Are the devices being enrolled via ADE or are you manually enrolling them via the URL?
Does your prestage look a bit like this?

You wrote that you used Configurator 2... this allows any device to remove itself for the next 30 days. As Apple wrote:
"If the device is given to a user, they have a 30-day provisional period to release the device from Apple Business Manager, supervision and MDM. This 30-day provisional period begins after the device is successfully assigned to and enrolled in:
Source: https://support.apple.com/en-gb/guide/apple-business-manager/axm200a54d59/web
Should be identical for school manager instances.
Besides that, you have to make sure that the MDM Profile is made Mandatory and that Allow MDM Profile Removal is unchecked.
Basically, when you use Configurator, you needed to get the devices enrolled and then shelve them for 31 days before handing them to a student.
I know it's a pain, but it's there as a personal security protection step. Apple does that so someone can't sneakily take control of a device just by setting up a management profile on it. Although, how often do we go look at VPN & Device Management settings on our devices?
"Apple does that so someone can't sneakily take control of a device just by setting up a management profile on it."
I know it is what it is, but students sneakily being able to remove the MDM makes no sense. If the device has to be physically connected to Apple Configurator, then someone can’t install an MDM. There shouldn’t be a grace period.