New unenrollment exploit that uses stateful files to unenroll.
We use stateful "backups" that basically allows us to change the encrypted contents of the stateful partition, to arbritary contents. This data is useful for enrollment status, so we changed it to make the device appear unenrolled. On the OOBE, it starts the AutoEnrollmentController, which chains into the ash ownership system, and then the ownership system checks for a file. If this file exists, it removes FWMP.
To use this, you need to look at the instructons here.
Please dm @unretained or join the support server on discord.