Closed juergen-kc closed 1 year ago
Just a note on this: I'm going to close this issue tomorrow when I clean up documentation, but we introduced a change in v2.2.0 to invoke the dsregcmd.exe step as system, which does have permission to leave the domain.
This issue should be resolved in the current release 👍
Wiki updated, closing
Hi
The documentation states that a simple "dsregcmd.exe /leave" within a PowerShell-Command will disjoin the device from AAD, but in practice this isn't working as expected.
Instead this iteration of code did it for me:
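```powershell
if ([System.Environment]::Is64BitProcess) {
    # Already a 64-bit process: call dsregcmd.exe directly.
    dsregcmd.exe /leave
} else {
    # 32-bit process: relaunch 64-bit PowerShell through the sysnative alias.
    $ps64 = Join-Path $env:SystemRoot "\sysnative\WindowsPowerShell\v1.0\powershell.exe"
    & $ps64 -Command {dsregcmd.exe /leave}
}
```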
Post reboot the AD-Joined account is not present anymore and device is not enrolled into AAD either:
```
C:\Windows\System32>dsregcmd.exe /status
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+
+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+
+----------------------------------------------------------------------+
| IE Proxy Config for Current User |
+----------------------------------------------------------------------+
+----------------------------------------------------------------------+
| WinHttp Default Proxy Config |
+----------------------------------------------------------------------+
+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+
```
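A way to confirm the result of the leave step from a script instead of reading the `/status` output by eye, as an added example that is not part of the original post or the project's code. The function names are hypothetical, the sample lines are constructed, and the assumption is that the 32-bit/64-bit difference handled in the post comes from System32 redirection in 32-bit processes.

```powershell
# Added example; Resolve-DsregcmdPath, ConvertFrom-DsregStatus and Test-DeviceLeft are hypothetical names.
function Resolve-DsregcmdPath {
    # In a 32-bit process on 64-bit Windows, System32 is redirected to SysWOW64;
    # the Sysnative alias reaches the real 64-bit System32 from such a process.
    $dir = if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        'Sysnative'
    } else {
        'System32'
    }
    Join-Path $env:SystemRoot "$dir\dsregcmd.exe"
}

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    # Collect "Key : Value" lines into a hashtable; the boxed section headers
    # contain no colon and are skipped.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $state
}

function Test-DeviceLeft {
    param([hashtable]$State)
    # Only an explicit "NO" counts; a missing field is not treated as success.
    $State['AzureAdJoined'] -eq 'NO'
}

# Constructed sample of a post-leave status, used to exercise the parser offline.
$sample = @(
    '| Device State |',
    '             AzureAdJoined : NO',
    '          EnterpriseJoined : NO',
    '              DomainJoined : NO'
)
$parsed = ConvertFrom-DsregStatus -Lines $sample
'sample: AzureAdJoined={0} Left={1}' -f $parsed['AzureAdJoined'], (Test-DeviceLeft $parsed)

# Live check, run only where dsregcmd.exe is reachable from this process.
$exe = Resolve-DsregcmdPath
if (Test-Path $exe) {
    $live = ConvertFrom-DsregStatus -Lines (& $exe /status)
    'live: AzureAdJoined={0} DomainJoined={1} Left={2}' -f $live['AzureAdJoined'], $live['DomainJoined'], (Test-DeviceLeft $live)
}
```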