Alright, so the previous suggestions are unrelated. The key piece of information you provided was seeing a popup related to signing into O365 on the Windows 10 devices. Not knowing your deployment details, I would assume the configuration which is causing this automatic enrollment is within Azure AD. When Azure AD is integrated into Workspace ONE UEM (you probably have this set up for O365 DLP or revoking tokens) under Directory Services (you will see Enable Azure AD Services). If this is the case, and you still want this integration for the previous reasons stated, you can make some configuration changes in Azure AD. 1) limiting the scope of who is assigned to the AW by VMware enterprise (MDM) app in the Azure portal. Currently, its likely set to ALL meaning all users who sign into Azure services (O365, Windows Sign-in, or OOBE) will automatically be enrolled in Workspace ONE. 2) Not sure where the settings are since the UI has recently changed but you can prevent devices from joining Azure AD, so they do not enroll in Workspace ONE or Azure AD when signing into O365.
Overall, these changes should not be made lightly and without consideration especially in a production environment. I suggest reaching out to support or your VMware rep to ensure there will not be any impact to your environment.
If you are interested in learning more about Windows 10 management (especially if you have user-based licensing) (and because it's awesome what you can do :smileygrin:) I highly suggest taking a look at the Understanding Windows 10 Management path on the Digital Workspace Tech Zone site! You can also check out Enrolling your Windows devices into Azure AD tutorial for more on this configuration, such as using Autopilot.
