On a Windows PC joined to a 'traditional' Active Directory domain, querying Win32_ComputerSystem or Win32_NTDomain returns the domain name.

It seems that if it's Azure anything [joined], those classes return nothing.

Our software won't run unless it is domain joined (and to a specific domain) to prevent rogue users from accessing data.

How can one determine if a laptop is actually a corporate laptop and not a rogue home user if an Azure AD [joined/registered] computer doesn't store that information in CIM? Surely it does, but I have not found anything useful beyond this, which isn't practical:

dsregcmd /status

Sounds like a Jurassic question, but there you go.

SamErde
SKidd
    You're asking how you can determine if the computer is Azure AD joined, but you don't need to do that. You need to determine if the computer is or is not AD joined, which you've already done. If Win32_ComputerSystem returns nothing then the computer is not AD joined. Whether or not it's Azure AD joined is immaterial. – joeqwerty Jul 20 '22 at 14:51
  • Yep, that's true. So up-voting for that. More complex so maybe another question - have someone that is on Azure, is a legit corporate user, but has _not_ AD joined. Technically, that's a legit user, but from our end it's not really possible to know. The tool dsregcmd will show if they are Azure AD joined, but it fails unless run from a cmd window. If you script it (be it .BAT or .VBS) it reports nothing. – SKidd Jul 21 '22 at 13:09
  • Explained more here [link](https://superuser.com/questions/1733347/determining-if-client-is-azure-ad-joined-using-dsregcmd-fails-if-called-from-a-s) – SKidd Jul 24 '22 at 13:47
  • `dsregcmd /status` won't run if inside an executable, be it as "shelling out" to a batch file or PowerShell. And that seems to be the ONLY reliable way to see if it's domain joined. – SKidd Jul 27 '22 at 14:50
  • What do you want to know it for? Do you want to physically walk up to a client, hit some buttons and read this personally? or do you want to use that information in a script, so you'd need a command? or do you just want to be able to check this information in a portal? If the latter: Intune – Manu Jul 28 '22 at 06:14
  • In your case, might the devices be pure Azure AD Joined or Hybrid Azure AD Joined? Do you need to check for both of those scenarios, or will all devices be either one or the other? – SamErde Aug 08 '22 at 07:03

2 Answers

0

I must admit your ask is confusing. What is it that you want to accomplish? Do you want to:

If your ask is none of the above, can you try to clarify what it is that you want to accomplish?

Noor Khaldi
  • The objective is that _only_ PCs that are in an actual Domain, be it on prem or Azure, are allowed to run the software. When the app loads it checks for domain membership using WMI from Win32_ComputerSystem > objItem.domain. That _ought_ to be enough, but Azure has some wrinkles where that may not be 100% accurate. dsregcmd /status is the preferred method, but that fails if called from an .exe, even if written out to a batch file or PS or vbscript - it ONLY succeeds if run from a CMD window or PS window. So not a go. That's it. And yes, there is a legit case for this. – SKidd Aug 01 '22 at 12:28
  • Can you please clarify what do you mean by Azure? Do you mean your own VM running Active Directory? Or Azure AD? Or Azure AD Domain Services? Also what wrinkles? Are you getting false positives using the WMI? Can you describe your setup so I may try to reproduce the issue? – Noor Khaldi Aug 02 '22 at 20:59
  • @Noor Khaldi It's not my setup, it's other users. Meaning we offer software for use on a Windows domain. We need to ascertain that the PC it's installed on is domain joined, a piece of cake with a traditional on-prem domain. Azure has _a lot_ of 'flavors', and many (most) are not an exact match to a "domain" with GPO, etc. As indicated earlier dsregcmd is **the** best way, but it will not work when called from a compiled .exe - nor even if you launch a visible cmd window via a batch file. So, what is a foolproof way (registry will do) to know "Yes it's a domain"? – SKidd Aug 03 '22 at 09:50
  • So with a bit of googling, you can use these options: Option 1) Returns the output of dsregcmd /status as a PSObject. All returned values are accessible by their property name. Now per section as a subobject: https://www.powershellgallery.com/packages/ModernWorkplaceClientCenter/0.1.17/Content/Functions%5CGet-DsRegStatus.ps1 Option 2) A PowerShell module that wraps the "dsregcmd.exe" executable's output. It also supports pulling the output from a remote computer through WinRM (using PSSessions): https://github.com/Yevrag35/DsRegModule – Noor Khaldi Aug 09 '22 at 21:46
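The approach the last comment points to, turning the text output of `dsregcmd /status` into an object a script can test, as an added example written for this page rather than code taken from either linked module. It assumes `dsregcmd.exe` is on the PATH and that the function is run from PowerShell (the asker reports the tool prints nothing when launched from a compiled executable, so confirm it produces output in your own hosting context before relying on it). Property names are the tool's own labels (for example `AzureAdJoined`, `DomainJoined`, `TenantId`) with spaces removed; the sample checks at the bottom use a placeholder tenant ID.

```powershell
# Added example, not from the original thread: parse dsregcmd /status into an object.
# Assumes dsregcmd.exe is on PATH and is being run from a PowerShell host.
function Get-DsRegStatus {
    [CmdletBinding()]
    param()

    # Capture the tool's stdout line by line.
    $lines = & dsregcmd.exe /status

    $result = @{}
    foreach ($line in $lines) {
        # Value lines look like "   AzureAdJoined : YES"; section banners have no colon and are skipped.
        if ($line -match '^\s*(?<key>[A-Za-z0-9 ]+?)\s*:\s*(?<value>.*?)\s*$') {
            $key = $Matches.key -replace '\s', ''
            # Keep the first occurrence of a label; later sections can repeat some names.
            if (-not $result.ContainsKey($key)) {
                $result[$key] = $Matches.value
            }
        }
    }
    [pscustomobject]$result
}

# Usage: evaluate the join state from the parsed object instead of scraping text in the caller.
$status = Get-DsRegStatus
$isAzureAdJoined = $status.AzureAdJoined -eq 'YES'
$isOnPremJoined  = $status.DomainJoined  -eq 'YES'

# Placeholder tenant GUID; replace with the tenant you expect corporate devices to belong to.
$expectedTenantId = '00000000-0000-0000-0000-000000000000'
$isExpectedTenant = $isAzureAdJoined -and ($status.TenantId -ieq $expectedTenantId)

[pscustomobject]@{
    AzureAdJoined    = $isAzureAdJoined
    OnPremJoined     = $isOnPremJoined
    TenantId         = $status.TenantId
    IsExpectedTenant = $isExpectedTenant
}
```

Comparing `TenantId` against the tenant you expect matters more than the bare `AzureAdJoined : YES`, because any Azure AD tenant, including a personal one, yields YES.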
0

"Azure Ad Domain Join Registry Keys," by Michael Herndon, explains that you can query a registry key for cloud domain join info:

HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo\{Guid}

Check two subkeys under the GUID to find the tenant ID and the user email values. This example uses PowerShell:

$subKey = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo"

# One GUID subkey exists per cloud join; report the tenant and user recorded under each
$guids = $subKey.GetSubKeyNames()
foreach ($guid in $guids) {
    $guidSubKey = $subKey.OpenSubKey($guid)
    $tenantId  = $guidSubKey.GetValue("TenantId")
    $userEmail = $guidSubKey.GetValue("UserEmail")
    [pscustomobject]@{ JoinId = $guid; TenantId = $tenantId; UserEmail = $userEmail }
}

You should be able to combine this check with your existing scripts that look for on-premises Active Directory domain join information.

SamErde