Forum Discussion
Manual re-enrollment in Autopilot from License E3/E5 to P1/P2
Step 1: Delete stale scheduled tasks
Follow this procedure:
- Run the Task Scheduler as an administrator.
- Go to Task Scheduler Library > Microsoft > Windows > EnterpriseMgmt. Write down the enrollment ID somewhere; you will need it for the cleanup.
- Delete all the existing tasks in the enrollment folder.
- Delete the enrollment ID folder.
Step 2
- Find and store the Object ID from Azure Portal.
- Find and store the serial number of the device from the Intune Portal.
- Retire the device from Intune.
Step 3
Check the group tag on the computer's serial number and remove it if it exists.
Step 4
Delete object IDs from Entra ID. If you can’t delete it from the web interface, then run the following in PowerShell on your laptop: Connect-AzureAD, then Remove-AzureADDevice -ObjectId "XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
Step 5
Run “dsregcmd /status”
Check that the device is not managed in the Entra ID and Intune portals.
In case AzureAdJoined remains YES, run the command “dsregcmd /leave” and delete the device from Intune.
Step 6
Add the “dem_account” user to the local admin group on the device (a restart is needed).
Log in as “dem_account”.
Important: Check that the admin access remains in place until the end of the steps.
Step 7: Delete stale registry keys
Use the previous enrollment ID to search the registry:
- Open the Registry Editor as an administrator.
- Search for the enrollment ID you wrote down in the following locations, and if found, delete the key that contains the ID:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\xxxxxxxxxxxxx
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\Status\xxxxxxxxxxxxx
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked\xxxxxxxxxxxxx
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled\xxxxxxxxxxxxx
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\xxxxxxxxxxxxx
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\xxxxxxxxxxxxx
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Logger\xxxxxxxxxxxxx
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Sessions\xxxxxxxxxxxxx
Step 8: Delete the Intune enrollment certificate
Follow the procedure:
- Search for the option “Manage computer certificates” or use the command certlm.msc as an administrator.
- Go to Personal > Certificates and delete the certificate issued by either “Microsoft Intune MDM Device CA” or “SC_Online_Issuing” (depending on the date of the enrollment).
Step 9: Restart the enrollment process
If the device is an Autopilot device, we must delete the file c:\windows\servicestate\wmansvc\AutopilotDDSZTDFile.json before we continue.
The enrollment command must be entered in a SYSTEM context to be properly executed. We will use the PSExec tool for that purpose.
- Download the PSExec tool from the Microsoft website
- Use PSExec to launch a Command Prompt as SYSTEM ADMINISTRATOR:
psexec /i /s cmd
- In the Command Prompt, enter one of the following commands depending on your enrollment type:
Windows 10 / Windows 11 Enterprise (using User Credential)
%windir%\system32\deviceenroller.exe /c /AutoEnrollMDM
- In the computer certificate store, check that a new Intune certificate has been enrolled for the device.
- Execute gpupdate /force.
- Restart the Device.
- Connect to the work or school account with account “email address removed for privacy reasons” and MDM URL https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
Important: Check if the admin access on the user “dem_user” exists before enrolling.
Step 10
- Download the company portal and log in with the “demmng_Cenergy” user.
- Check in the Intune portal if the device is managed.
Important info: Remove the old License E3/E5 from the user.
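
The following read-only check is an added example, not part of the original post. It reports which of the artifacts named in Steps 1, 7, 8 and 9 are still present on the device before the enrollment in Step 9 is restarted. The parameter name $EnrollmentId and its default value are constructed placeholders; pass the enrollment ID noted in Step 1 and run it from an elevated PowerShell session.

```powershell
# Added example: lists leftover MDM enrollment artifacts. It deletes nothing.
param(
    # Constructed placeholder; replace with the enrollment ID noted in Step 1.
    [string]$EnrollmentId = '00000000-0000-0000-0000-000000000000'
)

$findings = @()

# Step 1: scheduled tasks in the enrollment ID folder under EnterpriseMgmt
$taskPath = "\Microsoft\Windows\EnterpriseMgmt\$EnrollmentId\"
foreach ($task in @(Get-ScheduledTask -TaskPath $taskPath -ErrorAction SilentlyContinue)) {
    $findings += [pscustomobject]@{ Step = 1; Type = 'ScheduledTask'; Item = $task.TaskPath + $task.TaskName }
}

# Step 7: registry keys named after the enrollment ID (locations listed in the post)
$parents = @(
    'SOFTWARE\Microsoft\Enrollments',
    'SOFTWARE\Microsoft\Enrollments\Status',
    'SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked',
    'SOFTWARE\Microsoft\PolicyManager\AdmxInstalled',
    'SOFTWARE\Microsoft\PolicyManager\Providers',
    'SOFTWARE\Microsoft\Provisioning\OMADM\Accounts',
    'SOFTWARE\Microsoft\Provisioning\OMADM\Logger',
    'SOFTWARE\Microsoft\Provisioning\OMADM\Sessions'
)
foreach ($parent in $parents) {
    $key = "HKLM:\$parent\$EnrollmentId"
    if (Test-Path -LiteralPath $key) {
        $findings += [pscustomobject]@{ Step = 7; Type = 'RegistryKey'; Item = $key }
    }
}

# Step 8: enrollment certificate in Personal > Certificates of the computer store
$issuerPattern = 'Microsoft Intune MDM Device CA|SC_Online_Issuing'
foreach ($cert in @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -match $issuerPattern })) {
    $findings += [pscustomobject]@{ Step = 8; Type = 'Certificate'; Item = "$($cert.Thumbprint) ($($cert.Issuer))" }
}

# Step 9: Autopilot profile file that must be gone before re-enrolling
$autopilotFile = Join-Path $env:windir 'ServiceState\wmansvc\AutopilotDDSZTDFile.json'
if (Test-Path -LiteralPath $autopilotFile) {
    $findings += [pscustomobject]@{ Step = 9; Type = 'File'; Item = $autopilotFile }
}

if ($findings.Count -eq 0) {
    Write-Output "No leftover enrollment artifacts found for $EnrollmentId."
} else {
    $findings | Sort-Object Step | Format-Table -AutoSize -Wrap
}
```

An empty result means the cleanup steps left nothing behind; any row points back to the step that still needs to be completed.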