How to enroll Windows PCs & Tablets?

Device management is integral in restricting, managing, and securing your Windows devices. Hexnode supports the management of PCs and tablets running Windows 10 or later. To manage a device using Hexnode, it must be enrolled in the UEM portal. Enrollment establishes a connection between the UEM and the device through which they communicate with each other.

On enrolling a Windows device, the Hexnode UEM app will get automatically installed on the device. The broadcast messages sent by the admin from the Hexnode portal are received through this app.

1. Windows PCs & Tablets enrollment
2. PPKG enrollment
3. Google Workspace Enrollment for Windows.
4. Windows Virtual Machine Enrollment
5. Co-Management
6. Windows Autopilot

Windows PCs & Tablets enrollment

This enrollment method leverages enrollment profiles that define how the enrollment process is carried out on Windows devices. These profiles contain settings that can be pre-configured by IT admins, which are then automatically applied on the device during its enrollment.

The following steps will guide you through the enrollment of Windows devices using enrollment profiles,

1. Log in to Hexnode UEM.
2. Go to Enroll → Platform-Specific → Windows → Windows PCs & Tablets.
3. If you have not configured an enrollment profile, click on Enrollment Profiles sub-tab to configure an enrollment profile. Or else, go to the Information sub-tab.
4. In the Information sub-tab, click on the Enrollment profile setting to select an enrollment profile that has already been configured. By clicking on the View option, you can view and make changes to the selected enrollment profile.
5. Click on Send mail or Send SMS to send users the enrollment information which includes the enrollment URL and credentials for authentication.

There are two enrollment methods you can follow to enroll your Windows devices using enrollment profiles,

Method 1: Using Hexnode Installer app

To enroll a device using the Hexnode Installer app, follow the procedure:

1. Enter the enrollment URL in a web browser on the device. It should be in the format: https://portalname.hexnodemdm.com/enroll/
2. Download the Hexnode Installer Setup by clicking on Download.
3. Run the setup and install the Hexnode Installer.
4. Hexnode Installer will prompt you to install any required dependency packages if they are missing on your device. Follow the on-screen instructions and complete the dependency installations.
5. After successful installation of the required dependency packages, Hexnode EULA will be displayed. Read the EULA and click on Agree and Enroll.
6. If authentication has been enabled in the enrollment profile, follow these steps. Else, skip to step 7.
   • The Hexnode Installer checks with the portal for the enrollment authentication settings.
   • If you are a local or AD user, enter your email ID/sAMAccount Name and click on Authenticate. If you are a Microsoft/Googe/Okta user, you can authenticate by signing in with the corresponding directory credentials.
   • If the authentication fails, an error message “Authentication failed! Try Again!” will be displayed. Click on Enroll to re-authenticate.
7. Now the device will process the enrollment request. If the process succeeds, go to step 11.
8. In case the process fails, to continue the enrollment:
   • Click on Enroll. This will redirect you to Settings > Accounts > Access work or School > Enroll only in device management on your device.
   • On the ‘Set up a work or school account’ pane, the admin’s username and the enrollment server address will be auto-filled. Click on Next.
   • Read the instructions regarding the device set up and click Got it. Hexnode will now connect to the Workplace or School. It may take a few minutes to set up the connection. All the configurations and apps that your organization has set up for the user will soon be deployed to the device.
9. The Hexnode UEM app will now be installed, and all the configurations will be applied to the device. Click Done to exit the Hexnode Installer.
10. Click Finish to exit the Setup.

Method 2: Native Enrollment

1. Go to Settings → Accounts →Access work or school.
2. Select Enroll only in device management.
3. Enter your work email and click Next.
4. Now you will be asked to enter your Microsoft password, simply neglect this by closing the tab.
5. Enter the server URL displayed under the Enrollment URL in the Information sub-tab. It will be in the format: https://.hexnodemdm.com and click Next.
6. If authentication has been enabled in the enrollment profile, and if you are enrolling the device via AD or local authentication, select the domain from the dropdown, enter the Email/SAM Account Name and password and click Authenticate. Or, click on Sign in with Microsoft/Google/Okta to authenticate with the directory credentials.
7. Read the instructions regarding the device set up and click Got it. You have now successfully enrolled your PC in the Hexnode portal.

PPKG Enrollment

PPKG Enrollment allows IT admins to quickly set up and enroll multiple Windows devices without manual intervention. It’s ideal for large-scale device rollouts, where a provisioning package (.ppkg) bundles all necessary configurations (like network settings, policies, and apps) into one file. To enroll devices, the users simply have to power them on, connect to the network, and install the PPKG file, which will automatically apply the enrollment settings configured in the enrollment profile and enroll the device into Hexnode UEM.

Google Workspace Enrollment for Windows

Google Workspace Enrollment in Hexnode enables IT administrators to seamlessly enroll and manage Windows devices by leveraging Google Workspace. With the integration of Google Workspace in the Hexnode portal, organizations can import Google Workspace users directly into Hexnode. Admins can then send enrollment requests to these users, allowing them to authenticate and enroll using their Google Workspace credentials.
This enrollment method is perfect for organizations already using Google Workspace, as it streamlines the device setup, ensuring devices are enrolled with minimal effort from both administrators and end-users.

Google Workspace enrollment can be configured in enrollment profiles which will be applied on the device during its enrollment.

Windows Virtual Machine Enrollment

Virtual Machine enrollment in Hexnode lets IT admins run a Windows environment inside a sandboxed VM and manage it as if it were a physical PC. By setting up a Windows VM in VM programs such as VirtualBox and enrolling it into Hexnode UEM, admins can apply configurations, deploy apps, and enforce policies remotely. This approach is ideal for creating test environments or managing BYOD setups, since the VM operates independently while still being fully manageable through Hexnode.

Co-Management

Co-management enables IT admins to enroll Windows devices that were already enrolled in other UEM solutions into Hexnode UEM. This unleashes the power to use the features in Hexnode UEM in addition to the ones available in the other UEM. If additional functionality is required, co-managed devices can also be fully enrolled into Hexnode by removing the existing UEM vendor and re-enrolling the device. Co-management can be enabled for Windows devices through enrollment profiles, during its enrollment into Hexnode UEM.

Windows Autopilot

Windows Autopilot enables IT admins to pre-configure new Windows devices before they reach the end user. When the users unbox and power on the devices for the first time, they are automatically enrolled into Hexnode UEM with the pre-defined configurations. This enrollment method is especially useful for organizations as it enables large-scale rollouts of Windows devices with minimal effort.

What happens when the MDM profile/Agent app is removed?

A Windows device is marked as Enrolled in the device summary page of the UEM portal once it gets enrolled in Hexnode UEM. Enrollment proceeds with MDM profile installation and/or agent app installation, which, when complete, result in the device being managed by Hexnode. But removing the MDM profile or agent app from the device results in Hexnode UEM having limited control over the device. In that case, most policies associated, and actions executed on the device will not take effect.

Removing the MDM profile doesn’t affect the admin’s ability to execute most remote actions, except for the ones executed via CSPs like Scan Device and Scan Device Location. But the policies that can be applied get limited to the following Restrictions:

1. Camera
2. Cortana voice assistant
3. Use Cortana if device is locked
4. Location services
5. Change language
6. Sync Settings
7. Cellular data roaming
8. Show toast notification on lock screen

And certain Advanced Restrictions, like:

1. USB connection
2. Allow Region
3. Search can use user location
4. Internet Sharing

If the agent app is removed, remote actions like Execute Custom Script, Join AD Domain, Power off Device, etc., that require an agent app can no longer be executed. However, policies, including all the restrictions, can be successfully deployed.

Frequently asked questions (FAQs)

1. How can IT admins automatically install the Hexnode agent app on devices enrolled through Native enrollment?

   To automatically install the Hexnode agent app on devices enrolled by Native Enrollment, enable the option “Install Hexnode Service app” under General Settings in the configurations of an enrollment profile.

2. What if IT admins forget to enable the Install Hexnode Service app option while configuring an enrollment profile?

   The Hexnode agent can still be installed manually. From the Hexnode UEM console, go to the device’s Enrollment Details section under Device Summary and click the refresh button next to the Hexnode Service (Agent) App status.

3. Which credentials should be used to enroll if the IT admin has set a password for the local user in the portal?

   If a local user password was configured in the portal, use the credentials included in the enrollment request to authenticate the device during enrollment.

4. What happens if Hexnode UEM is already installed on the device?

   During enrollment, the existing Hexnode UEM app on the device will be cleared. However, all its data and logs will be automatically backed up and stored as zip files on the primary partition of the Windows machine.

5. Are there any features that are supported only when enrolling with the Hexnode Installer app instead of the Native enrollment method?

   Yes. Custom Script, Remote View, and MSI app installation require the latest Hexnode UEM app, which is installed only when you use the Hexnode Installer. These features are not available through Native enrollment.

6. Can IT admins use a single enrollment profile for multiple Windows devices?

   Yes, a single enrollment profile can be used to enroll multiple Windows devices.

7. What happens if an enrollment profile is disabled by the IT admin?

   On disabling an enrollment profile, the user will no longer be able to download the enrollment profile and enroll their device. This is because the enrollment URL linked to the profile becomes inactive, preventing any new device enrollments through it.

8. How can IT admins automatically assign devices to groups or departments during enrollment?

   IT admins can automatically assign devices to specific device groups or departments using enrollment profiles. Here’s how,

   1. Navigate to Enroll > Windows PCs & Tablets > Enrollment Profiles.
   2. Click on Create Profile to create a new enrollment profile or select an already existing one.
   3. In the Device Configurations section,
      • To assign devices to a group: click on Add to device groups and select the desired device group to which the device will be added to upon enrollment.
      • To assign devices to a department: enter the department name in the Department field.
   4. Finally, click Save to apply the changes.

Troubleshooting Tips

• Hexnode native Windows enrollment redirects to Intune device enrollment.