How to Unjoin an Entra Hybrid Joined Device

Recently, I faced an issue where a Citrix VDA with version 1912 CU2, joined to Entra as an Entra Hybrid Join device, was preventing users from launching applications. Upon launching an application, the VDA state would transition to an “Unregistered” state.

After dedicating hours to investigating and even rebuilding the Citrix VDAs without resolving the issue, we opted to remove the Citrix servers from Entra ID to address the problem.

This article is not centered on Citrix; it focuses on removing a device from Entra Hybrid Joined status. I wanted to provide background information on why I had to take this step and offer insights into how you can easily unjoin a system from Entra ID. Let’s go through the steps.

Option 1 – Turn Off Automatic Registration

To turn off automatic registration, modify the Scheduled Task that triggers Entra ID registration. Navigate to Task Scheduler > Microsoft > Windows > Workplace Join > Automatic-Device-Join. Perform the following actions on this scheduled task:

  1. Disable the Scheduled Task by right-clicking the task and clicking Disable.
  2. Open the Scheduled Task and go to the Triggers tab. Select the trigger(s), click Edit, and uncheck the Enabled checkbox to disable the trigger.

Alternatively, you can delete this Scheduled Task instead of disabling it.

Option 2 – Run dsregcmd.exe /debug /leave

Next, open a command prompt as an administrator and enter dsregcmd.exe /debug /leave.

dsregcmd.exe /debug /leave

Then run dsregcmd.exe /status:

dsregcmd.exe /status

Option 3 – Registry Keys to disable Entra ID Join

The two steps above should be sufficient for unjoining and blocking the system from joining Entra ID. However, I have also created two registry entries to further ensure it.

  • Press the Windows key + R to open the Run dialog box and launch the Registry Editor (regedit).
  • Navigate to HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin
  • Create a new registry key called WorkplaceJoin (if it does not exist).
  • Create the two registry entries below:
    • autoWorkplaceJoin REG_DWORD Value 0
    • BlockAADWorkplacejoin REG_DWORD Value 1
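
Options 1 to 3 can also be scripted. The PowerShell below is an added example, not part of the original procedure: it applies the three options on the local machine and then reports the resulting state. It assumes an elevated session and that dsregcmd.exe /status prints an "AzureAdJoined : YES/NO" line; the variable names are illustrative.

```powershell
#Requires -RunAsAdministrator
# Added example: applies Options 1-3 on the local machine, then verifies the result.

$taskPath = '\Microsoft\Windows\Workplace Join\'
$taskName = 'Automatic-Device-Join'
$key      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
$dsregcmd = Join-Path $env:SystemRoot 'System32\dsregcmd.exe'

# Option 1: disable the scheduled task that triggers automatic registration.
$task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
if ($task) {
    $task | Disable-ScheduledTask | Out-Null
} else {
    Write-Warning "Scheduled task $taskName not found (already deleted?)."
}

# Option 2: leave Entra ID; /debug makes dsregcmd print verbose output.
& $dsregcmd /debug /leave

# Option 3: policy values that block a later re-join. Create the key if missing.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name 'autoWorkplaceJoin'     -PropertyType DWord -Value 0 -Force | Out-Null
New-ItemProperty -Path $key -Name 'BlockAADWorkplacejoin' -PropertyType DWord -Value 1 -Force | Out-Null

# Verify: read the join state back from dsregcmd /status
# (assumption: the output contains an "AzureAdJoined : YES/NO" line).
$status = & $dsregcmd /status
$match  = $status | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*(\w+)' | Select-Object -First 1
$joined = if ($match) { $match.Matches[0].Groups[1].Value } else { 'UNKNOWN' }

$taskNow = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
$policy  = Get-ItemProperty -Path $key

# One summary object per machine, easy to collect when run remotely.
[pscustomobject]@{
    Computer              = $env:COMPUTERNAME
    AzureAdJoined         = $joined
    TaskState             = if ($taskNow) { $taskNow.State } else { 'Missing' }
    autoWorkplaceJoin     = $policy.autoWorkplaceJoin
    BlockAADWorkplacejoin = $policy.BlockAADWorkplacejoin
}
if ($joined -ne 'NO') { Write-Warning "Device still reports AzureAdJoined = $joined" }
```

A healthy result shows AzureAdJoined as NO, the task state as Disabled, and the two policy values as 0 and 1.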

Finally – Unsync the Device using Entra Connect

As you do not want these machines to register with or join Entra ID again, you can also unsync them. Modify the Entra Connect Synchronization settings to remove an OU from sync to Entra ID, and move the devices that you don’t want to sync into that OU.
