A few weeks ago, one of my clients asks me to remove one device from Hybrid Azure AD join. I said, well that’s easy! Open command prompt and type dsregcmd.exe /leave and that should do everything for you. Guess what?? It did not!
So here’s what I did to completely remove a device from Hybrid Azure AD join.
- On the server, ensure that the machine is not part of the GPO that is setup for automatic registration.
- On the machine to be removed from Hybrid AAD join, remove the applied GPO locally for automatic registration.
Computer Configuration/Administrative Templates/Windows Components/Device Registration -> Not Configured
- Delete the registry key for autoWorkplaceJoin.
- Open powershell and connect to Azure AD, run Get-MSOLDevice and take note of the DeviceID. Install the module if needed.
Install-Module -Name MSOnline -Force
- In the same powershell command window, run Remove-MsolDevice command and enter the DeviceID taken from previous step of the machine to be removed.
- To verify the changes made, run Get-MsolDevice again and you should be able to get the “Device not found” error.
- Open mmc.exe –> certificates and delete the two certificates below.
- Manually disable the task scheduler on the affected servers. Ensure to disable the Task itself and the trigger. \Microsoft\Windows\Workplace Join
- Run dsregcmd /status from command prompt and it should show that the machine has been removed from AAD join.
- To completely verify, refresh policy and run gpupdate /force then run dsregcmd /status once again. It should show the same output as in above step.
- Logoff from the machine and log back in and run dsregcmd /status once again. It should again show the same output as in above step.
There you go! Hope this helps someone, somewhere out there! 🙂