ATP Onboarding Error


We're currently participating in the new Defender SMB preview, but we're running into a snag. It appears that the company previously ran an ATP preview and a majority of the machines were never properly offboarded. 

When running a GPO or local script onboarding, it's running and showing as successful but not appearing in the devices list on the Defender site. Looking at HKLM:\Software\Microsoft\Windows Advanced Threat Protection, the OnboardedInfo is pointing to what I guess are older servers and not the same as the handful that have properly onboarded.

Attempting to edit this key as admin or as NT AUTHORITY\SYSTEM via GPO results in an access error. We've attempted to change the permissions from NT AUTHORITY\SYSTEM to an admin or user but it's failed. The test machine was only able to be changed after a safe boot and then changing the key. Is there a simpler solution that doesn't involve going machine to machine and booting into safe mode and then editing each machine?

1 Reply
You may need to generate the offboarding package from the MDE security center that was used during the preview and execute it on the server where you are seeing the wrong onboarding info in the regkey. Then, generate the onboarding script from the new MDE security center and deploy it.
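
A read-only check for the condition described in this thread, as an added example that is not part of the original posts or of Microsoft's onboarding scripts: it reports whether a machine's OnboardedInfo value references the tenant you expect, so stale machines can be listed before any offboarding package is deployed. The org ID placeholder, the verdict names, and the assumption that the OnboardedInfo data contains the tenant's org ID as text are assumptions of this example.

```powershell
# Added example: read-only audit of the onboarding state on one machine.
# $ExpectedOrgId is a placeholder; supply the org ID of the tenant you are onboarding to.
param(
    [string]$ExpectedOrgId = '00000000-0000-0000-0000-000000000000'  # placeholder value
)

$base   = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection'
$status = Join-Path $base 'Status'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value is absent.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# OnboardedInfo is the value the thread inspects; cast so a missing value becomes ''.
[string]$onboardedInfo = Get-RegValue -Path $base -Name 'OnboardedInfo'
$onboardingState       = Get-RegValue -Path $status -Name 'OnboardingState'
$sense                 = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue

# Assumption: the org ID appears as plain text somewhere inside OnboardedInfo,
# so a case-insensitive substring match is enough to tell tenants apart.
if ([string]::IsNullOrEmpty($onboardedInfo)) {
    $verdict = 'NoOnboardedInfo'
} elseif ($onboardedInfo.IndexOf($ExpectedOrgId, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
    $verdict = 'ExpectedTenant'
} else {
    $verdict = 'StaleTenant'   # candidate for the old tenant's offboarding package
}

if ($sense) { $senseStatus = "$($sense.Status)" } else { $senseStatus = 'NotInstalled' }

# One object per machine, suitable for collecting across a fleet and exporting to CSV.
[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    OnboardingState = $onboardingState   # 1 means the service reports itself onboarded
    SenseService    = $senseStatus
    Verdict         = $verdict
}
```

Machines that report StaleTenant are the ones the reply's offboard-then-onboard sequence applies to; the script changes nothing on the host.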