VOGONS


First post, by KT7AGuy

Rank Oldbie

I recently purchased a used HP EliteDesk 800 G1 USDT computer from a local health department.
https://support.hp.com/us-en/product/hp-elite … 5387483/manuals
https://support.hp.com/us-en/drivers/selfserv … slim-pc/5387483

I have undertaken the following steps:

BIOS/UEFI firmware updated to latest version.
Intel AMT/ME firmware updated to latest version.
Intel AMT/ME cleared, reset, and disabled via BIOS.
Hard drive removed and replaced with mSATA SSD.
There was no onboard WiFi, so I installed an Intel Centrino Advanced-N 6205 mini-PCIe card.

I made sure the new SSD is completely raw by running diskpart and using the CLEAN command, then converting it to GPT.

When installing Win10 Pro, as long as I don't connect an ethernet cable or establish a WiFi connection during setup, everything goes fine and completes normally.

If I connect an ethernet cable or WiFi before OOBE, the system gets reconfigured automatically during OOBE for signing-in at the health department that I acquired it from. Clearly, it is connecting to a server somewhere on the internet and pulling down this configuration from there.

Could there possibly be some configuration remaining in AMT/ME? Even though I cleared it? Even though I disabled it via BIOS?

Where could Win10 possibly be pulling automated configuration settings from, and how can I eliminate them? Considering that I've cleared, reset, and disabled the AMT/ME stuff, it's gotta be in the UEFI and stored in firmware somewhere... but where? ... and how do I get at it so I can kill it?

I've got almost three decades of experience as a computer dood, but this has me stumped. Can ya help a brutha out with some suggestions and ideas?

Thank you in advance for any and all replies.

Reply 1 of 14, by weedeewee

Rank l33t

Mobile Device Management (MDM)

is the first thought that pops into my head upon scanning through your post.

Right to repair is fundamental. You own it, you're allowed to fix it.
How To Ask Questions The Smart Way
Do not ask Why !
https://www.vogonswiki.com/index.php/Serial_port

Reply 2 of 14, by KT7AGuy

Rank Oldbie

Thanks for the tip and suggestion!

I looked into MDM a bit and it seems to be more of an overall strategy than a particular piece of software or configuration setting.

Some more details:

CMOS has been reset several times, both via the BIOS interface and the button on the motherboard. There should no longer be any remaining configuration from the previous owner here.

Intel ME has been unconfigured and reset several times, both via the MEBx interface and via the BIOS interface. I also confirmed that it is no longer active or configured by checking with the Intel AMT software. Further, I also connected to it via the WebUI to confirm it is unconfigured. It is also now disabled via the BIOS interface. There should no longer be any remaining configuration from the previous owner here.

AMT has been unconfigured and reset several times via the BIOS interface. It is also now disabled via the BIOS interface. There should no longer be any remaining configuration from the previous owner here.

The original HDD that was installed in this computer was removed and replaced with an mSATA SSD. There should no longer be any remaining configuration from the previous owner on the storage device.

There was no WiFi device present in this system when I bought it, so I installed an Intel Centrino Advanced-N 6205 mini-PCIe card. The automatic reconfiguration happens if Internet access is available when OOBE runs, whether that access comes via ethernet or WiFi. This indicates that wherever this configuration setting is located, it's not within the onboard NIC or mini-PCIe WiFi adapter.

There shouldn't be anyplace left where any configuration settings from the previous owner still linger. Yet still, if an ethernet or WiFi connection to the Internet is established when OOBE runs during Win10 installation, this system will automatically reconfigure itself for the county health department where I obtained it.

How is this configuration still happening? At this point, I genuinely want to understand what's going on here and how this is working. How is Win10's installation seeking out this automatic configuration and applying it without any user interaction or confirmation?

Where can this configuration still be hiding? Where is it stored? The only place I can imagine is somewhere in the UEFI where the BIOS interface and a CMOS reset can't touch it. I'm aware that modern UEFI systems can store Win10 keys and other data in firmware, so I'm guessing that's where this configuration setting is also being stored. How can I access that data, view it, and then delete it?

Thanks again.

Reply 3 of 14, by chinny22

Rank l33t++

Sounds like the health department haven't removed it from their system.

I have a similar problem with a customer whose parent company uses this kind of setup, but the actual customer I support is still using traditional Windows Server AD.
But as PCs are ordered through the parent company, I then have to "de-intune" them.

I think as long as you create a local admin before joining to the internet, even when it pulls down the config your local admin account will remain, in which case you can follow the steps below.
(For one batch I had to use PowerShell; mostly, simply removing it from the work/school account was enough.)

https://www.anoopcnair.com/remove-windows-dev … ure%20AD%20Join.

I'm not sure how it "phones home", but only because I have never tried; I suspect it's similar to how activation generates a key based on installed hardware. But as I've a workaround that works, that's all I need to worry about for now.

Reply 4 of 14, by KT7AGuy

Rank Oldbie

Thanks for the tip! I'll try to "de-intune" it next and I'll report back with what happens.

Since my last post, I remembered that TPM and "embedded security devices" can also store data, keys, configuration, etc. So, I disabled that and tried again. Still no luck.

I'm unfamiliar with Intune and Azure AD. I'm beginning to wonder if there's any sort of configuration stored on this system at all. Is it possible that Win10's installation and setup routine is querying an Intune or Azure AD server out there, identifying this computer by serial number or asset tag, and then just pulling it down without prompting? That would explain why this problem persists despite my having cleared any possible configuration settings that might be stored on the computer itself.

Last edited by KT7AGuy on 2023-05-19, 20:06. Edited 1 time in total.

Reply 5 of 14, by KT7AGuy

Rank Oldbie

I am convinced that the problem doesn't lie within my computer. This also isn't an Intel AMT or ME issue either. More reading, research, and troubleshooting has convinced me that both weedeewee and chinny22 are correct and this is an Azure AD problem. When given Internet access, Win10 22H2 install and OOBE is automatically joining my computer to the county health department's domain. I verified this by wiping my SSD again and reinstalling Win10 1803 which allows me to choose whether to join their domain or create a local admin account when OOBE begins. 22H2 has removed that option from OOBE and the only way around it now is to leave ethernet and WiFi disconnected until all installation and configuration has completed. This is exactly the same workaround and kludge required to finish installing Win10 22H2 without a Microsoft account.

My reading and research indicates that some Azure AD systems are configured to automatically unregister old systems after a specified period of inactivity. Who knows how the county health department may or may not have configured their environment, or whether my computer will drop out of their system eventually.

chinny22: The link you provided calls for an "authenticated account to use for Azure Active Directory cmdlet requests". I don't have one of those. I don't have any connection to the health department other than that I bought some of their old junk. Will it be possible for me to register an account to accomplish this task and remove my computer from their Azure AD system?

weedeewee and chinny22 : Thank you both for your insight and suggestions. Even if my only solution to this problem will be to leave the computer disconnected from the Internet during installation, setup, and OOBE, at least I can rest easy knowing that the computer itself isn't compromised or a problem in any way. I sincerely appreciate your help.

Last edited by KT7AGuy on 2023-05-19, 19:08. Edited 1 time in total.

Reply 6 of 14, by DosFreak

Rank l33t++

Assuming the I.T. department isn't run by hicks they should have a process to de-provision the device. If they haven't even done that I'd be worried the machine is still in their inventory.

How To Ask Questions The Smart Way
Make your games work offline

Reply 7 of 14, by pentiumspeed

Rank l33t

Get a refund, and explain this to the seller if the seller can't contact the correct owner that manages these computers at the health dept. Usually these should have been de-milled properly before being sold. In this condition, this is worthless to you at this point.

Got this from eBay by any chance?

PS: you are smart to be cheap on the 800 G1 (this is a Haswell) before you upgrade to new hardware to support Windows 11 in 2025.

Cheers,

Great Northern aka Canada.

Reply 8 of 14, by KT7AGuy

Rank Oldbie

DosFreak: Your suggestion is my next step. I'm going to send them an e-mail and let them know that this computer should be removed from their system. I'll be happy if they do it but I won't be disappointed if they don't. I'm just happy that you've all helped me to figure out what's going on.

pentiumspeed: I think I got a really good deal on it so I'm not looking for a refund. It wasn't eBay. It was a local auction run by a company where all sales are final and all risk is assumed by the buyer: https://obenaufauctionsonline.com/

This system isn't worthless. Together with VOGONS' help we've demonstrated that there's nothing wrong with the computer at all. The problem lies on Microsoft's and the health department's end. Even if they don't remove this computer from their system, it's still 100% functional without any issues. I've also learned a lot from this experience and the knowledge I've gained is valuable.

This isn't going to be a gaming computer or anything of the sort. It's going to be used by my mom for e-mail, web browsing, music, and movies. An i5-4690S is more than sufficient for this. FWIW, my daily driver is an i5-2500K which also still works just fine. I have several acquaintances who are running CloudReady/ChromeOS on old C2D and C2Q systems that work just fine and their owners are very happy with them. If you're not gaming you can get away with using some seriously old hardware. Check out antiX and MX Linux sometime.

Windows 11 is not a concern for me. I was alarmed with the direction that Microsoft was headed when Win8 came out. Win10 is an improvement, but it's still not what I want anymore and it is prompting me to slowly get more familiar with Linux. Windows 11 is what will finally get me off the Microsoft platform permanently and I've got until mid-2025 to complete my transition. The way things are going, we'll be more likely to get Arnold Rimmer or Roy Batty than Commander Data or SHODAN in the future. I don't even need Windows 11 for gaming. I've been building my computer games library since 1995. I'll be lucky if I can complete even 20% of my collection before I die. I don't actually need any new games or systems. I've already got plenty.

If anybody is curious about my expenditure for this project:

HP EliteDesk 800 G1 USDT $15
Intel i5-4690S $10.85
DisplayPort to HDMI Adapter $7.07
Intel Centrino Advanced-N 6205 $3.90
Cable and Antenna for WiFi $3.78
8GB DDR3 SO-DIMM (total of 16GB RAM) $9.77
Power Supply $14.11
mSATA SSD 256GB $21.69

Total: $86.17

Thank you to everybody who responded to this thread. You solved my mystery problem and helped me to learn about something I was ignorant of. I'm just thrilled to have put this issue to rest.

Reply 9 of 14, by weedeewee

Rank l33t

https://www.youtube.com/watch?v=KWHby5BvnK4

I think in that video the BIOS gets edited, serial number changed or removed, thus negating the MDM check.


Reply 10 of 14, by KT7AGuy

Rank Oldbie

weedeewee: That is incredibly fascinating and informative. Thank you for sharing that video.

It's the same problem I'm experiencing. The difference is that TheCod3r is selling these computers to customers who aren't going to have the skill or patience to deal with workarounds. Additionally, the organization he acquired the machines from no longer exists.

It's a permanent solution to the problem, but I don't own a chip reader/programmer, microscope, or the soldering tools necessary to do this myself.

I found SP21583 online. I haven't tried this yet, but it may be possible to change the UUID with this.

Reply 11 of 14, by pentiumspeed

Rank l33t

Thank you, an i5 is more than enough for your mother's needs and well configured. Really.

Like when Microsoft forced Windows 10 on us when Win 7 ended: it is very compatible with old hardware, even as old as a Core 2 Duo, but the difference is Microsoft will not let us keep using old computers this time when 2025 rolls around.

The requirements are TPM 2.0 and a Coffee Lake CPU or later. If these two are not met, (currently, as of now) there is a watermark on your home screen and the ability to update is disabled. Who knows what moves Microsoft will make during the rest of 2024 and 2025 at launch.

BTW, recently, 2 months ago, I spent over 600 CDN on an HP 800 G5 mini with an i5-9500 (not T) and one 16GB SODIMM, to which I added an extra matched 16GB for 32GB, and a WD Black 1TB NVMe with EK heatsink, to learn and keep my Windows 11 skills up to date. Win 11 is very new, so everything is new and there is lots of stuff to check out, so I have much to learn. This is needed as I work at a repair shop where we fix cellphones and tablets, including computer repairs. Purchasing HP business computers means I get the COA included, burnt into the motherboard. You can use Windows 7, 8 and 10 COAs to activate Windows 11.

Yes, I'll prepare myself to build up new computers for my work and home computers in 2024 to get ready for 2025. On top of this, we will also replace the 11 year old Haswell home computer for my mother and dad. Dad plays games like you do. Right now he's playing God of War.

Reply 12 of 14, by VivienM

Rank Oldbie

KT7AGuy wrote on 2023-05-19, 18:14:

I am convinced that the problem doesn't lie within my computer. This also isn't an Intel AMT or ME issue either. More reading, research, and troubleshooting has convinced me that both weedeewee and chinny22 are correct and this is an Azure AD problem.

This is called Windows Autopilot. It's exactly what you discovered - MDM/cloud provisioning kicking in as soon as the computer reaches the Internet and registering it with that organization's Azure AD stuff.

It's more useful for laptops - you can have the laptops drop-shipped to an end user and when they power it on and plug it into their network, all the corporate domain/software/etc stuff will install itself.
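As an added illustration of what VivienM describes (not code from this thread or from any Microsoft tool), the script below shows how a buyer of second-hand hardware can check, from the OS side, whether a machine has been claimed by someone else's tenant. It reads only built-in sources: the `dsregcmd /status` report (its "Key : Value" lines, including AzureAdJoined, DomainJoined, TenantName and MdmUrl) and the BIOS serial number and UUID from the `Win32_BIOS` and `Win32_ComputerSystemProduct` CIM classes, which are among the identifiers Autopilot registration is keyed on. The embedded sample output and the tenant name and MDM URL in it are constructed placeholders, not captured from the poster's PC.

```powershell
# Added example (not part of the original thread): summarise a PC's hardware
# identity and Azure AD / MDM join state so a second-hand buyer can see
# whether a previous owner's tenant still claims the device.

function ConvertFrom-DsregcmdStatus {
    param([string[]]$Lines)
    $status = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "Key : Value" pairs; banners and blank lines are skipped
        if ($line -match '^\s*([A-Za-z0-9_ ]+?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Get-DeviceIdentity {
    # Identifiers that device registration services key on; read-only
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $prod = Get-CimInstance -ClassName Win32_ComputerSystemProduct
    [pscustomobject]@{
        Manufacturer = $bios.Manufacturer
        SerialNumber = $bios.SerialNumber
        UUID         = $prod.UUID
    }
}

function Test-PriorTenantEnrollment {
    param([hashtable]$Status)
    # The condition in the thread: joined to, or registered with, a tenant you don't own
    $claimed = ($Status['AzureAdJoined'] -eq 'YES') -or ($Status['WorkplaceJoined'] -eq 'YES')
    [pscustomobject]@{
        AzureAdJoined   = $Status['AzureAdJoined']
        WorkplaceJoined = $Status['WorkplaceJoined']
        DomainJoined    = $Status['DomainJoined']
        TenantName      = $Status['TenantName']
        MdmUrl          = $Status['MdmUrl']
        ClaimedByTenant = $claimed
    }
}

# Constructed sample of dsregcmd output (placeholder tenant and URL, not real data)
$sample = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : NO',
    '               Device Name : DESKTOP-EXAMPLE',
    '                TenantName : Example County Health Dept (placeholder)',
    '                    MdmUrl : https://mdm.example.invalid/EnrollmentServer/Discovery.svc',
    '           WorkplaceJoined : NO'
)

if ($args -contains '-Live') {
    # Query the running machine instead of the embedded sample
    $status = ConvertFrom-DsregcmdStatus (dsregcmd /status)
    Get-DeviceIdentity | Format-List
} else {
    $status = ConvertFrom-DsregcmdStatus $sample
}
Test-PriorTenantEnrollment $status | Format-List
```

Saved as a script and run without arguments it parses the embedded sample and reports ClaimedByTenant = True; run as `.\check-join.ps1 -Live` it runs `dsregcmd /status` on the current machine and also prints the serial number and UUID. Running it before and after OOBE makes the behaviour in this thread visible: a clean install done offline shows AzureAdJoined : NO, while one done with network access shows the prior owner's TenantName. The proper remedy remains the one DosFreak and chinny22 give, asking the owning organisation to deregister the device from its Autopilot inventory; the script only tells you whether that has happened.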

Reply 13 of 14, by chinny22

Rank l33t++

KT7AGuy wrote on 2023-05-19, 18:14:

chinny22: The link you provided calls for an "authenticated account to use for Azure Active Directory cmdlet requests". I don't have one of those. I don't have any connection to the health department other than that I bought some of their old junk. Will it be possible for me to register an account to accomplish this task and remove my computer from their Azure AD system?

Oh, does it? When I'm doing this I'm typically in autopilot mode myself (see what I just did), so I don't really pay attention to what accounts I'm using, but I do have admin rights to Azure AD.
I guess you could get a registered account, you'd just need to join the health department's IT team 😉 Seriously though, no, it's not like you can create a Microsoft account and promote it or anything.

I'd probably try a simple e-mail to the health dept. There's a good chance they have no idea they have a bunch of PCs trying to get back on the network and will do something about it. If not, whatever, you have your workaround, even if a bit messy, so there's nothing to lose from your side.

Reply 14 of 14, by KT7AGuy

Rank Oldbie

Well, as DosFreak put it so eloquently: the health department seems to be run by hicks; I haven't heard back from them. At least I know that this computer isn't compromised by some weird modification to its firmware. I have a valid workaround so there's no need to name them publicly and shame them. After all, I only paid $15 for this computer in an auction where I agreed to assume all risk and liability. This wasn't an amazing deal, but it turned out OK. My mom will be happy with it compared to her current Bulldozer system, and that's what's important. Ugh... Bulldozer... Now there's something to be ashamed of.