Forum Discussion
Azure AD Join Fails with Error 80072ee2 - EnterpriseRegistration URL Resolves OK
Hi there. Looking for some assistance with this error on a machine we have not been able to join to Azure AD/Entra ID: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/workplace-join-fail-error-0x80072ee7
Some information:
- It's on Windows 11 Pro.
- We have wiped it and tried again, no change.
- It CAN 'join' AAD if you select 'enroll in MDM only' option. No errors, it shows up in the tenant, etc. But we want a full join.
- It can resolve the enterpriseregistration.domain.com URL. Here's the output (redacted a bit):
Addresses: 2603:1037:1:18::
2603:1037:1:8::7
2603:1036:3000:8::
2603:1036:3000:10::2
2603:1037:1:10::
40.126.24.16
40.126.24.145
20.190.152.144
20.190.152.80
20.190.152.23
Aliases: enterpriseregistration.domain.com
enterpriseregistration.windows.net
na.privatelink.msidentity.com
prdf.aadg.msidentity.comI have attempted to use a provisioning package created by a deployment tool we use, and that also failed.
I got the MDMDiagReport.xml from the MDMDiagReport.cab and found this in there:
I can provide more info from the .cab logs if anyone wants to see. Does anyone have an idea of why the join would fail, while the MDM enrollment would go just fine? Any help much appreciated.
1 Reply
Hi no_thankyou,
Here are the key points which I could see from the information you provided in your question / issue:- Azure AD join fails with error 0x80072EE2 (this error code is normally connected to network issues).
- MDM enrollment works fine.
- The device can resolve the enterpriseregistration.domain.com URL.
Try these steps to address your issue:
- Check Network Connectivity:
-Ensure that the Windows 11 Pro device has stable internet connectivity without any network restrictions. - Date and Time Settings:
- Verify that the date and time settings on the device are correct. - Proxy or Firewall Settings:
- Ensure that proxy servers or firewalls do not block traffic to Azure AD services and URLs. - Check for Azure AD URL Resolution:
- Open a Command Prompt window on the device by searching for "Command Prompt" in the Start menu.
- In the Command Prompt, type the following command to test the resolution of an Azure AD URL (replace enterpriseregistration.domain.com with the actual Azure AD URL you want to test):
nslookup enterpriseregistration.domain.com
- The command should return the IP address associated with the Azure AD URL. If it returns the correct IP address, it means DNS is resolving Azure AD URLs correctly on the device.- Check DNS Server Settings:
- In the "Internet Protocol Version 4 (TCP/IPv4) Properties" window, you'll see DNS server settings.
- Ensure that either "Obtain DNS server address automatically" is selected, or if you have specific DNS server addresses to use (e.g., custom DNS servers for your organization), make sure they are correctly configured.
- Azure AD Configuration:
- Review Azure AD settings, conditional access policies, device settings, and user permissions to ensure Azure AD join is allowed. - Azure AD Device Settings:
- Check settings like "Users may join devices to Azure AD" and "Maximum number of devices per user" in Azure AD Device settings. - Review Logs:
- Examine MDMDiagReport logs for any error messages or details. Also, check Azure AD logs for sign-in or device registration failures.
Collect MDM logs - Windows Client Management | Microsoft Learn
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.If the post was useful in other ways, please consider giving it Like.
Kindest regards,
Leon Pavesic
