Manual (re-)enrollment of a Windows 10/11 PC in Intune
Re-enrollment process
Sometimes a Windows 10/11 PC can no longer synchronize with Intune. The synchronization process is then in an error state and an error such as “The sync could not be initiated” is displayed. It is also possible that Intune uses an automatic cleanup rule; this can be configured, for example, to remove any device that has had no activity with Intune for 60 days or longer. Reinstalling the device is rarely an attractive option, and this is where the re-enrollment process comes in. To manually re-enroll the PC, we clean up the stale enrollment on the device and then relaunch the same command used in the manual enrollment process, in the SYSTEM context, to enroll the PC again.
Below are the steps required to get it working:
- Delete stale scheduled tasks
- Delete stale registry keys
- Delete the Intune enrollment certificate
- Start the enrollment process
1. Delete stale scheduled tasks
Run the Task Scheduler as administrator
Go to Task Scheduler Library > Microsoft > Windows > EnterpriseMgmt.
Make a note of the enrollment ID; you will need it later in the process.
Delete all existing tasks in the EnterpriseMgmt folder and then delete the folder itself.
2. Delete stale registry keys
- Run the Registry Editor as Administrator
- Using the enrollment ID noted earlier, find and delete the keys below (replace the x's with the enrollment ID):
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\xxxxxxxx-xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\Status\xxxxxxxx-xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked\xxxxxxxx-xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled\xxxxxxxx-xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\xxxxxxxx-xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\xxxxxxxx-xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Logger\xxxxxxxx-xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Sessions\xxxxxxxx-xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Do not delete any keys other than those specified above.
3. Delete the Intune enrollment certificate
Search for “Manage computer certificates” or run certlm.msc as an administrator.
Go to Personal > Certificates and delete the certificate issued by “Microsoft Intune MDM Device CA”.
4. Start the enrollment process
To do this correctly, the process has to be started in the SYSTEM context. When the process has finished, check the device in Intune: the fields MDM, Owner, UPN and Compliant should no longer be blank:
Before:
After the process:
The device will then appear in the Intune portal.
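The four steps above as one PowerShell script. This is an added example, not code from the original article. It assumes it is run as SYSTEM (for instance from a PsExec -s -i powershell.exe session), reads the enrollment ID from the GUID-named subfolder under EnterpriseMgmt instead of relying on a hand-written note, touches only the registry keys listed in step 2, and assumes that the enrollment command the article refers to is the standard MDM auto-enrollment trigger deviceenroller.exe /c /AutoEnrollMDM, which the page does not spell out.

```powershell
<#
  Added example (not from the original article): automates steps 1-4 of the re-enrollment.
  Assumptions not stated on the page:
    - runs as SYSTEM (e.g. PsExec -s -i powershell.exe), because step 4 must run in that context;
    - the enrollment command is deviceenroller.exe /c /AutoEnrollMDM.
  Supports -WhatIf so every deletion can be previewed before anything is touched.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # Optional: enrollment GUID(s) if they cannot be read from the EnterpriseMgmt task folder
    [string[]]$EnrollmentId
)

$ErrorActionPreference = 'Stop'
$taskRoot = '\Microsoft\Windows\EnterpriseMgmt'
$guidRx   = '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'

# Step 0: the enrollment must run as SYSTEM, so refuse to do a real run otherwise
if (-not $WhatIfPreference -and -not [Security.Principal.WindowsIdentity]::GetCurrent().IsSystem) {
    throw 'Run this script in the SYSTEM context (for example via PsExec -s -i powershell.exe).'
}

# Step 1: read the enrollment ID(s) from the GUID-named task subfolders, delete the tasks, then the folder
$ids = [System.Collections.Generic.List[string]]::new()
if ($EnrollmentId) { $ids.AddRange($EnrollmentId) }

$sched = New-Object -ComObject Schedule.Service
$sched.Connect()
$folder = $null
try { $folder = $sched.GetFolder($taskRoot) } catch { Write-Verbose "No $taskRoot folder present" }

if ($folder) {
    foreach ($sub in @($folder.GetFolders(0))) {          # snapshot: we delete while walking
        if ($sub.Name -match $guidRx) { $ids.Add($sub.Name) }
        foreach ($task in @($sub.GetTasks(1))) {           # flag 1 = include hidden tasks
            if ($PSCmdlet.ShouldProcess("$($sub.Path)\$($task.Name)", 'Delete scheduled task')) {
                $sub.DeleteTask($task.Name, 0)
            }
        }
        if ($PSCmdlet.ShouldProcess($sub.Path, 'Delete task folder')) {
            $folder.DeleteFolder($sub.Name, 0)
        }
    }
}
if ($ids.Count -eq 0) { Write-Warning 'No enrollment ID found; pass -EnrollmentId if you noted one manually.' }

# Step 2: delete exactly the registry keys the article lists, and nothing else
$keyTemplates = @(
    'HKLM:\SOFTWARE\Microsoft\Enrollments\{0}',
    'HKLM:\SOFTWARE\Microsoft\Enrollments\Status\{0}',
    'HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked\{0}',
    'HKLM:\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled\{0}',
    'HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers\{0}',
    'HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\{0}',
    'HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Logger\{0}',
    'HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Sessions\{0}'
)
foreach ($id in ($ids | Select-Object -Unique)) {
    # A malformed ID could turn a template into a wildcard-like path; reject it outright
    if ($id -notmatch $guidRx) { throw "Not a well-formed enrollment GUID: $id" }
    foreach ($tpl in $keyTemplates) {
        $key = $tpl -f $id
        if ((Test-Path -LiteralPath $key) -and $PSCmdlet.ShouldProcess($key, 'Delete registry key')) {
            Remove-Item -LiteralPath $key -Recurse -Force
        }
    }
}

# Step 3: remove the device certificate issued by the Intune MDM Device CA from the machine store
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like '*Microsoft Intune MDM Device CA*' } |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess("$($_.Subject) [$($_.Thumbprint)]", 'Delete certificate')) {
            Remove-Item -LiteralPath $_.PSPath
        }
    }

# Step 4: trigger MDM enrollment again (assumed command; we are already running as SYSTEM)
$enroller = Join-Path $env:SystemRoot 'System32\deviceenroller.exe'
if ($PSCmdlet.ShouldProcess($enroller, 'Start MDM enrollment (/c /AutoEnrollMDM)')) {
    $p = Start-Process -FilePath $enroller -ArgumentList '/c', '/AutoEnrollMDM' -Wait -PassThru -NoNewWindow
    Write-Host "deviceenroller.exe exited with code $($p.ExitCode); verify MDM, Owner, UPN and Compliant in the Intune portal."
}
```

Run it once with -WhatIf to get a list of every task, key and certificate it would remove without changing anything; the GUID check is how the script enforces the article's rule of not deleting any keys other than those specified. After a real run, the Intune portal fields named in step 4 should fill in once the device checks in.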
NOTE: If the device is not Autopilot joined, you must first leave Entra ID by running the command dsregcmd /leave, then move the computer to an OU in AD that is not synchronized to the cloud and wait until it disappears from the Entra ID portal. After that, perform all the steps above, move the computer back to the correct OU in AD, wait until it appears in the portal again, and then run the dsregcmd /join command.