I recently encountered an issue when a Citrix VDA version 1912 CU2 was joined as an Entra hybrid joined device. This prevented users from launching applications published on Citrix. As soon as users launched an application, the VDA state in the Citrix management console would change to Unregistered.
We spent a lot of time investigating this issue and finally decided to remove the affected Citrix server from Entra ID to fix it. This article is not about Citrix; it focuses on removing a device from Entra hybrid joined status. I wanted to provide some background information on why I had to take this step to remove a device from Entra ID.
Turn Off Automatic Registration
First, turn off automatic registration on the device by modifying a scheduled task that triggers the registration process with Entra ID.
Go to Task Scheduler > Microsoft > Windows > Workplace Join > Automatic-Device-Join and make the following changes:
- Disable the scheduled task by right-clicking it and selecting Disable.
- Open the scheduled task and go to the Triggers tab. Select the trigger(s), click Edit, and uncheck the Enabled checkbox to disable the trigger.
You can also delete this scheduled task completely instead of just disabling it.
Run dsregcmd.exe /debug /leave
Now open a command prompt as an administrator and run the dsregcmd.exe /debug /leave command. This removes the device from Entra hybrid join.
Check the device join status using the dsregcmd.exe /status command.
Registry Keys to disable Entra ID Join
The steps above should remove the device from Entra hybrid join status. However, you can also create registry values on the device to ensure that it does not join Entra again.
- Press the Windows key + R to open the Run dialog box.
- Navigate to HKLM:\SOFTWARE\Policies\Microsoft\Windows\
- Create a new registry key called WorkplaceJoin (if it does not exist).
- Create the following two registry entries:
  - autoWorkplaceJoin REG_DWORD Value 0
  - BlockAADWorkplacejoin REG_DWORD Value 1
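The on-device steps above can be run as one PowerShell script that also confirms the result. This is an added example, not part of the original article; the `Get-DsregState` helper is hypothetical, and the script disables the scheduled task as a whole rather than editing its individual triggers.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): on-device steps, then verification.
$ErrorActionPreference = 'Stop'
$taskPath  = '\Microsoft\Windows\Workplace Join\'
$taskName  = 'Automatic-Device-Join'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'

function Get-DsregState {
    # Hypothetical helper: parse "Name : Value" lines of dsregcmd /status into a hashtable.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    $state
}

# 1. Disable the scheduled task that triggers registration, if it still exists.
$task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
if ($task) { $task | Disable-ScheduledTask | Out-Null }

# 2. Run the leave command only when the device currently reports a join.
if ((Get-DsregState)['AzureAdJoined'] -eq 'YES') {
    & dsregcmd.exe /debug /leave
}

# 3. Create the policy key and the two DWORD values listed above.
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
$values = [ordered]@{ autoWorkplaceJoin = 0; BlockAADWorkplacejoin = 1 }
foreach ($name in $values.Keys) {
    New-ItemProperty -Path $policyKey -Name $name -PropertyType DWord `
        -Value $values[$name] -Force | Out-Null
}

# 4. Report the resulting state so it can be logged or checked across servers.
$after  = Get-DsregState
$task   = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
$policy = Get-ItemProperty -Path $policyKey
[pscustomobject]@{
    TaskState             = if ($task) { $task.State } else { 'NotPresent' }
    AzureAdJoined         = $after['AzureAdJoined']   # expected: NO
    DomainJoined          = $after['DomainJoined']    # on-premises AD join is unchanged
    autoWorkplaceJoin     = $policy.autoWorkplaceJoin
    BlockAADWorkplacejoin = $policy.BlockAADWorkplacejoin
}
```

If `AzureAdJoined` still shows `YES` in the output, review the `/debug` output of the leave command before rerunning.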
Finally: Unsync the Device using Entra Connect
You can also move the server or device to an OU that is not synced to Entra ID by Entra Connect, and then run a delta sync. This ensures that the device object is not synced to or created in the cloud.
More Information:
- Microsoft Entra device management FAQ.
- Plan your Microsoft Entra hybrid join implementation.
- Troubleshoot devices by using the dsregcmd command.