Unlink a user's workplace join account while device is also Entra ID joined
We have a number of users on Entra ID joined devices that were prompted to register their devices when signing into Teams with another org account. My question has two parts - how can we programmatically remove the Workplace Join account and how do we prevent users from doing it again?
- ftrout (Brass Contributor)
Thanks, but unfortunately this doesn't help me. These devices were AAD joined using Autopilot and then registered to another org tenant. Basically, users signed into Teams with another org's creds and were prompted to register the device (a design decision I still scratch my head over). Since these are in another org's tenant, we do not have the capability to clean up the devices, and dsregcmd /leave just completely breaks everything.
- IntuneNinja (Copper Contributor)
To clean up: As per my research, there is no way to just remove workplace join remotely. Manual removal of the account is what we use.
To prevent users from doing it again: you can create a custom policy to remotely edit the registry as group policy:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, "BlockAADWorkplaceJoin"=dword:00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, "autoWorkplaceJoin"=dword:00000000
https://learn.microsoft.com/en-us/entra/identity/devices/faq#how-can-i-block-users-from-adding-more-work-accounts--microsoft-entra-registered--on-my-corporate-windows-10-11-devices
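
An added example, not part of the posts above and not Microsoft's own tooling: a PowerShell script in the shape of a detection/remediation pair that audits the two registry values quoted in the reply, optionally sets them, and reports the join state from `dsregcmd /status`. The `-Remediate` switch and the `Get-JoinState` helper are hypothetical names chosen for this example.

```powershell
# Added example: audit/enforce the WorkplaceJoin policy values quoted in the thread
# and report the current join state. Writing to HKLM requires an elevated session.
[CmdletBinding()]
param(
    [switch]$Remediate   # hypothetical switch: without it the script only audits
)

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
# Value names and data exactly as given in the thread.
$Desired = [ordered]@{ BlockAADWorkplaceJoin = 1; autoWorkplaceJoin = 0 }

function Get-JoinState {
    # Parse the "Name : Value" lines of dsregcmd /status into a hashtable.
    # WorkplaceJoined is user state: it reflects the account running this script,
    # so run it in the signed-in user's context to see that user's registration.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(AzureAdJoined|WorkplaceJoined)\s*:\s*(\S+)') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $state
}

# Collect every value that is missing or differs from the desired data.
$drift = @()
foreach ($name in $Desired.Keys) {
    $current = (Get-ItemProperty -Path $PolicyPath -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -ne $Desired[$name]) { $drift += $name }
}

if ($drift -and $Remediate) {
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    foreach ($name in $drift) {
        New-ItemProperty -Path $PolicyPath -Name $name -Value $Desired[$name] `
            -PropertyType DWord -Force | Out-Null
    }
    $drift = @()
}

$join = Get-JoinState
[pscustomobject]@{
    AzureAdJoined   = $join['AzureAdJoined']
    WorkplaceJoined = $join['WorkplaceJoined']   # YES = a registered work account is present
    PolicyDrift     = ($drift -join ',')
}
# Non-zero exit marks the device as non-compliant for a detection/remediation runner.
if ($drift) { exit 1 } else { exit 0 }
```

Setting the values does not remove a registration that already exists; as the reply says, that account still has to be removed manually, so `WorkplaceJoined` stays `YES` until it is.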