Azure AD Registered Device Cleanup with PowerShell

Moss, has it been completely demagnetised?

In my organization we have a whole lot of Windows 7 workstations. We also have a team of technicians who log into multiple workstations throughout their day for troubleshooting, setup, or whatever else comes up. As you're likely aware (since you're reading this), when a user logs into a Windows 7 computer, the workstation registers the user as an owner of the device in Azure AD. This behavior is specific to Windows 7: Windows 10 does not associate an owner when it registers automatically (if you manually join it to Azure AD, the joining user becomes the owner). On Windows 7 the registration is performed by a scheduled task called Automatic-Device-Join, located at:

Task Scheduler > Microsoft > Windows > Workplace Join

This scheduled task is created when the Microsoft Workplace Join client is installed (https://www.microsoft.com/en-us/download/details.aspx?id=53554).

Azure AD limits how many devices a user can register; the setting is "Maximum number of devices per user" under Azure AD > Devices > Device settings, and the default is 20. Once a user hits that number, no further devices can be registered for them. Let's say your user wants to register their new cell phone. If they've already hit the magic number of 20, they won't be able to. The option does exist to raise this limit or set it to unlimited, or you can go into the Azure portal and delete devices by hand, but that's not what this post is about.

Let’s dive in

Using PowerShell, we can easily see all the registered devices for the user and just as easily clean them up. You'll need the MSOnline PowerShell module installed and an account holding a role that can delete devices (for example Cloud Device Administrator or Global Administrator). Note that Microsoft has since deprecated the MSOnline module in favour of Microsoft Graph PowerShell, but the cmdlets below still illustrate the approach. Open up PowerShell (I prefer using the ISE myself) and connect with the following command:

Connect-MsolService

This opens a sign-in prompt for Azure AD. Go ahead and sign in. After that, we can run the following to list all the registered devices for a particular user. Odds are we don't want to clear out every registration; maybe we need to keep 2 or 3 of them, so the listing includes the device ID, OS type and approximate last logon to help decide which ones.

$UserPrincipalName = "email.address@company.com"
Get-MsolDevice -RegisteredOwnerUpn $UserPrincipalName |
    Select-Object DisplayName, DeviceId, DeviceOsType, ApproximateLastLogonTimestamp |
    Sort-Object DisplayName

Let's say we want to delete everything except two computers, named computername1 and computername2. We can accomplish this with the following (the -notin operator requires PowerShell 3.0 or later and compares case-insensitively):

$UserPrincipalName = "firstname.lastname@company.com"
$DevicesToKeep = "computername1","computername2"
# Deletes every device object registered to this user whose name is not in the keep list
Get-MsolDevice -RegisteredOwnerUpn $UserPrincipalName |
    Where-Object { $_.DisplayName -notin $DevicesToKeep } |
    ForEach-Object { Remove-MsolDevice -DeviceId $_.DeviceId -Force }

In practice this only removes the registrations belonging to that user: if other users have registered the same physical computer, their registrations remain in Azure AD. The reason is that Windows 7 Workplace Join registers per user, so each user who logs in gets their own device object for the same machine, and the command above only sees the objects owned by the UPN you specified. Be aware, though, that Remove-MsolDevice deletes the device object itself, not just one owner link, so if a device object lists more than one entry in RegisteredOwners, deleting it removes the device for everyone. Check that property before removing anything with multiple owners.
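The listing and removal steps above, together with the multiple-owner check, wrapped into one reusable function. This is an added example and not code from the original post. It goes slightly beyond the post's keep-by-name case by optionally also keeping the N most recently used devices, and it supports -WhatIf so you can see what would be deleted before anything is touched. It assumes the MSOnline module is loaded and Connect-MsolService has already succeeded; the function and parameter names are mine, and the assumption that RegisteredOwners is a collection of owner UPNs is mine as well, not something the page states.

```powershell
# Added example, not from the original post. Assumes the MSOnline module is loaded and
# Connect-MsolService has already succeeded. Uses the Get-MsolDevice properties DisplayName,
# DeviceId, ApproximateLastLogonTimestamp and RegisteredOwners; treating RegisteredOwners as
# a collection of owner UPNs is an assumption made here.
function Remove-StaleUserDevice {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [string]$UserPrincipalName,

        # Device names that are always kept, whatever their age.
        [string[]]$DevicesToKeep = @(),

        # Additionally keep this many of the user's most recently used devices
        # (0 keeps only the explicitly named ones).
        [int]$KeepMostRecent = 0
    )

    $devices = @(Get-MsolDevice -RegisteredOwnerUpn $UserPrincipalName)
    if ($devices.Count -eq 0) {
        Write-Verbose "No devices registered to $UserPrincipalName"
        return
    }

    # Keep list = explicit names + the N most recently seen devices.
    # Devices that never logged on have a null timestamp and sort last.
    $recent = $devices |
        Sort-Object ApproximateLastLogonTimestamp -Descending |
        Select-Object -First $KeepMostRecent |
        ForEach-Object { $_.DisplayName }
    $keep = @($DevicesToKeep) + @($recent)

    foreach ($device in $devices) {
        $owners = @($device.RegisteredOwners)

        if ($device.DisplayName -in $keep) {
            $action = 'Keep'
        }
        elseif ($owners.Count -gt 1) {
            # Remove-MsolDevice deletes the whole device object, which would also
            # strip every other owner, so refuse to touch shared objects.
            $action = 'Skip (multiple owners)'
        }
        elseif ($PSCmdlet.ShouldProcess("$($device.DisplayName) [$($device.DeviceId)]", 'Remove-MsolDevice')) {
            Remove-MsolDevice -DeviceId $device.DeviceId -Force
            $action = 'Removed'
        }
        else {
            # -WhatIf was given, or the operator answered No at the confirm prompt.
            $action = 'Not removed'
        }

        # One report row per device so the result can be piped to Format-Table or Export-Csv.
        [pscustomobject]@{
            DisplayName = $device.DisplayName
            DeviceId    = $device.DeviceId
            LastLogon   = $device.ApproximateLastLogonTimestamp
            Owners      = ($owners -join ';')
            Action      = $action
        }
    }
}

# Dry run first: prints "What if:" lines and reports without touching Azure AD.
Remove-StaleUserDevice -UserPrincipalName 'firstname.lastname@company.com' `
    -DevicesToKeep 'computername1','computername2' -KeepMostRecent 1 -WhatIf

# Real run. ConfirmImpact High prompts per device; -Confirm:$false suppresses the prompts.
# Remove-StaleUserDevice -UserPrincipalName 'firstname.lastname@company.com' `
#     -DevicesToKeep 'computername1','computername2' -Confirm:$false
```

Run it with -WhatIf first and review the Action column; anything marked "Skip (multiple owners)" is a device object shared with other users and is worth a manual look in the portal before you decide to delete it.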

But wait there’s more…

There is one gotcha with doing this. If that user later logs into one of the computers whose registration we just removed, the local Workplace Join client still believes the user is a registered owner and won't try to re-register. For me that doesn't matter, because odds are the workstation they're logging into isn't their regular one. If you do need to correct it, you can manually un-join and re-join with the following commands in a command prompt, run as the affected user (the path contains a space, so keep the quotes):

"%ProgramFiles%\Microsoft Workplace Join\AutoWorkplace.exe" /leave
"%ProgramFiles%\Microsoft Workplace Join\AutoWorkplace.exe" /join

Hopefully this post has been helpful to someone!
