Understanding Microsoft Entra Connect 1.4.xx.x and device disappearance
With the rollout of Microsoft Entra Connect version 1.4.xx.x, customers may see some or all of their Windows devices disappear from Microsoft Entra ID. This is not a cause for concern, because these device identities are not used by Microsoft Entra ID during Conditional Access authorization. This change does not delete any Windows devices that were correctly registered with Microsoft Entra ID for Microsoft Entra hybrid join.
If you see device object deletions in Microsoft Entra ID that exceed the Export Deletion Threshold, allow the deletions to go through. See How to: Allow deletes to flow when they exceed the deletion threshold.
Background
Windows devices that are registered as Microsoft Entra hybrid joined are represented in Microsoft Entra ID as device objects and can be used for Conditional Access. Windows 10 devices are synchronized to the cloud through Microsoft Entra Connect, while down-level Windows devices register directly using Active Directory Federation Services (AD FS) or seamless single sign-on.
Windows 10 devices
Only Windows 10 devices with a specific userCertificate attribute value, configured for Microsoft Entra hybrid join, should be synchronized to the cloud by Microsoft Entra Connect. In previous versions of Microsoft Entra Connect, this requirement was not strictly enforced, and unnecessary device objects were added to Microsoft Entra ID. Such devices in Microsoft Entra ID always remained in the "pending" state, because they were never intended to be registered with Microsoft Entra ID.
This version of Microsoft Entra Connect synchronizes only Windows 10 devices that are correctly configured for Microsoft Entra hybrid join. Windows 10 device objects that do not have the Microsoft Entra join specific userCertificate will be removed from Microsoft Entra ID.
Down-level Windows devices
Microsoft Entra Connect should never synchronize down-level Windows devices. Any devices that were previously synchronized to Microsoft Entra ID incorrectly will now be deleted from Microsoft Entra ID. If Microsoft Entra Connect attempts to delete a down-level Windows device, that object is not the device created by the Microsoft Workplace Join for non-Windows 10 computers MSI, and it is not usable by any other Microsoft Entra feature.
Some customers might need to revisit How to: Plan your Microsoft Entra hybrid join implementation to register their Windows devices correctly and ensure that those devices can fully participate in device-based Conditional Access.
How can I verify which devices were deleted by this update?
To verify which devices were deleted, use the PowerShell script in the PowerShell certificate report script section below.
This script generates a report about certificates stored in Active Directory Computer objects, specifically certificates issued by the Microsoft Entra hybrid join feature.
The script also checks the certificates present in the UserCertificate property of each Computer object in AD. For each non-expired certificate present, the script validates whether the certificate was issued for the Microsoft Entra hybrid join feature, that is, whether the Subject Name matches CN={ObjectGUID}.
Before this update, Microsoft Entra Connect would synchronize to Microsoft Entra ID any computer that contained at least one valid certificate. Starting with Microsoft Entra Connect version 1.4, the sync engine identifies Microsoft Entra hybrid join certificates and uses a cloudfilter to prevent the computer object from synchronizing to Microsoft Entra ID unless there is a valid Microsoft Entra hybrid join certificate.
Microsoft Entra devices that were previously synchronized to AD but do not have a valid Microsoft Entra hybrid join certificate will be deleted by the sync engine using the filter CloudFiltered=TRUE.
PowerShell certificate report script
<#
Filename: Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1.
DISCLAIMER:
Copyright (c) Microsoft Corporation. All rights reserved. This script is made available to you without any express, implied or statutory warranty, not even the implied warranty of merchantability or fitness for a particular purpose, or the warranty of title or non-infringement. The entire risk of the use or the results from the use of this script remains with you.
.Synopsis
This script generates a report about certificates stored in Active Directory Computer objects, specifically,
certificates issued by the Microsoft Entra hybrid join feature.
.DESCRIPTION
It checks the certificates present in the UserCertificate property of a Computer object in AD and, for each
non-expired certificate present, validates if the certificate was issued for the Microsoft Entra hybrid join feature
(i.e. Subject Name matches CN={ObjectGUID}).
Before, Microsoft Entra Connect would synchronize to Microsoft Entra ID any Computer that contained at least one valid
certificate but starting on Microsoft Entra Connect version 1.4, the sync engine can identify Hybrid
Microsoft Entra join certificates and will 'cloudfilter' the computer object from synchronizing to Microsoft Entra ID unless
there's a valid Microsoft Entra hybrid join certificate.
Microsoft Entra Device objects that were already synchronized to AD but do not have a valid Microsoft Entra hybrid join
certificate will be deleted (CloudFiltered=TRUE) by the sync engine.
.EXAMPLE
.\Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1 -DN 'CN=Computer1,OU=SYNC,DC=Fabrikam,DC=com'
.EXAMPLE
.\Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1 -OU 'OU=SYNC,DC=Fabrikam,DC=com' -Filename "MyHybridAzureADjoinReport.csv" -Verbose
#>
[CmdletBinding()]
Param
(
    # Computer DistinguishedName
    [Parameter(ParameterSetName='SingleObject',
               Mandatory=$true,
               ValueFromPipelineByPropertyName=$true,
               Position=0)]
    [String]
    $DN,

    # AD OrganizationalUnit
    [Parameter(ParameterSetName='MultipleObjects',
               Mandatory=$true,
               ValueFromPipelineByPropertyName=$true,
               Position=0)]
    [String]
    $OU,

    # Output CSV filename (optional)
    [Parameter(Mandatory=$false,
               ValueFromPipelineByPropertyName=$false,
               Position=1)]
    [String]
    $Filename
)

# Generate Output filename if not provided
If ($Filename -eq "")
{
    $Filename = [string] "$([string] $(Get-Date -Format yyyyMMddHHmmss))_ADSyncAADHybridJoinCertificateReport.csv"
}
Write-Verbose "Output filename: '$Filename'"

# Read AD object(s)
If ($PSCmdlet.ParameterSetName -eq 'SingleObject')
{
    $directoryObjs = @(Get-ADObject $DN -Properties UserCertificate)
    Write-Verbose "Starting report for a single object '$DN'"
}
Else
{
    $directoryObjs = Get-ADObject -Filter { ObjectClass -like 'computer' } -SearchBase $OU -Properties UserCertificate
    Write-Verbose "Starting report for $($directoryObjs.Count) computer objects in OU '$OU'"
}
Write-Host "Processing $($directoryObjs.Count) directory object(s). Please wait..."

# Check Certificates on each AD Object
$results = @()
ForEach ($obj in $directoryObjs)
{
    # Read UserCertificate multi-value property
    $objDN = [string] $obj.DistinguishedName
    $objectGuid = [string] ($obj.ObjectGUID).Guid
    $userCertificateList = @($obj.UserCertificate)
    $validEntries = @()
    $totalEntriesCount = $userCertificateList.Count
    Write-Verbose "'$objDN' ObjectGUID: $objectGuid"
    Write-Verbose "'$objDN' has $totalEntriesCount entries in UserCertificate property."
    If ($totalEntriesCount -eq 0)
    {
        Write-Verbose "'$objDN' has no Certificates - Skipped."
        Continue
    }

    # Check each UserCertificate entry and build array of valid certs
    ForEach ($entry in $userCertificateList)
    {
        Try
        {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2] $entry
        }
        Catch
        {
            Write-Verbose "'$objDN' has an invalid Certificate!"
            Continue
        }
        Write-Verbose "'$objDN' has a Certificate with Subject: $($cert.Subject); Thumbprint:$($cert.Thumbprint)."
        $validEntries += $cert
    }
    $validEntriesCount = $validEntries.Count
    Write-Verbose "'$objDN' has a total of $validEntriesCount certificates (shown above)."

    # Get non-expired Certs (Valid Certificates)
    $validCerts = @($validEntries | Where-Object {$_.NotAfter -ge (Get-Date)})
    $validCertsCount = $validCerts.Count
    Write-Verbose "'$objDN' has $validCertsCount valid certificates (not-expired)."

    # Check for Microsoft Entra hybrid join Certificates
    $hybridJoinCerts = @()
    $hybridJoinCertsThumbprints = [string] "|"
    ForEach ($cert in $validCerts)
    {
        $certSubjectName = $cert.Subject
        If ($certSubjectName.StartsWith($("CN=$objectGuid")) -or $certSubjectName.StartsWith($("CN={$objectGuid}")))
        {
            $hybridJoinCerts += $cert
            $hybridJoinCertsThumbprints += [string] $($cert.Thumbprint) + '|'
        }
    }
    $hybridJoinCertsCount = $hybridJoinCerts.Count
    If ($hybridJoinCertsCount -gt 0)
    {
        $cloudFiltered = 'FALSE'
        Write-Verbose "'$objDN' has $hybridJoinCertsCount Microsoft Entra hybrid join Certificates with Thumbprints: $hybridJoinCertsThumbprints (cloudFiltered=FALSE)"
    }
    Else
    {
        $cloudFiltered = 'TRUE'
        Write-Verbose "'$objDN' has no Microsoft Entra hybrid join Certificates (cloudFiltered=TRUE)."
    }

    # Save results
    $r = "" | Select-Object ObjectDN, ObjectGUID, TotalEntriesCount, CertsCount, ValidCertsCount, HybridJoinCertsCount, CloudFiltered
    $r.ObjectDN = $objDN
    $r.ObjectGUID = $objectGuid
    $r.TotalEntriesCount = $totalEntriesCount
    $r.CertsCount = $validEntriesCount
    $r.ValidCertsCount = $validCertsCount
    $r.HybridJoinCertsCount = $hybridJoinCertsCount
    $r.CloudFiltered = $cloudFiltered
    $results += $r
}

# Export results to CSV
Try
{
    $results | Export-Csv $Filename -NoTypeInformation -Delimiter ';'
    Write-Host "Exported Hybrid Microsoft Entra Domain Join Certificate Report to '$Filename'.`n"
}
Catch
{
    Throw "There was an error saving the file '$Filename': $($_.Exception.Message)"
}
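The report above tells you which computers are CloudFiltered=TRUE, but before lifting the export deletion threshold you usually want to know why each one is filtered: a computer that still has a valid non-hybrid-join certificate is exactly the kind of object pre-1.4 versions synchronized by mistake, while one with only expired certificates was never a usable device. The triage function below is an added example, not part of the article or of the Microsoft script; it reads the script's semicolon-delimited CSV (or a constructed sample report embedded here, with made-up DNs and GUIDs) and classifies each row using the rule the article describes.

```powershell
# Added example: triage the CloudFiltered=TRUE rows of the certificate report.
# The sample report below is constructed; the column set matches the script's Export-Csv output.
$sampleReport = @'
"ObjectDN";"ObjectGUID";"TotalEntriesCount";"CertsCount";"ValidCertsCount";"HybridJoinCertsCount";"CloudFiltered"
"CN=PC01,OU=SYNC,DC=fabrikam,DC=com";"11111111-1111-1111-1111-111111111111";"2";"2";"1";"1";"FALSE"
"CN=PC02,OU=SYNC,DC=fabrikam,DC=com";"22222222-2222-2222-2222-222222222222";"1";"1";"1";"0";"TRUE"
"CN=PC03,OU=SYNC,DC=fabrikam,DC=com";"33333333-3333-3333-3333-333333333333";"2";"1";"0";"0";"TRUE"
'@

function Get-HybridJoinReportTriage {
    [CmdletBinding(DefaultParameterSetName='Path')]
    param(
        # Path to the CSV written by Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1
        [Parameter(Mandatory, ParameterSetName='Path')] [string] $Path,
        # Raw CSV text, used here for the constructed sample
        [Parameter(Mandatory, ParameterSetName='Text')] [string] $CsvText
    )
    $rows = if ($PSCmdlet.ParameterSetName -eq 'Path') {
        Import-Csv -Path $Path -Delimiter ';'
    } else {
        $CsvText | ConvertFrom-Csv -Delimiter ';'
    }
    foreach ($row in $rows) {
        # Apply the 1.4 rule: only a valid CN={ObjectGUID} certificate keeps the object syncing
        $verdict = if ($row.CloudFiltered -eq 'FALSE') {
            'Keeps syncing: valid hybrid join certificate present'
        } elseif ([int]$row.ValidCertsCount -gt 0) {
            'Expected deletion: synced by pre-1.4 versions on a non-hybrid-join certificate'
        } elseif ([int]$row.CertsCount -lt [int]$row.TotalEntriesCount) {
            'Expected deletion: only expired or unparseable certificate entries'
        } else {
            'Expected deletion: only expired certificates'
        }
        [pscustomobject]@{
            ObjectDN             = $row.ObjectDN
            ObjectGUID           = $row.ObjectGUID
            HybridJoinCertsCount = [int]$row.HybridJoinCertsCount
            CloudFiltered        = $row.CloudFiltered
            Verdict              = $verdict
        }
    }
}

$triage = Get-HybridJoinReportTriage -CsvText $sampleReport
$triage | Format-Table ObjectDN, CloudFiltered, Verdict -AutoSize
# Number of expected deletions to compare against the pending export deletions in the sync engine
($triage | Where-Object CloudFiltered -eq 'TRUE').Count
```

Run it against the real report with -Path <report>.csv; if the count of CloudFiltered=TRUE rows matches the pending export deletions, those deletions are the ones this article describes.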
Next steps
Contact us for help
If you have questions or need help, create a support request, or ask Azure community support. You can also submit product feedback to the Azure feedback community.