How to enroll Windows PCs & Tablets?

Device management is essential for securing and restricting corporate endpoints. Hexnode UEM supports the management of PCs and tablets running Windows 10 or later.

Enrollment establishes a secure bridge between the device and the Hexnode portal. Once enrolled, the Hexnode UEM app is automatically installed on the device, enabling it to receive broadcast messages, policies, and remote actions from the admin.

Available Enrollment Methods

Hexnode offers multiple ways to enroll Windows devices depending on your deployment scale and infrastructure:

• Standard Enrollment (Windows PCs & Tablets): The primary method using the Hexnode Installer or Native Settings.
• PPKG enrollment: Bulk provisioning using a package file (.ppkg) for rapid deployment.
• Google Workspace Enrollment for Windows.: Allows users to enroll using their Google Workspace credentials.
• Windows Autopilot: Zero-touch deployment that provisions devices straight out of the box.
• Co-Management: Enroll devices already managed by another system to leverage Hexnode features simultaneously.
• Windows Virtual Machine Enrollment: Support for managing Windows Virtual Machines (VMs) for testing or virtual desktop infrastructure (VDI).

Prerequisites

Before initiating enrollment, ensure your devices meet the following requirements.

1. Administrator Access: You must be logged in to the Windows device as an Administrator to perform enrollment.
2. Supported Operating Systems:
   • Windows 11: Fully supported.
   • Windows 10 (Version 1803 and later): Fully supported via Hexnode Installer App.
   • Windows 10 (Version 1703 to 1709): Supported only if the following dependencies are installed:
     • Visual C++ Redistributable
     • .NET Framework version 4.7.1 or higher
3. Verifying .NET Framework Version: To check if your device meets the .NET requirement, run the following command in PowerShell:

   Get-ItemProperty –Path “HKLM:SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full” | Format-List

   

   • Check the Version field in the output.
   • If the version is below 4.7.1, download and install the update from the official Microsoft website.
4. Installing Missing Dependencies: If you attempt to enroll using the Hexnode Installer app without these dependencies, you will receive an error prompt.
   1. Click OK on the error message. You will be redirected to the download page.

   

   2. Download the Visual C++ Redistributable.exe file.
      1. Note: Ensure you select the package that matches your system architecture (x64 for 64-bit, x86 for 32-bit).
   3. Open the file from your Downloads folder.
   4. Agree to the terms and click Install.

   

   Recommendation:

   • For Windows 10 v1803+ / Windows 11: Use the Hexnode Installer App (Method 1) for the smoothest experience.
   • For Windows 10 v1703 – 1709: If you cannot install the required dependency packages, use the Native Device Enrollment (Method 2) instead.

Standard Enrollment: Windows PCs & Tablets

This standard enrollment method uses Enrollment Profiles to streamline the setup process. These profiles allow IT admins to pre-configure settings (like authentication rules) which are automatically applied to the device the moment it enrolls.

Step 1: Configure Enrollment Settings in the Portal

Before touching the device, configure the enrollment logic in the Hexnode console:

1. Log in to your Hexnode UEM portal.
2. Navigate to Enroll > Platform-Specific > Windows > Windows PCs & Tablets.
3. Select or Create a Profile:
   1. If you haven’t created one yet, switch to the Enrollment Profiles sub-tab to configure a new profile.
   2. If you already have profiles, stay on the Information sub-tab and use the Enrollment Profile dropdown to select the desired configuration.
   3. Tip: Click View to inspect or edit the settings of the selected profile.
4. Send Enrollment Request:
   1. Click Send mail or Send SMS to share the enrollment details with your users.
   2. This message will contain the Enrollment URL and, if required, the user’s authentication credentials.

Step 2: Enroll the Device

Once the portal side is configured, you can enroll the physical device using one of two methods:

1. Method 1: Using the Hexnode Installer App (Recommended for most devices).
2. Method 2: Native Enrollment (Via Windows Settings).

(See the sections below for detailed steps on each method).

Here is the optimized content for Method 1: Using the Hexnode Installer App.

Method 1: Using the Hexnode Installer App

This is the recommended method for devices running Windows 10 (v1803+) and Windows 11. It automates the installation of the management agent.

1. Download the Installer:
   1. On the device, open a web browser and enter your Enrollment URL (Format: https://portalname.hexnodemdm.com/enroll/).
   2. Click the Download button to save the Hexnode Installer Setup file.
2. Run the Installer:
   1. Open the downloaded file to run the setup.
   2. Dependency Check: If your device is missing required components (like Visual C++), the installer will prompt you to install them. Follow the on-screen instructions to complete this.
   3. Once dependencies are met, the EULA will appear. Read it and click Agree and Enroll.
3. Authenticate (If Required): The installer will check your portal settings. If authentication is enabled:
   1. Local/AD Users: Enter your Email ID or sAMAccountName and click Authenticate.
   2. Microsoft/Google/Okta Users: Sign in using your organization’s directory credentials.
   3. If you see “Authentication failed! Try Again!“, check your credentials and click Enroll to retry.
4. Complete Enrollment: The device will now attempt to enroll automatically.
   1. Scenario A: Automatic Enrollment Succeeds
      • The Hexnode UEM app will install automatically.
      • Once finished, click Done and then Finish to exit the setup wizard. The device is now enrolled.
   2. Scenario B: Automatic Enrollment Fails (Fallback Method)

      If the automatic process encounters an issue, you must complete the setup manually:

      • Click Enroll on the error screen. This redirects you to Windows Settings.
      • In the Set up a work or school account window, the server address and admin username will be auto-filled. Verify them and click Next.
      • Review the device setup instructions and click Got it.
      • Wait for the connection to establish. Once connected, the Hexnode UEM app will install.

Pro Tips for Success

• Syncing Policies: If apps or settings do not appear immediately after enrollment, force a manual sync. Go to Settings > Accounts > Access work or school, click on the connected account, select Info, and tap the Sync button.
• Best Practice: Always prioritize this Installer App method for newer Windows versions (1803+) as it provides a smoother, more guided experience than the native settings menu.

Method 2: Native Enrollment (Windows Settings)

Use this method if you cannot install dependency packages or if you are running older versions of Windows 10 (v1703 to 1709). This process uses the built-in Windows MDM client.

1. Access Work or School Settings:
   • On your Windows device, navigate to Settings > Accounts > Access work or school.
   • Click on the link labeled Enroll only in device management.
     • Important: Do not click the big “Connect” button, as that may attempt a full Azure AD join.
2. Enter User Information:
   • Enter your work email address.
   • Click Next.
3. Bypass Microsoft Sign-In (Crucial Step):
   • A window may appear asking for a Microsoft password. Ignore this prompt.
   • Simply close that specific window/tab or look for an option to proceed without Microsoft authentication to reveal the hidden server URL field.
4. Enter Server Details:
   • In the MDM Server URL field, enter the address provided in your portal (Format: https://portalname.hexnodemdm.com).
   • Click Next.
5. Authenticate: If your enrollment profile requires authentication, choose the appropriate method:
   • Local or Active Directory Users: Select your domain from the dropdown, enter your Email or sAMAccountName and password, then click Authenticate.
   • Microsoft / Google / Okta Users: Click the corresponding Sign in with… button to authenticate using your directory credentials.
6. Finalize Enrollment:
   • Review the device setup instructions and click Got it.
   • The device is now successfully enrolled in the Hexnode portal.

Best Practices & Post-Enrollment

• When to use this method: This is the preferred fallback method for legacy devices (Windows 10 v1703 – 1709) where installing .NET Framework or Visual C++ dependencies is not possible.
• Syncing: Hexnode will automatically begin deploying configurations and apps. This may take a few minutes. If you do not see changes after a while, force a sync manually:
  • Go to Settings > Accounts > Access work or school.
  • Click on your Hexnode connection.
  • Click Info, then click the Sync button.

Impact of Removing Management Components

Once enrolled, a Windows device relies on two components: the MDM Profile (System Settings) and the Hexnode Agent App (Installed Software). Removing either component limits Hexnode’s control, but the specific consequences differ.

1. If the Agent App is Removed

If the Hexnode Agent software is uninstalled from the device:

• Lost Capabilities: You cannot execute remote actions that require the agent to run scripts or system commands. This includes:
  • Execute Custom Script
  • Join AD Domain
  • Power off Device
• Retained Capabilities: Policies and Restrictions will still work successfully, as they are managed by the MDM profile, not the app.

2. If the MDM Profile is Removed

If the user manually removes the management profile from Windows Settings:

• Lost Capabilities:
  • Policies: Most restrictions and configurations will stop working immediately.
  • CSP Actions: Remote actions that rely on Windows Configuration Service Providers (like Scan Device or Scan Device Location) will fail.
• Retained Capabilities:
  • Remote Actions: Surprisingly, most agent-based remote actions can still be executed if the Agent App remains installed.
  • Limited Restrictions: Only a small subset of restrictions will persist, including:
    • Restrictions: Camera, Cortana voice assistant, Use Cortana if device is locked, Location services, Change language, Sync Settings, Cellular data roaming, and Show toast notification on lock screen
    • Advanced Restrictions: USB connection, Allow Region, Search can use user location, and Internet Sharing

Frequently Asked Questions (FAQs)

Q1: How can I automatically install the Hexnode Agent on devices enrolled via Native Enrollment?

To automate the agent installation, you must configure the Enrollment Profile before enrollment.

1. Go to Enroll > Windows PCs & Tablets > Enrollment Profiles.
2. Edit your profile and navigate to General Settings.
3. Enable the option Install Hexnode Service app.

Q2: What if I forgot to enable the “Install Hexnode Service app” option?

You can trigger the installation manually after enrollment.

1. In the Hexnode console, navigate to the specific device’s page.
2. Go to Device Summary > Enrollment Details.
3. Click the Refresh button next to the Hexnode Service (Agent) App status field.

Q3: Are there features missing if I use Native Enrollment instead of the Hexnode Installer App?

Yes. Native enrollment relies on the Windows MDM protocol, which supports most policies. However, advanced features like Custom Scripts, Remote View, and MSI App Installation require the Hexnode Agent app to function. If you use Native Enrollment, ensure the agent app is installed (see previous question) to gain these features.

Q4: Which credentials should I use if a local user password is set in the portal?

If the IT admin has configured a specific password for a local user in the Hexnode portal, you must use the credentials provided in the enrollment request email/SMS sent to you.

Q5: What happens if the Hexnode UEM app is already installed on the device?

During a new enrollment, the existing Hexnode app will be reset. The previous app data and logs are automatically backed up and stored as ZIP files on the primary partition of the Windows drive for safety.

Q6: Can I use a single enrollment profile for multiple devices?

Yes. Enrollment profiles are designed to be reusable templates. You can use a single profile URL to enroll an unlimited number of Windows devices.

Q7: How do I automatically assign devices to Groups or Departments?

You can automate this using Enrollment Profiles:

1. Navigate to Enroll > Windows PCs & Tablets > Enrollment Profiles.
2. Create or Edit a profile.
3. Go to the Device Configurations section.
   1. For Groups: Click Add to device groups and select the target group.
   2. For Departments: Enter the department name in the Department field.
4. Save the profile. Any device enrolling via this profile will automatically inherit these assignments.

Q8: What happens if I disable an enrollment profile?

Disabling a profile invalidates its Enrollment URL. Users will no longer be able to download the profile or enroll new devices using that specific link. Existing enrolled devices are unaffected.

Troubleshooting

1. Issue: Enrollment Redirects to Intune

Problem: When users enter their corporate email address during enrollment, they are redirected to Microsoft Intune instead of the Hexnode MDM server.

Possible Cause: This occurs because the CNAME record for EnterpriseEnrollment in your organization’s DNS is currently pointing to Microsoft’s server (enterpriseenrollment.manage.microsoft.com). Windows devices automatically check this record to find the MDM server associated with a domain.

Solution:

• Preferred Fix: Change the CNAME record for EnterpriseEnrollment in your DNS settings to point to your Hexnode server address: <portalname>.hexnodemdm.com.
• Workaround: If you cannot access DNS settings, open the device browser and enter the following deep-link URL to bypass the auto-discovery:

  ms-device-enrollment:?mode=MDM&username=emailid&servername=<portalname>.hexnodemdm.com

2. Issue: “Authentication Error” on Cloned Devices

Problem: Enrollment fails with the message: “Authentication Error! The credential used for authentication belongs to a different user. Please check the assigned user and retry.”

Possible Cause: This typically happens when enrolling a device that was cloned using an OS image from a previously enrolled machine. The cloned device retains the same unique identifier (UDID) as the original, causing a conflict in the Hexnode portal.

Solution: You must reset the device identifier in the registry:

1. Open the Registry Editor on the device.
2. Navigate to: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\
3. Delete the MDMDeviceID registry key.
4. Retry enrollment.

Need more help?

Then you can check out Hexnode’s dedicated troubleshooting guide:

• Resolving workflow limitations with Windows device enrollment