AAD Join
2 Topics

Azure AD Join Fails with Error 80072ee2 - EnterpriseRegistration URL Resolves OK
Hi there. Looking for some assistance with this error on a machine we have not been able to join to Azure AD/Entra ID: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/workplace-join-fail-error-0x80072ee7

Some information: It's on Windows 11 Pro. We have wiped it and tried again, no change. It CAN 'join' AAD if you select the 'enroll in MDM only' option. No errors, it shows up in the tenant, etc. But we want a full join.

It can resolve the enterpriseregistration.domain.com URL. Here's the output (redacted a bit):

Addresses:  2603:1037:1:18::
            2603:1037:1:8::7
            2603:1036:3000:8::
            2603:1036:3000:10::2
            2603:1037:1:10::
            40.126.24.16
            40.126.24.145
            20.190.152.144
            20.190.152.80
            20.190.152.23
Aliases:    enterpriseregistration.domain.com
            enterpriseregistration.windows.net
            na.privatelink.msidentity.com
            prdf.aadg.msidentity.com

I have attempted to use a provisioning package created by a deployment tool we use, and that also failed. I got the MDMDiagReport.xml from the MDMDiagReport.cab and found this in there:

I can provide more info from the .cab logs if anyone wants to see. Does anyone have an idea of why the join would fail, while the MDM enrollment would go just fine? Any help much appreciated.

Allow user to AAD Join & InTune Enroll company devices only, not personally owned Win Pro/Ent devices
I am trying to work out the best way of achieving the following restrictions:

Allow Staff user accounts to be able to AAD Join and InTune AutoEnroll company-owned devices.
Block Staff from AAD Joining and AutoEnrolling personal devices.

The obvious configuration for this is to set the staff user accounts group in AAD to be allowed to AAD Join and in InTune allow them to Auto Enroll, whilst setting an Enrollment Restriction Policy for blocking personal devices. That is all good in theory, but the reality of that is that if a staff user has a personal device that has Windows Pro, Enterprise or Education installed, this configuration means they can still AAD Join and InTune AutoEnroll. Is there a way to make certain only company-owned devices can be Joined/Enrolled?

The fact that most personal users will have Windows Home mitigates some of the risk, and we are planning to use AutoPilot registration as an additional way of controlling things, so we can design the InTune app and policy assignment groups so that they are populated only by devices with the HWID registered. So if done correctly, even if they do enroll a personal device it won't receive any apps or policies anyway.

There is the setting to restrict users to only be able to enroll or AAD join 1 device that could be configured, but that doesn't stop them enrolling a personal device if they haven't enrolled a device already, plus it is a tenant-wide setting so it removes flexibility for users that we might want to allow to enroll and join multiple devices.

I can't help but wonder if there is a simpler, more robust way of doing this? The ideal scenario for us is to simply be able to say - only devices with a registered HWID can be enrolled. Am I missing something that enables this? Thanks