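#Requires -RunAsAdministrator
# Re-enroll to Intune after a broken MDM state (do NOT run if you plan to leave Entra ID)
# Run as admin.
#
# The script is deliberately scoped: it only touches Task Scheduler folders, registry
# keys and certificates that belong to the enrollment GUIDs it discovers in step 1.
# Nothing under the device's Entra ID join (MS-Organization-Access cert, dsregcmd state)
# is removed.

# 0) Optional: confirm we are still Azure AD joined
dsregcmd /status | findstr /I "AzureAdJoined DomainJoined WorkplaceJoined"

# 1) Collect all EnterpriseMgmt GUIDs from Task Scheduler and Registry
$taskRoot    = '\Microsoft\Windows\EnterpriseMgmt'
$guidPattern = '^[0-9a-fA-F-]{36}$'   # bare GUID, no braces

# Enrollment tasks live in sub-folders named after the enrollment GUID.
# "$taskRoot\*" is used because -TaskPath does not recurse into sub-folders and
# expects a trailing backslash; the bare folder path would return no tasks.
$taskGuids = Get-ScheduledTask -TaskPath "$taskRoot\*" -ErrorAction SilentlyContinue |
    ForEach-Object { Split-Path ($_.TaskPath.TrimEnd('\')) -Leaf } |
    Where-Object { $_ -match $guidPattern }

$regGuids = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match $guidPattern } |
    Select-Object -ExpandProperty PSChildName

# Each side is wrapped in @() BEFORE the '+': when a pipeline yields exactly one
# element PowerShell hands back a scalar string, and "string + string" would
# concatenate the two GUIDs into one bogus 72-character value instead of a list.
# The $guidPattern filter also drops $null entries that an empty side contributes.
$guids = @(
    @($taskGuids) + @($regGuids) |
        Where-Object { $_ -match $guidPattern } |
        Sort-Object -Unique
)

if ($guids.Count -eq 0) {
    Write-Warning 'No EnterpriseMgmt enrollment GUIDs found; nothing will be cleaned up before re-enrollment.'
} else {
    Write-Host "Enrollment GUIDs in scope: $($guids -join ', ')"
}

#######################################
# Deletes the direct sub-keys of $Root whose name is one of $Guids.
# Every other key under $Root is left untouched (scoped removal).
# Arguments:
#   Root  - registry path (HKLM:\...); silently skipped when absent
#   Guids - enrollment GUIDs to remove
#######################################
function Remove-ScopedSubKey {
    param(
        [Parameter(Mandatory)][string]$Root,
        [string[]]$Guids = @()
    )
    if (-not (Test-Path $Root)) { return }
    Get-ChildItem $Root -ErrorAction SilentlyContinue |
        Where-Object { $Guids -contains $_.PSChildName } |
        Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
}

# 2) Stop and remove EnterpriseMgmt scheduled tasks and folders for each GUID
# The COM scheduler object is created once; per-GUID folder removal stays best-effort
# because a folder that is already gone is not an error for this script.
try {
    $scheduler = New-Object -ComObject Schedule.Service
    $scheduler.Connect()
} catch {
    $scheduler = $null
    Write-Warning "Could not connect to Schedule.Service; task folders will not be removed: $($_.Exception.Message)"
}

foreach ($g in $guids) {
    Get-ScheduledTask -TaskPath "$taskRoot\$g\" -ErrorAction SilentlyContinue |
        Unregister-ScheduledTask -Confirm:$false -ErrorAction SilentlyContinue

    # Remove the GUID folder itself (the cmdlets cannot delete task folders; COM can)
    if ($scheduler) {
        try {
            $scheduler.GetFolder($taskRoot).DeleteFolder($g, 0)   # second arg is reserved, must be 0
        } catch {
            Write-Verbose "Task folder '$taskRoot\$g' not removed: $($_.Exception.Message)"
        }
    }
}

# 3) Remove MDM enrollment related registry data scoped to those GUIDs only
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Enrollments',
    'HKLM:\SOFTWARE\Microsoft\Enrollments\Status',
    'HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts',
    'HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Logger',
    'HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Sessions',
    'HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked'
)
foreach ($root in $roots) {
    Remove-ScopedSubKey -Root $root -Guids $guids
}

# 4) Remove ONLY the MDM device cert (keep MS-Organization-Access unless you plan to
#    dsregcmd /leave).
# The filter selects on the issuer alone and then explicitly excludes the Entra ID
# device cert. (The earlier form "A -or B -and $false" evaluated to just A because
# -and binds tighter than -or; the exclusion below is the actual safeguard.)
Get-ChildItem Cert:\LocalMachine\My -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Issuer -match 'Microsoft (Intune )?MDM Device CA' -and
        $_.Subject -notmatch 'CN=MS-Organization-Access'
    } |
    Remove-Item -Force -ErrorAction SilentlyContinue

# 5) Clear EnterpriseMgmt Policy Providers cached ADMX entries for those GUIDs (safe scoped removal)
$pmRoots = @(
    'HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers',
    'HKLM:\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled'
)
foreach ($root in $pmRoots) {
    Remove-ScopedSubKey -Root $root -Guids $guids
}

# 6) Wait and kick the built-in MDM auto-enrollment
Start-Sleep -Seconds 5
$enroller = Join-Path $env:WINDIR 'System32\DeviceEnroller.exe'
$proc = Start-Process -FilePath $enroller -ArgumentList "/C /AutoEnrollMDM" -Wait -NoNewWindow -PassThru
# A non-zero exit code here is the first place to look if the device does not re-appear in Intune.
Write-Host "DeviceEnroller.exe exit code: $($proc.ExitCode)"

# 7) Show result
dsregcmd /status | findstr /I "Ngc Prt DeviceAuthStatus"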