No, Microsoft support said a hybrid join via GPO might work (not an option in our environment, since not every workstation is on-prem domain joined), and that otherwise, the workstation would have to have a fresh install of Win 10, which is the route we went.

I am not attempting a hybrid join, but this might uncover some additional info that might help. I will get a hold of a user and run dsregcmd /status and review the User Device Registration even logs. Thanks!

The users in question are licensed with either an M365 E3 or an EMS E3, both of which include Intune. I even tried swapping licenses to see if that changed anything. And I agree with Jason, the end users do not need to have any elevated Azure or Intune level permissions to enroll their devices. All other users have been able to enroll. I expect this to be a workstation or user specific issue