WANOLOIS
Engaged Sweeper II
Hi,

LsAgent doesn't seem to recognise the domain on Azure AD joined laptops, and displays the logged on user as WORKGROUP\username.

Is there a way to correct this or will LsAgent fix this in the future and recognise the device and users are part of an Azure AD domain?

Thanks!
9 REPLIES
hyvokar
Engaged Sweeper II

I have the same issue, running 11.4.0.3.

Autopilot/Azure AD joined machines are shown as being part of "Workgroup" instead of the domain.
Would it be possible to indicate somehow that the machine is Azure AD joined, even if the domain name is not possible to show?

altu
Engaged Sweeper II

We are currently migrating to Azure AD and are at 50%.

Lansweeper became pretty useless for those devices in Azure AD. Very confusing reports.

Hope they will fix this soon.

dwinters2022
Engaged Sweeper II

Hello! We are migrating to Autopilot and Intune and joining our devices to AzureAD. 
This will make Lansweeper not very useable for us if it can't see these machines anymore...

KrisK
Lansweeper Tech Support

Hello,

This problem should have been resolved in Lansweeper version 10.3 and higher. It is assumed to be LAN-13956 in our changelog (https://www.lansweeper.com/changelog/).

If you would still encounter this problem with the latest version, please contact Support@lansweeper.com.

Thanks! 

altu
Engaged Sweeper II

This issue is still not resolved.

We are running version v. 11.2.0.3 and still see our AAD Joined devices as "WORKGROUP" joined.


KrisK
Lansweeper Tech Support

Actually, LAN-13956 was about Entra ID (Azure AD) users being erroneously identified as WORKGROUP\username. That should have been fixed.

The assets are indeed still identified as being a member of WORKGROUP, because that's what they report back to us via the WMI calls. Currently, we only scan users and groups from Entra ID. See https://community.lansweeper.com/t5/scanning-your-network/scan-microsoft-entra-id-azure-ad-users-and... for more details.

 

altu
Engaged Sweeper II

I got mixed signals when I contacted support about this. To me it was suggested to enable user and group scan in Entra as a solution (though I couldn't understand how that would have fixed the issue). 

I hope that Lansweeper acknowledges this issue as something serious. It honestly messes up all your reports and compliancy checks because you cannot distinguish domain joined, Azure AD joined and rogue (workgroup joined) devices.

It is true that WMI does return either the domain or Workgroup. But I guess Lansweeper could work around this by also querying the registry.

I have a PowerShell script where I query WMI and the registry for that info...

 

# Get the computer system information
# (Get-CimInstance is used because Get-WmiObject is not available in PowerShell 6 and later)
$ComputerSystem = Get-CimInstance -ClassName Win32_ComputerSystem

# Initialize join type and description variables
$JoinType = "Unknown"
$JoinDescription = ""

# Check if the device is part of a domain
if ($ComputerSystem.PartOfDomain) {
    # Check the domain role and output the domain name
    switch ($ComputerSystem.DomainRole) {
        0 { 
            $JoinType = "Standalone Workstation" 
            $JoinDescription = "The computer is not connected to a domain and operates as a standalone workstation in a workgroup."
        }
        1 { 
            $JoinType = "Member Workstation" 
            $JoinDescription = "The computer is part of the domain '$($ComputerSystem.Domain)' and operates as a workstation managed by a domain controller."
        }
        2 { 
            $JoinType = "Standalone Server" 
            $JoinDescription = "The computer is a standalone server, not part of a domain."
        }
        3 { 
            $JoinType = "Member Server" 
            $JoinDescription = "The computer is part of the domain '$($ComputerSystem.Domain)' and operates as a server managed by a domain controller."
        }
        4 { 
            $JoinType = "Backup Domain Controller" 
            $JoinDescription = "The computer is a backup domain controller in the domain '$($ComputerSystem.Domain)'. It helps manage domain authentication and services."
        }
        5 { 
            $JoinType = "Primary Domain Controller" 
            $JoinDescription = "The computer is the primary domain controller in the domain '$($ComputerSystem.Domain)'. It is responsible for managing domain resources, authentication, and policies."
        }
    }
}
else {
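    # Check if the device is Azure AD joined by looking for an enrollment that records an Azure AD tenant ID
    # (heuristic: these keys are enrollment records, so this is an indirect signal of the join state)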
    $RegistryPath = "HKLM:\SOFTWARE\Microsoft\Enrollments"
    $Enrollments = Get-ChildItem -Path $RegistryPath -ErrorAction SilentlyContinue

    $AzureADJoined = $false

    foreach ($Enrollment in $Enrollments) {
        $EnrollmentPath = $Enrollment.PSPath
        $JoinTypeKey = Get-ItemProperty -Path $EnrollmentPath -ErrorAction SilentlyContinue

        # Check if the enrollment is related to Azure AD ($null on the left is the safe comparison order)
        if ($JoinTypeKey -and $null -ne $JoinTypeKey.AADTenantID) {
            $AzureADJoined = $true
            break
        }
    }

    # Set the join type based on the registry check
    if ($AzureADJoined) {
        $JoinType = "Azure AD Joined"
        $JoinDescription = "The device is joined to Azure Active Directory."
    }
    else {
        # If not Azure AD joined, assume it's a Workgroup device
        $JoinType = "Workgroup"
        $JoinDescription = "The computer is not part of a domain or Azure AD, and is in a workgroup."
    }
}

# Output the join type and description
$JoinType
$JoinDescription
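
A complementary check, as an added example that is not part of the post above and is not Lansweeper's code: it parses the text output of Windows' built-in `dsregcmd /status`, so hybrid, Azure AD joined, domain joined and workgroup devices can be told apart. `Get-JoinState` is a hypothetical helper name, and the sample output and tenant name are constructed.

```powershell
# Added example: classify join state from `dsregcmd /status` text.
function Get-JoinState {
    param([string[]]$StatusLines)

    # Collect "Key : Value" pairs; dsregcmd pads keys with leading spaces.
    # The first occurrence of a key wins; banner lines do not match.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') {
            if (-not $fields.ContainsKey($Matches[1])) { $fields[$Matches[1]] = $Matches[2] }
        }
    }

    # A missing key compares as $false, so absent fields count as "not joined".
    $aad        = $fields['AzureAdJoined']   -eq 'YES'
    $domain     = $fields['DomainJoined']    -eq 'YES'
    $registered = $fields['WorkplaceJoined'] -eq 'YES'

    $state = if ($aad -and $domain) { 'Hybrid Azure AD joined' }
        elseif ($aad)               { 'Azure AD joined' }
        elseif ($domain)            { 'Domain joined' }
        elseif ($registered)        { 'Azure AD registered' }
        else                        { 'Workgroup' }

    [pscustomobject]@{
        JoinState  = $state
        TenantName = $fields['TenantName']
        DomainName = $fields['DomainName']
    }
}

# Constructed sample of `dsregcmd /status` output (tenant name is a placeholder).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
               Device Name : LAPTOP-EXAMPLE

                TenantName : Example Tenant
'@ -split "`r?`n"

Get-JoinState -StatusLines $sample    # JoinState is 'Azure AD joined'

# On a live Windows machine:
# Get-JoinState -StatusLines (dsregcmd /status)
```

Unlike the `PartOfDomain` branch in the script above, this reports a device that is both domain joined and Azure AD joined as hybrid rather than as a plain domain member.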


Faros
Engaged Sweeper

Hi,

I would like to know if you managed to solve this problem, or if the Lansweeper support helped with a solution, because I am facing the same error with my device.

Thanks

Marcus
Engaged Sweeper
WANOLOIS wrote:
Hi,

LsAgent doesn't seem to recognise the domain on Azure AD joined laptops, and displays the logged on user as WORKGROUP\username.

Is there a way to correct this or will LsAgent fix this in the future and recognise the device and users are part of an Azure AD domain?

Thanks!



Hey, we have this issue too. Our estate is modern and we are looking to drop all domain controllers this year. I approached support looking for a way to MAP the user.name from the /workgroup user and 365 sync user.

Support unfortunately said no. Hopefully, they consider this soon!

Hello Marcus,

Thank you for contacting Lansweeper support!

Currently, the only relationships you can set are:
- assets to users
- assets to other assets
You cannot create user relations or map local users to domain users.
Users are believed to be unique (like in Windows you have a unique SID for users) and there is no mechanism in our application to link these.

Kind regards,