JanWerder · November 3, 2025 13:19
diff --git a/Deactivate-MDM.ps1 b/Deactivate-MDM.ps1
 <#
 .SYNOPSIS
    Disable the "Allow my organization to manage my device" (AAD Workplace Join) prompt.

 .DESCRIPTION
    Creates/updates the registry value:
      HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin\BlockAADWorkplaceJoin = 1 (DWORD)

    According to Microsoft documentation this prevents domain-joined devices
    from being Microsoft Entra (Azure AD) *registered* and suppresses the
    corresponding prompt.

    Run as Administrator (or as SYSTEM when deployed via Intune).
 #>

 # Require admin when run interactively
 $principal = New-Object Security.Principal.WindowsPrincipal `
    ([Security.Principal.WindowsIdentity]::GetCurrent())

 if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error "This script must be run with administrative privileges."
    exit 1
 }

 $regPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
 $regName  = 'BlockAADWorkplaceJoin'
 $regValue = 1

 try {
    Write-Host "Ensuring registry path exists: $regPath"
    if (-not (Test-Path -Path $regPath)) {
        New-Item -Path $regPath -Force | Out-Null
        Write-Host "Created registry key: $regPath"
    }

    $current = Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue

    if ($null -eq $current -or $current.$regName -ne $regValue) {
        Write-Host "Setting $regName to $regValue under $regPath"
        New-ItemProperty -Path $regPath `
                         -Name $regName `
                         -Value $regValue `
                         -PropertyType DWord `
                         -Force | Out-Null
        Write-Host "Successfully configured BlockAADWorkplaceJoin."
    } else
    {
        Write-Host "BlockAADWorkplaceJoin is already set to $regValue. No change needed."
    }

    exit 0
 }
 catch {
    Write-Error "Failed to configure BlockAADWorkplaceJoin: $($_.Exception.Message)"
    exit 1
 }
	<#
	.SYNOPSIS
	Disable the "Allow my organization to manage my device" (AAD Workplace Join) prompt.

	.DESCRIPTION
	Creates/updates the registry value:
	HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin\BlockAADWorkplaceJoin = 1 (DWORD)

	According to Microsoft documentation this prevents domain-joined devices
	from being Microsoft Entra (Azure AD) registered and suppresses the
	corresponding prompt.

	Run as Administrator (or as SYSTEM when deployed via Intune).
	#>

	# Require admin when run interactively
	$principal = New-Object Security.Principal.WindowsPrincipal `
	([Security.Principal.WindowsIdentity]::GetCurrent())

	if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
	Write-Error "This script must be run with administrative privileges."
	exit 1
	}

	$regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
	$regName = 'BlockAADWorkplaceJoin'
	$regValue = 1

	try {
	Write-Host "Ensuring registry path exists: $regPath"
	if (-not (Test-Path -Path $regPath)) {
	New-Item -Path $regPath -Force \| Out-Null
	Write-Host "Created registry key: $regPath"
	}

	$current = Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue

	if ($null -eq $current -or $current.$regName -ne $regValue) {
	Write-Host "Setting $regName to $regValue under $regPath"
	New-ItemProperty -Path $regPath `
	-Name $regName `
	-Value $regValue `
	-PropertyType DWord `
	-Force \| Out-Null
	Write-Host "Successfully configured BlockAADWorkplaceJoin."
	} else
	{
	Write-Host "BlockAADWorkplaceJoin is already set to $regValue. No change needed."
	}

	exit 0
	}
	catch {
	Write-Error "Failed to configure BlockAADWorkplaceJoin: $($_.Exception.Message)"
	exit 1
	}
No results found