Unenrollment exploit that uses stateful files to unenroll for kernver <= 2. Use badrecovery if you have kernver 3.
We use stateful "backups" that basically allows us to change the encrypted contents of the stateful partition, to arbritary contents. This data is useful for enrollment status, so we changed it to make the device appear unenrolled. On the OOBE, it starts the AutoEnrollmentController, which chains into the ash ownership system, and then the ownership system checks for a file. If this file exists, it removes FWMP.
To use this, you need to look at the instructons here.
Please ask questions in the support server. @unretained is back. please ask @unretained on discord for any support.