Manual re-enrollment in Autopilot from License E3/E5 to P1/P2
Step 1: Delete stale scheduled tasks
Follow this procedure:
Run the Task Scheduler as an administrator.
Go to Task Scheduler Library > Microsoft > Windows > EnterpriseMgmt. Write down the enrollment ID; you will need it for the cleanup.
Delete all the existing tasks in the enrollment folder.
Delete the enrollment ID folder.
Step 2
Find and store the Object ID from the Azure Portal.
Find and store the serial number of the device from the Intune Portal.
Retire the device from Intune.
Step 3
Check the group tag on the computer’s serial number and remove it if it exists.
Step 4
Delete the object IDs from Entra ID. If you can’t delete them from the web interface, run the following in PowerShell on your laptop: Connect-AzureAD, then Remove-AzureADDevice -ObjectId "XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
Step 5
Run “dsregcmd /status”
Check that the device is no longer managed in the Entra ID and Intune portals.
If AzureAdJoined remains YES, run the command “dsregcmd /leave” and delete the device from Intune.
Step 6
Add the “dem_account” user to the local administrators group on the device (restart is needed).
Log in as “dem_account”.
Important: Check that the admin access remains in place until the end of the steps.
Step 7: delete stale registry keys
Use the previous enrollment ID to search the registry:
Open the Registry Editor as an administrator.
Search for the enrollment ID you wrote down in the following locations, and if found, delete the key that contains the ID:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\xxxxxxxxxxxxx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\Status\xxxxxxxxxxxxx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked\xxxxxxxxxxxxx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled\xxxxxxxxxxxxx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\xxxxxxxxxxxxx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\xxxxxxxxxxxxx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Logger\xxxxxxxxxxxxx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Sessions\xxxxxxxxxxxxx
Step 8: delete the Intune enrollment certificate
Follow the procedure:
Search for the option “Manage computer certificates” or use the command certlm.msc as an administrator.
Go to Personal > Certificates and delete the certificate issued by either “Microsoft Intune MDM Device CA” or “SC_Online_Issuing” (depending on the date of the enrollment).
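A read-only check for the leftovers that steps 1, 7 and 8 remove, to run in an elevated PowerShell session before restarting enrollment. This is an added example, not part of the original procedure; the function name Get-StaleEnrollmentArtifact is hypothetical, and it assumes the enrollment ID is a GUID.

```powershell
# Added example: report leftovers of a previous MDM enrollment. Nothing is deleted.
function Get-StaleEnrollmentArtifact {
    [CmdletBinding()]
    param(
        # Enrollment ID noted in step 1. Assumption: it is a GUID. Validating it
        # also stops an empty value from matching the parent keys themselves.
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$')]
        [string]$EnrollmentId
    )

    # Step 7: the registry locations listed on this page.
    $base = 'HKLM:\SOFTWARE\Microsoft'
    $parents = @(
        'Enrollments', 'Enrollments\Status', 'EnterpriseResourceManager\Tracked',
        'PolicyManager\AdmxInstalled', 'PolicyManager\Providers',
        'Provisioning\OMADM\Accounts', 'Provisioning\OMADM\Logger',
        'Provisioning\OMADM\Sessions'
    )
    foreach ($parent in $parents) {
        $key = "$base\$parent\$EnrollmentId"
        if (Test-Path -LiteralPath $key) {
            [pscustomobject]@{ Step = 7; Type = 'RegistryKey'; Item = $key }
        }
    }

    # Step 1: scheduled tasks in the EnterpriseMgmt\<enrollment ID> folder.
    $taskPath = "\Microsoft\Windows\EnterpriseMgmt\$EnrollmentId\"
    Get-ScheduledTask -TaskPath $taskPath -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Step = 1; Type = 'ScheduledTask'; Item = $_.TaskPath + $_.TaskName }
    }

    # Step 8: machine certificates from the two issuers named on this page.
    $issuers = 'Microsoft Intune MDM Device CA', 'SC_Online_Issuing'
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $certIssuer = $_.Issuer
        $issuers | Where-Object { $certIssuer -like "*$_*" }
    } | ForEach-Object {
        [pscustomobject]@{ Step = 8; Type = 'Certificate'; Item = "$($_.Thumbprint) ($($_.Issuer))" }
    }
}

# Constructed placeholder ID; substitute the value written down in step 1.
$found = Get-StaleEnrollmentArtifact -EnrollmentId '00000000-0000-0000-0000-000000000000'
if ($found) { $found | Format-Table -AutoSize } else { 'No stale enrollment artifacts found.' }
```

Any row in the output names the step whose cleanup is incomplete; an empty result means the device is ready for step 9.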
Step 9: Restart the enrollment process
If the device is an Autopilot device, we must delete the file c:\windows\servicestate\wmansvc\AutopilotDDSZTDFile.json before we continue.
The enrollment command must be entered in a SYSTEM context to be properly executed. We will use the PSExec tool for that purpose.
Download the PSExec tool from the Microsoft website.
Use PSExec to launch a Command Prompt as SYSTEM:
psexec /i /s cmd
In the Command Prompt, enter one of the following commands depending on your enrollment type:
Windows 10 / Windows 11 Enterprise (using User Credential)
%windir%\system32\deviceenroller.exe /c /AutoEnrollMDM
In the computer certificate store, check that a new Intune certificate has been enrolled for the device.
Execute gpupdate /force.
Restart the device.
Connect to the work or school account with the account “email address removed for privacy reasons” and the MDM URL https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
Important: Check if the admin access on the user “dem_user” exists before enrolling.
Step 10
Download the Company Portal and log in with the “demmng_Cenergy” user.
Check in the Intune portal if the device is managed.
Important info: Remove the old License E3/E5 from the user.