Azure AD
5 Topics

Azure AD Join Fails with Error 80072ee2 - EnterpriseRegistration URL Resolves OK
Hi there. Looking for some assistance with this error on a machine we have not been able to join to Azure AD/Entra ID: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/workplace-join-fail-error-0x80072ee7

Some information:
- It's on Windows 11 Pro.
- We have wiped it and tried again, no change.
- It CAN 'join' AAD if you select 'enroll in MDM only' option. No errors, it shows up in the tenant, etc. But we want a full join.
- It can resolve the enterpriseregistration.domain.com URL. Here's the output (redacted a bit):

Addresses: 2603:1037:1:18::
           2603:1037:1:8::7
           2603:1036:3000:8::
           2603:1036:3000:10::2
           2603:1037:1:10::
           40.126.24.16
           40.126.24.145
           20.190.152.144
           20.190.152.80
           20.190.152.23
Aliases:   enterpriseregistration.domain.com
           enterpriseregistration.windows.net
           na.privatelink.msidentity.com
           prdf.aadg.msidentity.com

I have attempted to use a provisioning package created by a deployment tool we use, and that also failed. I got the MDMDiagReport.xml from the MDMDiagReport.cab and found this in there:

I can provide more info from the .cab logs if anyone wants to see. Does anyone have an idea of why the join would fail, while the MDM enrollment would go just fine? Any help much appreciated.

13K Views, 0 likes, 1 Comment

WMI unknown account in security permissions
Hi everyone,

We are using WMI on Azure AD computers to give our NAC system (PortNox) access to read a certain process in the client. We have an issue where for some reason the account was mistakenly deleted, and in this case when opening the WMI CIMV2 namespace security we see that an unknown account remained in the security permissions. When I try to use PowerShell to remove the unknown account I get an unknown error. Does anyone have any idea what I can do to get out of this mess?

Thanks in advance,
Rahamim.

885 Views, 1 like, 0 Comments

How to restrict admin rights on Windows 10 Azure AD/Office 365 joined machine?
Hi all,

I just joined a new W10 Pro laptop to Azure AD by logging into the laptop with my Office 365 email address. It asked me to set up a PIN for Windows 10 Hello. However, I'm automatically an admin and I wanted to know how I can remove myself as an admin.

I tried setting up a local account as admin and then logged in as that and removed my AzureAD user account from the "administrators" group in "local users and groups", but I still have admin rights when I log in under my Office 365 account. I also went into Windows 10 account settings and set my account type to standard (signed out and back in) and I can still install apps and open cmd as admin with no admin prompt.

Anyone know how I can remove admin rights?

Thanks
Gerry

12K Views, 1 like, 2 Comments

Windows Hello for Business prompt after Hybrid Azure AD Joining Win 10 Device | WHFB disabled
Hello,

I'm looking for some clarification on the behaviour around Windows Hello for Business after Hybrid Azure AD joining Windows 10 devices. I recently enabled HAADJ in AAD Connect. As expected first of all, the devices acquire a userCertificate attribute as part of the WorkplaceJoin scheduled task, sync to AzureAD as part of the next AADConnect sync cycle and show up in the Azure AD tenant as a HAAD device.

The issue I encounter is with the Windows Hello for Business prompt. When a synced user logs in, they're prompted to set up a Windows Hello for Business PIN. You can skip the process and continue, but every subsequent login asks you to set up a PIN which you can sync. The devices are HAADJ but not enrolled into Intune for MDM.

In the AzureAD Portal under Microsoft Intune\Device Enrollment\Windows Enrollment\Windows Hello for Business, it was set as Not Configured. I also changed this to Disabled, but the users still get the prompt.

The only way forward I'm finding to deal with this is by setting the setting "Use Windows Hello for Business" under "User Configuration\Administrative Templates\Windows Components\Windows Hello for Business" to Disabled. It was previously set to Not Configured. This stops the setup PIN prompt coming up after login; however, notifications still appear in the notification area after login saying that The system is configured to use Windows Hello for Business, Click here to setup you PIN.

I do not get this behaviour in other environments where I have HAADJ configured, with seemingly the same settings. End goal is wanting to retain HAADJ but disable all the prompts for setting up Windows Hello for Business.

Any ideas?

5.5K Views, 0 likes, 1 Comment