both Azure AD and on-premise AD.
But to answer your question; if your environment is cloud-only (does't contain an on-premise AD) or the computers doesn't need to reach the on-premise AD in any way, you can use another option which is called Azure AD joined devices which register the devices directly to your Azure AD environment. In that way you can use the license of your choice, like the E3/E5.
If you have any other question, feel free to email me at tobias.sandberg@xenit.se.

P Thakor says

Hello Tobias.sandberg ,
We have On Premises AD synced to Office365 (Azure) and Users having E3 Licences .
Dell Desktops with Windows 10 PRO 1803 version joined to On-Premises AD and they are Activated to Windows PRO using Dell Embedded Digital License .
Also Windows 10 Machines are showing in Azure AD Portal with "Hybrid Azure AD joined"
and dsregcmd /status shows AzureAdJoined : YES
But Machines are not getting upgraded from PROD to Enterprise ,
Can you please help me what can be done in this issue.
Please see attached for better understating
Is there any alternate Method or some Manual command or tool from which we can Upgrade them to Enterprise https://uploads.disquscdn.com/images/3b7f71637ec307c5d8a639a3cf04cb3e408d1f89fb9aacb18c83c71645551ecd.png
Thanks
P.Thakor

Michal Bachtin says

The same situation here. Anyone has solution? Thank you

Tobias Sandberg says

Hi Michal Bachtin,
Firstly, I would like to thank you for reading my blogpost. Could you do the same thing and check the following in your environment?
1. Run the dsregcmd /status command and check the User State information
-> We would like to see that the user logged in to the computer is found in Azure AD
2. Check that the user has the same UPN in the local on-premise AD as in Azure AD
3. Check that the user has the correct license in Azure AD
4. If 1,2 and 3 above is correct it’s probably GPO related
-> Please disable any GPOs that could interfere with the Activation Subscription
Please let me know how it goes.

Tobias Sandberg says

Hi P.Thakor,
Firstly, I would like to thank you for reading my blogpost. I will try to help you with the problem you are describing below so you will get it to work in your environment.
I would like you to do the following things:
1.From the dsregcmd /status command, send me the User State information
-> We would like to see that the user logged in to the computer is found in Azure AD
2. Check that the username and prefix is the same in the local on-premise AD as in Azure AD
3. Check that the user has the correct license in Azure AD
4. If 1,2 and 3 above is correct it’s probably GPO related
-> Please disable any GPOs that could interfere with the Activation Subscription
Please let me know how it goes.

Tobias Sandberg says

Hi P.Thakor,
Firstly, I would like to thank you for reading my blogpost. I will try to help you with the problem you are describing below so you will get it to work in your environment.
I would like you to do the following things:
1. Run the dsregcmd /status command and check the User State information
-> We would like to see that the user logged in to the computer is found in Azure AD
2. Check that the user has the same UPN in the local on-premise AD as in Azure AD
3. Check that the user has the correct license in Azure AD
4. If 1,2 and 3 above is correct it’s probably GPO related
-> Please disable any GPOs that could interfere with the Activation Subscription
Please let me know how it goes.

P Thakor says

Hello Tobias
1. dsnregcmd /status show : AzureADJoined : Yes
2. UPN is same in Local on-Primise AD and Azure AD
3. Yes User have Correct Office E3 License and Enterprise Option is also Enabled .
4. We Do not have any GPO Regarding Activation .
Please suggest what can be do in this case , Is there any Manual Method using which we can Activate E3 License .
Please check the attachment in the First reply .
Thanks
P.Thakor

Tobias Sandberg says

Is the Windows 10 Pro machine licensed correctly? Could you go into Settings > Update & Security > Activation and confirm that the Pro edition is activated? Unfortunately there is no manual method to do this so we will have to dig a little deeper into the problem.

P Thakor says

Yes ,

P Thakor says

Yes , It shows Windows 10 Pro Activated .

Tobias Sandberg says

Great, thanks. Do you have Skype? It would be easier to chat with your directly so we can dig a little deeper regarding this issue.

P Thakor says

Hello Tobias
1. In Our AD "Registered Devices" OU is not showing in Active Directory.
2. Also is it necessary to Setup "Configure device Write-Back in AAD ??
What is difference between both option in AAD Device configuration .
- Configure Hybrid Azure AD Join
- Configure Device writeBack

Tobias Sandberg says

In my example the computer is joined to an on-premise AD (not joined to a Azure AD directly) and synced to the Azure AD through Azure AD Connect. With this method the device gets registered in Azure AD instead of joined (please read more about the differences on the link - https://docs.microsoft.com/en-us/azure/active-directory/devices/overview#hybrid-azure-ad-joined-devices). So the way I see that the device are correctly registered through my on-premise AD is to look at that RegisteredDevices OU. This is the same information that you would find in Azure AD where it then should be listed as Hybrid Azure AD Joined. To see the RegisteredDevices OU you need to activate Advanced Features in your ADUC console (View -> Advanced Features). But as we saw on your first picture one of your devices shows up as Hybrid Joned Azure AD Joined, so I still think that the issue here would be related to the useraccount you using or some GPO that interfering with these settings.

P Thakor says

Hello Tobias ,
One more thing. , We have Azure Active Directory which is Free or Basic and not the Premium as you have . Is this Activation because of this ?

Patrick says

Thank you so much, I was strugling with this until I found out my SCP was not properly configured ! Thank you

Add comment

Your comment will be revised by the site if needed.