Manual re-enrollment in Autopilot from License E3/E5 to P1/P2



Step 1: Delete stale scheduled tasks

Follow this procedure:

  • Run the Task Scheduler as an administrator.



  • Go to Task Scheduler Library > Microsoft > Windows > EnterpriseMgmt. Write down the enrollment ID somewhere; you will need it for the cleanup.



  • Delete all the existing tasks in the enrollment folder.



  • Delete the enrollment ID folder.






Step 2

  • Find and store the Object ID from the Azure portal.
  • Find and store the serial number of the device from the Intune portal.






  • Retire the device from Intune.


Step 3

Check the group tag on the computer's serial number and remove it if it exists.



Step 4

Delete the object ID from Entra ID. If you can’t delete it from the web interface, run the following commands in PowerShell on your laptop:

Connect-AzureAD

Remove-AzureADDevice -ObjectId "XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"



Step 5

Run “dsregcmd /status”

Check that the device is no longer managed in the Entra ID and Intune portals.

If AzureAdJoined remains YES, run the command “dsregcmd /leave” and delete the device from Intune.







Step 6

Add the “dem_account” user to the local admin group on the device (a restart is needed).

Log in as “dem_account”.

Important: Check that the admin access stays in place until the end of the steps.


Step 7: Delete stale registry keys

Use the previous enrollment ID to search the registry:

  • Open the Registry Editor as an administrator.



  • Search for the enrollment ID you wrote down in the following locations and, if found, delete the key that contains the ID:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\xxxxxxxxxxxxx
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\Status\xxxxxxxxxxxxx
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked\xxxxxxxxxxxxx
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled\xxxxxxxxxxxxx
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\xxxxxxxxxxxxx
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\xxxxxxxxxxxxx
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Logger\xxxxxxxxxxxxx
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Sessions\xxxxxxxxxxxxx



Step 8: Delete the Intune enrollment certificate

Follow the procedure:

  • Search for the option “Manage computer certificates” or use the command certlm.msc as an administrator.



  • Go to Personal > Certificates and delete the certificate issued by either “Microsoft Intune MDM Device CA” or “SC_Online_Issuing” (depending on the date of the enrollment).



Step 9: Restart the enrollment process

If the device is an Autopilot device, delete the file c:\windows\servicestate\wmansvc\AutopilotDDSZTDFile.json before continuing.

The enrollment command must be entered in a SYSTEM context to be properly executed. We will use the PSExec tool for that purpose.

  • Use PSExec to launch a Command Prompt as SYSTEM ADMINISTRATOR:

psexec /i /s cmd

  • In the Command Prompt, enter one of the following commands depending on your enrollment type:

Windows 10 / Windows 11 Enterprise (using User Credential)

%windir%\system32\deviceenroller.exe /c /AutoEnrollMDM


  • In the computer certificate store, check that a new Intune certificate has been enrolled for the device.




  • Execute gpupdate /force.


  • Restart the Device.


mdm URL

Important: Check if the admin access on the user “dem_user” exists before enrolling.










Step 10


  • Download the company portal and log in with the “demmng_Cenergy” user.
  • Check in the Intune portal if the device is managed.









Important info: Remove the old License E3/E5 from the user.



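A read-only check for the leftovers that Steps 1, 7 and 8 remove, as an added example that is not part of the original post. It assumes an elevated PowerShell session on the device; the `$EnrollmentId` parameter name is a choice made for this example, and its value is the enrollment ID written down in Step 1.

```powershell
# Added example (not from the original post): audits, without deleting anything,
# the artifacts that Steps 1, 7 and 8 clean up. Run in an elevated session.
param(
    # Enrollment ID noted in Step 1 (parameter name is this example's choice)
    [Parameter(Mandatory)]
    [string]$EnrollmentId
)

$base = 'HKLM:\SOFTWARE\Microsoft'
# Parent keys listed in Step 7; the enrollment ID is the subkey name under each
$parents = @(
    'Enrollments',
    'Enrollments\Status',
    'EnterpriseResourceManager\Tracked',
    'PolicyManager\AdmxInstalled',
    'PolicyManager\Providers',
    'Provisioning\OMADM\Accounts',
    'Provisioning\OMADM\Logger',
    'Provisioning\OMADM\Sessions'
)

$findings = @(foreach ($p in $parents) {
    $key = "$base\$p\$EnrollmentId"
    [pscustomobject]@{ Type = 'RegistryKey'; Item = $key; Present = (Test-Path -LiteralPath $key) }
})

# Step 1: scheduled tasks still registered under the enrollment ID folder
$taskPath = "\Microsoft\Windows\EnterpriseMgmt\$EnrollmentId\"
$tasks = @(Get-ScheduledTask -TaskPath "$taskPath*" -ErrorAction SilentlyContinue)
$findings += [pscustomobject]@{ Type = 'ScheduledTasks'; Item = $taskPath; Present = ($tasks.Count -gt 0) }

# Step 8: certificates in Personal > Certificates issued by either CA named in the post
$issuers = 'Microsoft Intune MDM Device CA', 'SC_Online_Issuing'
$certs = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $issuer = $_.Issuer
    $issuers | Where-Object { $issuer -like "*CN=$_*" }
})
foreach ($c in $certs) {
    $findings += [pscustomobject]@{ Type = 'Certificate'; Item = "$($c.Thumbprint) ($($c.Issuer))"; Present = $true }
}

$findings | Format-Table -AutoSize -Wrap

# Summarize: anything still present should be handled before Step 9
$stale = @($findings | Where-Object Present)
if ($stale.Count -gt 0) {
    Write-Warning "$($stale.Count) stale enrollment artifact(s) remain for $EnrollmentId."
} else {
    Write-Output "No stale enrollment artifacts found for $EnrollmentId."
}
```

Run it once after Step 8 and again after Step 9: the first run should report nothing present, and the second should list only the newly enrolled Intune certificate and the new enrollment's own entries under a different ID.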