So recently I’ve been working on quite a few Hybrid-Registration projects, and unfortunately many of my clients still have down-level (Win7/8.1) devices!
Now when you’re running Windows 10, as long as AD Connect is syncing the Win10 Computers OU, then it will maintain the objects as they are removed/disabled.
This, however, leaves a big gap for down-level devices, which just stick out there forever (and could represent a security risk). So we went ahead and wrote a quick little PowerShell script that can be run from the AD Connect server (assuming you have the AD RSAT tools and the AzureAD PowerShell module installed).
If you are going to run this in a Production environment, PLEASE either don’t run it with elevated AAD credentials OR run it after removing the Remove-AzureADDevice cmdlets.
This script is written to query all AD computer objects (that aren’t of Server OS or Windows 10), get all Azure AD Hybrid-Registered devices (that aren’t Server or Windows 10), compare the object Names and remove the objects that are no longer on-prem or that have been disabled (but were registered at one point).
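As an added illustration of that logic (my own sketch here, not the TechNet script itself), a report-first version in PowerShell: it assumes the ActiveDirectory and AzureAD modules, an existing Connect-AzureAD session, that hybrid devices carry DeviceTrustType 'ServerAd', and that the Azure AD DisplayName matches the on-prem computer name. It goes slightly beyond the description above by recognising servers from the AD OperatingSystem attribute rather than the Azure AD OS version, since Server 2008 R2/2012 R2 report the same kernel versions as Windows 7/8.1; nothing is deleted unless -RemoveDevices is given, and -WhatIf is honoured.

```powershell
# Added example: report (and optionally remove) stale down-level hybrid-registered devices.
# Assumes the ActiveDirectory and AzureAD modules are installed and Connect-AzureAD has been run.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$RemoveDevices   # report-only unless set; combine with -WhatIf for a dry run
)

Import-Module ActiveDirectory
Import-Module AzureAD

# Index every on-prem computer by name so each Azure AD device costs one hashtable lookup.
$adComputers = @{}
Get-ADComputer -Filter * -Properties OperatingSystem, Enabled |
    ForEach-Object { $adComputers[$_.Name.ToUpperInvariant()] = $_ }

# Hybrid (domain-joined) devices show DeviceTrustType 'ServerAd' (assumption noted in the lead-in);
# Windows 10 is excluded by its 10.x OS version, exactly as AD Connect already maintains it.
$candidates = Get-AzureADDevice -All $true |
    Where-Object {
        $_.DeviceTrustType -eq 'ServerAd' -and
        $_.DeviceOSType -eq 'Windows' -and
        $_.DeviceOSVersion -notlike '10.*'
    }

$stale = foreach ($device in $candidates) {
    $ad = $adComputers["$($device.DisplayName)".ToUpperInvariant()]
    if ($ad -and $ad.OperatingSystem -like '*Server*') { continue }   # never touch servers
    if ($ad -and $ad.Enabled) { continue }                              # still live on-prem
    [pscustomobject]@{
        DisplayName = $device.DisplayName
        ObjectId    = $device.ObjectId
        OSVersion   = $device.DeviceOSVersion
        LastLogon   = $device.ApproximateLastLogonTimeStamp
        Reason      = if ($ad) { 'Disabled in AD' } else { 'Not found in AD' }
    }
}

# Always emit the review list first; this is the evidence you keep before any removal.
$stale | Format-Table -AutoSize

if ($RemoveDevices) {
    foreach ($d in $stale) {
        if ($PSCmdlet.ShouldProcess($d.DisplayName, 'Remove-AzureADDevice')) {
            Remove-AzureADDevice -ObjectId $d.ObjectId
        }
    }
}
```

Run it once with no switches to get the report, then `.\script.ps1 -RemoveDevices -WhatIf` to see exactly which objects would go before committing.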
Future revisions will have further PowerShell checks and error handling, and we plan on adapting this for Azure Automation at some point.
You can find the script on TechNet here.