Forum Discussion

KonLianos
Copper Contributor
Jun 18, 2024

Manual re-enrollment in Autopilot from License E3/E5 to P1/P2

Step 1: Delete stale scheduled tasks

Follow this procedure:

  • Run the Task Scheduler as an administrator.

  • Go to Task Scheduler Library > Microsoft > Windows > EnterpriseMgmt. Write down the enrollment ID somewhere; you will need it for the cleanup.

  • Delete all the existing tasks in the enrollment folder.

  • Delete the enrollment ID folder.

Step 2

  • Find and store the Object ID from Azure Portal.
  • Find and store the serial number of the device from the Intune Portal.

  • Retire the device from Intune.

 

Step 3

Check the group tag on the computer's serial number and remove it if it exists.

Step 4

Delete object IDs from Entra ID. If you can’t delete it from the web interface, then run the following in PowerShell on your laptop: Connect-AzureAD and Remove-AzureADDevice -ObjectId "XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"

Step 5

Run “dsregcmd /status”

Check if the device is not managed in the Entra ID and Intune portal.

In case AzureAdJoined remains YES, run the command “dsregcmd /leave” and delete the device from Intune.

Step 6

Add the “dem_account” user to the local admin group on the device (a restart is needed).

Log in as “dem_account”.

Important: Check if the admin access exists until the end of the steps.

Step 7: delete stale registry keys

Use the previous enrollment ID to search the registry:

  • Open the Registry Editor as an administrator.

  • Search for the enrollment ID you wrote down in the following locations, and if found, delete the key that contains the ID:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\xxxxxxxxxxxxx
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\Status\xxxxxxxxxxxxx
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked\xxxxxxxxxxxxx
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled\xxxxxxxxxxxxx
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\xxxxxxxxxxxxx
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\xxxxxxxxxxxxx
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Logger\xxxxxxxxxxxxx
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Sessions\xxxxxxxxxxxxx

Step 8: delete the Intune enrollment certificate

Follow the procedure:

  • Search for the option “Manage computer certificates” or use the command certlm.msc as an administrator.

  • Go to Personal > Certificates and delete the certificate issued by either “Microsoft Intune MDM Device CA” or “SC_Online_Issuing” (depending on the date of the enrollment).

Step 9: Restart the enrollment process

In case the device is an Autopilot device, we must delete the file c:\windows\servicestate\wmansvc\AutopilotDDSZTDFile.json before we continue.

The enrollment command must be entered in a SYSTEM context to be properly executed. We will use the PSExec tool for that purpose.



  • Use PSExec to launch a Command Prompt as SYSTEM ADMINISTRATOR:

psexec /i /s cmd



  • In the Command Prompt, enter one of the following commands depending on your enrollment type:



Windows 10 / Windows 11 Enterprise (using User Credential)

%windir%\system32\deviceenroller.exe /c /AutoEnrollMDM

  • In the computer certificate store, check that a new Intune certificate has been enrolled for the device.

  • Execute gpupdate /force.

  • Restart the device.

MDM URL: https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc

Important: Check if the admin access on the user “dem_user” exists before enrolling.

Step 10

  • Download the company portal and log in with the “demmng_Cenergy” user.
  • Check in the Intune portal if the device is managed.

Important info: Remove the old License E3/E5 from the user.
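
An added example, not part of the original post: a read-only PowerShell check that lists what Steps 1, 7, 8 and 9 would still find on the device for a given enrollment ID, useful before the manual cleanup and again afterwards to confirm nothing was missed. The function name Get-StaleEnrollmentArtifact and the all-zero enrollment ID are hypothetical placeholders, and it assumes the enrollment ID is a GUID used as the folder/key name without braces; run it from an elevated PowerShell session.

```powershell
# Added example (not from the original post): read-only audit of leftover
# MDM enrollment artifacts. Nothing is deleted; removal stays manual.
function Get-StaleEnrollmentArtifact {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # Enrollment ID written down in Step 1 (folder name under EnterpriseMgmt)
        [Parameter(Mandatory)][guid]$EnrollmentId
    )
    $id = $EnrollmentId.ToString()   # assumption: ID appears without braces

    # Step 7: the registry locations listed in the post
    $roots = 'Enrollments', 'Enrollments\Status', 'EnterpriseResourceManager\Tracked',
             'PolicyManager\AdmxInstalled', 'PolicyManager\Providers',
             'Provisioning\OMADM\Accounts', 'Provisioning\OMADM\Logger',
             'Provisioning\OMADM\Sessions'
    foreach ($root in $roots) {
        $key = "HKLM:\SOFTWARE\Microsoft\$root\$id"
        if (Test-Path -LiteralPath $key) {
            [pscustomobject]@{ Step = 7; Type = 'RegistryKey'; Item = $key }
        }
    }

    # Step 1: scheduled tasks still present in the enrollment ID folder
    Get-ScheduledTask -TaskPath "\Microsoft\Windows\EnterpriseMgmt\$id\*" -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Step = 1; Type = 'ScheduledTask'; Item = $_.TaskPath + $_.TaskName }
        }

    # Step 8: certificates in Personal > Certificates from the two issuers named in the post
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -match 'Microsoft Intune MDM Device CA|SC_Online_Issuing' } |
        ForEach-Object {
            $expires = $_.NotAfter.ToString('yyyy-MM-dd')
            [pscustomobject]@{ Step = 8; Type = 'Certificate'; Item = "$($_.Thumbprint) (expires $expires)" }
        }

    # Step 9: Autopilot profile file that must be gone before re-enrolling
    $ztd = Join-Path $env:windir 'ServiceState\wmansvc\AutopilotDDSZTDFile.json'
    if (Test-Path -LiteralPath $ztd) {
        [pscustomobject]@{ Step = 9; Type = 'File'; Item = $ztd }
    }
}

# Constructed placeholder ID; replace it with the ID written down in Step 1.
$found = @(Get-StaleEnrollmentArtifact -EnrollmentId '00000000-0000-0000-0000-000000000000')
if ($found.Count) { $found | Sort-Object Step | Format-Table -AutoSize }
else { 'No leftover enrollment artifacts found.' }
```

After Step 9 a certificate row is expected again, since a new Intune certificate is enrolled at that point; the registry, task and file rows for the old ID should stay empty.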

 

 
