Understanding Azure AD Connect 1.4.xx.x and device disappearance

With version 1.4.xx.x of Azure AD Connect, some customers may see some or all of their Windows devices disappear from Azure AD. This is not a cause for concern, because Azure AD does not use these device identities during Conditional Access authorization. This change will not delete any Windows device that was correctly registered with Azure AD for Hybrid Azure AD Join.

If you see deletions of device objects in Azure AD exceeding the Export Deletion Threshold, it is advised that the customer allow the deletions to go through. See How To: allow deletes to flow when they exceed the deletion threshold.

Background

Windows devices registered as Hybrid Azure AD Joined are represented in Azure AD as device objects. These device objects can be used for Conditional Access. Windows 10 devices are synced to the cloud via Azure AD Connect; down-level Windows devices are registered directly using either AD FS.

Windows 10 devices

Only Windows 10 devices that carry the specific userCertificate attribute value configured by Hybrid Azure AD Join are supposed to be synced to the cloud by Azure AD Connect. Previous versions of Azure AD Connect did not rigorously enforce this requirement, which resulted in unnecessary device objects in Azure AD. Such devices in Azure AD always stayed in the "pending" state, because they were never intended to be registered with Azure AD.

This version of Azure AD Connect only syncs Windows 10 devices that are correctly configured to be Hybrid Azure AD Joined. Windows 10 device objects without the Azure AD join specific userCertificate will be removed from Azure AD.

Down-level Windows devices

Azure AD Connect should never sync down-level Windows devices. Any such devices previously synced to Azure AD incorrectly will now be deleted from Azure AD. If Azure AD Connect attempts to delete a down-level Windows device, that device object is not the one created by the Microsoft Workplace Join for non-Windows 10 computers MSI, and it cannot be consumed by any other Azure AD feature.

Some customers may need to revisit How To: Plan your hybrid Azure Active Directory join implementation to get their Windows devices registered correctly and to ensure that such devices can fully participate in device-based Conditional Access.

How can I verify which devices are deleted with this update?

To verify which devices are deleted, you can use this PowerShell script: https://gallery.technet.microsoft.com/scriptcenter/Export-Hybrid-Azure-AD-f8e51436

This script generates a report about certificates stored in Active Directory Computer objects, specifically certificates issued by the Hybrid Azure AD join feature. It checks the certificates present in the UserCertificate property of each Computer object in AD and, for each non-expired certificate, validates whether the certificate was issued for the Hybrid Azure AD join feature (i.e. the Subject Name matches CN={ObjectGUID}). Previously, Azure AD Connect would synchronize to Azure AD any Computer that contained at least one valid certificate; starting with Azure AD Connect version 1.4, the synchronization engine identifies Hybrid Azure AD join certificates and "cloud-filters" the computer object from synchronizing to Azure AD unless a valid Hybrid Azure AD join certificate is present. Device objects that were already synchronized to Azure AD but do not have a valid Hybrid Azure AD join certificate will be deleted (CloudFiltered=TRUE) by the sync engine.
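The following is an added example, not the gallery script linked above, that reproduces the same check from an on-premises domain-joined machine: it reads each Computer object's userCertificate values, keeps only unexpired certificates whose Subject is CN={ObjectGUID}, and flags the computers that the 1.4 sync rule would cloud-filter. It assumes the RSAT ActiveDirectory module is installed and the session can read computer objects; the function and output file names are this example's own.

```powershell
# Added example: predict which AD computer objects Azure AD Connect 1.4 will cloud-filter.
# Assumes the ActiveDirectory (RSAT) module and read access to computer objects.
Import-Module ActiveDirectory

function Test-HybridJoinCertificate {
    # Returns $true when the raw certificate is parseable, unexpired, and its
    # Subject matches the Hybrid Azure AD Join form CN={ObjectGUID}.
    param(
        [Parameter(Mandatory)][byte[]]$RawCertificate,
        [Parameter(Mandatory)][guid]$ObjectGuid
    )
    try {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($RawCertificate)
    } catch {
        return $false   # not a parseable X.509 blob; the sync engine cannot use it either
    }
    if ($cert.NotAfter -lt (Get-Date)) { return $false }   # expired certificates are ignored
    # -eq is case-insensitive, so GUID casing in the subject does not matter
    return ($cert.Subject -eq "CN=$ObjectGuid")
}

$report = foreach ($computer in Get-ADComputer -Filter * -Properties userCertificate, ObjectGUID) {
    # userCertificate is multi-valued; drop empty entries before parsing
    $certs = @($computer.userCertificate | Where-Object { $_ })
    $valid = @($certs | Where-Object {
        Test-HybridJoinCertificate -RawCertificate $_ -ObjectGuid $computer.ObjectGUID
    })
    [pscustomobject]@{
        Name             = $computer.Name
        ObjectGUID       = $computer.ObjectGUID
        CertificateCount = $certs.Count
        HybridJoinCerts  = $valid.Count
        # Mirrors the 1.4 rule: no valid hybrid-join certificate => CloudFiltered=TRUE,
        # i.e. the object is not synced and an existing Azure AD device is deleted
        CloudFiltered    = ($valid.Count -eq 0)
    }
}

$report | Sort-Object CloudFiltered -Descending | Format-Table -AutoSize
$report | Export-Csv -Path .\HybridJoinCertReport.csv -NoTypeInformation
```

Computers reported with CloudFiltered = True and CertificateCount greater than 0 are the ones that earlier versions synced on the strength of an unrelated certificate; those with a hybrid-join certificate count of 0 are expected to disappear from Azure AD after the upgrade.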