Computers joined Azure Active Directory w/o local user permission

[Win 10 KidRock User]

My Windows 10 (version 1607) computers are joined to an Azure Active Directory without my permission. I did not actively join an Azure AD on the settings/accounts/access work or school account page or on the System about page. When I go to any of these settings pages there is not an option to join or leave an Azure AD or Organization. I also found a provisioning package being applied to the computer at logon. Presumably coming from the Azure AD that the computers are linked to. How do I disconnect my computers from whatever active directory it is joined to?
Details: The computers are personal home use computers that should not be joined to any organization's active directory. Every time a new computer is setup in my house it gets joined to an unknown Azure Active Directory. During setup and subsequent updates the computers are automatically joined to some azure active directory without input from the local user. The computers are new and have not had any additional apps added. All security settings have been changed to not allow sharing of any type. Default user accounts have been disabled. The computers have not been used for anything aside from surfing the web for a solution. They are out of the box with setup and updates completed. I have not logged on to office 365, any microsoft account or azure Vm on these machines.
Event Log viewer shows remote power shell commands being executed event #4104. Device management-enterprise-diagnostics- reports System migration tasks completed event #1700. Windows Remote Management reports Activity Transfer Event #254. At logon I often get a message that there has been a change in the network status. These events seem to be related to the computers being linked to an active directory somewhere.
On the settings-account-join a work or school account there is an option to "Export your management log files" which exports an XML to Users\public\Documents\MDMDiagnostics\. The log file shows 100 pages of code being provisioned to the home use computers.
Tcpview shows the home computers trying to/or connecting to various computers around the world at various times when a browser is open on the Google search page with no other web pages open. I assume all this activity is related to the active directory the home computers have been linked to.
Whatever is happening with these new computers seems to be a serious security threat related to Windows 10 "join an azure active directory". These home computers should not be connecting to or trying to connect to: computers in the Ukraine, Croatia, Canada, England, Germany, etc when no web pages are open aside from a google search screen.
When the computers are idle and I am just watching Tcpview and task manager all kinds of activity is reported for hours on end.
I have been searching the web for months to figure out how to disable the join an azure active directory feature on new computers. I have contacted Microsoft support desk, visited a Microsoft store for technical help, and contacted MCafee support to no avail. All technical assistance ended at level 2 support telling me they do not know how to correct the issue and to take the computers back to the store or contact the computer manufactures to get the setup disks and rebuild the computer. After 5 new computers, I would prefer to have a different solution.
I have posted on various forums that post back a solution to go to settings/system/about and click the button "Leave an Organization". This button does not exist on my computers. (Maybe hidden by some sort of group policy being applied to the computers. )
If anybody has had a similar situation, please comment and/or provide information on how to disconnect the local computers from the azure active directory they are attached to and disable or block them from being joined to an Azure Active Directory again. Thank you!

 

[Tim Locke]

An interesting thing to try would be to download the current Windows home direct from Microsoft. ONTO A COMPLETELY DIFFERENT MACHINE. Ideally at someone else house that uses a different ISP Power down all the other computers in your house. Turn off the download sharing thing on the one you will reset. do a full reset keeping nothing on one of them and after that then do a full clean install from the download. See if that one stays clean with the others powered off. I think I'd run Malware Bytes including the Anti exploit add-on and then power up the others and see what happens.


You say these computers are out of the box? Do you trust the source of them?

 

[Win 10 KidRock User]

An interesting thing to try would be to download the current Windows home direct from Microsoft. ONTO A COMPLETELY DIFFERENT MACHINE. Ideally at someone else house that uses a different ISP Power down all the other computers in your house. Turn off the download sharing thing on the one you will reset. do a full reset keeping nothing on one of them and after that then do a full clean install from the download. See if that one stays clean with the others powered off. I think I'd run Malware Bytes including the Anti exploit add-on and then power up the others and see what happens.


You say these computers are out of the box? Do you trust the source of them?

The computers were bought from various stores: Best Buy, Office Max, Walmart, etc. Various manufactures Dell, Asus, HP.

I did try to do a clean install on one of the computers with everything else off in the house; but, as soon as I went online for updates the computer was joined to an Azure AD after the update or at least I think that it when it happened with the initial computer.

I bought a new computer turned everything off in the house including the modem. Opened the box and went through the initial setup. Disabled all sharing, app updating, default user accounts, bluetooth, etc. Installed Malwarebytes checked to make sure Macafee was running, plugged in the modem and went online for McAfee & Malwarebytes, updates. All looked good. The computer had not joined an AZURE AD yet and all virus and spyware was up to date. Next I completed a manual download of Windows version 1607 upgrade from the MS website. It took several hours to download which seemed odd. During the download, task manager was showing all kinds of activity; but only a small portion was from windows update service. As soon as the update was available on the computer, I installed it. It took a little over an hour. When the computer restarted after the update the computer was again attached to an Azure AD and there was no "Leave an Organization Button". I ran a malwarebytes full scan. It found one small file in system32 f.exe that it quarantined. The only things that had been on in the house during this computer setup and update were my cell phones, no computers were trurned on or online.

I bought another computer and tried it again with no cell phones on. Same thing after updates No "Join Azure AD" button and no "Leave an organization" button. I thought maybe it was something microsoft was doing for the upgrade but can not find anything on the web anywhere saying microsoft updates are doing this. Everything I find discusses the company, organization, and enterprise uses for "Join Azure AD". Since these were local computers not logged on with a microsoft account, not used to access office 365 or any other miscrosoft services such as the store, etc., I assumed they should not be attached to an Azure AD. I can not find an answer to this anywhere and microsoft level 2 support had no idea how to detach the computer from whatever it's attached to. They refunded my support fee and told me to take the computer back.

I have done this a few different times now, with a new computer, each time trying a different approach to track what was going on and how the computer was getting attached to the Azure AD. Since I am not a techie I'm kind of searching for a needle in a haystack. If MS windows update is doing this (attaching the computer to Azure AD) it would be nice if MS would tell me that so that I don't keep looking for something that doesn't exist. It just seems weird that these computers no longer have the option to Join an Azure AD. What if I actually wanted them to be attached to my company's Azure AD? How would I do that when it's already attached to some other Azure AD?

I appreciate your post and suggestions I will look for a different location to setup the next new computer and see if it turns out differently. Will be interesting...when I get it setup and upgraded at a different location, if it re-attaches itself when I bring it back into the house. Thank you again for your post!

 

[Tim Locke]

Last time I was near Active directory it was before it was called Azure. Back then the IT guys managed it AND also made a slipstreamed install for all the PCs in the organisation so that everyone was immediately joined ...also of course there was other stuff like connecting to Exchange and getting the corporate AV.

If your machines had all been loaded at the same computer store or from the same download I wondered if someone had picked up a pre-made install disk. But that is not so.

Did you update all these machines with 1607? But if the first machine got spoofed and if the others were defaulted to the sharing Windows updates thing I guess they could all p;ick up something.


MS website. It took several hours to download which seemed odd. During the download, task manager was showing all kinds of activity; but only a small portion was from windows update service. As soon as the update was available on the computer, I installed it. It took a little over an hour. When the computer restarted after the update the computer was again attached to an Azure AD and there was no "Leave an Organization Button". I ran a malwarebytes full scan. It found one small file in system32 f.exe that it quarantined.
I wonder if the MS website was being spoofed? I then wonder if Macafee website was being spoofed.

1607 is about 2.6GB. if you are on a normal ( hardwired to the ISP connection you know the speed and using the network and sharing centre get a good idea of the actual download speed.