Local Computers Joined Azure AD w/o Local User Permission

My Windows 10 (version 1607) computers are joined to an Azure Active Directory without my permission. I did not actively join an Azure AD on the settings/accounts/access work or school account page or on the System about page. When I go to any of these settings pages there is not option to join or leave an Azure AD or Organization. I also found a provisioning package being applied to the computer at logon. Presumably coming from the Azure AD that the computers are linked to. How do I disconnect my computers from whatever active directory it is joined to?
Details: The computers are personal home use computers that should not be joined to any organization's active directory. Every time a new computer is setup in my house it gets joined to an unknown Azure Active Directory. During setup and subsequent updates the computers are automatically joined to some azure active directory without input from the local user. The computers are new and have not had any additional apps added. All security settings have been changed to not allow sharing of any type. Default user accounts have been disabled. The computers have not been used for anything aside from surfing the web for a solution. They are out of the box with setup and updates completed.
Event Log viewer shows remote power shell commands being executed event #4104. Device management-enterprise-diagnostics- reports System migration tasks completed event #1700. Windows Remote Management reports Activity Transfer Event #254. At logon I often get a message that there has been a change in the network status. These events seem to be related to the computers being linked to an active directory somewhere.
On the settings-account-join a work or school account there is an option to "Export your management log files" which exports an XML to Users\public\Documents\MDMDiagnostics\. The log file shows 100 pages of code being provisioned to the home use computers.
Tcpview shows the home computers trying to/or connecting to various computers around the world at various times when a browser is open on the Google search page with no other web pages open. I assume all this activity is related to the active directory the home computers have been linked to.
Whatever is happening with these new computers seems to be a serious security threat related to Windows 10 "join an azure active directory". These home computers should not be connecting to or trying to connect to: computers in the Ukraine, Croatia, Canada, England, Germany, etc when no web pages are open aside from a google search screen.
I have been searching the web for months to figure out how to disable the join an azure active directory feature on new computers. I have contacted Microsoft support desk, visited a Microsoft store for technical help, and contacted MCafee support to no avail. All technical assistance ended at level 2 support telling me they do not know how to correct the issue and to take the computers back to the store or contact the computer manufactures to get the setup disks and rebuild the computer. After 5 new computers, I would prefer to have a different solution.
I have posted on various forums that post back a solution to go to settings/system/about and click the button "Leave an Organization". This button does not exist on the computers. (Maybe hidden by some sort of group policy being applied to the computers. )
If anybody has had a similar situation, please comment and/or provide information on how to disconnect the local computers from the azure active directory they are attached to and disable or block them from ever being joined to an Azure Active Directory again. Thank you!

Discussion is locked
Reply to: Local Computers Joined Azure AD w/o Local User Permission
PLEASE NOTE: Do not post advertisements, offensive materials, profanity, or personal attacks. Please remember to be considerate of other members. If you are new to the CNET Forums, please read our CNET Forums FAQ. All submitted content is subject to our Terms of Use.
Reporting: Local Computers Joined Azure AD w/o Local User Permission
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
- Collapse -
I don't see that here. BUT and this matters.

I am not using the Email login system.

If I do use the Email login system, then by design this does sync things and to do that requires Azure or Microsoft's choice.

To me this is not a bug. This is your IT or support not diving into talking about how things work. I could be wrong but I know the email login much connect to services today.

- Collapse -
Additional Info Request

Thank you for the response. I am a local home user and do not have IT support. These computers are not used for any type of business related activity. The only e-mail used on the computer is AOL mail, accessed via the web browser. I do not think the computers should be attached to an Azure Active Directory since our home is not affiliated with any organization. There is no option to "Leave the Organization" on the settings/system/about page. Are you saying Microsoft has attached the computers to an Azure Active Directory that they control? Any additional information would be greatly appreciated!

- Collapse -
This is the request.

Q1. How do you login?

If you use the default login, I don't see all you wrote as a bug but how it is supposed to work. Now if you want to avoid all that, use a local login. Here's a link on that.

I don't wait to hold a seminar on how the email login works but in this next graphic, how else is Microsoft supposed to do the app and sync? Microsoft uses Azure so that's how it is supposed to work. (not a bug!)

- Collapse -
Local user login machines - not Microsoft account logins

Thank you again for the additional information. I misunderstood your original post regarding the e-mail login. These computers were setup with local logins only. When the initial setup screen asking you to login with a Microsoft account came up I clicked skip this for now. These computers are set up as local machines without any connection to Microsoft accounts. Automatic updates on all apps and Microsoft products have been turned off, the computers have never logged into a Microsoft account, an office 365 account, or any Azure VM. There is a mobile device management provisioning package running at logon that came from somewhere. Does Windows 10 version 1607 automatically connect computers to Azure AD's and provision the computers with settings to AllowAzureRMSForEDP and set AllowManualMDMUnenrollment to no? These are just two of the settings provisioned in the 100 pages of code that run at user login. Seems odd that a local user does not have the ability to unenroll a device in Mobile Device Management. Who is managing the device if not the local user? Thank you again for your expertise and information.

- Collapse -
You are not managing Windows 10.

That ended with this version. I'm not there to give long dissertations so I have to be short and may upset folk.

OK, back to Azure. I think MSFT uses that to distribute updates. Did you turn off WU sharing? More at

Frankly I'm getting the idea you may not like all the W10 changes. While at the office we're all in, we are a bunch of programmers. Many have taken MSFT classes and seminars.

I'm still not seeing this as a bug but as something a few have asked me. This is not a silent OS that doesn't connect to Microsoft. It's very connected. To break the connection you would firewall the machines and deal with the fallout.

- Collapse -
Yes turned off WU sharing just after setup

I appreciate your responses. It's not that I do not like Win10. It's that I do not understand why the computer is doing things I am unaware of such as applying MDM provisioning packages, visiting or trying to visit websites or computer IP's in various countries throughout the world when I do not have any webpages open in a browser other than a google search page, connecting to other devices in the home when all sharing is turned off in network settings, redirecting entered website addresses to a blank page or a bing search page, etc. It seems as if the computers are being used and controlled by someone other than me. When I am not actively using the computer just watching Tcpview and task manager there is all kinds of activity for hours and hours. Maybe it is just Microsoft doing their thing; but, it is quite unnerving not to know what your computer is doing and why. Hoping I don't get arrested for my computer hacking into a proprietary server somewhere when I'm not looking. Thank you for your advice and time!

- Collapse -
Re: doing things

It looks like you have malware on your system. shows the first column of tcpview listing the process on your PC that's involved. Are you sure it's a Microsoft program or service connecting to Ukrain or Croatia? That seems quite unlikely to me.

- Collapse -

Thankyou for the information

- Collapse -
Let's watch this other post.

I am taking this as if you are not using your own W10 install. That is, if you had a Dell/Asus/Crto or other OEM install, they could have already activated 365 or some other MSFT feature. shows how tied to Azure MSFT's new services are. AND!!! This is not limited to just the email login and 365. All those tiles have to get their feed from _________________. (place your bets here.)
- Collapse -
Thank you very much!

I appreciate your sense of humor and your willingness to follow this. I did purchase the various computers from big box stores so understand there could have been some other MSFT features pre-installed. Computers were: Dell, HP, Asus, & Lenovo. I checked control panel/programs for anything that I was not going to use and uninstalled them prior to downloading Win10 version 1607. It seems the MDM Provisioning package and the connection to the Azure Active Directory happened as I installed the version 1607 updates. Prior to the update install, the settings/ system/ about page looked normal with the button showing "Join Azure AD". After the update, the button was gone and there was not a new button to allow me to "disconnect from organization". All the websites I found say there should be a disconnect button: )
I will watch the other post and see what comes from it. Thank you again for your assistance.

NOTE: Moderator edited link to fix the page not found. The trailing right parentheses needed a leading space.

Post was last edited on September 19, 2016 2:47 PM PDT

- Collapse -
I don't see such buttons BUT

I never joined Azure or installed a thing. This example is a very stock Asus.

- Collapse -
very odd

I see you are still on version 1511 and that you have the latest build that came out on 9/13/16. My computers had the buttons before the upgrade to version 1607; but, I did not do any 1511 updates prior to version 1607 download and install. Maybe updates on the computers join them to Azure ADs and take the buttons away? Seems weird, though, what if I did want to join my computer to my companies Azure AD. I wouldn't have the button to do so after an update?

- Collapse -
Re: Azure

How do you see they are joined to some Azure AD? I can't detect anything on my own Windows 10 PC, but I don't know what | should look for.

You write "everytime a computer is setup in my house", which leads to some questions:
- What exactly do you mean with "setup"? You install Windows 10 from an iso you made, type the license code, and when that is validated, you can disconnect from Internet and be fully setup. It seems impossible you're linked to anything then. But maybe you mean something else.
- When you do the same in some other location, the same happens?

- Collapse -
And ...

reading your above answer I get the impression that with "setup" you mean "upgrade to 1607", since all was normal before that. That's quite something else.

I also upgraded to 1607, and - without your help - I don't know how to check if I'm joined to an Azure AD also. But I must say it makes sense that if you didn't connect to work or school or any other organisation, there's no disconnect shown.

- Collapse -
So to check and see if you are joined to Azure AD

1. Verify if you have a button on the settings/system/about page - "Join Azure AD" as shown in the website posted above. If not, I would assume you are joined.
2. Go to Settings/Accounts/Access work or school.... Look for a link "Export your management log files" If it is there you can click on it and go to the path listed to see your MDM (Mobile Device Management) Enterprise Diagnostic Report. It will list enrollment ID's and settings provisioned to the computer. The InTune website above somewhat defines the code listed on the XML.

I would be very interested to know if the status of your computer as related to these two items. If your's is the same as my computers, then, maybe it is Microsoft and not some other third party organization. Seems odd it would not be public information somewhere.

I went through all this with Microsoft paid support level 2 & the techs at the store they said they knew nothing about it. They refunded my support fee and told me to return the computer (after we had reset the computer to factory settings and did a clean install of windows among other things). The same situation returned.

The computers appears to be Joined to an Azure AD with a MDM provisioning package being pushed down. I checked computers at the stores and saw that some of them were joined to Azure AD and some were not. The techs at the stores such as best buy's geek squad had no idea why or what it even meant to be joined to an Azure AD. They allowed me to return a computer that was 2 months old because they did not have an answer. I got a new one and tried again. The same thing happened to the new one. Whatever it is, it is not very consistent because the post above shows the "Join Azure AD" button missing on a version 1511 install. I did not see the "Join Azure AD" button disappear until after the 1607 update install. The computers at the stores around here vary too. Some appear to be joined and being provisioned and some do not. Doesn't seem to matter what version of windows 10 is installed.

- Collapse -
My PC.

I've got a Windows 10 Pro, a clean install of 1607 on a new disk. My old 1511 is offline for some cleanup later, so I can't check at the moment how that was. It has no Microsoft account at all, just local accounts.

In Settings>System>Info (that's translated from Dutch, it's the bottom, and it's the same as your 'about') has no 'Join Azure AD' link, but it does have a link "Connect to work or school' and I used none of the 2; we have (older) Cisco solutions for that.
In the MDMDiagReport.xml indeed I have a lot of enrollments, whatever they are. And they all seem to be in the registry in HKLM>SOFTWARE>Microsoft>Enrollments.
Surely somebody at Microsoft knows what these are and what purpose they have.
Maybe that's a good question for their tech support: "Please connect me with somebody who knows what that registry key is for or provide a link explaining it."

There are many more subkeys in HKLM>SOFTWARE>Microsoft. Probably most of them aren't very well documented for use outside the company.

Just above Enrollments is Enrollment, which has the subkey Settings and the contents of that show it isn't enabled (EnableSettings = 0).

Anyway, that Windows has some undocumented internals for me is not a reason to return it. I'm not connected to work or school, I've got my privacy settings rather private, it works good enough and there's nothing in the settings app that makes me wonder.

Post was last edited on September 22, 2016 1:16 PM PDT

- Collapse -
And ...
- Collapse -
Setup Meaning...

By stating setup i am referring to taking the computer out of the box and turning it on. Going through the few setup screens such as language preference, limited privacy questions, wi-fi configuration, and user information (local or Microsoft account login). I did not configure wi-fi as I took the computer out of the box. I used the "skip" button, to skip that step initially; so, I could define privacy settings before going on line. The computer ran through it initialization "Windows is getting a few things ready for you", "We are glad you are here", Let's get started". While I was offline, I went into settings and control panel to disabled everything I could find, Bluetooth, automatic updates, update sharing, app information sharing, geo-location, file sharing in advanced network settings, and disabled default users, guest, administrator, etc. I verified that the pre-installed McAfee was running. I Installed Malwarebytes from cd as a secondary protection to McAfee. Then, I checked to make sure that I was not connected to an Azure AD by viewing the Settings/system/about page and saw that there was a button "Join Azure AD". Next, I configured Wi-Fi and went online line to get the latest McAfee and Malwarebytes updates. Then proceeded to download the Windows 10 Anniversary update (version 1607) from the Microsoft website. It took hours to download. After download, ran install, and restarted the computer. It took about an hour for the computer to finish the version 1607 install. When computer restarted after version 1607 update, I went back to settings and confirmed that the install was completed correctly. (Settings/Update & security/windows update/ update history.) Everything looked fine. Next, went back to Settings/system/about page and the "Join Azure AD" button was gone. This lead me to believe the computer was joined to an Azure AD since I did not have the option to do so any longer. After the update there was also a new option on the settings/accounts/access work or school/ page that says "Export your management log files" When I clicked on this an .xml report was saved to the public documents folder. The .xml is an MDM Enterprise Diagnostics Report showing the system information, device enrollments, and all the settings related to the computer including Allow Enterprise Data Protection, Allow Azure RMS ( ) for Data Protection, Enterprise Protected Domain Names, Enterprise Proxy Servers, etc. The XML report is about 100 printed pages. At the end of the report it says Provisioning Succeeded. From web searches I did, it appears MDM Provisioning and Report is created by something called InTune . The InTune website states the following: Customers with Enterprise Management + Security (EMS) can also use Azure Active Directory (AAD) to register Windows 10 devices. After the update to Windows 10 Version 1607, it appears the computer has been joined to an Azure AD as an Enterprise computer. This does not seem right to me since this is a local stand alone home use computer. But, as previous posts point out; maybe, Microsoft is doing this to all computers with Windows 10. I just can not find anything on the web anywhere that states Microsoft is doing this. Everything I locate refers to companies, organizations, and enterprise IT department using these apps to control and secure information on company owned or employee devices.

Answer to second question...I have not tried to set up a computer at any other location to see if the same thing happens with the 1607 upgrade. However, the post above shows the same thing I am seeing on the about system setting page. There is no "Join Azure AD" button. I did have the button on my computers when they came out of the box with version 1511 before I did the upgrade. The following website shows what the page should look like before the computer is joined to an Azure AD

- Collapse -
That's a long story indeed.

I assume the "Join Azure AD" button disappeared in 1607. But that doesn't mean you're joined now. It would just mean it disappeared in this new version of Windows, because of all the changes done to the provisioning.

If that xml-report for the management doesn't say to WHICH active directory you're connected (after all, every organisation has its own) I think it can be concluded you're not connected. Windows Home installations likely can be configured by the enterprise system administrator to connect to one, that's why a report can be made for the manager to check that.

My suggestion: download an .iso of 1607 and do a clean install of that offline or as offline as possible (disconnect from Internet after it's verified the PC is entitled to run Windows 10, or use Belarc now to find the license key used and enter that). Then you're sure that everything that happens is local. How does that report look?
Then connect to Internet, wait till Windows does its thing and run that report again. What is different?

Post was last edited on September 20, 2016 5:36 AM PDT

- Collapse -
Differences in XML reports & update

I have copies of several MDM diagnostics reports from the various computers that were setup and then taken offline. At the beginning of the xml reports the report lists enrollment IDs such as: 2FEAE64D-455E-4676-9D0C-DE8ABDA9C9A3. Each xml report from each different computer has various enrollment IDs listed with a few that may appear on multiple reports. Such as the enrollment ID above. It is listed on the first computers report as well as the last computers report. However, I think in most cases the enrollment id's vary from roc outer to computer but I have not had time to compared all the reports. Just looked at a couple of them. I assume the enrollment ID's are devices that are enrolled in the specific provisioning package being pushed down to each of the computers. I have no way of verifying this since I do not have a key to the enrollment ID's or any access to whatever is "enrolling" these devices. If in fact, this is a list of devices enrolled. The first computer that started acting odd had 48 enrollment ID's listed when I took it back to Best Buy. The last computer I setup lists 20 enrollment ID's. I orginally thought these were the devices on my networks. Which is a long story in itself. I have two homes with two separate networks in two separate states. All computers and devices at both locations have had odd activity going on. I was in both locations during this time and had with me what I now believe was the initial laptop that started whatever is going on at both locations during the past few months. This has been a process of discovery that has lasted a few months. I believe if I can figure out what is going on with one computer I can apply the solution to the other devices/network. I am trying to keep this short, so, please keep in mind this has been going on for three months, all of us in the households have iPhone, iPads, laptops, there are smart tv's, and other "mobile" devices. I also acquired several new computers, routers, modems, etc along the journey. I noticed the enrollment state code can change on the enrollment ID's depending on when the report was ran. It looks like enrollment state 1 means the enrollment is inactive or off line (maybe). Something other than 1 means something else. Usually there are 3 - 7 enrollment ID's listed with an enrollment state of something other than 1. I have not had time to go through each report and compare them in great detail. I was hoping to figure out what was going on with one computer get it disconnected from whatever it was connected to and then apply the solution to other devices. But maybe this is all mute and this is just Microsoft doing something with Windows 10 and the enrollment ID's have nothing to do with my devices. If that's the case I would love to hear that from Microsoft so I can get on with my life. But I can't seem to get an answer from any of their technical support people. Not sure where else to go. So, I appreciate your suggestions and any other help or ideas you can provide.

As an update, the computer I have been working on the last two weeks was returned yesterday. I will be getting a new one to work on now. My plan is to set it up at a different location outside my home on a secure network and see if I get the same results. If not, and it looks clean with an appropriate join azure AD button, I'll bring it into my home and see what happens.

If you have additional advice or interpretation of the "Enrollment ID's" I would appreciate your sharing.

- Collapse -
There's a lot to read, remember and digest so far.

My main workhorse laptop is set to autoupdate so if it doesn't I usually find it does later.

When you wrote "These home computers should not be connecting to or trying to connect to: computers in the Ukraine, Croatia, Canada, England, Germany, etc when no web pages are open aside from a google search screen." I am starting to think malware.

Can you share a SPECCY online web report and scan with what Grif notes at

Here's how to publish a SPECCY.

- Collapse -
I know this is complicated & seems crazy to me

I've been working with computers since the Apple IIe in the early 80's. I have never had a problem with any of them along the way. No malware or malicious activity that wasn't relatively easy to extinguish. No problems on any networks or devices until I bought a laptop with Windows 10 pre-installed in July. I never upgrade any of the other computers to Windows 10 when it was being give out for free. I keep wavering between this maybe just Windows 10 doing it's stuff or this is some sort of Malicious activity. But other mobile devices have had strange activity as well since I bought the new Windows 10 computer. One IPad had 17GB of cellular data activity on it in a one month period when our usual activity on all IPads, iPhones and droid phones is 2-4 GB per month for the last 3 years. Some of the mobile devices got locked out and had to be reset. Not even sure any of this is related. It's just been so strange. No problems for years - then all kinds of problems. Maybe I've just been lucky and my luck has ran out. Or maybe this is just Windows 10 and I need to get use to it.

Anyway, I can't send reports as requested because I returned the computer yesterday before I saw your post. Since I feel like this is malware too, and I was able to return the computer, I thought I would try again with a new computer. I have 100's of reports, screen shots, event logs, hijack this reports, etc documenting the activity on the computers. If you have the time and/or interest to look at any of them, I can upload them to a cloud storage account for you to access. If not I will let you know how the new computer setup goes. (See post above). I appreciate all of these posts and any help you can give.......
Now just happened...I have relatively new assistant that just got here this morning. Yesterday her iphone got locked out when she was at my house. At the time she did not have a password on her phone, so no reason for a lockout. When she went home last night she reset her phone with iTunes. It took several attempts with iTunes saying cannot connect to server try again. After 5 tries eventually connected and pop up message showed on her iTunes screen ... Leader (S.H.P.I.H.). Evil eye

EVIL EYE Offline: Never tell your password to anyone. Leader (S.H.I.P) Evil eye is now offline.

The strangest thing is that yesterday I was talking with my assistant saying that is exactly what happened to our iPhones. All got locked out on the same day at the same time just when they were turned on. We did not even try to enter passwords they were just locked at out turn on. She proceeded to tell me she hasn't had her password set up for a couple of months but always uses the same password on everything so even if the password got re-enabled. She would have know what it was. She then told me what it was and why. We are freaked out. It is as if the message sender was listening to our conversation yesterday from the "infected" computer that I returned yesterday????

She is a new assistant and has only been in the house briefly a couple of times until yesterday. She was here for several hours when her phone got locked out.

Do you think we are over reacting by being freaked out?

- Collapse -
Not overreacting.

I don't see any SPECCY or scan results.

There was an IOS update and HERE IT CHANGED MY LOGON ON MY iPHONE 5S. Maybe nothing going on there? I'm not there to see the phone so I can't tell what's up.

- Collapse -
On last post related to evileye

The pop up message was from Leader Evileye posted on a black screen with a picture of a red and black "evil eye". I misspelled S.P.I.H. Above. I searched the web for anything that looks like it this message, this eye, this pop-up and can not find anything even similar. Would post a picture of the pop-up but can not figure out how. Assistant took a picture with her friends phone when it popped-up on the I-tunes screen. Sent picture to all friends with iPhones no one has ever seen it before when resetting iPhones with iTunes.

This is so weird it seems like a hoax. So does my computers trying to contact all the weird IPs they have tried to contact or did connect to in the last month. Any chance someone is going to walk into my house and say "You just got punked"?

If not I'm not sure where to turn now. Maybe take picture to Apple Store and see what they say since we can see iPhone screen behind the pop-up. Anybody have any other suggestions?

- Collapse -
Kid rock, did you find a solution? Was it malware?

Hello kid rock, I would love to hear an update since your last post. My computer is behaving like yours were, so I'm interested to see what happened when you got your new computer, and if you found a solution.

Or was it malware? Hoax? Your last few posts were eerie. I've read claims of people discussing something with their phone nearby, then see targeted ads on the topic they were discussing.

- Collapse -
No solution found yet

I got a new computer last week set it up and it was infected with the same thing within a day. Took it back to the store. Do not have a computer right now. All devices on my network are affected. Just spreading the virus? From one device to another. Any device the gets connected to the wifi gets infected. I've reset my devices and put a new router on the modem but can't seem to get all devices clean at the same time so everything just gets reinfected. Just saw the news from yesterday about ddos attacks on major websites. Sounds like whatever is doing this is on my network. Looked like whatever this is is on about 50% of the display computers in stores such as Best Buy, Walmart, office max, etc. whatever it is is widespread and highly contagious. Seems to jump from device to device using Bluetooth, miracast, and or bonjour. Maybe in router memory but I can not find it. I was able to locate a file it was placing on thumb drives when I copied files to the thumb drive so I am relatively certain it can transfer itself via usb connected devices.
I guess I am going to sit tight and wait for homeland security to figure out what is going on with these personal networks. Hopefully they will find a solution and make it public. I have been trying to get rid of it for months but no one is helping me. I've contacted Microsoft, Mcafee, Norton, the Apple Store, the Microsoft store, and even a cyber security company. They all gave up and refunded my "technical support" money.

- Collapse -
It's from Microsoft with windows 10

CNET Forums

Forum Info