The laptop was stuck at AzureAdJoined: NO and WorkplaceJoined: YES, blocking full Intune management. After removing the Workplace Join (dsregcmd /leave as SYSTEM via PsExec), I joined Entra ID:

Intune Enrollment: Automatic via MDMUrl (https://enrollment.manage.microsoft.com/); device appeared as Compliant in Intune.

GUI Method: Settings > Accounts > Access work or school > Connect > “Join this device to Microsoft Entra ID” > Sign in with JohnHopkins@HopTechOne.onmicrosoft.com.

Verification: dsregcmd /status showed AzureAdJoined: YES.

Key Takeaway:

Entra ID join enables SSO and full policy enforcement—essential for healthcare endpoint security.