

Adding a Work Account in Windows 10 with Group Policy

Question

Wednesday, May 25, 2016 3:38 PM

Hi,

We're in the process of moving to O365 and have Azure AD configured and syncing OK. When we manually add a work account (via settings > Accounts) we are able to SSO to the O365 and myapps portal without any issues.

What I want to do is configure a group policy to do this automatically so that there is no manual configuration required. Can this be done? I've configured a GP to enable Device Registration (Computer Config/Admin Templates/Windows Components/Device Registration) but it doesn't seem to work?

I've read about a policy to configure 'Automatically workplace join client computers' but can't seem to find this policy? Is this the one I need, and where can I find it? I've copied up the W10 and W10 LTSB templates so would expect to see it?

Am I missing something, or is there anything else which needs to be configured to allow this to happen?

Thanks for any help in advance

All replies (9)

Monday, February 6, 2017 9:34 AM | Answered | 1 vote

Hi Tony,

We enabled the group policy "Register domain joined computers as devices" under Windows Components/Device Registration and it worked, though it does take a few reboots.

We've stopped using LTSB now, as at the time this only worked with Enterprise. We aren't using ADFS, but the older ADsync, and this seems to work OK, although when you change your password you get a prompt to type in the new one. We'll be upgrading to the newer version of ADSync soon, though, so I'm hoping that will sort the prompts.

Hope this helps?
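A way to verify on a client whether the policy above has actually applied and whether the device has finished registering, as an added example that is not part of this thread. It assumes the "Register domain joined computers as devices" policy writes the autoWorkplaceJoin value under HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, and that dsregcmd.exe is present (it is not on the 10240 LTSB build discussed here).

```powershell
# Added example, not from the original thread.
# Assumptions: the policy maps to the autoWorkplaceJoin registry value below,
# and dsregcmd.exe exists on this build of Windows 10.

function Get-AutoWorkplaceJoinPolicy {
    # Reports whether the "Register domain joined computers as devices" policy reached the client.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
    $item = Get-ItemProperty -Path $key -Name 'autoWorkplaceJoin' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.autoWorkplaceJoin -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function ConvertFrom-DsregStatus {
    # Turns the "Name : Value" lines printed by dsregcmd /status into a hashtable.
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z ]+?)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-DeviceRegistration {
    # Combines the policy state with the join state the device itself reports.
    $state = ConvertFrom-DsregStatus -Lines (& dsregcmd.exe /status 2>$null)
    $result = [pscustomobject]@{
        Policy          = Get-AutoWorkplaceJoinPolicy
        DomainJoined    = $state['DomainJoined']
        AzureAdJoined   = $state['AzureAdJoined']
        WorkplaceJoined = $state['WorkplaceJoined']
        TenantName      = $state['TenantName']
    }
    # Policy applied but not yet joined usually means registration has not completed
    # (the thread notes it can take a few reboots); the registration log shows why.
    if ($result.Policy -eq 'Enabled' -and $result.AzureAdJoined -ne 'YES') {
        Get-WinEvent -LogName 'Microsoft-Windows-User Device Registration/Admin' -MaxEvents 10 -ErrorAction SilentlyContinue |
            Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' } |
            Format-Table TimeCreated, Id, Message -AutoSize -Wrap
    }
    return $result
}

Test-DeviceRegistration | Format-List
```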


Thursday, May 26, 2016 6:46 AM

Hi TheWookie5375,

The main issue is to join all the Windows 10 machines to Azure AD automatically, right?
You may be interested in this link:
Connect domain-joined devices to Azure AD for Windows 10 experiences
https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-devices-group-policy/

"I've read about a policy to configure 'Automatically workplace join client computers' but can't seem to find this policy?"
On the Server, it is located in Computer Configuration > Policies > Administrative Templates > Windows Components > Workplace Join > Automatically workplace join client computers
On Windows 10, it is located in Computer Configuration/Policies/Administrative Templates/Windows Components/Device Registration

For Azure AD issue, we could try to ask for help here.
Azure AD
https://social.msdn.microsoft.com/forums/azure/en-US/home?forum=WindowsAzureAD

Best regards

Please mark the reply as an answer if you find it is helpful.

If you have feedback for TechNet Support, contact [email protected]


Thursday, May 26, 2016 12:09 PM

Thanks MeipoXu,

I have looked at most of these sites and still haven't been able to get it working. What's getting me is that if I add a work account manually, it works.

It's the Group Policy which doesn't seem to be working.

I have found one thing though: we have LTSB, and I've noticed that a prerequisite is build 10551, but our LTSB is 10240, and it's up to date. Could this be the reason?


Friday, May 27, 2016 3:05 AM

Hi TheWookie5375,

Have you checked both locations as I pointed out before?

"I've noticed that a prereq is build ver10551"
That could be the reason. I didn't have an LTSB and Azure AD to test with. Please try asking for help on our Azure AD forum, as I posted before.

Best regards

Please mark the reply as an answer if you find it is helpful.

If you have feedback for TechNet Support, contact [email protected]


Friday, May 27, 2016 7:50 AM

Hi MeipoXu,

Yes, I had seen these pages previously, but I didn't realise that one of the PowerShell scripts needs to be run on the Azure Connect server, which I'm having run for me today, so I hope that's all that's required. On the build version, I'm hoping this won't affect LTSB(?), otherwise we'll have to rethink!

Thanks again

I'll mark it as an answer once I know the outcome of when the scripts have been run.

Cheers


Saturday, February 4, 2017 1:24 AM

We're in the process of moving to O365 and have Azure AD configured and syncing OK. When we manually add a work account (via settings > Accounts) we are able to SSO to the O365 and myapps portal without any issues.

What I want to do is configure a group policy to do this automatically so that there is no manual configuration required. Can this be done?

Thanks for any help in advance

I have the exact same problem! Did you ever find a solution?

-Tony


Monday, February 6, 2017 7:05 PM

Hi Tony,

We enabled the group policy "Register domain joined computers as devices" under Windows Components/Device Registration and it worked, though it does take a few reboots.

We've stopped using LTSB now, as at the time this only worked with Enterprise. We aren't using ADFS, but the older ADsync, and this seems to work OK, although when you change your password you get a prompt to type in the new one. We'll be upgrading to the newer version of ADSync soon, though, so I'm hoping that will sort the prompts.

Hope this helps?

Thank you for replying. I'll try that GP setting.

Does the ADsync tool synchronize your computer accounts too? We are using ADFS, but we only sync the user accounts. I am wondering if we need to sync the computer accounts too.

Here is a link to my issue: https://social.technet.microsoft.com/Forums/windows/en-US/61946478-56a3-4135-96f8-c78438df4780/auto-signin-to-a-work-or-school-account-on-windows-10?forum=win10itprogeneral#61946478-56a3-4135-96f8-c78438df4780

If you have any other helpful ideas, please let me know.

Thanks!

-Tony


Tuesday, February 7, 2017 9:28 AM

No problem. I can't remember off the top of my head, but I think it does; it's just a tick box.

Doing a device registration via group policy does do this part in the link you sent.

It'll add the account (work) you've logged into automatically. The new ADSync addresses most of the "normal" obstacles, and I think they have sorted the password thing. ADFS is the best option I believe, as that does offer true single sign-on. Like I said though, we haven't upgraded to the new ADSync just yet, but will be soon, so hopefully what I have just said in the last paragraph is correct!?

Hope this helps


Wednesday, February 8, 2017 10:35 PM

Thank you. Yes, the device registration is key, it seems. I discovered that if the device is registered to AAD, then the user is automatically registered (sort of). At least it performs SSO as if the user had manually connected to AAD. In fact, if the user tries to connect, they get a message that the device is already connected.

Thanks for helping.

-Tony