For folks that have followed this article (especially those Teams admins doing MTR for Windows deployments) and get a provisioning package that joins the machine to AAD, but does NOT enroll in Intune, there's a critical step missing depending on how your tenant is configured. Once you've obtained the Bulk Token and the Package_xxx account is created...if your auto-enrollment for windows MDM scope is set to none, then Intune will not be enrolled. Additionally, if this scope is set to "some" then you need to ensure that the Package_xxx account is included in any of the security groups Windows auto-enrollment is targeting...otherwise all you'll ever get is AADJ with this package. I am doing this as part of a Microsoft Teams Room deployment so this was a key step that was throwing me off...I'd like to credit Tom F. from Intune team for helping me (from Teams side) to better understand this nuance. I hope this helps someone, and/or the owner updates the original article.