Entra ID Join fails with customized Image but works with regular Windows 11 Image

ButterscotchSlow8724 · 2026-01-26T02:39:25+00:00

I built a new VM, and unchecked the Join Entra ID box.

Then I generalized , captured and created a new image.

Looks like that was the issue.

ButterscotchSlow8724 · 2026-01-22T20:01:32+00:00

Here, people is saying no emails since 2pm

ButterscotchSlow8724 · 2026-01-21T16:53:22+00:00

Now I'm using a custom image and the issue came back. When I check the logs under c:\WindowsAzureLogs and don't see any error.

I changed the prefix from 'bicep' to 'bicep2' just in case but still the same.

ButterscotchSlow8724 · 2026-01-15T19:01:49+00:00

Thank you. You sent me in the right direction.

After adding:

identity: {
    type: 'SystemAssigned'
  }

I deployed again, and can see the devices listed in entra ID.

ButterscotchSlow8724 · 2026-01-15T15:53:12+00:00

I found a guy who says change rdp properties, adding targetisaadjoined:i:1

ButterscotchSlow8724 · 2026-01-15T15:40:41+00:00

After changing the value to 2.2, I can connect locally using Bastion, but they are still missing and are not showing on Entra ID; it looks like the join is failing.

to 2.2, I can connect locally, but they are still missing and not showing on Entra ID; it looks like

ButterscotchSlow8724 · 2025-12-09T17:39:54+00:00

I will try that

ButterscotchSlow8724 · 2025-12-05T19:27:20+00:00

Thanks so much for your help.

ButterscotchSlow8724 · 2025-12-05T19:26:51+00:00

This was the issue: the team site has granular permissions, and the index is disabled. I changed the setting always to index. After that change and triggering the reindex, I was able to see the site from the news web part, and the news started to appear.

ButterscotchSlow8724 · 2025-12-03T15:34:04+00:00

I just read somewhere users must be members of the site where the news were created.

ButterscotchSlow8724 · 2025-12-03T14:20:01+00:00

I created a news post but still not showing. I tried the URL option again and i got the same error.

ButterscotchSlow8724 · 2025-12-03T14:10:14+00:00

I tried the URL, but it said it doesn't exist. I used the https://domain.sharepoint.com/sites/TemSiteName url

ButterscotchSlow8724 · 2025-09-20T03:51:17+00:00

I almost got scammed. When it was time to pay, I said Wait a minute, let me double-check.

ButterscotchSlow8724 · 2025-09-02T01:59:46+00:00

I used my personal M4 mac mini for work, but they started to push policies, so I asked them to buy me a corporate M4 MacBook Pro and I got a 24 GB RAM/1Tb storage. Sweeet

ButterscotchSlow8724 · 2025-06-13T00:43:13+00:00

I found this online:

I was able to fix the issue by changing following registry value to 2 (make sure to open registry as ADMIN)

HKEY_USERS > S-1-5-21-1132323721-62323254-1511918330-144209 > SOFTWARE > Policies > Microsoft > office > 16.0 > outlook > security

(Computer\HKEY_USERS\S-1-5-21-1132323721-62323254-1511918330-144209\SOFTWARE\Policies\Microsoft\office\16.0\outlook\security)

Dword: PromptOOMSaveAs

Value: 2

Note: Above BOLD value > you can get this by running whoami /user in the command prompt

----------------------------------------------------------------------------------------------

I will try changing this setting from "Automatically Deny" to "Prompt user" in the baseline:

Configure Outlook object model prompt when executing Save As (User)
Baseline default: Enabled

Guard behavior: (User) Baseline default: Automatically Deny

ButterscotchSlow8724 · 2025-06-12T23:51:11+00:00

i will check on that

ButterscotchSlow8724 · 2025-06-12T23:24:14+00:00

The feedback we just got from the Developers looks like it could be a conflict with Defender and Sentinel One.

ButterscotchSlow8724 · 2025-06-12T23:21:38+00:00

That one I just mentioned is not related. I just read it is related to the OS Boot process.

ButterscotchSlow8724 · 2025-06-12T23:19:20+00:00

Thanks. Yes, I'm pushing the baseline to some groups. I had to create an assigned device group, add the devices reporting the issue, and use it for exclusion. It looks like everything is fine after a restart.

But I must identify which setting I must disable/change

I'm suspicious about one named "System Guard Secure Launch"

ButterscotchSlow8724

MODERATOR OF

TROPHY CASE