远程协助/ RDP AAD加入了Windows机器 [英] Remote Assist/RDP AAD Joined Windows Machines

问题描述

使用AAD远程协助用户的最佳方法在没有本地活动目录的情况下加入Windows 10 Pro设备会是什么？

我想要两个场景 -  



1.用户可以在局域网上远程登录自己的机器， 

2.帮助台可以请求查看/访问的权限 



基本上，就像使用本地AD一样，但只使用Azure。



我目前的工作是让用户创建远程协助邀请并将其发送给服务台用户协助。这增加了额外的步骤，我宁愿不让用户通过。



首先我首先看到这个：

https：// docs.microsoft.com/en-us/windows/client-management/connect-to-remote-aadj-pc



完全不起作用。



两台机器，同一局域网。两台AAD都加入了机器。两者（仅差异）是版本1703而不是1607



机器A尝试连接到机器B.用户jtest之前签署了一次。 jtest登录到机器A并尝试RDP到机器B."登录尝试失败"
$




尝试：jtest @ contoso。 COM; AzureAD\jtest; AzureAD\jtest@contoso.com - 所有三个相同的错误。



$
我在注册表中禁用了Credential Guard（KEY_LOCAL_MACHINE \ System \ CurrentControlSet \Control\Lsa \DisableRestrictedAdmin = 1）
$




我尝试添加到RDP文件：

https://superuser.com/questions/951330/windows-10-remote-desktop-connection-using-azure-ad-credentials



这不仅显示其他用户登录屏幕 - 与以前相同的登录失败。



    enablecredsspsupport：i：0

   认证级别：i：2





本地帐户可以正常工作，只需要AAD ...



我做错了什么？ 

What would be the best approach to remotely assist users with AAD Joined Windows 10 Pro devices with no on-prem active directory?
I would like two scenarios - 

1. where a user can remotely sign into their own machine on LAN, 
2. Help Desk can request permission to view/access 

Basically, the same way you'd do it on with on-prem AD, but just using Azure.

My current work around is to have the user create a remote assistance invitation and send it to the help desk user assisting. This adds extra steps I'd rather not put the user through.

First thing is first I viewed this:
https://docs.microsoft.com/en-us/windows/client-management/connect-to-remote-aadj-pc

Totally did not work.

Two machines, same LAN. Both AAD Joined machines. Both (only difference) are version 1703 not 1607

Machine A tries to connect to Machine B. User jtest has signed into each once before. jtest signs into Machine A and attempts to RDP to Machine B. "The Logon attempt failed"


Tried: jtest@contoso.com; AzureAD\jtest; AzureAD\jtest@contoso.com - all three same error.


I disabled the Credential Guard in the registry (KEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin = 1)


I tried adding to the RDP file:
https://superuser.com/questions/951330/windows-10-remote-desktop-connection-using-azure-ad-credentials

This does not just show an Other User screen to login - same Logon failure as before.

    enablecredsspsupport:i:0
    authentication level:i:2


Local accounts work fine any which way, just no AAD...

What am I doing wrong? 

推荐答案

您无法为远程连接指定单独的Azure AD帐户。

You cannot specify individual Azure AD accounts for remote connections.

请参阅链接中支持的配置 -
https://docs.microsoft.com/en-us/windows/client-management/connect-to-remote-aadj-pc  

Refer to supported configurations in the link - https://docs.microsoft.com/en-us/windows/client-management/connect-to-remote-aadj-pc 

如果您在这方面需要进一步的帮助，请告诉我们。

Let us know if you need further assistance in this regards.

这篇关于远程协助/ RDP AAD加入了Windows机器的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！