
Resolving workflow limitations with Windows device enrollment

1. Windows enrollment redirects to Intune device enrollment.

Description:

Users are asked to enter their email address while enrolling Windows devices in an MDM. The device resolves the EnterpriseEnrollment CNAME record for that email domain in DNS to find the MDM server, so when that record is already configured, users are not prompted to enter the MDM server address before enrollment begins.

By default, this record points to enterpriseenrollment.manage.microsoft.com, the Intune enrollment server. This is not an issue with Hexnode’s device enrollment procedure but part of the general Windows enrollment workflow. So, if you try to enroll in Hexnode using your company email address, the enrollment procedure fails.

Enterprise enrollment CNAME record in DNS

Solution:

It is recommended to change the CNAME set for EnterpriseEnrollment in your DNS to your Hexnode MDM server address to prevent such discrepancies. To rectify this, in your DNS server, go to domains and change the EnterpriseEnrollment CNAME to <portalname>.hexnodemdm.com.

If you don’t have enough privileges to do this or simply don’t know how to do this, use the following procedure.

Enter ms-device-enrollment:?mode=MDM&username=emailid&servername=<portalname>.hexnodemdm.com in your Windows device’s browser. This will automatically initiate the MDM enrollment.
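To check where the EnterpriseEnrollment record for your domain currently points, and to build the ms-device-enrollment deep link from the solution above, here is an added PowerShell example. It is not Hexnode’s own code; the domain, portal name and user email are placeholders you replace with your own values.

```powershell
# Added example (not Hexnode's own code): report where the EnterpriseEnrollment
# CNAME for a domain resolves, then build the enrollment deep link from the article.
param(
    [string]$Domain    = 'example.com',                # assumption: your email domain
    [string]$Portal    = 'portalname.hexnodemdm.com',  # assumption: your Hexnode portal
    [string]$UserEmail = 'user@example.com'            # assumption: the enrolling user
)

$record = "enterpriseenrollment.$Domain"
$intune = 'enterpriseenrollment.manage.microsoft.com'

# Resolve only the CNAME; a missing record is not an error for our purposes.
try {
    $cname = Resolve-DnsName -Name $record -Type CNAME -ErrorAction Stop |
             Where-Object { $_.Type -eq 'CNAME' } |
             Select-Object -First 1 -ExpandProperty NameHost
} catch {
    $cname = $null
}

if (-not $cname) {
    Write-Host "No CNAME found for $record; Windows will prompt for the MDM server address."
} elseif ($cname.TrimEnd('.') -ieq $intune) {
    Write-Warning "$record points to Intune ($cname); email-based enrollment will not reach Hexnode."
} elseif ($cname.TrimEnd('.') -ieq $Portal) {
    Write-Host "$record already points to the Hexnode portal ($cname)."
} else {
    Write-Warning "$record points to an unexpected host: $cname"
}

# Fallback from the article when the DNS record cannot be changed: the deep link
# that starts MDM enrollment against the Hexnode portal explicitly.
$uri = "ms-device-enrollment:?mode=MDM&username=$UserEmail&servername=$Portal"
Write-Host "Enrollment URI: $uri"
# Start-Process $uri   # uncomment on the Windows device to launch the enrollment flow
```

Run the script on any Windows machine that can query your public DNS to see which server a user’s email address would be routed to; the final line, when uncommented, opens the same URI the article tells the user to type into the browser.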

2. “Authentication Error! The credential used for authentication belongs to a different user. Please check the assigned user and retry.” error message is displayed.

Description:

This issue occurs when a device with the same UDID has already been enrolled in the UEM portal. This can happen when a device cloned from the OS image of a previously enrolled device is enrolled in Hexnode.

Solution:

Open Registry Editor and delete the following registry key from the device:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\MDMDeviceID

Deleting the ‘MDMDeviceID’ registry key will allow you to enroll the device in the Hexnode portal successfully.
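Here is an added PowerShell example (not Hexnode’s own code) that performs the registry removal described above from an elevated session, exporting the parent OMADM key to a .reg file first so the change can be reverted if needed. The backup directory is an assumption; the registry path is the one given in the article.

```powershell
# Added example (not Hexnode's own code): back up the OMADM registry key, then remove
# the MDMDeviceID key named in the article so a cloned device gets a fresh device ID.
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\MDMDeviceID'
$backupDir = Join-Path $env:ProgramData 'mdm-backup'   # assumption: where to keep the export

# Registry writes under HKLM require elevation; fail early rather than half-way.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

if (-not (Test-Path $keyPath)) {
    Write-Host "$keyPath is not present; nothing to remove."
    return
}

New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$backupFile = Join-Path $backupDir ("OMADM-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))

# reg.exe expects the native key path, without the PowerShell "HKLM:" drive prefix.
& reg.exe export 'HKLM\SOFTWARE\Microsoft\Provisioning\OMADM' $backupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup failed; not removing $keyPath." }

Remove-Item -Path $keyPath -Recurse -Force
Write-Host "Removed $keyPath (backup: $backupFile). Re-run the Hexnode enrollment."
```

Keeping the export means that, if the device turns out not to be a clone after all, the original identifier can be restored by double-clicking the .reg file or running reg.exe import.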

3. Agent removed banner shown even when the device disenrollment is not initiated.

Description:

One of the possible reasons why the device shows the Agent removed banner even when disenrollment is not initiated is:

It can occur if the administrator user account that was logged in while enrolling the device is deleted. Since a device can have more than one administrator account, this occasionally happens when a new administrator account is added and the older one (likely the one used during enrollment) is removed. The device’s MDM communication is lost as a result.

Precautionary measure:

Before deleting an administrator user account from a Windows device, ensure that it’s not the one used for enrollment.
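The precaution above can be turned into a small guard script. The following is an added PowerShell example, not Hexnode’s code: it assumes you record which local account was used for enrollment (passed in as a parameter), refuses to delete that account or the last remaining local administrator, and otherwise removes the account after confirmation.

```powershell
# Added example (not Hexnode's own code): guard around local-account removal that
# implements the article's precaution. $EnrollmentAccount is the local account you
# recorded as the one used to enroll the device (assumption: you track this yourself).
param(
    [Parameter(Mandatory)][string]$AccountToRemove,
    [Parameter(Mandatory)][string]$EnrollmentAccount
)

# Local user members of the Administrators group, with the COMPUTERNAME\ prefix removed.
$admins = Get-LocalGroupMember -Group 'Administrators' |
          Where-Object { $_.ObjectClass -eq 'User' } |
          ForEach-Object { ($_.Name -split '\\')[-1] }

if ($AccountToRemove -ieq $EnrollmentAccount) {
    throw "$AccountToRemove is the account used for MDM enrollment; deleting it would leave the device partially enrolled."
}

$remaining = @($admins | Where-Object { $_ -ine $AccountToRemove })
if ($admins -contains $AccountToRemove -and $remaining.Count -eq 0) {
    throw "Refusing to remove $AccountToRemove: it is the only local administrator on this device."
}

if (-not (Get-LocalUser -Name $AccountToRemove -ErrorAction SilentlyContinue)) {
    throw "Local account $AccountToRemove does not exist on this device."
}

# -Confirm prompts before the deletion actually happens.
Remove-LocalUser -Name $AccountToRemove -Confirm
Write-Host "Removed local account $AccountToRemove. Remaining local administrators: $($remaining -join ', ')"
```

Run it from an elevated session as, for example, .\Remove-LocalAdmin.ps1 -AccountToRemove olderadmin -EnrollmentAccount mdmadmin; the script name is an assumption. The check on the enrollment account is only as good as the record you keep, which is why the article recommends confirming which account enrolled the device before removing any administrator.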

4. “The local account used for enrollment was removed. Most associated policies and actions will not affect the device.” error message is displayed.

Description:

This error message is received when the device user deletes the local administrator account that was used to enroll the endpoint in Hexnode. The MDM profile present on the device gets removed in the process. Most remote actions will continue to work, except for actions executed via CSPs such as Scan Device and Scan Device Location. The absence of the MDM profile also means that most associated policies will no longer take effect on the device, except for the following Restrictions:

  1. Camera
  2. Cortana voice assistant
  3. Use Cortana if device is locked
  4. Location services
  5. Change language
  6. Sync Settings
  7. Cellular data roaming
  8. Show toast notification on lock screen

And certain Advanced Restrictions, like:

  1. USB connection
  2. Allow Region
  3. Search can use user location
  4. Internet Sharing

While it certainly limits the admin’s usage of policies and actions, removing the local account used for enrollment doesn’t mean that the device is disenrolled. Rather, it means that the device gets into a state of partial enrollment.

Solution:

You can opt for either of the two ways to resolve this issue and retrieve the MDM profile:

  1. On the Windows device, navigate to Settings > Accounts > Access work or school. Add the work/school account again by entering the email address of the Hexnode user managing the device and the MDM server URL. Based on the authentication mode selected in the Enrollment Settings page of the Hexnode portal, the device is authenticated, and the MDM profile is retrieved.
  2. The device user can redo the enrollment (via the Open or Authenticated enrollment methods) by downloading the Hexnode installer from the enrollment URL and re-enrolling the device.

Once the MDM profile is retrieved, the configurations that were present before the local account removal will be reinstated.
