We were testing out Windows Autopilot + MDM with Intune using VM Windows 10 Enterprise clients. While the greenfield scenario was pretty straightforward and problem-free, testing brownfield scenarios (pre-existing, pre-AAD-registered computers used by existing staff) has proven to be problematic. However, I want to focus on one specific case here.
I reset one VM to start all afresh, unrecognised by Azure AD or Intune. Since Windows 10 Enterprise does not support personal Microsoft accounts during initial setup, I had to create a local admin account. Only after the setup could I add my personal Microsoft account as a proper user for sign-in. (I don't know why Enterprise setup has to be so special and cannot be like Pro, but that's irrelevant to this case.)
Beyond that, I connected my work account with the local admin account, thereby registering to our AAD and enrolling in Intune. Through multiple test cases, we learnt disappointingly that the same account used to register to AAD cannot be used to perform a join (it will result in a "This device is already enrolled" error); a separate AAD account has to be used.
So we succeeded with AAD join using another user account. BUT NOW, the computer only allows my personal Microsoft account or AAD accounts to sign in. There's no way to sign in with the original local admin anymore.
It'll refuse with "The user name or password is incorrect. Try again."
How can I restore signing in with local admin users? Or is that a prohibited scenario now that Windows 10 Enterprise is AAD-joined?