On September 10, 2019, Microsoft signed off on the first build of Azure AD Connect in the 1.4 version branch. Currently, this version is only available for organizations that have the Automatic Upgrade feature enabled. In the What’s Fixed section of the release notes for this version, Microsoft stated that:
Fixed a bug where non-Windows 10 computers were syncing unexpectedly.
Previously, Windows down-level computers joined to on-premises Active Directory Domain Services environments were incorrectly synchronized to Azure AD under some circumstances.
As an example of these circumstances, the userCertificate attribute value for Windows down-level devices in Active Directory is populated. But such devices in Azure AD always remained in the pending state because these Windows versions were not designed to be registered with Azure AD via Azure AD Connect.
Starting with version 1.4.x.0 of Azure AD Connect:
- Azure AD Connect stops synchronizing Windows down-level computers to Azure AD
- Azure AD Connect removes the previously incorrectly synchronized Windows down-level devices from Azure AD.
- Azure AD Connect might run into the Export Deletion Threshold.
If admins see the deletes of down-level Computer/Device objects in Azure AD exceeding the Export Deletion Threshold, it is advised that the customer allow these deletes to go through.
Some Azure AD admins may see some or all of their Windows down-level devices disappear from Azure AD.
However, Azure AD Connect will not delete any Windows down-level devices that were correctly registered with Azure AD by using the Workplace Join for non-Windows 10 computers package. Those devices will continue to work as expected for the purposes of device-based Conditional Access.
Microsoft is cleaning up device objects in Azure AD tenants, that add no value.
This is not a cause for concern, as these device identities were never actually used by Azure AD during Conditional Access authorization.
To get their Windows down-level devices registered correctly and ensure that such devices can fully participate in device-based conditional access, the devices need to Hybrid Azure AD Join, correctly.
Changes in Azure AD Connect functionality to allow for increased security levels (in this case by removing stale and non-functional objects) may have an impact on the way Azure AD Connect behaves in your organization.
KnowledgeBase: Azure AD Connect 184.108.40.206 enables Auto Upgrades in AD FS Scenarios
KnowledgeBase: Azure AD Connect upgrade is not reflected in the Office 365 Portal
Azure AD Connect 1.4 introduces refined AD FS Management Capabilities
Azure AD Connect 220.127.116.11 fixes an elevation of privilege vulnerability (CVE-2019-1000)
HOWTO: Enforce Azure AD Connect to use TLS 1.2 only