Why is this an issue? Well, in Windows Enterprise, there are a lot of security features that are not available in the Pro SKU.
Windows 10/11 blocks the addition of more than one work account using "Settings > Accounts > Access work or school" by default, as there are multiple issues with having more than one. However, other Microsoft products prompt you to register your device when you sign into Microsoft 365 apps, for example, and now also with the Remote Desktop app.
This dialog box is a really bad user experience, as it bypasses the built-in block already in place to prevent the addition of more than one Azure AD account. I really wish that Microsoft could either stop prompting in all its apps or let us control it with a Microsoft 365 app policy instead, so we could apply it to unmanaged devices and not only managed ones. If we try to add a second account, we are blocked with the following dialog box:
Set up work or school account dialog box
Let's look at the details.
- Troubleshoot activation issues
- Turn off workplace join using the Settings catalog
- Use proactive remediation to check the Windows SKU
Troubleshoot activation issues
Windows 10/11 activation on Azure AD joined devices is handled by two scheduled tasks on the device, EnableLicenseAcquisition and LicenseAcquisition, for which multiple triggers are defined.
If more than one Azure AD account has been added, these tasks fail with the error "0x87E10BF2". The error can be seen in the Store event log, as shown in the picture below.
Service Fault: status: 400 code: SingleTenantIdExpectedForAadUsers: description: All Aad users provided in the request are expected to be associated to a single Tenant. data: ["3"] (Corr: XXXXXXXXXXXXX, Svr: ent-XXXXXXXXXX), token broker error: 0x00000000, number of MSA tickets: 1, number of AAD tickets: 3
The error message is pretty clear: "All Aad users provided in the request are expected to be associated to a single Tenant." On this device, we added three AAD accounts, which is also pretty clear in the error message "Number of AAD tickets: 3." So activation will fail.
On my device, it looked like this under Access work or school accounts:
The problem is easy to solve: Remove both additional accounts and restart the computer. Activation is automatically triggered and successful. However, we need to block this, as when the end user starts Outlook, for example, after removing the Work account, they will be prompted once more to register the device.
Turning off Workplace join using the Settings catalog
There are many ways of configuring settings. In the Intune Device Configuration Profile settings picker, the setting is called "Allow Workplace," as shown in the picture below. If we set it to block, Microsoft apps no longer show the dialog box to the end user.
We can also set the registry value directly, which is more work, of course. The following registry value blocks the dialog box:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin: "BlockAADWorkplaceJoin"=dword:00000001
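The registry value above can also be enforced with a Proactive Remediation pair. This is an added example, not a script from the original post; it assumes both files run as SYSTEM in 64-bit PowerShell, which is the Proactive Remediations default, and that the two parts are uploaded as separate detection and remediation files.

```powershell
# ===== Detection script (upload as a separate file) =====
# Exit 0 = compliant (BlockAADWorkplaceJoin is 1), Exit 1 = not compliant.
$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
$Name = 'BlockAADWorkplaceJoin'

# Property access on $null returns $null here, so a missing key or value
# simply yields $null instead of an error.
$Value = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
if ($Value -eq 1) {
    Write-Output "BlockAADWorkplaceJoin=1: workplace join prompts are blocked"
    Exit 0
}
Write-Output "BlockAADWorkplaceJoin missing or not 1 (current: '$Value'): prompts allowed"
Exit 1

# ===== Remediation script (upload as a separate file) =====
$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
$Name = 'BlockAADWorkplaceJoin'
try {
    # The policy key does not exist until a policy has been written to it.
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # -Force overwrites an existing value of a different type or data.
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null

    # Read the value back so the report reflects what is on disk, not the attempt.
    $Value = (Get-ItemProperty -Path $Path -Name $Name).$Name
    if ($Value -ne 1) { throw "Value read back as '$Value'" }
    Write-Output "BlockAADWorkplaceJoin set to 1"
    Exit 0
} catch {
    Write-Output "Failed to set BlockAADWorkplaceJoin: $($_.Exception.Message)"
    Exit 1
}
```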
Use proactive remediation to check the Windows SKU
Now that we know how to solve the issue, I put together a small detection script that can be used in Proactive Remediations, which is one of my absolute favorite features in Endpoint Analytics. We then get a nice report showing which devices are running Windows 10 Enterprise and which are not. This is, as I wrote before, a big deal, as we rely on security features in Windows 10 Enterprise to be enabled; if the devices are running Pro, we have a problem.
The report produced in Proactive Remediations looks like this:
The detection script is really simple; it checks whether the Windows SKU is "4," which is Enterprise edition. The full list of Windows SKU values can be found here:
OperatingSystemSKU Enum (Microsoft.PowerShell.Commands) | Microsoft Docs
The script:
# Detection script for Proactive Remediations: Exit 0 = compliant, Exit 1 = not compliant
$WindowsSKU = (Get-WmiObject Win32_OperatingSystem).OperatingSystemSKU
if ($WindowsSKU -eq 4) {
    # OperatingSystemSKU 4 = Enterprise
    Write-Output "Windows edition is Enterprise"
    Exit 0
} else {
    Write-Output "Windows edition is not Enterprise"
    Exit 1
}
Adding the script as a detection script in proactive remediation is done with the settings shown below.
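Since the report only shows the detection script's output, the SKU check can be extended to also surface the activation fault quoted earlier, so the report tells you not just that a device is on Pro but whether the multi-tenant fault has been logged. This is an added example rather than the post's own script; it assumes the Store operational log is named Microsoft-Windows-Store/Operational and uses a seven-day lookback, while the SKU value 4 and the fault text come from the post.

```powershell
# Extended detection script: Windows SKU plus recent SingleTenantIdExpectedForAadUsers faults.
$Os  = Get-CimInstance -ClassName Win32_OperatingSystem
$Sku = [int]$Os.OperatingSystemSKU
$IsEnterprise = ($Sku -eq 4)   # 4 = Enterprise, per the OperatingSystemSKU enum

# Assumption: log name and 7-day window. Get-WinEvent raises a non-terminating
# error when no events match, so that case is silenced and treated as "none".
$Events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Store/Operational'
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'SingleTenantIdExpectedForAadUsers' })

# Pull "number of AAD tickets: N" out of the most recent fault, if any.
$AadTickets = $null
$Latest = $Events | Sort-Object -Property TimeCreated -Descending | Select-Object -First 1
if ($Latest -and $Latest.Message -match 'number of AAD tickets:\s*(\d+)') {
    $AadTickets = [int]$Matches[1]
}

# Proactive Remediations shows the detection output as a single line in the report,
# so pack everything worth seeing into one string.
$Summary = "Caption=$($Os.Caption); SKU=$Sku; MultiTenantFaults7d=$($Events.Count); AADTickets=$AadTickets"

if ($IsEnterprise -and $Events.Count -eq 0) {
    Write-Output "Compliant: $Summary"
    Exit 0
} else {
    Write-Output "Non-compliant: $Summary"
    Exit 1
}
```

A device that is still on Enterprise but already logging the fault is reported as non-compliant, which is the window in which removing the extra accounts still avoids the drop to Pro.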
There is no easy way of remediating the activation issue, as the user has added the account themselves, but by automating the result, we could email to the end user or create a Service Desk ticket. The possibilities with PowerShell, Graph, and proactive remediations are endless.
I hope this will save time and help everyone make sure Enterprise SKU is used and Workplace Join is blocked.
Hi Jorgen,
I had a look on my device, which is domain joined; under Task Scheduler, Windows -> Subscription -> LicenseAcquisition, it shows (0x8007000D). Also, I don't have any other account added, except domain joined.
Any ideas what will be the reason behind this?
Thanks,
Hello Jorgen,
I have been using your Proactive Remediation for many months. Microsoft has been trying to determine why over 40% of our corporate systems stop syncing with Intune and drop from ENT to PRO. We've bypassed certain M365 apps from MFA, but it comes down to users not clicking "Fix Work or School Account" when prompted to. I was hoping to create a dynamic group so that when a computer drops from ENT to PRO, a PS script could run a process to resolve the issue, but unfortunately, dynamic groups don't have a filter expression for Pro, from what I see. Any thoughts on this? Thanks for all you do!