Category filter

Resolving workflow limitations with Windows device enrollment

1. Windows enrollment redirects to Intune device enrollment.


Users are asked to enter their email address while enrolling Windows devices in an MDM. The device maps this email address to the MDM server associated with the domain in the DNS. So, the users will not be prompted to enter the MDM server address before initiating enrollment. This is because the CNAME record for enterprise enrollment in the DNS is proactively configured.

By default, this will be set as – the Intune enrollment sever. It is not an issue with the Hexnode’s device enrollment procedure but the general workflow of Windows devices. So, if you are trying to enroll in Hexnode using your company mail address, the enrollment procedure fails.

Enterprise enrollment CNAME record in DNS


It is recommended to change the CNAME set for EnterpriseEnrollment in your DNS to your Hexnode MDM server address to prevent such discrepancies. To rectify this, in your DNS server, go to domains and change the EnterpriseEnrollment CNAME to <portalname>

If you don’t have enough privileges to do this or simply don’t know how to do this, use the following procedure.

Enter ms-device-enrollment:?mode=MDM&username=emailid&servername=<portalname> in your Windows device’s browser. This will automatically initiate the MDM enrollment.

2. “Authentication Error! The credential used for authentication belongs to a different user. Please check the assigned user and retry.” error message is displayed.


This issue occurs when a device with the same UDID has already been enrolled in the UEM portal. Such an instance can arise when a device cloned using the OS image file of a previously enrolled device is attempted to be enrolled in Hexnode.


Open Registry Editor and delete the following registry key from the device:


Deleting the ‘MDMDeviceID’ registry key will allow you to enroll the device in the Hexnode portal successfully.

3. Agent removed banner shown even when the device disenrollment is not initiated.


One of the possible reasons why the device shows the Agent removed banner even when disenrollment is not initiated are:

It can occur if the administrator user account logged in while enrolling the device is deleted. Since the device can have more than one administrator accounts, such cases occur rarely when a new administrator account is added, and the older administrator account (probably used during enrollment) is removed. It can lead to the device’s MDM communication being lost.

Precautionary measure:

Before deleting an administrator user account from a Windows device, ensure that it’s not the one used for enrollment.

  • Troubleshooting Guides