If you received the error message "Windows 10 Enterprise subscription is not valid," this post will show you how to troubleshoot subscription-based activation issues on Windows 10 and Windows 11 for Azure AD joined devices. I've run into this issue a couple of times now; it only shows up 30 days after adding a second work account on an Azure AD joined device.

Why is this an issue? Well, in Windows Enterprise, there are a lot of security features that are not available in the Pro SKU.

Subscription not valid


Windows 10/11 blocks the addition of more than one work account using "Settings > Accounts > Access work or school" by default, as there are multiple issues with having more than one. However, other Microsoft products prompt you to register your device when you sign into Microsoft 365 apps, for example, and now also with the Remote Desktop app.

Stay signed in prompt in M365 apps


This dialog box is a really bad user experience, as it bypasses the built-in block already in place to prevent the addition of more than one Azure AD account. I really wish that Microsoft could either stop prompting in all its apps or let us control it with a Microsoft 365 app policy instead, so we could apply it to unmanaged devices and not only managed ones. If we try to add a second account, we are blocked with the following dialog box:

Set up work or school account dialog box


Let's look at the details.

  • Troubleshoot activation issues
  • Turn off workplace join using the Settings catalog
  • Use proactive remediation to check the Windows SKU

Troubleshoot activation issues

Windows 10/11 activation on Azure AD joined devices is handled by two scheduled tasks on the device, EnableLicenseAcquisition and LicenseAcquisition, for which multiple triggers are defined.

Schedule tasks


If more than one Azure AD account has been added, both tasks fail with the error "0x87E10BF2". The error can be seen in the Store Event log, as shown in the picture below.

Service Fault: status: 400 code: SingleTenantIdExpectedForAadUsers: description: All Aad users provided in the request are expected to be associated to a single Tenant. data: ["3"] (Corr: XXXXXXXXXXXXX, Svr: ent-XXXXXXXXXX), token broker error: 0x00000000, number of MSA tickets: 1, number of AAD tickets: 3

Store event log


The error message is pretty clear: "All Aad users provided in the request are expected to be associated to a single Tenant." On this device, we added three AAD accounts, which is also pretty clear in the error message "Number of AAD tickets: 3." So activation will fail.
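The ticket counts in that message can be pulled out programmatically, which makes it practical to flag affected devices from collected event text. The following is an added example, not code from the original post; the function name `ConvertFrom-StoreLicenseFault` is hypothetical, and the field layout is assumed from the single message quoted above.

```powershell
# Added example, not from the original post.
function ConvertFrom-StoreLicenseFault {
    param([Parameter(Mandatory)][string]$Message)

    # Field order follows the one fault message quoted in the post.
    $pattern = '(?s)status:\s*(?<status>\d+)\s+code:\s*(?<code>\w+):' +
               '.*?number of MSA tickets:\s*(?<msa>\d+)' +
               '.*?number of AAD tickets:\s*(?<aad>\d+)'
    if ($Message -notmatch $pattern) { return $null }

    $aad = [int]$Matches['aad']
    [pscustomobject]@{
        Status     = [int]$Matches['status']
        Code       = $Matches['code']
        MsaTickets = [int]$Matches['msa']
        AadTickets = $aad
        # The post ties the failure to more than one Azure AD account.
        MultipleAadAccounts = ($aad -gt 1)
    }
}

# Sample 1 is the message from the post; sample 2 is constructed and unrelated.
$samples = @(
    'Service Fault: status: 400 code: SingleTenantIdExpectedForAadUsers: description: All Aad users provided in the request are expected to be associated to a single Tenant. data: ["3"] (Corr: XXXXXXXXXXXXX, Svr: ent-XXXXXXXXXX), token broker error: 0x00000000, number of MSA tickets: 1, number of AAD tickets: 3',
    'Constructed sample: license refresh completed'
)

foreach ($text in $samples) {
    $fault = ConvertFrom-StoreLicenseFault -Message $text
    if ($fault -and $fault.MultipleAadAccounts) {
        Write-Output ("{0}: {1} AAD tickets, remove the extra work accounts" -f $fault.Code, $fault.AadTickets)
    } else {
        Write-Output "No multi-account licensing fault in this message"
    }
}
```

To use it on a device, pass in the message text of the Store log events; the post does not give the exact log name, so look it up in Event Viewer first.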

On my device, it looked like this under Access work or school accounts:

Access work or school accounts


The problem is easy to solve: Remove both additional accounts and restart the computer. Activation is then triggered automatically and succeeds. However, we still need to block the registration prompt, because when the end user starts Outlook, for example, after removing the work account, they will be prompted once more to register the device.

Turning off Workplace join using the Settings catalog

There are many ways of configuring settings. In the Intune Device Configuration Profile Settings picker, the setting is called "Allow Workplace," as shown in the picture below. If we set it to Block, Microsoft apps no longer show the dialog box to the end user.

Settings picker Allow workplace


We can also set the registry value, but it is more work, of course. The following registry value can also be set to block the dialog box:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin: "BlockAADWorkplaceJoin"=dword:00000001
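To confirm that the policy value actually landed on a device, the same exit-code convention used for the SKU check can be applied to this registry value. This is an added example, not code from the original post; the function names `Test-WorkplaceJoinBlocked` and `Set-WorkplaceJoinBlocked` are hypothetical, and the key and value name are the ones quoted above.

```powershell
# Added example, not from the original post: detection and remediation
# for the BlockAADWorkplaceJoin policy value quoted above.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
$ValueName  = 'BlockAADWorkplaceJoin'

function Test-WorkplaceJoinBlocked {
    param([string]$Path = $PolicyPath, [string]$Name = $ValueName)
    # A missing key or value means the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.$Name -eq 1)
}

function Set-WorkplaceJoinBlocked {
    param([string]$Path = $PolicyPath, [string]$Name = $ValueName)
    # Create the policy key if it does not exist yet, then write the DWORD.
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    New-ItemProperty -Path $Path -Name $Name -Value 1 -PropertyType DWord -Force | Out-Null
}

# Detection script body: exit 1 marks the device as needing remediation.
# A matching remediation script would contain the two functions above
# followed by a call to Set-WorkplaceJoinBlocked (requires elevation).
if (Test-WorkplaceJoinBlocked) {
    Write-Output "BlockAADWorkplaceJoin is set to 1"
    exit 0
} else {
    Write-Output "BlockAADWorkplaceJoin is missing or not set to 1"
    exit 1
}
```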

Use proactive remediation to check the Windows SKU

Now that we know how to solve the issue, I put together a small detection script that can be used in Proactive Remediations, which is one of my absolute favorite features in Endpoint Analytics. We then get a nice report showing which devices are running Windows 10 Enterprise and which are not. This is, as I wrote before, a big deal, as we rely on security features in Windows 10 Enterprise to be enabled; if the devices are running Pro, we have a problem.

The report produced in Proactive Remediations looks like this:

Proactive Remediations report


The detection script is really simple; it checks whether the Windows SKU is "4," which is Enterprise edition. The full list of Windows SKU values can be found here:
OperatingSystemSKU Enum (Microsoft.PowerShell.Commands) | Microsoft Docs

The script:

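# Read the operating system SKU; 4 is the Enterprise edition
$WindowsSKU = (Get-CimInstance -ClassName Win32_OperatingSystem).OperatingSystemSKU
if ($WindowsSKU -eq 4) {
	# Exit code 0 reports the device as compliant
	Write-Output "Windows edition is Enterprise"
	Exit 0
} else {
	# Exit code 1 flags the device in the report
	Write-Output "Windows edition is not Enterprise"
	Exit 1
}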

Adding the script as a detection script in proactive remediation is done with the settings shown below.

Proactive Remediation


There is no easy way of remediating the activation issue, as the user has added the account themselves, but by automating the result, we could email the end user or create a Service Desk ticket. The possibilities with PowerShell, Graph, and proactive remediations are endless.


I hope this will save time and help everyone make sure Enterprise SKU is used and Workplace Join is blocked.

2 Comments
  1. Hi Jorgen,
    I had a look on my device which is domain joined under task scheduler Windows -> Subscription -> LicenseAcquisition it shows (0x8007000D). Also, I don’t have other account added accepted domain joined.
    Any ideas what will be the reason behind this?

    Thanks,

  2. Esteban Parsons 4 weeks ago

    Hello Jorgen,
    I have been using your Proactive Remediation for many months. Microsoft has been trying to determine why over 40% of our corporate systems stop sync’ing with Intune and drop from ENT to PRO. We’ve bypassed certain M365 apps from MFA, but it comes down to users not clicking “Fix Work or School Account” when prompted to. I was hoping to create a dynamic group that when a computer drops from ENT to PRO, a PS script could run a process to resolve the issue…..but unfortunately, dynamic groups don’t have a filter expression for Pro, from what I see. Any thoughts on this? Thanks for all you do!


© 4sysops 2006 - 2023
