Hi @zayn_nj, I can see how that sequence of events would be alarming, but the good news is that the boot error and the Hexnode enrollment issue are actually completely unrelated. The OS boot error was a temporary hardware/boot sector glitch.
The real root cause of your issue is exactly what the console warned you about: the specific local admin account that was used to initially enroll the device was deleted from the PC. When that primary enrollment account is removed, the associated MDM profile gets removed with it. Because the profile was removed, the device correctly flagged itself as non-compliant. By default, any local admin user has the power to remove an MDM profile.
Here is how to fix the current device and prevent this from happening across your fleet.
To get this device back under management, it must be re-enrolled.
-
The user will need to download the Hexnode Windows installer.
-
They must run the installer using an account with local administrator rights (if they are the only account left on the PC, they likely have admin privileges by default).
How to Prevent MDM Removal in the Future
You can completely lock down the MDM profile so that even local administrators cannot remove it.
-
Navigate to your Policies tab and create/edit a Windows policy.
-
Go to Windows > Advanced Restrictions.
-
Locate the setting for Manual MDM Administration Removal and select Disable.
-
Save and assign this policy to your Windows fleet.
Pro-Tip: Remote Local Account Management
Since the original admin account was deleted, it’s worth noting that you don’t have to rely on users to manage these accounts. As long as a device is actively managed, you can remotely provision a new local admin account directly from the console. Just go to Manage > [Select Device] > Local Accounts, and you can create a secure, hidden admin account to ensure you never lose access to the machine.
12 Views
