Endpoint not disconnected from AD after unenrollment

Read this page to remove an Offline Domain Join (ODJ)-enrolled endpoint from Active Directory (AD) after unenrollment, so that the device can no longer authenticate to the domain or reach domain-protected network resources.

Problem

When an endpoint that was enrolled with an ODJ policy is unenrolled from the WebUI, it is disconnected from MDM, but its computer account is not removed from AD. Because the computer account survives, the device keeps its domain trust and can continue to authenticate to domain resources until the account is disabled or deleted.

Cause

MCM v3.0 provides no setting or action that can be invoked to disconnect an unenrolled device from AD; the computer account must be cleaned up outside MDM.

Solution

After unenrollment, an AD administrator must manually disable or remove the unenrolled endpoint's computer account in AD.

To remove an endpoint from AD, follow these steps:
  1. Open Active Directory Users and Computers (ADUC) on a domain controller or on a computer with the Active Directory Administration Tools (RSAT) installed.
  2. Expand the domain tree and navigate to the container where the computer account is located.
    Note: By default, computer accounts are created in the Computers container, but an ODJ provisioning blob can place the account in any OU, so check the OU specified in the ODJ policy if the account is not in Computers. Alternatively, use Find (right-click the domain, then Find) with the endpoint's host name.
  3. Locate the computer account that you want to remove and right-click it.
    Note: Consider selecting Disable Account first and deleting the account only after a retention period. A disabled computer account can no longer authenticate to the domain, but the object and its SID are retained, so the action is reversible and the account still appears in audit trails.
  4. Select the Delete option from the context menu and confirm.
    Note: If the computer object has child objects (for example, BitLocker recovery information), ADUC asks you to confirm deletion of the whole subtree.
    Important: Deleting the computer account breaks the device's trust relationship with the domain: the machine account can no longer obtain Kerberos tickets or use NTLM, and Group Policy stops applying. It does not remove the device from the network. A user can still sign in locally with cached domain credentials, the device keeps its IP connectivity, and any resource that does not require domain authentication remains reachable.
  5. To prevent the deleted endpoint from accessing network resources, remove its DNS A and PTR records and its DHCP lease or reservation (if applicable), revoke any certificates issued to the device, and block its network access where your infrastructure supports it (for example, disable the switch port, Wi-Fi or VPN access for the device, or remove it from NAC).
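The same cleanup can be scripted so that it is repeatable and verified. The following PowerShell script is an added example, not part of the MCM product documentation; it runs from a management host with the RSAT ActiveDirectory, DnsServer and DhcpServer modules and assumes hypothetical names (PC01, corp.example.com, dns01, dhcp01) and a class C reverse zone. It disables the account by default, deletes it only when -Delete is given, removes DNS and DHCP traces, and checks the result.

```powershell
# Added example (not MCM's own tooling): remove an unenrolled ODJ endpoint from AD,
# DNS and DHCP. Requires the RSAT ActiveDirectory, DnsServer and DhcpServer modules
# and an account with rights on the AD OU, the DNS zones and the DHCP server.
# All names below (PC01, corp.example.com, dns01, dhcp01) are hypothetical.
#Requires -Modules ActiveDirectory, DnsServer, DhcpServer
param(
    [Parameter(Mandatory)][string]$ComputerName,   # host name, e.g. 'PC01' (no trailing $)
    [string]$DnsZone    = 'corp.example.com',
    [string]$DnsServer  = 'dns01',
    [string]$DhcpServer = 'dhcp01',
    [switch]$Delete     # without this switch the account is only disabled (reversible)
)
$ErrorActionPreference = 'Stop'

# 1. Locate the computer object wherever the ODJ blob placed it; refuse to act on
#    no match or on an ambiguous match.
$found = @(Get-ADComputer -Filter "Name -eq '$ComputerName'" `
           -Properties LastLogonDate, DNSHostName, IPv4Address, OperatingSystem)
if ($found.Count -eq 0) { throw "No computer account named '$ComputerName' found in AD." }
if ($found.Count -gt 1) { throw "More than one computer account matches '$ComputerName'; narrow the search." }
$computer = $found[0]
Write-Host ("Found {0} ({1}), last logon {2}, IP {3}" -f $computer.DistinguishedName,
    $computer.OperatingSystem, $computer.LastLogonDate, $computer.IPv4Address)

# 2. Disable first. The machine account can no longer authenticate (its secure channel
#    breaks), but the object and SID are kept, so the step is reversible and auditable.
Disable-ADAccount -Identity $computer
Set-ADComputer -Identity $computer -Description ("Unenrolled from MDM on {0}; disabled pending deletion" -f (Get-Date -Format 'yyyy-MM-dd'))

# 3. Delete only when explicitly requested. Remove-ADComputer fails on a non-leaf object
#    (e.g. BitLocker recovery info underneath it); fall back to a recursive delete.
if ($Delete) {
    try   { Remove-ADComputer -Identity $computer -Confirm:$false }
    catch { Remove-ADObject -Identity $computer.DistinguishedName -Recursive -Confirm:$false }
}

# 4. Remove the forward (A) record and the matching PTR record so the old name no
#    longer resolves to the device. Reverse zone derived from the first three octets
#    (class C assumption; adjust for other reverse zone layouts).
$aRecords = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $DnsZone `
            -Name $ComputerName -RRType A -ErrorAction SilentlyContinue
foreach ($rec in $aRecords) {
    $ip = $rec.RecordData.IPv4Address.IPAddressToString
    Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $DnsZone `
        -RRType A -Name $ComputerName -RecordData $ip -Force
    $o = $ip.Split('.')
    $ptrZone = "{0}.{1}.{2}.in-addr.arpa" -f $o[2], $o[1], $o[0]
    Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ptrZone `
        -RRType Ptr -Name $o[3] -Force -ErrorAction SilentlyContinue
}

# 5. Release any DHCP lease still recorded under the device's host name so the
#    address is not kept for it.
$fqdn = "$ComputerName.$DnsZone"
foreach ($scope in Get-DhcpServerv4Scope -ComputerName $DhcpServer) {
    Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $scope.ScopeId |
        Where-Object { $_.HostName -eq $fqdn -or $_.HostName -eq $ComputerName } |
        ForEach-Object { Remove-DhcpServerv4Lease -ComputerName $DhcpServer -IPAddress $_.IPAddress }
}

# 6. Verify: the account must be gone (or disabled) and the name must no longer resolve.
$check = Get-ADComputer -Filter "Name -eq '$ComputerName'" -ErrorAction SilentlyContinue
if ($Delete -and $check)              { throw "Computer account still present after deletion." }
if (-not $Delete -and $check.Enabled) { throw "Computer account still enabled." }
if (Resolve-DnsName -Name $fqdn -Server $DnsServer -ErrorAction SilentlyContinue) {
    Write-Warning "$fqdn still resolves; check for stale records or a second DNS server."
}
```

Run it as `.\Remove-UnenrolledEndpoint.ps1 -ComputerName PC01` to disable and clean up, and add `-Delete` once the retention period has passed. Step 5 from the procedure (revoking certificates and blocking switch port, Wi-Fi, VPN or NAC access) depends on your PKI and network vendor and is deliberately not included here.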