Part of the Microsoft Qualified Multi-Tenant Hosting program allows a QMTH to enable partners to run Windows 10 enterprise within their shared infrastructure. Green Cloud does not sell Windows 10 Enterprise licenses, but partners can bring their subscriptions for Windows 10 Enterprise E3 or Microsoft 365 E3. Green Cloud will provide partners with the underlying Windows 10 Pro license needed for the Windows 10 Enterprise activation. To apply a Windows 10 Enterprise license to your Green Cloud DaaS desktops you have 2 options: Hybrid Azure AD Sync (HAADS), or Controlled HAADS.
It is recommended prior to creating desktops you create an OU in your Active Directory environment for the your DaaS desktops. During pool creation, you will specify this OU as the target for the computer accounts. This same OU will be linked to the Group Policy Object with the optimizations for DaaS.
Option 1 – HAADS
Hybrid Azure AD Sync (HAADS) is the Microsoft recommended method of enabling Azure AD Hybrid Domain through the Azure AD Sync tool. This method is well documented by MS. Please refer to this article for more information on how to configure Hybrid Azure AD sync.
Option 2 – Controlled HAADS
The second option is called Controlled Hybrid Azure AD Sync. This method utilizes group policy to create a client specific service connection point to Azure AD for hybrid join. Using this approach, you can target a specific set of computers within a domain and/or OU. Please refer to this article for more information on Controlled HAADS.
Controlled HAADS Preparation
- You are familiar with group policy.
- Your domain has not previously been setup for Hybrid Azure AD.
- Your environment is not ADFS Federated.
- You have created an OU for your DaaS desktop computer accounts to be placed and for you to link the GPO.
Configure client-side registry setting for SCP
Use the following example to create a Group Policy Object (GPO) to deploy a registry setting configuring an SCP entry in the registry of your devices.
- Open a Group Policy Management console and create a new Group Policy Object in your domain.
- Provide your newly created GPO a name (for example, ClientSideSCP).
- Edit the GPO and locate the following path:
Computer Configuration > Preferences > Windows Settings > Registry - Right-click on the Registry and select New > Registry Item
- On the General tab, configure the following
- Action: Update
- Hive: HKEY_LOCAL_MACHINE
- Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD
- Value name: TenantId
- Value type: REG_SZ
- Value data: The GUID or Directory ID of your Azure AD instance (This value can be found in the Azure portal > Azure Active Directory > Properties > Directory ID)
- Click OK
- On the General tab, configure the following
- Right-click on the Registry and select New > Registry Item
- On the General tab, configure the following
- Action: Update
- Hive: HKEY_LOCAL_MACHINE
- Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD
- Value name: TenantName
- Value type: REG_SZ
- Value data: Your verified domain name or your onmicrosoft.com domain name.
- Click OK
- On the General tab, configure the following
- Close the editor for the newly created GPO
- Link the newly created GPO to the desired OU containing domain-joined computers that belong to your controlled rollout population