How to Hybrid Join + Intune Cleanup

A step-by-step guide to reset a stuck Hybrid Azure AD Join and Intune enrollment on a Windows device.

โœ… When to Use This

Use this process if:

๐Ÿ”ฅ Step-by-Step Reset Process

1. ๐Ÿšช Remove Device from Local Domain

  1. Log in as local admin or domain admin.
  2. Open:
    System Properties > Computer Name > Change
  3. Click Workgroup, enter any name (e.g. WORKGROUP), and apply.
  4. Reboot when prompted.

2. ๐Ÿ—‘ Remove from Azure and Intune

Microsoft Entra:

  1. Go to https://entra.microsoft.com
  2. Navigate to:
    Devices > All Devices > BCM-D003
  3. Click Delete.

Intune:

  1. Go to https://intune.microsoft.com
  2. Navigate to:
    Devices > Windows > All Devices > BCM-D003
  3. Click Delete.

3. ๐Ÿงผ Local Cleanup (Post-Reboot)

  1. After reboot, log in as local admin.
  2. Open Registry Editor (regedit).
  3. Delete these keys if they exist:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager
  1. Delete the folder:
C:\ProgramData\Microsoft\DMClient

You may need to take ownership or run as SYSTEM to remove some of these.

4. ๐Ÿ” Rejoin to Domain (Fresh)

  1. Join back to the BCMAD domain.
  2. Before first login, move the device into:
    OU: BCM Computers
  3. Confirm the following GPOs are linked to the OU:
  4. โœ… Hybrid Join - Automatic Registration
  5. โœ… Intune - Auto MDM Enrollment
  6. Reboot and log in with a cloud-synced user (with Intune license).

5. ๐Ÿงช Post-Join Checks

After reboot and login, run:

dsregcmd /status

You should see:

Key Value
AzureAdJoined YES
AzureAdPrt YES
WamDefaultSet YES
IsUserAzureAD YES
MdmUrl Present โœ…

If AzureAdPrt = YES, device is ready for Intune and Company Portal installs.

โœ… You're Clean and Ready

At this point, the device is:

Last updated: 2025-03-30

#Work/clients/bcm/IT/02-how-to-guides