3

A computer that was previously company-owned and joined to an AD domain. The company then gave the computer to its previous user when that user was dismissed from the company.

I want to do a clean Windows 10 reinstall from a USB stick created by Media Creation Tool, but the installer displays the previous company name on the install screen and asks to log in with the corporate username.

  1. Where is this information stored? I reset the HDD, cleared the TPM and anything I could find in the UEFI setup screen but still, the official installer attempts to force that computer to a domain. With a workaround, I can create a local user, but in case that workaround is removed in the future, I'd like to understand what's what.

  2. How does this affect the computer in use? Can the company IT admin access it remotely etc?

Manjabes
  • Was it Azure AD or traditional on-premises AD? – u1686_grawity Jan 21 '22 at 09:13
  • AFAIK it was Azure. – Manjabes Jan 21 '22 at 12:48
  • Provided IMEI/IPMI isn't configured, or a company customized BIOS/UEFI firmware setting isn't configured, the following should work - to verify before doing so, disconnect the laptop's HDD (all of them) and boot the Windows Install USB; if presented with no login prompt, shut it down, reinstall the OS HDD, boot back to the Windows Install USB, and when the GUI loads: Shift+F10 to open a terminal → DiskPart → lis dis → Select the OS HDD: sel dis # → clean → If UEFI: convert gpt → exit → wpeutil reboot → Boot back to the Install USB – JW0914 Jan 27 '22 at 17:08

3 Answers

2

During setup or the OOBE wizard, Windows will connect to Microsoft services and check whether a PC is AAD joined or Windows Autopilot is set up or the like. If this is true, it will automatically reconfigure.

The PC is identified using a "hardware hash". What's in it is not documented by Microsoft.

The company that owned the device must release it from their management. Yes, the company can access it otherwise.

Daniel B
  • Short of having IMEI or IPMI configured on the laptop, it's not possible for WinPE to connect to a network unless manually configured to do so. Windows Setup only connects to the internet automatically if executed while booted to the OS or an answer file is configured to do so in WinPE and/or the appropriate WinPE script within %WinDir%\System32 has been modified in WinPE's boot.wim (even then, network drivers must be injected into WinPE's boot.wim, and once booted to WinPE, programs within a terminal, or a 3rd party GUI program, must be used to configure the connection). – JW0914 Jan 27 '22 at 16:57
  • @JW0914 Your point being? That Windows Setup cannot connect to the internet? Maybe. Though it has multiple phases. OOBE runs in Windows proper. That Windows Autopilot does not work the way it does? Clearly not the case. – Daniel B Jan 27 '22 at 22:02
  • If booted to the Windows Install USB [WinPE] made by the Media Creation Tool, it's not possible for WinPE to connect to the internet automatically, if at all (even if the generic ethernet driver worked, connecting to a network in WinPE is a multi-step process that can only be done natively via a terminal) e.g. there's no way to login to an AD domain unless IMEI/IPMI/custom firmware setting has been configured. (Windows has seven install phases and the OS isn't booted to until phases five through seven [auditSystem, auditUser, and oobeSystem]) – JW0914 Jan 27 '22 at 22:31
  • @JW0914 Yes. And? Again: Are you disputing that Windows Autopilot works? Or are you dissatisfied with the information in my answer? – Daniel B Jan 28 '22 at 08:53
  • I may have misunderstood the OP's use of "installer", as I interpret that to mean the installer in WinPE, not OOBE – JW0914 Jan 28 '22 at 12:05
  • What's peculiar is that company IT claims that the computer is not present anymore in the corporate management system. Why does it then still attempt to force the user into the domain? – Manjabes Jan 31 '22 at 07:29
  • They're probably not looking in the right place. The device must be removed from Windows Autopilot and maybe also from Intune. This can be done in the Microsoft Endpoint Manager admin center. The OOBE wizard does not lie. Continue to pester them. – Daniel B Jan 31 '22 at 08:15
  • I was provided with a screenshot from Endpoint Manager displaying no results and they claimed that they searched by serial number too, also with no results. – Manjabes Jan 31 '22 at 09:35
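Added example, not code from the answer above or from Microsoft: it reads the identifiers Autopilot keys on (hardware hash and serial, via the same MDM bridge WMI class the Get-WindowsAutoPilotInfo.ps1 script uses) and the current join state from dsregcmd, so the former owner's IT has both values to search for in Endpoint Manager. It assumes an elevated PowerShell on Windows 10 where the root/cimv2/mdm/dmmap namespace is available; the output path is a constructed choice.

```powershell
# Added example, not from the question or answers. Collects what Autopilot
# keys on (hardware hash + serial) plus the current join state, so the former
# owner's IT can locate the device registration and release it.
# Assumes an elevated PowerShell on Windows 10 with the MDM bridge WMI namespace.

function Get-DeviceIdentity {
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $sys  = Get-CimInstance -ClassName Win32_ComputerSystem
    # Same WMI class Get-WindowsAutoPilotInfo.ps1 reads for the hash; the value
    # is derived from the hardware, not read from the disk or the TPM, which is
    # why wiping the disk and clearing the TPM does not change it.
    $dev  = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
                            -ClassName 'MDM_DevDetail_Ext01' `
                            -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    [pscustomobject]@{
        SerialNumber = $bios.SerialNumber
        Manufacturer = $sys.Manufacturer
        Model        = $sys.Model
        HardwareHash = $dev.DeviceHardwareData
    }
}

function Get-JoinState {
    # dsregcmd prints "Key : Value" lines; keep the ones that show which
    # tenant and MDM service currently claim the device.
    $wanted = 'AzureAdJoined', 'DomainJoined', 'TenantName', 'MdmUrl'
    $state  = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s*:\s*(.*)$' -and $wanted -contains $Matches[1]) {
            $state[$Matches[1]] = $Matches[2].Trim()
        }
    }
    [pscustomobject]$state
}

$id = Get-DeviceIdentity
$id | Format-List
Get-JoinState | Format-List

# Autopilot registrations are keyed on the hardware hash, so give IT the hash
# as well as the serial number when asking them to remove the device.
# Constructed output path; adjust as needed.
$id | Select-Object SerialNumber, HardwareHash |
    Export-Csv -Path "$env:USERPROFILE\Desktop\device-identity.csv" -NoTypeInformation
```

If TenantName or MdmUrl is still populated on the reinstalled OS, the device re-enrolled during OOBE, which is what the answer describes.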
0

Although you have reset the disk, the Windows version on the disk could have been customized by the previous owning company.

Get generic Windows 10 media from the Microsoft site Download Windows 10, where you can get the ISO to burn to the boot media.

This new boot shouldn't ask for the company login. But if it does:

  • Download the latest BIOS version from the manufacturer and update the BIOS. Even if this will update it to the same version as installed, this will forcefully clean up any stored BIOS information.

  • The Windows installation media should now be able to format the disk before installing. If not, use a third-party boot media to format the disk as NTFS.

  • Finally install Windows from the downloaded Windows boot media.

harrymc
  • I DID use the Media Creation Tool on a blank USB stick to create a "pristine" Win10 installer, not the reset feature built into Windows. That's why I'm amazed that the previous domain still "leaked" into the installer. – Manjabes Jan 28 '22 at 09:22
  • Have you tried the rest of my points? – harrymc Jan 28 '22 at 21:18
  • I deleted all the partitions and had the installer create new ones. Did not update the BIOS. – Manjabes Jan 31 '22 at 07:24
  • And nothing helped? – harrymc Jan 31 '22 at 08:20
  • No. The BIOS update would've been something worth a try, but sadly it didn't occur to me at that moment. And by now the new user has already started to use the computer (after logging in with the defunct corporate user name, the installer provided the option to create a local user) so I'm probably not allowed to do yet another Windows reinstall without a guarantee for success. – Manjabes Jan 31 '22 at 08:33
-3

Reinstall the OS

but but but

make sure to completely clean the drive (if you do not clean the drive you will be 'recovering', not 'reinstalling') or better yet use a different system drive to load clean OS on

reinstall and initialize (local account setup) OS W/O internet connection

Guest