How to unjoin a Hybrid Azure AD joined device

Background: Recently I came across an issue where a Citrix VDA (version 1912 CU2) had been joined to Azure as a Hybrid Azure AD joined device, which stopped users from launching applications. As soon as someone launched an application, the VDA changed to the Unregistered state. We had used the Azure AD Connect wizard to configure all domain-joined devices to join Azure AD, which makes them Hybrid Azure AD joined devices in Azure.

After spending hours investigating this issue and also rebuilding the Citrix VDAs, the issue persisted. We decided to remove the Citrix servers from Azure Active Directory to fix it. This article is not about Citrix, though, but about unjoining a system from Hybrid Azure AD Join. I wanted to provide some background on why I had to do this and how you can also unjoin a system from Hybrid Azure AD Join easily.

The steps below can be followed on Windows 10 and later systems, including Windows Server 2016, to unjoin the device from Azure Active Directory (AAD).

Turn Off Automatic Registration

To turn off automatic registration, modify the scheduled task that triggers AAD registration: Task Scheduler > Microsoft > Windows > Workplace Join > Automatic-Device-Join. Perform the following actions on this scheduled task:

  1. Disable the scheduled task by right-clicking on the task and clicking Disable.
  2. Open the scheduled task and go to the Triggers tab. Select the trigger(s) -> click Edit -> uncheck the Enabled checkbox to disable the trigger.

You can also delete this scheduled task instead of disabling it.

Run dsregcmd.exe /debug /leave

Next, open a command prompt as an administrator and run:

dsregcmd.exe /debug /leave

Then run dsregcmd.exe /status to verify that the device no longer reports as Azure AD joined:

dsregcmd.exe /status

Registry Keys to disable Azure AD join

The two steps above should be enough to unjoin the system and block it from joining Azure Active Directory again. However, I have also created two registry entries to disable Azure AD join.

HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin

Under this key (create the WorkplaceJoin key if it does not exist), create two registry entries. You can create the entries below manually or push them with a Group Policy targeted at the systems you do not want to be Hybrid Azure AD joined. (How to create and push these registry entries using GPO is not covered in this article.)

  • autoWorkplaceJoin REG_DWORD Value 0
  • BlockAADWorkplaceJoin REG_DWORD Value 1
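The three steps above (disable the task, set the policy values, leave and verify) can be run as one script from an elevated PowerShell session. This is an added example, not code from the original post; it assumes the task path and policy key named above, and that dsregcmd.exe /status prints the AzureAdJoined and DomainJoined fields it does on current Windows builds.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Unjoins this machine from
# Hybrid Azure AD Join and blocks re-registration, then verifies the result.

$TaskPath  = '\Microsoft\Windows\Workplace Join\'
$TaskName  = 'Automatic-Device-Join'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'

# Step 1: stop the scheduled task that re-registers the device with Azure AD.
$task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    $task | Disable-ScheduledTask | Out-Null
    Write-Host "Disabled scheduled task $TaskPath$TaskName"
} else {
    Write-Host "Scheduled task $TaskName not found; it may already have been deleted"
}

# Step 2: create the policy values that disable automatic join and block AAD join.
if (-not (Test-Path $PolicyKey)) {
    New-Item -Path $PolicyKey -Force | Out-Null
}
New-ItemProperty -Path $PolicyKey -Name 'autoWorkplaceJoin'     -PropertyType DWord -Value 0 -Force | Out-Null
New-ItemProperty -Path $PolicyKey -Name 'BlockAADWorkplaceJoin' -PropertyType DWord -Value 1 -Force | Out-Null

# Step 3: leave Azure AD, then read the device state back.
& dsregcmd.exe /debug /leave | Out-Null
$statusLines = & dsregcmd.exe /status

function Get-DsregField {
    # dsregcmd /status prints lines of the form "    Field : Value";
    # return the value of the first line whose field name matches.
    param([string[]]$Lines, [string]$Field)
    foreach ($line in $Lines) {
        if ($line -match "^\s*$([regex]::Escape($Field))\s*:\s*(\S+)") {
            return $Matches[1]
        }
    }
    return $null
}

$azureJoined  = Get-DsregField -Lines $statusLines -Field 'AzureAdJoined'
$domainJoined = Get-DsregField -Lines $statusLines -Field 'DomainJoined'
Write-Host "AzureAdJoined : $azureJoined   DomainJoined : $domainJoined"

# Expected end state: still domain joined, no longer Azure AD joined.
if ($azureJoined -ne 'NO') {
    Write-Warning 'Device still reports AzureAdJoined; reboot and re-run dsregcmd.exe /status'
}
if ($domainJoined -ne 'YES') {
    Write-Warning 'Device does not report DomainJoined; check the on-premises domain membership'
}
```

The script only disables the task rather than deleting it, so the change can be reversed with Enable-ScheduledTask if the machine should be allowed to register again later; the policy values must also be removed in that case, since BlockAADWorkplaceJoin alone keeps the device from joining.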

Unsync the Device / Server to Azure Active Directory

Since you do not want these machines to register with or join Azure AD, you can also stop syncing them. Modify the Azure AD Connect synchronization settings to remove the OU in which the servers or workstations reside, or create a new OU, move the systems you do not want synced to Azure AD into it, and uncheck that OU in Azure AD Connect so that those systems no longer sync to Azure.

More Information:

https://docs.microsoft.com/en-us/azure/active-directory/devices/faq

https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan

https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-device-dsregcmd
