Monitor Windows Hello and AAD Hybrid join enrollment with MEMCM

Dsregcmd.exe is one of the most important troubleshooting tools on a Windows device when working with Azure AD Hybrid Join or Windows Hello. But this tool is only available as a command line tool and not in PowerShell. I wrote a translation function to change that. The Get-DsRegStatus function can be used to access these values in a simple PowerShell object. I included the function in the ModernWorkplaceClientCenter module on PsGallery to make it available to everybody. You can install it by executing:

Install-Module ModernWorkplaceClientCenter

dsregcmd in PowerShell

The Get-DsRegStatus method looks as follows:

function Get-DsRegStatus {
<# .Synopsis Returns the output of dsregcmd /status as a PSObject. .Description Returns the output of dsregcmd /status as a PSObject. All returned values are accessible by their property name. Now per section as a subobject. .Example # Displays a full output of dsregcmd / status. Get-DsRegStatus #>
$dsregcmd = dsregcmd /status
$o = New-Object -TypeName PSObject
foreach($line in $dsregcmd){
 if($line -like "| *"){
  if(-not [String]::IsNullOrWhiteSpace($currentSection) -and $null -ne $so){
   Add-Member -InputObject $o -MemberType NoteProperty -Name $currentSection -Value $so -ErrorAction SilentlyContinue
  }
  $currentSection = $line.Replace("|","").Replace(" ","").Trim()
  $so = New-Object -TypeName PSObject
 } elseif($line -match " *[A-z]+ : [A-z0-9\{\}]+ *"){
  Add-Member -InputObject $so -MemberType NoteProperty -Name (([String]$line).Trim() -split " : ")[0] -Value (([String]$line).Trim() -split " : ")[1] -ErrorAction SilentlyContinue
 }
}
if(-not [String]::IsNullOrWhiteSpace($currentSection) -and $null -ne $so){
Add-Member -InputObject $o -MemberType NoteProperty -Name $currentSection -Value $so -ErrorAction SilentlyContinue
} return $o }

The returned object can be used in PowerShell and contains per section a subobject.

MEMCM Configuration Items

Deploying and operating Windows Hello for business or enabling Azure AD Hybrid join is in normal cases simple, but as soon you experience issues troubleshooting is always on client side. There are several checks done by dsregcmd which can help troubleshooting or proactively resolve them.

For example if the device has a TPM, but in  some cases during the enrollment the Windows couldn’t access it, then the TpmProtected value will return NO and the KeyProvider is not “Microsoft Platform Crypto Provider”. For these cases I created multiple Configuration Items which you can deploy via MEMCM to your clients. The following checks are done in the CI’s:

  • Azure AD Hybrid Joined Status
    There are already multiple places were you find this information in the SCCM Console, but this CI will return in case of non compliance the Diagnostic Data available with dsregcmd. Therefore, you can group and centrally troubleshoot the root cause.
  • TPM Protected
    It checks if the Privat key used for Hybrid Join and Windows Hello for Business is TPM protected. I saw a lot of companies which said that they are using the TPM, but haven’t on a lot of machines for various reasons.
  • Key Storage Provider
    If you have multiple installed, these can be different. In normal cases it should be “Microsoft Platform Crypto Provider” when it is TPM protected and “Microsoft Software Key Storage Provider” when not.
  • Windows Hello for Business
    This CI needs to be deployed to users and executed in user context, then it will check if the NgcSet is set to YES and if not return Diagnostic Data for central analytics.

I have uploaded the four configuration items to Github. You can easily import the CAB files or create your own CI’s with the ps1 files.

When monitoring the deployment you can see which Configuration Item is Non-Compliant and when clicking on a specific asset you can also see what the actual value is on the device.

Follow me

0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.