Skip to main content
T
tttech
Level 1.6: Donut
September 10, 2025
Solved

Re-enrollment after deprovision

  • September 10, 2025
  • 3 replies
  • 0 views

Hello,

 

I am wondering if there is any way to re-enroll a unit automatically after it's been deprovisioned from the Google Admin console.

 

I believe the answer is no, but I would like to confirm, as this would save time if possible. I would also like to know if the answer is the same for units that used zero-touch enrollment.

 

Thank you!

    Best answer by Lynda

    @tttech Thanks for your question.

     

    Correct, it is not possible to automate enterprise enrollment with a device that is deprovisioned as it is no longer managed. Someone would need to manually enroll it again.

     

    Hope this clarifies things.

     

    Please continue to input and share within the community - it's great to have you aboard.

    3 replies

    Lynda
    LyndaAnswer
    Community Manager
    September 12, 2025

    @tttech Thanks for your question.

     

    Correct, it is not possible to automate enterprise enrollment with a device that is deprovisioned as it is no longer managed. Someone would need to manually enroll it again.

     

    Hope this clarifies things.

     

    Please continue to input and share within the community - it's great to have you aboard.

    T
    tttechAuthor
    Level 1.6: Donut
    September 19, 2025

    Thanks, Lynda

     

    However, I've encountered an issue

     

    Chromebook is enrolled, with forced re-enrollment turned off

    After powerwash, the CB appears like a non-enrolled device as expected (can log in as regular user, no policy, dev mode unblocked)

    In Google admin console, the device still appears as provisioned and can still be locked

     

    Does this mean a device can be bought and appear like a normal device, then suddenly get locked by an old admin, and lock after resetting?

     

    Is there no way to check if a device is still provisioned with FER disabled?

     

    Attached are images of the same device

     

    Lynda
    Lynda
    Community Manager
    September 19, 2025

    Hi @tttech 

     

    It looks like you need  to deprovision the device from the admin console still.  

    After that it will no longer show up in the Admin Console.

     

    Here is a resource outlining this step: https://support.google.com/chrome/a/answer/3523633?hl=en

     

    This is expected behavior. And a further reason that you should force auto re-enrolment for security reasons and always deprovision devices that you no longer want to manage.

     

    We hope this helps,

     

    Lynda

    T
    tttechAuthor
    Level 1.6: Donut
    September 19, 2025

    Thanks @Lynda but I understand that this needs deprovisioned from the console - my concern here is the following:

     

    How does one know that a device or motherboard they purchase is not provisioned to another domain with FRE turned off? A non-enterprise user could be using a device for a long period, need to power wash or recover, then their device could be locked because the former admin still has that ability because they didn't deprovision before selling the device.

     

    Is there no way to determine if your device is still provisioned in someone's admin console?

    N
    nicolas
    Level 1.6: Donut
    September 22, 2025

    Hi @tttech 

     

    From my testing, a device that has forced re-enrolment disabled and has been powerwashed by a user is not enrolled anymore and cannot be manage by an admin (expected behavior as shared by @Lynda ). If the device is not deprovisioned from the Google admin console and the admin decides to disable the device, then the devices would only become disabled if it's re-enrolled in the same domain. So if an admin has disabled force re-enrolment, powerwashed the devices, sold them, but forget to deprovision them from the Google admin console, it should not have any impact on the devices. 

     

    If you don't see any policies on the device, it means it's not managed, hence the admin should not have any remote capabilities on this device, even if it still shows as 'provisioned' in the admin console. 

     

    I've been able to confirm this by testing it to make sure that's how it works. Please let me know if you experienced anything different during your tests. 

     

    I hope this helps. 

      Lynda
      Lynda
      Community Manager
      September 22, 2025

      Thanks @nicolas for the above insights. I also wanted to mention that you can validate whether a device is no longer managed by opening up chrome browser on the device in question and entering "chrome://policy" in the search bar and if you check the "Managed by:" line item under Device policies; it will be blank.

        Terms & ConditionsCookie settingsAccessibility statement