Remove a device from Hybrid Azure AD join – permanently!

A few weeks ago, one of my clients asks me to remove one device from Hybrid Azure AD join. I said, well that’s easy! Open command prompt and type dsregcmd.exe /leave and that should do everything for you. Guess what?? It did not!

So here’s what I did to completely remove a device from Hybrid Azure AD join.

• On the server, ensure that the machine is not part of the GPO that is setup for automatic registration.
• On the machine to be removed from Hybrid AAD join, remove the applied GPO locally for automatic registration.

Computer Configuration/Administrative Templates/Windows Components/Device Registration -> Not Configured

• Delete the registry key for autoWorkplaceJoin.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin\

• Open powershell and connect to Azure AD, run Get-MSOLDevice and take note of the DeviceID. Install the module if needed.

Install-Module -Name MSOnline -Force

• 

• In the same powershell command window, run Remove-MsolDevice command and enter the DeviceID taken from previous step of the machine to be removed.

• To verify the changes made, run Get-MsolDevice again and you should be able to get the “Device not found” error.
• Open mmc.exe –> certificates and delete the two certificates below.

• Manually disable the task scheduler on the affected servers. Ensure to disable the Task itself and the trigger. \Microsoft\Windows\Workplace Join

• Run dsregcmd /status from command prompt and it should show that the machine has been removed from AAD join.

• To completely verify, refresh policy and run gpupdate /force then run dsregcmd /status once again. It should show the same output as in above step.
• Logoff from the machine and log back in and run dsregcmd /status once again. It should again show the same output as in above step.

There you go! Hope this helps someone, somewhere out there! 🙂