Before rolling out passwordless, it helps Allthenticate's team scope the deployment correctly if we have a clear picture of two things on your fleet:
📝 Fastest path: fill out our short Windows Environment Scoping Form. It takes about 3 minutes, lets you pick from preset answers, and you can attach the CSVs from the fleet-wide checks below if you ran them. Prefer to do it the long way? Read on.
This page walks through how to answer both questions. Each section has two paths: a single-machine check anyone on your team can run in a couple of minutes, and a fleet-wide check for capturing the full picture across your environment. Either level of detail is useful — use whatever's easier on your end.
Knowing the join state tells us whether identity for each machine lives in on-prem AD, in Entra, in both (hybrid), or nowhere managed at all (workgroup). This shapes how Allthenticate Desktop integrates with your sign-in flow.
Open Command Prompt (no admin rights needed)
Run:
dsregcmd /status
In the output, look at the top section for these three lines:
| Field | What it means |
|---|---|
AzureAdJoined : YES/NO |
Whether the machine is joined to Microsoft Entra (cloud) |
EnterpriseJoined : YES/NO |
Legacy on-prem federation; almost always NO in modern environments |
DomainJoined : YES/NO |
Whether the machine is joined to on-prem Active Directory |
How to interpret the result:
DomainJoined: YES and AzureAdJoined: NO → Pure on-prem AD-joined (most common with Connect Sync)DomainJoined: YES and AzureAdJoined: YES → Hybrid joinedNO → Workgroup / standalone — the machine isn't managed by AD at all (worth flagging)Sign in to a Domain Controller (or any machine with the RSAT Active Directory PowerShell module)
Open PowerShell as Administrator
Run:
Get-ADComputer -Filter * -Properties OperatingSystem, LastLogonDate |
Select Name, OperatingSystem, LastLogonDate |
Export-Csv C:\\Temp\\domain-computers.csv -NoTypeInformation