Understanding Microsoft Entra Connect 1.4.xx.x and device registration

After deploying Microsoft Entra Connect version 1.4.xx.x, customers may see some or all of their Windows devices disappear from Microsoft Entra ID. This is not a cause for concern, because Microsoft Entra ID does not use these device identities during Conditional Access authorization. This change does not delete any Windows device that was correctly registered with Microsoft Entra ID for Microsoft Entra hybrid join.

If you see device object deletions in Microsoft Entra ID that exceed the export deletion threshold, allow the deletions to proceed. See How To: allow deletes to flow when they exceed the deletion threshold.
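The following is an added example, not part of the Microsoft page or of the ADSync module itself. It shows how an administrator can gate the threshold override on the CSV produced by the certificate report script later on this page, so that deletions are only allowed to flow once the number of cloud-filtered computers matches what was reviewed. The cmdlets Disable-ADSyncExportDeletionThreshold, Enable-ADSyncExportDeletionThreshold, Start-ADSyncSyncCycle and Get-ADSyncScheduler ship with Microsoft Entra Connect and must be run on the sync server; the report path and the expected count are placeholders.

```powershell
# Added example, not part of the Microsoft page or the ADSync module: gate the
# deletion-threshold override on the CSV that the certificate report script
# (later on this page) produces, so the deletes are only allowed to flow once
# the count of cloud-filtered computers matches what the operator expects.
# Run on the Microsoft Entra Connect server, where the ADSync cmdlets are available.

function Get-CloudFilteredComputer {
    # The report script exports with ';' as the delimiter.
    param([Parameter(Mandatory)][string]$ReportPath)
    Import-Csv -Path $ReportPath -Delimiter ';' |
        Where-Object { $_.CloudFiltered -eq 'TRUE' }
}

function Invoke-GatedDeletionExport {
    param(
        [Parameter(Mandatory)][string]$ReportPath,
        # Number of deletions the operator has reviewed and expects to see.
        [Parameter(Mandatory)][int]$ExpectedDeletions,
        # Threshold value to restore afterwards (500 is the product default).
        [int]$ThresholdToRestore = 500
    )
    $filtered = @(Get-CloudFilteredComputer -ReportPath $ReportPath)
    Write-Host "Report lists $($filtered.Count) computer object(s) with CloudFiltered=TRUE."
    $filtered | Select-Object ObjectDN, ValidCertsCount, HybridJoinCertsCount | Format-Table -AutoSize | Out-Host

    if ($filtered.Count -ne $ExpectedDeletions) {
        throw "Report shows $($filtered.Count) cloud-filtered object(s) but $ExpectedDeletions were expected. Review the report before overriding the threshold."
    }

    # Lift the threshold for this cycle only. Start-ADSyncSyncCycle returns as soon as the
    # cycle is queued, so wait for the cycle (including its export step) to finish before
    # re-enabling; re-enabling immediately after the call would restore the threshold too early.
    Disable-ADSyncExportDeletionThreshold
    Start-ADSyncSyncCycle -PolicyType Delta
    do {
        Start-Sleep -Seconds 15
    } while ((Get-ADSyncScheduler).SyncCycleInProgress)
    Enable-ADSyncExportDeletionThreshold -DeletionThreshold $ThresholdToRestore
}

# Usage (placeholder path; the report script names its file <timestamp>_ADSyncAADHybridJoinCertificateReport.csv):
# Invoke-GatedDeletionExport -ReportPath '.\REPORT_PLACEHOLDER.csv' -ExpectedDeletions 42
```

Disable-ADSyncExportDeletionThreshold prompts for Microsoft Entra administrator credentials. If the scheduler is suspended, the wait loop returns at once; confirm in Synchronization Service Manager that the export has actually run before relying on the restored threshold.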

Background

Windows devices registered as Microsoft Entra hybrid joined are represented in Microsoft Entra ID as device objects and can be used for Conditional Access. Windows 10 devices are synchronized to the cloud through Microsoft Entra Connect, while down-level Windows devices register directly using either Active Directory Federation Services (AD FS) or seamless single sign-on.

Windows 10 devices

Only Windows 10 devices that carry the specific userCertificate attribute value set by Microsoft Entra hybrid join should be synchronized to the cloud through Microsoft Entra Connect. In previous versions of Microsoft Entra Connect this requirement was not strictly enforced, and unnecessary device objects were added to Microsoft Entra ID. Such devices always remained in the "pending" state in Microsoft Entra ID, because they were never meant to be registered with Microsoft Entra ID.

This version of Microsoft Entra Connect only synchronizes Windows 10 devices that are correctly configured for Microsoft Entra hybrid join. Windows 10 device objects without the Microsoft Entra join-specific userCertificate are removed from Microsoft Entra ID.

Down-level Windows devices

Microsoft Entra Connect should never synchronize down-level Windows devices. Any such devices that were previously synchronized to Microsoft Entra ID incorrectly are now deleted from Microsoft Entra ID. If Microsoft Entra Connect attempts to delete a down-level Windows device, that device is not one created by the Microsoft Workplace Join for non-Windows 10 computers MSI, and it cannot be consumed by any other Microsoft Entra feature.

Some customers may need to revisit How To: Plan your Microsoft Entra hybrid join implementation to register their Windows devices correctly and ensure that these devices can participate in device-based Conditional Access.

How can I verify which devices are deleted with this update?

To verify which devices are deleted, use the PowerShell script in the PowerShell certificate report script section below.

This script generates a report about certificates stored in Active Directory computer objects, specifically the certificates issued by the Microsoft Entra hybrid join feature.

The script also checks the certificates present in the UserCertificate property of each computer object in AD. For each non-expired certificate, it validates whether the certificate was issued for the Microsoft Entra hybrid join feature, that is, whether the Subject Name matches CN={ObjectGUID}.

Before this update, Microsoft Entra Connect synchronized to Microsoft Entra ID any computer that contained at least one valid certificate. Starting with Microsoft Entra Connect version 1.4, the sync engine identifies Microsoft Entra hybrid join certificates and uses the cloudfilter to prevent the computer object from synchronizing to Microsoft Entra ID unless it has a valid Microsoft Entra hybrid join certificate.

Microsoft Entra device objects that were already synchronized to AD but do not have a valid Microsoft Entra hybrid join certificate are deleted by the sync engine with the filter CloudFiltered=TRUE.
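The following added example is not Microsoft's code and is not part of the report script below. It reproduces the hybrid join certificate test offline with self-signed test certificates, so the CloudFiltered outcome for a computer object can be understood without querying Active Directory, and it shows why a computer holding only an unrelated or expired certificate was synchronized by earlier versions but is filtered by 1.4. It assumes .NET's CertificateRequest class (PowerShell 7, or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later); the ObjectGUID and the certificate subjects are constructed test values.

```powershell
# Added example (not Microsoft's code): reproduce the hybrid join certificate check
# offline with self-signed test certificates. Assumes .NET's CertificateRequest class
# (PowerShell 7, or Windows PowerShell 5.1 on .NET Framework 4.7.2+). GUID and
# subjects below are constructed test values.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function New-TestCertificate {
    # Builds a self-signed certificate and returns a public-only X509Certificate2 built from
    # its DER bytes, which is the form the AD userCertificate attribute stores.
    param(
        [Parameter(Mandatory)][string]$Subject,
        [Parameter(Mandatory)][DateTimeOffset]$NotBefore,
        [Parameter(Mandatory)][DateTimeOffset]$NotAfter
    )
    $rsa = [RSA]::Create(2048)
    try {
        $req = [CertificateRequest]::new($Subject, $rsa, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
        $signed = $req.CreateSelfSigned($NotBefore, $NotAfter)
        try { [X509Certificate2]::new($signed.RawData) } finally { $signed.Dispose() }
    } finally {
        $rsa.Dispose()
    }
}

function Test-HybridJoinCertificate {
    # Same test as the report script: not expired, and Subject starts with
    # CN=<ObjectGUID> or CN={<ObjectGUID>}.
    param(
        [Parameter(Mandatory)][X509Certificate2]$Certificate,
        [Parameter(Mandatory)][guid]$ObjectGuid
    )
    $notExpired = $Certificate.NotAfter -ge (Get-Date)
    $subject = $Certificate.Subject
    $subjectMatches = $subject.StartsWith("CN=$ObjectGuid") -or $subject.StartsWith("CN={$ObjectGuid}")
    return ($notExpired -and $subjectMatches)
}

function Get-CloudFilteredDecision {
    # Takes the raw userCertificate entries (byte arrays) as AD would return them and
    # reports the CloudFiltered value the 1.4 sync engine would arrive at.
    param(
        [Parameter(Mandatory)][guid]$ObjectGuid,
        [Parameter(Mandatory)][object[]]$UserCertificate
    )
    $validCerts = 0
    $hybridJoinCerts = 0
    foreach ($entry in $UserCertificate) {
        try { $cert = [X509Certificate2]::new([byte[]]$entry) } catch { continue }  # skip undecodable entries
        if ($cert.NotAfter -ge (Get-Date)) { $validCerts++ }
        if (Test-HybridJoinCertificate -Certificate $cert -ObjectGuid $ObjectGuid) { $hybridJoinCerts++ }
    }
    $cloudFiltered = if ($hybridJoinCerts -gt 0) { 'FALSE' } else { 'TRUE' }
    [pscustomobject]@{
        ObjectGUID           = $ObjectGuid
        ValidCertsCount      = $validCerts       # what the pre-1.4 engine keyed on
        HybridJoinCertsCount = $hybridJoinCerts  # what the 1.4 engine keys on
        CloudFiltered        = $cloudFiltered
    }
}

# Constructed test data.
$objectGuid = [guid]'5e7f2c4a-1b3d-4e6f-9a8b-0c1d2e3f4a5b'
$now = [DateTimeOffset]::UtcNow
$hybridJoinCert  = New-TestCertificate -Subject "CN={$objectGuid}"      -NotBefore $now.AddDays(-30) -NotAfter $now.AddYears(10)
$expiredJoinCert = New-TestCertificate -Subject "CN=$objectGuid"        -NotBefore $now.AddYears(-2) -NotAfter $now.AddDays(-1)
$otherCert       = New-TestCertificate -Subject 'CN=pc01.fabrikam.com'  -NotBefore $now.AddDays(-30) -NotAfter $now.AddYears(1)

# A correctly hybrid-joined computer: stays in scope (CloudFiltered=FALSE).
Get-CloudFilteredDecision -ObjectGuid $objectGuid -UserCertificate @($hybridJoinCert.RawData, $otherCert.RawData)

# Only an expired join certificate plus an unrelated one: ValidCertsCount is 1, so earlier
# versions synchronized it, but HybridJoinCertsCount is 0, so 1.4 filters it (CloudFiltered=TRUE).
Get-CloudFilteredDecision -ObjectGuid $objectGuid -UserCertificate @($expiredJoinCert.RawData, $otherCert.RawData)
```

The second scenario is the one that produces the deletions this page describes: the object had a valid certificate, just not a hybrid join one, so it was a device in Microsoft Entra ID that never left the "pending" state and can now be removed.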

PowerShell certificate report script

<#

Filename:    Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1.

DISCLAIMER:
Copyright (c) Microsoft Corporation. All rights reserved. This script is made available to you without any express, implied or statutory warranty, not even the implied warranty of  merchantability or fitness for a particular purpose, or the warranty of title or non-infringement. The entire risk of the use or the results from the use of this script remains with you.
.Synopsis
This script generates a report about certificates stored in Active Directory Computer objects, specifically, 
certificates issued by the Microsoft Entra hybrid join feature.
.DESCRIPTION
It checks the certificates present in the UserCertificate property of a Computer object in AD and, for each 
non-expired certificate present, validates if the certificate was issued for the Microsoft Entra hybrid join feature 
(i.e. Subject Name matches CN={ObjectGUID}).
Before, Microsoft Entra Connect would synchronize to Microsoft Entra ID any Computer that contained at least one valid 
certificate but starting on Microsoft Entra Connect version 1.4, the sync engine can identify Hybrid 
Microsoft Entra join certificates and will 'cloudfilter' the computer object from synchronizing to Microsoft Entra ID unless 
there's a valid Microsoft Entra hybrid join certificate.
Microsoft Entra Device objects that were already synchronized to AD but do not have a valid Microsoft Entra hybrid join 
certificate will be deleted (CloudFiltered=TRUE) by the sync engine.
.EXAMPLE
.\Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1 -DN 'CN=Computer1,OU=SYNC,DC=Fabrikam,DC=com'
.EXAMPLE
.\Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1 -OU 'OU=SYNC,DC=Fabrikam,DC=com' -Filename "MyHybridAzureADjoinReport.csv" -Verbose

#>
   [CmdletBinding()]
   Param
   (
       # Computer DistinguishedName
       [Parameter(ParameterSetName='SingleObject',
               Mandatory=$true,
               ValueFromPipelineByPropertyName=$true,
               Position=0)]
       [String]
       $DN,

       # AD OrganizationalUnit
       [Parameter(ParameterSetName='MultipleObjects',
               Mandatory=$true,
               ValueFromPipelineByPropertyName=$true,
               Position=0)]
       [String]
       $OU,

       # Output CSV filename (optional)
       [Parameter(Mandatory=$false,
               ValueFromPipelineByPropertyName=$false,
               Position=1)]
       [String]
       $Filename

   )

   # Generate Output filename if not provided
   If ($Filename -eq "")
   {
       $Filename = [string] "$([string] $(Get-Date -Format yyyyMMddHHmmss))_ADSyncAADHybridJoinCertificateReport.csv"
   }
   Write-Verbose "Output filename: '$Filename'"
   
   # Read AD object(s)
   If ($PSCmdlet.ParameterSetName -eq 'SingleObject')
   {
       $directoryObjs = @(Get-ADObject $DN -Properties UserCertificate)
       Write-Verbose "Starting report for a single object '$DN'"
   }
   Else
   {
       $directoryObjs = Get-ADObject -Filter { ObjectClass -like 'computer' } -SearchBase $OU -Properties UserCertificate
       Write-Verbose "Starting report for $($directoryObjs.Count) computer objects in OU '$OU'"
   }

   Write-Host "Processing $($directoryObjs.Count) directory object(s). Please wait..."
   # Check Certificates on each AD Object
   $results = @()
   ForEach ($obj in $directoryObjs)
   {
       # Read UserCertificate multi-value property
       $objDN = [string] $obj.DistinguishedName
       $objectGuid = [string] ($obj.ObjectGUID).Guid
       $userCertificateList = @($obj.UserCertificate)
       $validEntries = @()
       $totalEntriesCount = $userCertificateList.Count
       Write-verbose "'$objDN' ObjectGUID: $objectGuid"
       Write-verbose "'$objDN' has $totalEntriesCount entries in UserCertificate property."
       If ($totalEntriesCount -eq 0)
       {
           Write-verbose "'$objDN' has no Certificates - Skipped."
           Continue
       }

       # Check each UserCertificate entry and build array of valid certs
       ForEach($entry in $userCertificateList)
       {
           Try
           {
               $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2] $entry
           }
           Catch
           {
               Write-verbose "'$objDN' has an invalid Certificate!"
               Continue
           }
           Write-verbose "'$objDN' has a Certificate with Subject: $($cert.Subject); Thumbprint:$($cert.Thumbprint)."
           $validEntries += $cert

       }
       
       $validEntriesCount = $validEntries.Count
       Write-verbose "'$objDN' has a total of $validEntriesCount certificates (shown above)."
       
       # Get non-expired Certs (Valid Certificates)
       $validCerts = @($validEntries | Where-Object {$_.NotAfter -ge (Get-Date)})
       $validCertsCount = $validCerts.Count
       Write-verbose "'$objDN' has $validCertsCount valid certificates (not-expired)."

       # Check for Microsoft Entra hybrid join Certificates
       $hybridJoinCerts = @()
       $hybridJoinCertsThumbprints = [string] "|"
       ForEach ($cert in $validCerts)
       {
           $certSubjectName = $cert.Subject
           If ($certSubjectName.StartsWith($("CN=$objectGuid")) -or $certSubjectName.StartsWith($("CN={$objectGuid}")))
           {
               $hybridJoinCerts += $cert
               $hybridJoinCertsThumbprints += [string] $($cert.Thumbprint) + '|'
           }
       }

       $hybridJoinCertsCount = $hybridJoinCerts.Count
       if ($hybridJoinCertsCount -gt 0)
       {
           $cloudFiltered = 'FALSE'
           Write-verbose "'$objDN' has $hybridJoinCertsCount Microsoft Entra hybrid join Certificates with Thumbprints: $hybridJoinCertsThumbprints (cloudFiltered=FALSE)"
       }
       Else
       {
           $cloudFiltered = 'TRUE'
           Write-verbose "'$objDN' has no Microsoft Entra hybrid join Certificates (cloudFiltered=TRUE)."
       }
       
       # Save results
       $r = "" | Select ObjectDN, ObjectGUID, TotalEntriesCount, CertsCount, ValidCertsCount, HybridJoinCertsCount, CloudFiltered
       $r.ObjectDN = $objDN
       $r.ObjectGUID = $objectGuid
       $r.TotalEntriesCount = $totalEntriesCount
       $r.CertsCount = $validEntriesCount
       $r.ValidCertsCount = $validCertsCount
       $r.HybridJoinCertsCount = $hybridJoinCertsCount
       $r.CloudFiltered = $cloudFiltered
       $results += $r
   }

   # Export results to CSV
   Try
   {        
       $results | Export-Csv $Filename -NoTypeInformation -Delimiter ';'
       Write-Host "Exported Hybrid Microsoft Entra Domain Join Certificate Report to '$Filename'.`n"
   }
   Catch
   {
       Throw "There was an error saving the file '$Filename': $($_.Exception.Message)"
   }

Next steps

Contact us for help

If you have questions or need help, create a support request, or ask Azure community support. You can also submit product feedback to the Azure feedback community.