Disable Stay Signed in to all your apps Prompt using Intune while accessing Windows 365 AVD

Let’s check how to disable stay signed in to all your apps Prompt using Intune Settings catalog (Windows CSP) Vs. registry fix via Win32 App deployment. This is a tricky option when I accidentally click the OK button instead of the No, sign in to this app only option from a personal device.

There are a couple of scenarios that will be a bit tricky for AVD and Windows 365 Cloud PC testing using the RD client subscription option. The first scenario is when I use a personal device to access AVD or Windows 365 for testing. The second scenario is when I use the production device and test the staging environment AVD or Windows 365 Cloud PCs using RD client.

In both scenarios, if you click the OK button accidentally from the Stay Signed in to all your apps popup screen, your device will end up adding an additional account to the Access Work or School section of the settings app in Windows 11 or Windows 10.

In this post, you will see two methods deploy the same fix. Learn how to Disable Workplace Join using Windows CSP or Registry Fix. I couldn’t make Windows CSP using the settings catalog work! Well, the CSP is to Disallow Workplace Join using Window CSP. Let me know what your experience is after reading the post and testing!

Patch My PC

The registry fix explained in this post is to block Workplace join. I don’t know what the difference is between Disallow and Block! This is another question you can answer in the comments.

Manual Method to Avoid Registering Devices to Wrong Azure AD

Whenever you get the following screen and message, such as Stay Signed in to all your apps, you will need to ignore the OK button, as explained below.

Adaptiva

With these popup screen settings, Windows will remember your account and automatically sign you in to your apps and websites on this device. This will reduce the number of times you are asked to log in.

Allow my Organization to manage my device.

Selecting this option means your administrator can install apps, control settings, and reset your device remotely. Your Organization may require you to enable this option to access data and apps on this device.

Manual Method to Avoid Registering Devices to Wrong Azure AD
Manual Method to Avoid Registering Devices to Wrong Azure AD

Remove the checkmark near the option called – Allow my Organization to manage my device.

Once the checkmark is removed from Allow my Organization to manage my device option, click on the link No, sign in to this app only.

NOTE! Do not click on the OK button.

Manual Method to Avoid Registering Devices to Wrong Azure AD
Manual Method to Avoid Registering Devices to Wrong Azure AD

Disable Stay Signed in to all your apps Prompt using Windows CSP

Let’s try to disable Stay Signed in to all your apps Prompt using Intune settings catalog. However, I don’t think this is a very good approach, and this will work for the users who have admin access, etc. I have not tested this solution with non-admin users.

  • Login to Endpoint Manager Intune portal https://endpoint.microsoft.com/#home
  • Navigate to Devices -> Windows -> Configuration profiles.
  • Click on +Create Profile.
Disable Stay Signed in to all your apps Prompt using Windows CSP
Disable Stay Signed in to all your apps Prompt using Windows CSP

In Create Profile blade, You can select Platform: Select Windows 10 and later and Profile: Select Settings catalog (preview).

Click on Create button. For Example – You have to select the platform Windows 10 and later. You can enter the details of the policy and settings in the next screens.

Disable Stay Signed in to all your apps Prompt using Windows CSP
Disable Stay Signed in to all your apps Prompt using Windows CSP

Once you click on Create button from the above page, you will need to enter the Name and Description of the setting catalog policy.

Enter the name of the policy Name – Disable Stay Signed in to all your apps and click on the next button to continue.

Disable Stay Signed in to all your apps Prompt using Windows CSP
Disable Stay Signed in to all your apps Prompt using Windows CSP

You will need to click on the +Add Settings hyperlink from the next page of the policy configuration wizard. This hyperlink will help with a new blade called the Settings Picker with a search box.

Settings catalog – With the settings catalog, you can choose which settings you want to configure. Click on Add settings to browse or search the catalog for the settings you want to configure.

Disable Stay Signed in to all your apps Prompt using Windows CSP
Disable Stay Signed in to all your apps Prompt using Windows CSP

You also have many other options like filtering the policies based on OS edition etc. You can use the search box to find the relevant policies to Workplace Profiles.

I have clicked on the Settings category and selected one policy called Allow Workplace to disable Stay Signed in to all your apps Prompt using Intune popup screen.

Windows MDM CSP details for this setting – Allows users to change workplace settings, and this is a device-based policy. The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.
Disable Stay Signed in to all your apps Prompt using Windows CSP
Disable Stay Signed in to all your apps Prompt using Windows CSP

Now, you will need to block Allow Workplace to test whether this will help remove or disable the problematic popup screen whether you try to subscript to Windows 365 or Azure Virtual Desktop.

  • Allow Workplace – BLOCK
Disable Stay Signed in to all your apps Prompt using Intune while accessing Windows 365 AVD 1
Disable Stay Signed in to all your apps Prompt using Intune while accessing Windows 365 AVD 24

This section will help you to assign the “Disable Allow Workplace” Policy to the AAD User Group. You can refer to the following guide to Create Intune Settings Catalog Policy and deploy it only to a set of Intune Managed Windows 11 or Windows 10 devices using Intune Filters.

I used all users’ deployment as an example for this particular policy deployment. I want to disable Allow Workplace for all the users. You can click on the Next button and add the Scope Tags on the next page.

You will need to click on the next and create buttons to complete the policy creation process.

Disable Stay Signed in to all your apps Prompt using Windows CSP
Disable Stay Signed in to all your apps Prompt using Windows CSP

Intune Event ID 813

The Intune event ID 813 indicates a string policy is applied on the Windows 11 or Windows 10 devices. You can also see the exact value of the policy being applied on those devices.

You can check the Event log path to confirm this – Applications and Services Logs – Microsoft – Windows – Devicemanagement-Enterprise-Diagnostics-Provider – Admin.

MDM PolicyManager: Set policy int, Policy: (AllowWorkplace), Area: (Settings), EnrollmentID requesting merge: (D1E11663-BF69-4DD8-974A-BAD47E6EF433), Current User: (Device), Int: (0x0), Enrollment Type: (0x6), Scope: (0x0).

 Intune Event ID 813
Intune Event ID 813

Disallow Workplace Join using Window CSP

I could see that the correct registry value worked got applied as expected on the Cloud PC. This Windows CSP is to Disallow Workplace Join using Window CSP.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Settings

AllowWorkplace = 0 means the Workplace join scenario is disabled for the user.

 Disallow Workplace Join using Window CSP
Disallow Workplace Join using Window CSP

Now, you can see that the + Connect button is disabled from the Access work or school tab. So the policy got applied correctly as expected.

As per my testing, disabling Access Work or School didn’t make any difference to Stay Signed in to all your apps Prompt. I don’t think this is the correct policy for disabling the Stay signed in to all your apps popup.

 Disallow Workplace Join using Window CSP
Disallow Workplace Join using Window CSP

Registry Fix using Intune Win32 App to Disable Stay Signed in to all your apps Prompt

Now, let’s check whether the Registry Fix using Intune Win32 App to Disable Stay Signed in to all your apps Prompt will work as expected or not. This registry fix will block workplace join.

The registry fix is the supported way as per Microsoft docs. This registry fix helps to block users from adding more work accounts (Azure AD registered) on my corporate Windows 10/11 devices.

Prepare to Create IntuneWin file for Registry Fix to block workplace join

You need to create two files to deploy registry fix using Intune, as I explained in Deploy Registry Fix Using Intune Win32 App. Once those files are created, you will need to go through the steps mentioned in the above blog post to create the “.IntuneWin” package.

  • The first file is the registry file itself. You will need to paste the following registry information to a notepad and save it as DisableWorkplaceJoin.reg file.

The following is the registry value that you will need to deploy.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin]
@=""
"BlockAADWorkplaceJoin"=dword:00000001

Now, it’s time to create a batch file to execute this registry fix on the Windows 10 Azure AD joined devices or Hybrid Azure AD joined devices. It’s just a simple batch file to execute the DisableWorkplaceJoin.reg file.

  • You can paste the following batch file and save it as DisableWorkplaceJoin.cmd.
MD C:\Windows\Temp\DisableWorkplaceJoin
Copy "%~dp0*.reg" C:\Windows\Temp\DisableWorkplaceJoin /Y
PUSHD C:\Windows\Temp\DisableWorkplaceJoin
regedit.exe /s DisableWorkplaceJoin.reg
@echo 1.0>C:\Windows\Temp\DisableWorkplaceJoin\Ver1.0.txt
Del C:\Windows\Temp\ActiveXFix\*.reg
 Prepare to Create IntuneWin file for Registry Fix to block workplace join
Prepare to Create IntuneWin file for Registry Fix to block Workplace join

Now, you can create an IntuneWin file using the guide Deploy Registry Fix Using Intune Win32 App. Download the IntuneWinAppUtil.exe to covert the files created above into the IntuneWin package.

C:\Users\Anoop\Downloads>IntuneWinAppUtil.exe
Please specify the source folder: C:\Users\Anoop\Downloads\Source
Please specify the setup file: DisableWorkplaceJoin.cmd
Please specify the output folder: C:\Users\Anoop\Downloads\Package
Do you want to specify the catalog folder (Y/N)?n

Now, you have the package called DisableWorkplaceJoin.intunewin. The package is ready to deploy registry fix using Intune application deployment method.

 Prepare to Create IntuneWin file for Registry Fix to block workplace join
Prepare to Create IntuneWin file for Registry Fix to block Workplace join

Create Intune Win32 app to Block Workplace Join

You can now head to the MEM admin center portal to create Intune Win32 application to deploy the registry fix. It would help if you kept the DisableWorkplaceJoin.cmd file information handy while creating the application.

  • Login to endpoint.microsoft.com portal.
  • Navigate to All Apps > Windows -> Click on +Add button to create Win32 app.
Create Intune Win32 app to Block Workplace Join
Create Intune Win32 app to Block Workplace Join

You now need to select the app type that you want to deploy. Select the Intune app type called Windows app (Win32) and then click on the Select button to start the app creation process.

Create Intune Win32 app to Block Workplace Join
Create Intune Win32 app to Block Workplace Join

You can now upload the file you created in the above section IntuneWin package DisableWorkplaceJoin.intunewin” from the select app package file hyperlink.

You can click on the OK button to continue.

Create Intune Win32 app to Block Workplace Join
Create Intune Win32 app to Block Workplace Join

You can now enter the name of the application and other details from the Application information page. Proceed to the Program page to enter the install command and uninstall command details.

  • Install Command = DisableWorkplaceJoin.cmd
  • Uninstall Command = DisableWorkplaceJoin.cmd
  • Click on the NEXT button to continue.

NOTE! – The uninstall command is just a fake command just for my lab testing. But the recommendation is to go with the proper uninstall command. This is just an example of deploying a registry fix using Intune. Only for testing purposes.

 Create Intune Win32 app to Block Workplace Join using Intune
Create Intune Win32 app to Block Workplace Join using Intune

You can now select the requirement page OS architecture and minimum OS from this page and click on the next button to continue. This package is going to help to disable Stay Signed in to all your apps Prompt.

  • Operating System Architecture = 64-bit
  • Minimum Operating System – Windows 10 2004
  • Click on the Next button
 Create Intune Win32 app to Block Workplace Join using Intune
Create Intune Win32 app to Block Workplace Join using Intune

You can also go over the Detection Rules page and select Configure app-specific rules used to detect the app’s presence. Select the option Manually configure detection rules to continue building detection logic for this application deployment.

Click on the +Add button to add the following detection rule.

  • Rule Type -> File
  • Path -> C:\Windows\Temp\DisableWorkplaceJoin
  • File or folder – Ver1.0.txt
  • Detection Method -> File or Folder exists
  • Associated with a 32-bit app on 64-bit clients -> NO
  • Click OK and NEXT to continue.
 Create Intune Win32 app to Block Workplace Join using Intune
Create Intune Win32 app to Block Workplace Join using Intune

You can go over the dependencies and supersedence, scope tags pages to continue. Those pages are not mandatory for this Registry to fix Intune win32 application. On the assignment page, you need to assign this application to any Azure AD device group.

You can refer to the following guide to Create Intune Settings Catalog Policy and deploy it only to a set of Intune Managed Windows 11 or Windows 10 devices using Intune Filters.

I used all users’ deployment as an example for this particular policy deployment. I want to disable Workplace Join and stop getting Stay Signed in to all your apps prompt. You can click on the Next button and add the Scope Tags on the next page.

You will need to click on the next and create buttons to complete the policy creation process. Now, you are already deployed the registry fix to Disable Workplace Join.

 Create Intune Win32 app to Disable Workplace Join
Create Intune Win32 app to Disable Workplace Join

Restart Intune Management Extension Service to deploy the registry fix to disable Workplace Join and stop getting Stay Signed in to all your apps prompt using Win32 app to Cloud PCs.

Verification Block Workplace Join

You can look into Intune Management Extension Deep Dive – Win32 App Deployment Troubleshooting Help Guide to get more details on troubleshooting if the registry fix via Win32 App deployment is not working for you.

The registry check before the application deployment to add the registry value.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin

The registry key name BlockAADWorkplaceJoin is not present.

 Verification Block Workplace Join
Verification Block Workplace Join

After the successful deployment of the application BlockAADWorkplaceJoin, the Registry key called BlockAADWorkplaceJoin got created.

BlockAADWorkplaceJoin = 1

  Verification Block Workplace Join
Verification Block Workplace Join

Conclution Disable Workplace Join using Windows CSP Vs Registry Entry

Didn’t Work as expected – Windows CSP is to Disallow Workplace Join using Window CSP; it didn’t help to disable Stay Signed in to all your apps prompt.

WORKED Fine – The registry fix to Block Workplace Join using Intune helped to disable Stay Signed in to all your apps prompt.

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc……………

2 thoughts on “Disable Stay Signed in to all your apps Prompt using Intune while accessing Windows 365 AVD”

  1. I have a similar concern. I would like to have unmanaged devices blocked from getting this prompt as we have seen a number of accidental enrollments which turned into us fully managing personal devices, which is not in our management strategy.

    Can this prompt be blocked for unmanaged or unknown devices?

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.