Sep 04
SCCM – Identify Azure AD Joined device

Following my post on creating an SCCM device collection for Windows Core (https://t.co/ZGdL91Vkht), I wanted to do the same to identify all Azure AD Joined devices.

So the first thing was to find out how to identify an Azure AD Joined device, and the answer is the following registry key, which only exists if the device is joined to Azure AD:

HKLM\System\CurrentControlSet\Control\CloudDomainJoin

You will need to use the subkey TenantInfo\<your Azure tenant ID> to be able to use it with SCCM for the membership rule; using just the CloudDomainJoin key seems to have no effect.

There is a limitation here: you will need to rename all the values defined by this key, meaning replace every value containing the Azure tenant ID.

This gives you something like the following for the MOF file to be imported:

// Identify Windows Azure AD Joined
#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("<your Azure tenant ID to be replaced>", NOFAIL)
[SMS_Report(TRUE),SMS_Group_Name("<your Azure tenant ID to be replaced>"),SMS_Class_ID("<your Azure tenant ID to be replaced>"),
SMS_Context_1("__ProviderArchitecture=32|uint32"),
SMS_Context_2("__RequiredArchitecture=true|boolean")]
Class <your Azure tenant ID to be replaced>: SMS_Class_Template
{
Content removed for clarity of this post
};

#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("<your Azure tenant ID to be replaced>_64", NOFAIL)
[SMS_Report(TRUE),SMS_Group_Name("<your Azure tenant ID to be replaced>_64"),SMS_Class_ID("<your Azure tenant ID to be replaced>_64"),
SMS_Context_1("__ProviderArchitecture=64|uint32"),
SMS_Context_2("__RequiredArchitecture=true|boolean")]
Class <your Azure tenant ID to be replaced>_64 : SMS_Class_Template
{
Content removed for clarity of this post
};


And this is the configuration to be added to the configuration.mof file:

// Identify Azure AD Joined devices
#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("<your Azure tenant ID to be replaced>", NOFAIL)
[DYNPROPS]
Class <your Azure tenant ID to be replaced>
{
Content removed for clarity of this post
};

[DYNPROPS]
Instance of <your Azure tenant ID to be replaced>
{
KeyName="AADJoined_32";
Content removed for clarity of this post
};

#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("<your Azure tenant ID to be replaced>_64", NOFAIL)
[DYNPROPS]
Class <your Azure tenant ID to be replaced>_64
{
Content removed for clarity of this post
};

[DYNPROPS]
Instance of <your Azure tenant ID to be replaced>_64
{
KeyName="AADJoined_64";
Content removed for clarity of this post
};

By the way, the subkeys give you all the Azure AD Joined configuration details, from the Azure tenant ID to the user who registered the device.
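To check the registry location described above (the TenantInfo\<tenant ID> subkey and the join details it holds) before wiring it into the SCCM inventory, here is a PowerShell script added to this post as an example; it is not part of the original post. It assumes it runs on the Windows device itself with rights to read HKLM, and it enumerates the value names under the tenant subkey rather than hard-coding them, since those names vary between Windows builds.

```powershell
# Added example (not from the original post): read the Azure AD join state from the
# CloudDomainJoin\TenantInfo key that the SCCM inventory class relies on.
# Assumption: run on the device with read access to HKLM; the set of value names under
# the tenant subkey is not fixed, so every value is enumerated and returned as-is.
function Get-AadJoinInfo {
    [CmdletBinding()]
    param(
        # Tenant ID to confirm against; leave empty to accept whichever tenant is found.
        [string]$ExpectedTenantId = ''
    )
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo'
    $notJoined = [pscustomobject]@{ Joined = $false; TenantId = $null; Details = $null }

    # No CloudDomainJoin\TenantInfo key at all means the device is not Azure AD joined.
    if (-not (Test-Path -Path $base)) { return $notJoined }

    # Each subkey of TenantInfo is named after the tenant ID the device is joined to.
    foreach ($key in (Get-ChildItem -Path $base -ErrorAction SilentlyContinue)) {
        $tenantId = $key.PSChildName
        if ($ExpectedTenantId -and $tenantId -ne $ExpectedTenantId) { continue }

        # Collect every named value of the subkey (tenant name, joining user, and so on).
        $details = @{}
        foreach ($name in $key.GetValueNames()) {
            if ($name) { $details[$name] = $key.GetValue($name) }
        }
        return [pscustomobject]@{ Joined = $true; TenantId = $tenantId; Details = $details }
    }
    return $notJoined
}

# Usage: report the join state and the exact registry path to put in the SCCM class.
$info = Get-AadJoinInfo
if ($info.Joined) {
    "Azure AD joined to tenant $($info.TenantId)"
    "Registry path for the inventory class: HKLM\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\$($info.TenantId)"
    $info.Details.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
} else {
    'Device is not Azure AD joined (no TenantInfo subkey found).'
}
```

Passing -ExpectedTenantId with your own tenant ID turns the script into a yes/no check for membership in that specific tenant, which is the same condition the collection rule in this post expresses once the class is inventoried.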

Once the identification method is in place, follow the steps detailed in my previous post (https://t.co/ZGdL91Vkht) to include this registry key in the SCCM discovery process, then create the SCCM device collection with the following rule:

(screenshot of the collection membership rule, not reproduced here)

This gives the following query:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_AADJoined on SMS_G_System_AADJoined.ResourceId = SMS_R_System.ResourceId where SMS_G_System_AADJoined.DisplayName is not null
