Skip to main content
Matrix42 Self-Service Help Center

Tags Guide Part IV: Windows 10, Windows 10 Mobile

Profile

Profiles for each device type are managed independently allowing separate configuration and management of profiles for each device type. When a device is provisioned, it will be provisioned with the profile configuration at the time the device was enrolled. When a profile change is made, new devices will receive the new configuration as well as devices that are currently managed and/or blocked. When any Profiles are changed, ensure the settings are correct as these will be applied immediately to all applicable devices. Please ensure you click on the Save or Save & Close button on the bottom right of the screen to commit your changes before selecting another page.

Exchange Active Sync

Setting Windows 10 Windows 10 Mobile Description
Exchange ActiveSync Settings Enabled or Disabled Enabled or Disabled Enables Profile
Label e.g. Imagoverum Exchange or  e.g. {firstname} e.g. Imagoverum Exchange The Label for the Email Account as it appears on the device.
Server Name e.g. outlook.office365.com  e.g. outlook.office365.com  External Exchange Active Sync address 
Domain e.g. Imagoverum e.g. Imagoverum Internal Domain Suffix for the Exchange Server
Sync Interval
  • Sync on received
  • Manual
  • 15 minutes
  • 30 minutes
  • 60 Minutes 
  • Sync on received
  • Manual
  • 15 minutes
  • 30 minutes
  • 60 Minutes 
E-Mail synchronization interval
Past Days of Mail to Sync
  • Sync on received
  • Manual
  • 15 minutes
  • 30 minutes
  • 60 Minutes 
  • Unlimited
  • Three days
  • One Week
  • Two Weeks
  • One Month
Period of mail to synchronize to the device
Use SSL Enabled or Disabled Enabled or Disabled If the URL for the External Mail Server is protected by an SSL Certificate then use SSL.
Use Custom Username Variable e.g. {CustLdapVar0} or support@imagoverum.com e.g. {CustLdapVar0} or support@imagoverum.com Define a Custom Variable Attribute for the Username for the EAS Profile.
Use Custom Email Variable e.g. {CustLdapVar0} or tim.tober@imagoverum.com e.g. {CustLdapVar0} or tim.tober@imagoverum.com Define a Custom Variable Attribute for the Email Address for the EAS Profile.
Use Custom Password Variable e.g. {UserPassword} or Pa$$w0rd  e.g. {UserPassword} or Pa$$w0rd  Define a Custom Variable Attribute for the Email Password for the EAS Profile.

Email

Setting Windows 10 Windows 10 Mobile Description
Email Settings not available Enabled or Disabled Enables Email Settings
Email Address not available e.g. {UserEmail} or support@imagoverum.com Defines Email Address of the Account
User Display Name not available e.g. {UserName} or Tim Tober Defines  Display Name of the User for this Email Account
Account Description not available e.g. Imagoverum Mail Defines Friendly Name of this Email Account
Account Type not available
  • IMAP
  • POP
Toggles between IMAP and POP Account Types
Domain not available e.g. Imagoverum The Internal Domain Suffix for the Mail Server
Auth Name not available e.g. Username Username used when performing authenticating
Auth Password not available Enable Embed User Password or e.g. Pa$$w0rd Password used when authenticating
Mail Sync Days not available
  • Unlimited
  • One Week
  • Two Weeks
  • One Month
How far from the past mails will be synchronized
Sync Interval not available
  • Manual
  • 15 Minutes
  • 30 Minutes
  • 1 hour
  • 2 hours

 

How often the device check for new mail items.
Incoming Mail
Incoming Mail Server not available e.g. imap-mail.outlook.com or pop-mail.outlook.com Server settings for the Incoming Mail Server
Use SSL not available Enabled or Disabled Enabled the usage of SSL
Outgoing Mail
Outgoing Mail Server not available e.g. imap-mail.outlook.com or pop-mail.outlook.com Server settings for the Outgoing Mail Server
Requires Authentication not available Enabled or Disabled Can be enabled when the outgoing server requires authentication
Use SSL not available Enabled or Disabled Enabled the usage of SSL
Alternative SMTP Settings
Enable Alternative SMTP not available Enabled or Disabled Enables alternative SMPT settings
Domain not available e.g. Imagoverum The Internal Domain Suffix for the Mail Server
Auth Name not available e.g. Username Username used when performing authenticating.
Password not available Enable Embed User Password or e.g. Pa$$w0rd Password used when authenticating

Passcode

Setting Windows 10 Mobile Windows 10 Description
Passcode Settings Enabled or Disabled Enabled or Disabled Enables Passcode Settings
Allow Simple Enabled or Disabled Not available Permit the use of repeating, ascending or descending characters
Allow Convenience Login Not available Enabled or Disabled Allows the usage of picture password as Login method
Complexity
  • Any Complexity
  • Numeric
  • Alpha Numeric
not available Character groups that required to be used in the User’s passcode
Minimum Length 4-18 6-23 The smallest number of passcode characters allowed
Minimum Complex characters 1-4 3 Smallest number of non-alphanumeric characters allowed. If ‘Allow Simple’ is checked, then this configuration is disabled.
Maximum Passcode Age - 1-730 days or none 1-730 or empty Not available How often passcode must be changed
Auto-lock (minutes) e.g. 15 1-1200 Device automatically locks due to inactivity after this time period
Passcode history (1-50 passcodes, or none) 1-50 or empty not available Number of unique passcodes required before reuse
Maximum Failed Attempts e.g. 10 4-16 Number of passcode entry attempts allowed before the device is reset to factory settings

Restrictions

Windows 10 Restrictions

The restrictions are part of the Policy Configuration Service Provider from Microsoft.  

Setting Options
Above Lock Screen
Allow Cortana Above Lock Screen Enabled or Disabled
Allow Toasts Enabled or Disabled
Accounts
Allow User to Add Non-Microsoft Accounts Manually Enabled or Disabled
Allow Microsoft Account for Non Email Related Services Enabled or Disabled
Allow Microsoft Account Sign In Assistant Enabled or Disabled
Application Management
Allow App Store Auto Update Enabled or Disabled
Allow Windows Game Recording and Broadcasting Enabled or Disabled
Allow Shared User AppData Enabled or Disabled
Disable All Apps From Microsoft Store Enabled or Disabled
Allow User Control Over Installs Enabled or Disabled
Allow MSI Always Install With Elevated Privileges Enabled or Disabled
Only Display the Private Store Within the Microsoft Store Enabled or Disabled
Prevent Users` App Data From Being Stored on Non-System Volumes Enabled or Disabled
Disable Installing Windows Apps on Non-System Volumes Enabled or Disabled
Allow All Trusted Apps to Install
  • Not configured (default
  • Explicit deny
  • Explicit allow unlock
Allow Developer Unlock
  • Not configured (default
  • Explicit deny
  • Explicit allow unlock
Audit
Audit Account Lockout
  • Success (Default)
  • Off/None
  • Failure
  • Success+Failure
Audit Group Membership
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit IPsec Extended Mode
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit IPsec Main Mode
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit IPsec Quick Mode
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Logoff
  • Success (Default)
  • Off/None
  • Failure
  • Success+Failure
Audit Logon
  • Success (Default)
  • Off/None
  • Failure
  • Success+Failure
Audit Network Policy Server
  • Success+Failure (Default)
  • Off/None
  • Success
  • Failure
Audit Other Logon Logoff Events
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Special Logon
  • Success (Default)
  • Off/None
  • Failure
  • Success+Failure
Audit User Device Claims
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Credential Validation
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Kerberos Authentication Service
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Kerberos Service Ticket Operations
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Other Account Logon Events
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Application Group Management
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Computer Account Management
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Distribution Group Management
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Other Account Management Events
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Security Group Management
  • Success (Default)
  • Off/None
  • Failure
  • Success+Failure
Audit User Account Management
  • Success (Default)
  • Off/None
  • Failure
  • Success+Failure
Audit Detailed Directory Service Replication
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Directory Service Access
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Directory Service Changes
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Directory Service Replication
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit DPAPI Activity
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit PNP Activity
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Process Creation
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Process Termination
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit RPC Events
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Token Right Adjusted
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Application Generated
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Central Access Policy Staging
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Certification Services
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Detailed File Share
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit File Share
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit File System
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Filtering Platform Connection
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Filtering Platform Packet Drop
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Handle Manipulation
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Kernel Object
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Other Object Access Events
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Registry
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit SAM
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Authentication Policy Change
  • Success (Default)
  • Off/None
  • Failure
  • Success+Failure
Audit Authorization Policy Change
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Filtering Platform Policy Change
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit MPSSVC Rule Level Policy Change
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Other Policy Change Events
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Policy Change
  • Success (Default)
  • Off/None
  • Failure
  • Success+Failure
Audit Non Sensitive Privilege Use
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Other Privilege Use Events
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Sensitive Privilege Use
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit IPsec Driver
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Other System Events
  • Success+Failure (Default)
  • Off/None
  • Success
  • Failure
Audit Security State Change
  • Success (Default)
  • Off/None
  • Failure
  • Success+Failure
Audit Security System Extension
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit System Integrity
  • Success+Failure (Default)
  • Off/None
  • Success
  • Failure
Authentication
Allow Azure AD Password Reset Enabled or Disabled
Allow EAP Cert SSO Enabled or Disabled
Allow Fast Reconnect Enabled or Disabled
Allow Companion Device for Secondary Authentication Enabled or Disabled
Allow Enable Fast First Sign In
  • None (Default)
  • Enabled
  • Disabled
Allow Enable Web Sign In
  • None (Default)
  • Enabled
  • Disabled
BITS
Set Default Download Behavior for Background Jobs on Costed Networks
  • Always transfer (Default)
  • Transfer unless roaming
  • Transfer unless surcharge applies
  • Transfer unless nearing limit
  • Transfer only if unconstrained 
Set Default Download Behavior for Foreground Jobs on Costed Networks
  • Always transfer (Default)
  • Transfer unless roaming
  • Transfer unless surcharge applies
  • Transfer unless nearing limit
  • Transfer only if unconstrained 
Bluetooth
Allow Advertising Enabled or Disabled
Allow Discoverable Mode Enabled or Disabled
Allow Prepairing Enabled or Disabled
Allow Prompted Proximal Connections Enabled or Disabled
Browser
Allow Address bar drop-down list suggestions Enabled or Disabled
Allow Browser Enabled or Disabled
Allow Configuration Updates for the Books Library Enabled or Disabled
Allow Developer Tools Enabled or Disabled
Allow Extensions Enabled or Disabled
Allow Adobe Flash Enabled or Disabled
Configure the Adobe Flash Click-to-Run Setting Enabled or Disabled
Allow FullScreen Mode Enabled or Disabled
Allow InPrivate Browsing Enabled or Disabled
Allow Microsoft Compatibility List Enabled or Disabled
Allow Microsoft Edge to Pre-Launch at Windows Startup Enabled or Disabled
Allow Printing Enabled or Disabled
Allow Saving History Enabled or Disabled
Allow Search Engine Customization Enabled or Disabled
Allow Sideloading of Extensions Enabled or Disabled
Allow Microsoft Edge to Start and Load the Start and New Tab Pages Enabled or Disabled
Allow Always Show the Books Library in Microsoft Edge Enabled or Disabled
Allow Clearing Browsing Data on Exit Enabled or Disabled
Configure Additional Search Engines Enabled or Disabled
Configure Kiosk Mode Enabled or Disabled
Disable Lockdown of Start Pages Enabled or Disabled
Allow Extended Telemetry for the Books Tab Enabled or Disabled
Configure the Enterprise Mode Site List Enabled or Disabled
Prevent Changes to Favorites on Microsoft Edge Enabled or Disabled
Prevent Access to the about:flags Page in Microsoft Edge Enabled or Disabled
Prevent Certificate Error Overrides Enabled or Disabled
Prevent the First Run Webpage From opening on Microsoft Edge Enabled or Disabled
Prevent Microsoft Edge From Gathering Live Tile Information Enabled or Disabled
Prevent Bypassing Windows Defender SmartScreen Prompts for Sites Enabled or Disabled
Prevent Bypassing Windows Defender SmartScreen Prompts for Files Enabled or Disabled
Prevent Using Localhost IP Address for WebRTC Enabled or Disabled
Send All Intranet Sites to IE 11 Enabled or Disabled
Allow Keep Favorites in Sync Between IE and Microsoft Edge Enabled or Disabled
Allow Unlock Home Button Enabled or Disabled
Allow a Shared Books Folder Enabled or Disabled
Configure Autofill
  • Allowed (Default)
  • Not allowed
Configure Favorites Bar
  • Hide bar (Default)
  • Show bar
Configure Home Button
  • Show home button and load the Start page (Default)
  • Show home button and load the New Tab page
  • Show home button and load the URL page
  • Hide home button
Configure Open Microsoft Edge With
  • Load specific page (Default)
  • Load start page
  • Load new page
  • Load previous pages
Configure Collection of Browsing Data for Microsoft 365 Analytics
  • No data (Default)
  • Send intranet
  • Send internet
  • Send both
Configure Do Not Track
  • Never send (Default)
  • Send
Configure Password Manager
  • Allowed (Default)
  • Not allowed
Configure Search Suggestions in Address Bar
  • Allowed (Default)
  • Not allowed
Set Default Search Engine
  • Specified for the Market (Default)
  • Specified for OpenSearchXML file
Show message when opening sites in IE
  • No additional message displayed (Default)
  • Show an additional message stating that a site has opened in IE11
  • Show an additional message with a "Keep going in Microsoft Edge" link
Configure Windows Defender SmartScreen
  • Turned on (Default)
  • Turned off
Allow Web Content on New Tab Page
  • Load new page (Default)
  • Load blank page
Configure Cookies
  • Allow all (Default)
  • Block all 
  • Block only
Configure Pop-up Blocker
  • Turn off blocker (Default)
  • Turn on blocker
Camera
Allow Camera Enabled or Disabled
Cellular
Let Apps Access Cellular Data
  • User is in control (Default)
  • Force allow
  • Force deny
Connectivity
Allow Bluetooth Enabled or Disabled
Allow Connected Devices Enabled or Disabled
Allow Phone PC Linking Enabled or Disabled
Allow VPN Over Cellular Enabled or Disabled
Allow VPN Roaming Over Cellular Enabled or Disabled
Allow Cellular Data
  • Allow (Default)
  • Not allow
  • Allow but user cannot turn it off
Allow Cellular Data Roaming
  • Allow (Default)
  • Not allow
  • Allow but user cannot turn it off
Control Policy Conflict
MDM Policy Is Used and the GP Policy Is Blocked Enabled or Disabled
Credential Providers
Disable the Visibility of the Credentials for Autopilot Reset Enabled or Disabled
Cryptography
Allow Fips Algorithm Policy Enabled or Disabled
Data Protection
Allow Direct Memory Access Enabled or Disabled
Delivery Optimization
Enable Peer Caching While the Device Connects Via VPN Enabled or Disabled
Absolute Max Cache Size (in GB) e.g. 10
Delay Background Download From Http (in secs) e.g. 0
Delay Background Download Cache Server Fallback (in secs) e.g. 0
Delay Foreground download Cache Server Fallback (in secs) e.g. 0
Delay Foreground Download From Http (in secs) e.g. 0
Download Mode
  • HTTP blended with peering behind the same NAT (Default)
  • HTTP only
  • The HTTP blended with peering across a private group 
  • HTTP blended  with Internet peering
  • Simple download mode with no peering
  • Bypass mode
Select the Source of Group IDs
  • None (Default)
  • AD Site
  • Authenticated domain SID
  • DHCP user option
  • DNS suffix
Max Cache Age (in secs) e.g. 2592000
Max Cache Size (percentage) e.g. 20
Max Download Bandwidth (in KB/s) e.g. 0
Max Upload Bandwidth (in KB/s) e.g. 0
Min Background QoS (in KB/s) e.g. 500
Allow Uploads While the Device Is on Battery (percentage) e.g. 0
Min Disk Size Allowed to Use Peer Caching (in GB) e.g. 32
Min Peer Caching Content File Size (in MB) e.g. 100
Min RAM Capacity Required to Enable Use of Peer Caching (in GB) e.g. 4
Monthly Upload Data Cap (in GB) e.g. 20
Max Background Download Bandwidth (percentage) e.g. 0
Max Foreground Download Bandwidth (percentage) e.g. 0
Select a Method to Restrict Peer Selection
  • None (Default)
  • Subnet Mask
Device Guard
Configure the Launch of System Guard
  • Unmanaged (Default) 
  • Enables Secure Launch 
  • Disables Secure Launch
Turn On Virtualization Based Security
  • Disable (Default) 
  • Enable 
Turn On Credential Guard With Virtualization-Based Security
  • Disabled (Default) 
  • Enabled with lock
  • Enabled without lock
Configure Platform Security Features
  • Turn on VBS with Secure Boot (Default)
  • Turn on VBS with Secure Boot and DMA 
Device Health Monitoring
Allow Device Health Monitoring Enabled or Disabled
Device Lock
Enabled Device Password Enabled or Disabled
Allow Simple Device Password Enabled or Disabled
Alphanumeric Device Password Required
  • Password/Numeric/Alphanumeric PIN required (Default)
  • Password/Alphanumeric PIN required
  • Password/Numeric PIN required
Device Password Expiration (in days) e.g. 0
Device Password History e.g. 0
Max Device Password Failed Attempts e.g. 0
Max Inactivity Time Device Lock e.g. 0
Min Device Password Complex Characters
  • Digits only (Default)
  • Digits/lowercase letters
  • Digits/lowercase/uppercase letters
Min Device Password Length e.g. 4
Min Password Age (in days) e.g. 1
Display
Configure Per-Process System DPI Settings Enabled or Disabled
DMI Guard
Enumeration Policy for External Devices Incompatible With Kernel DMA Protection
  • Only after log in/screen unlock (Default)
  • Block All
  • Show All
Experience
Allow Cortana Enabled or Disabled
Allow Manual MDM Unenrollment Enabled or Disabled
Allow Sync My Settings Enabled or Disabled
Security
Allow Add Provisioning Package Enabled or Disabled
Allow Remove Provisioning Package Enabled or Disabled
Prevent Automatic Device Encryption For Azure AD Joined Devices Enabled or Disabled
Require Device Encryption Enabled or Disabled
Require Provisioning Package Signature Enabled or Disabled
Require Retrieve Health Certificate On Boot Enabled or Disabled
Configure The System To Clear The TPM If It Is Not In a Ready State
  • Will not force recovery from TPM (default)
  • Will prompt to clear TPM
Configure Windows Passwords
  • Default (Default)
  • Disallow Passwords
  • Allow Passwords
Recovery Environment Authentication
  • Default (Default)
  • Require Authentication
  • No Required Authentication
Allow Remove Provisioning Package
Settings
Allow Auto Play Enabled or Disabled
Allow Data Sense Enabled or Disabled
Allow Date Time Enabled or Disabled
Allow Language Enabled or Disabled
Allow Online Tips Enabled or Disabled
Allow Power Sleep Enabled or Disabled
Allow Region Enabled or Disabled
Allow Sign In Options Enabled or Disabled
Allow VPN Enabled or Disabled
Allow Workplace Enabled or Disabled
Allow Your Account Enabled or Disabled
Show additional Calendar
  • Allowed (Default)
  • Don't show additional calendars
  • Simplified Chinese (Lunar)
  • Traditional Chinese (Lunar)
WiFi
Allow Auto Connect to WiFi Sense Hotspots Enabled or Disabled
Allow Manual WiFi Configuration Enabled or Disabled
Allow WiFi Enabled or Disabled
Allow WiFi Direct Enabled or Disabled
WLAN Scan Mode From 0 to 500

Windows 10 Mobile Restrictions 

Setting Windows 10 Mobile
Allow App Store Enabled or Disabled
Allow Camera Enabled or Disabled
Allow WiFi Enabled or Disabled
Allow Bluetooth Enabled or Disabled
Allow Storage Card Enabled or Disabled
Force Storage Encryption Enabled or Disabled
Allow Browser Enabled or Disabled
Allow NFC Enabled or Disabled
Allow Internet Sharing Enabled or Disabled
Allow Auto Connect to WiFi Sense Hotspots Enabled or Disabled
Allow WiFi HotSpot Reporting Enabled or Disabled
Allow Manual WiFi Configuration Enabled or Disabled
Allow VPN Over Cellular Connection Enabled or Disabled
Allow VPN Roaming Over Cellular Connection Enabled or Disabled
Allow the Device to Send Telemetry Information Enabled or Disabled
Allow Microsoft Account for Non Email Related Services Enabled or Disabled
Allow User to Add Non-Microsoft Accounts manually Enabled or Disabled
Allow Manual Root and CA Certificate Installation Enabled or Disabled
Allow Developer Unlock Enabled or Disabled
Allow Location Service Enabled or Disabled
Allow USB Connection Enabled or Disabled
Allow Cellular Data Roaming Enabled or Disabled
Allow Search to Use Location Enabled or Disabled
Force Strict Safe Search Results Enabled or Disabled
Allow Storing Images From Vision Search Enabled or Disabled
Allow Save As Of Office Files Enabled or Disabled
Allow Action Center Notifications Enabled or Disabled
Allow Sync My Settings Enabled or Disabled
Allow User to Reset Phone Enabled or Disabled
Allow Manual MDM Unenrollment Enabled or Disabled
Allow Screen Capture Enabled or Disabled
Allow Cortana Enabled or Disabled
Allow Sharing Of Office Files Enabled or Disabled
Allow Copy Paste Enabled or Disabled
Allow Voice Recording Enabled or Disabled

Virtual Private Network

The VPN section is for convenience divided into Windows 10 and Windows 10 Mobile. 

Windows 10  

Setting Values
VPN Provider Windows (built-in)
Connection Name

e.g. Imagoverum VPN

Server name or address e.g vpn.imagoverum.com
VPN Type
  • Automatic
  • Point to Point Tunneling Protocol (PPTP)
  • L2TP/IPsec with certificate
  • L2TP/Ipsec with pre-shared key
  • Secure Socket Tunneling Protocol (SSTP)
  • IKEv2
Pre-Shared Key: e.g. Pa$$w0rd

Windows 10 Mobile

General VPN settings for Windows 10 Mobile

Setting Values Description
VPN Settings Enabled or Disabled Enables and Disables VPN for the Tag
VPN Type
  • Juniper Junos Pulse
  • F5 Big-IP Edge Client
  • Checkpoint Mobile VPN
  • IKE v2
Determines which VPN client will be used.
Profile Name e.g. Imagoverum VPN Name of the VPN Profile visible to the user on the device
Server Address e.g. vpn.imagoverum.com Network Address of the VPN Service
Primary DNS Suffix e.g.  imagoverum.com Primary DNS Suffix for connection
Juniper Junos Pulse
Setting Values Description
Authentication EAP Limited to EAP
Use Custom EAP Thumbprint Enabled or Disabled Allows the definition of a custom EAP thumbprint
Enable Proxy Enabled or Disabled Enable or disable a proxy for the VPN
Bypass Proxy for local addresses Enabled or Disabled If enabled, the device will not use the proxy for addresses local to the device’s network
Proxy Server e.g. proxy.imagoverum.com Address of the proxy server
Proxy Port e.g. 8080 The port the proxy server is listening on
Network Allowed List e.g. 172.16.0.0/16 CIDR ranges of IP Addresses that will be protected by the VPN connection.
Namespace Allowed List  e.g. *imagoverum.com The list of domain zones protected by the VPN connection.
Dns Suffix Search List e.g imagoverum.com The list of DNS suffixes to try for non-qualified server name resolution. Wild cards * are not accepted
F5 Big-IP Edge Client
Setting Values Description
Prompt for credentials Enabled or Disabled Enables the prompt for credentials
Authentication EAP Limited to EAP
Use Custom EAP Thumbprint Enabled or Disabled Allows the definition of a custom EAP thumbprint
Enable Proxy Enabled or Disabled Enable or disable a proxy for the VPN
Bypass Proxy for local addresses Enabled or Disabled If enabled, the device will not use the proxy for addresses local to the device’s network
Proxy Server e.g. proxy.imagoverum.com Address of the proxy server
Application Select Select applications from the drop down list
Proxy Port e.g. 8080 The port the proxy server is listening on
Network Allowed List e.g. 172.16.0.0/16 CIDR ranges of IP Addresses that will be protected by the VPN connection.
Namespace Allowed List  e.g. *imagoverum.com The list of domain zones protected by the VPN connection.
Checkpoint Mobile VPN
Setting Values Description
Authentication EAP Limited to EAP
Use Custom EAP Thumbprint Enabled or Disabled Allows the definition of a custom EAP thumbprint
Enable Proxy Enabled or Disabled Enable or disable a proxy for the VPN
Bypass Proxy for local addresses Enabled or Disabled If enabled, the device will not use the proxy for addresses local to the device’s network
Proxy Server e.g. proxy.imagoverum.com Address of the proxy server
Proxy Port e.g. 8080 The port the proxy server is listening on
Network Allowed List e.g. 172.16.0.0/16 CIDR ranges of IP Addresses that will be protected by the VPN connection.
Namespace Allowed List  e.g. *imagoverum.com The list of domain zones protected by the VPN connection.
Dns Suffix Search List e.g imagoverum.com The list of DNS suffixes to try for non-qualified server name resolution. Wild cards * are not accepted
IKE v2
Setting Values Description
Enable Proxy Enabled or Disabled Enable or disable a proxy for the VPN
Bypass Proxy for local addresses Enabled or Disabled If enabled, the device will not use the proxy for addresses local to the device’s network
Proxy Server e.g. proxy.imagoverum.com Address of the proxy server
Proxy Port e.g. 8080 The port the proxy server is listening on
Network Allowed List e.g. 172.16.0.0/16 CIDR ranges of IP Addresses that will be protected by the VPN connection.
Namespace Allowed List  e.g. *imagoverum.com The list of domain zones protected by the VPN connection.
Dns Suffix Search List e.g imagoverum.com The list of DNS suffixes to try for non-qualified server name resolution. Wild cards * are not accepted

Private APN

If you have a Private Access Point Name (APN) for your SIM Cards, then Silverback has the ability to configure this for you on the managed devices.

Setting Windows 10 Windows 10 Mobile Description
Private APN Settings not available Enabled or Disabled Enables the Private APN Feature on Selected Devices.
Name not available e.g. VFD2 Web The name of the carrier access point
Username not available e.g. User The username to connect to the access point
Password not available e.g. Pa$$w0rd The password to connect to the access point
Server not available e.g web.vodafone.com The fully qualified address of the proxy server
Type not available
  • IPv4v6
  • IPv4v6xlat
  • IPv6
  • IPv4
APN Type
Auth Type not available
  • None
  • PAP
  • CHAP
  • MSCHAPv2
  • Auto
APN Auth Type

Wi-Fi 

Silverback has the ability to pre-populate multiple Wi-Fi settings on your devices, so the user does not need to know the password for these networks themselves.

  • Click New WiFi profile
Setting Windows 10 Windows 10 Mobile Description
Wi-Fi Settings Enabled or Disabled Enabled or Disabled Enables the sending of Wi-Fi settings
SSID e.g. Corporate Wi-Fi e.g. Corporate Wi-Fi Service Set Identifier of the wireless network
Security Type
  • None
  • WEP
  • WPA 2
  • WPA 2 Enterprise
  • WPA 2
  • WPA 2 Enterprise
Defines the used Wireless network security
Encryption Type
  • AES
  • TKIP
  • AES
  • TKIP
Defines the used Wireless network encryption
Hidden Network Enabled or Disabled Enabled or Disabled Enable if the target network is not open or hidden
Automatically Join Enabled or Disabled Enabled or Disabled The device will automatically join the Wi-Fi network
Password e.g. Pa$$w0rd e.g. Pa$$w0rd Password for authenticating to the wireless network
Specify Trust (WPA 2 Enterprise only)
Use issuing CA Thumbprint Enabled or Disabled Enabled or Disabled  
Specify intermediate Trust
  • Upload Root Certificate
  • Upload Intermediate Certificates
  • Remove Intermediate Certificates
  • Upload Root Certificate
  • Upload Intermediate Certificates
  • Remove Intermediate Certificates
 
Proxy (Windows 10 Mobile only)
Proxy PAC Url not available e.g. http://proxy.imagoverum.de/proxy.pac Defines the URL where the PAC file is located
Enabled Proxy not available Enabled or Disabled Defines the usage of proxy
Server not available e.g. 192.168.0.254 Defines the proxy server
Port not available e.g. 8080 Defines the used proxy port

Wallpaper

Wallpaper for Lock Screen and Home Screen are available for Windows 10 Enterprise Devices. After applied settings the devices needs a reboot before Wallpaper setting will take effect. Supported file types are *.jpg, *.jpeg and *.png

Setting Windows 10 Windows 10 Mobile Description
Lock Screen URL enabled Enabled or Disabled not available Enables the wallpaper for Lock Screen
Lock Screen URL e.g. https://imagoverum.com/Lockscreen.png not available Defines the URL where the wallpaper file is located
Home Screen URL enabled Enabled or Disabled not available Enables the wallpaper for Home Screen
Home Screen URL e.g. https://imagoverum.com/Wallpaper.png not available Defines the URL where the wallpaper file is located

BitLocker

BitLocker Drive Encryption is an built-in solution on Windows 10 for data protection that addresses the threats of data thefts. BitLocker provides it's best protection when using it in combination with a Trusted Platform Module (TPM) version 1.2. or later. The Trusted Platform Mobile is a hardware component included in many of newer computers. In combination with BitLocker it helps to protect user data and ensures that a customer has not been manipulated while the system was offline.  In a nutshell BitLocker will encrypt the Windows operating system drive.  Available for Windows 10 Pro (from version 1809), Enterprise and Education (from version 1703) 

Setting Windows 10  Windows 10 Mobile Description
BitLocker Settings Enabled or Disabled not available Enables the BitLocker Settings.
BitLocker base settings  

Enabled or Disabled not available Allows to require encryption to be turned on by using BitLocker.

Enabled or Disabled not available Allows to disable the warning prompt for other disk encryption on the user machines. Starting in Windows 10, version 1803, the setting can only be disabled for Azure Active Directory joined devices. 

When you disable the warning prompt, the OS drive's recovery key will back up to the user's Azure Active Directory account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key.

The endpoint for a fixed data drive's backup is chosen in the following order:

  1. The user's Windows Server Active Directory Domain Services account.
  2. The user's Azure Active Directory account.
  3. The user's personal OneDrive (MDM/MAM only).

Encryption will wait until one of these three locations backs up successfully.

Enabled or Disabled not available Allows users without Administrative rights to enable BitLocker encryption on the device. This setting applies to Azure Active Directory Joined devices. 

  • Not configured
  • On
  • Off
not available Allows to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. If you disable or do not configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script.

  • AES-CBC 128
  • AES-CBC 256
  • XTS-AES 128 (recommended)
  • XTS-AES 256 (recommended)
not available This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.

  • AES-CBC 128
  • AES-CBC 256
  • XTS-AES 128 (recommended)
  • XTS-AES 256 (recommended)
not available This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.

  • AES-CBC 128 (recommended)
  • AES-CBC 256 (recommended)
  • XTS-AES 128
  • XTS-AES 256
not available This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.
BitLocker OS drive settings  

  • Not configured
  • On
  • Off
not available This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a TPM. This setting is applied when you turn on BitLocker.

Enabled or Disabled not available Block the use of BitLocker on computers without a compatible Trusted Platform Module. Requires a password for a startup key on a USB flash drive. 

  • Allow
  • Do not allow
  • Required
not available Configure if TPM is allowed, required or not allowed for startup

  • Allow
  • Do not allow
  • Required
not available Configure if a TPM startup key is allowed, required or not allowed for startup

  • Allow
  • Do not allow
  • Required
not available Configure if a TPM startup PIN is allowed, required or not allowed for startup

  • Allow
  • Do not allow
  • Required
not available Configure if a TPM Startup key and PIN is allowed, required or not allowed for startup.

  • Not configured
  • On
  • Off
not available This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker.

e.g. 20 not available The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.

  • Not configured
  • On
  • Off
not available This setting allows to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when turning on BitLocker.

Enabled or Disabled not available Specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.

  • Allow 48-digit recovery password
  • Do not allow 48-digit recovery password
  • Require 48-digit recovery password
not available Set whether users are allowed, required, or not allowed to generate a 48-digit recovery password

  • Allow 256-bit recovery key
  • Do not allow 256-bit recovery key
  • Require 256-bit recovery key
not available Set whether users are allowed, required, or not allowed to generate a 256-bit recovery key.

Enabled or Disabled not available Prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that a user will not be able to specify which recovery option to use when turning on BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy.

Enabled or Disabled not available Enable BitLocker recovery information to be stored in AD DS

  • Backup recovery password and key package
  • Backup recovery password only
not available Choose which BitLocker recovery information to store in AD DS for fixed data drives. If Backup recovery password and key package selected, both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If Backup recovery password only selected only the recovery password is stored in AD DS.

Enabled or Disabled not available Prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. In this case a recovery password is automatically generated.

  • Not configured
  • On
  • Off
not available This setting allows to configure the entire recovery message or replace the existing URL that is displayed on the pre-boot key recovery screen when the OS drive is locked.

  • Use empty recovery key message and URL
  • Use default recovery key message and URL
  • Use custom recovery message
  • Use custom recovery URL

 

not available

Use default recovery message and URL:  The default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "to Use default recovery message and URL.

Use custom recovery message. The message you set will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message.

Use custom recovery URL: The URL you type in will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen.

BitLocker fixed data-drive settings 

  • Not configured
  • On
  • Off
not available

This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.

If this setting is enabled, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.

  • Not configured
  • On
  • Off
not available This setting allows to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when turning on BitLocker.

Enabled or Disabled not available Specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.

  • Allow 48-digit recovery password
  • Do not allow 48-digit recovery password
  • Require 48-digit recovery password
not available Set whether users are allowed, required, or not allowed to generate a 48-digit recovery password

  • Allow 256-bit recovery key
  • Do not allow 256-bit recovery key
  • Require 256-bit recovery key
not available Set whether users are allowed, required, or not allowed to generate a 256-bit recovery key.

Enabled or Disabled not available Prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that a user will not be able to specify which recovery option to use when turning on BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy.

  • Backup recovery password and key package
  • Backup recovery password only
not available Choose which BitLocker recovery information to store in AD DS for fixed data drives. If the Backup recovery password and key package are selected, both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If Backup recovery password only is selected, only the recovery password is stored in AD DS.

Enabled or Disabled not available Prevent users from enabling BitLocker unless the computer successfully backs up the BitLocker recovery information to Azure Active Directory. Selecting Enanled will ensure the recovery keys are successfully stored in Azure Active Directory before enabling encryption. By selecting disabled, a device may become encrypted without recovery information stored in Azure Active Directory
BitLocker removable data-drive settings  

  • Not configured
  • On
  • Off
not available Determine whether BitLocker protection is required for removable data-drives to be writable on a computer

Enabled or Disabled not available Determine if removable data-drives configured by an external organization can be written to

Windows Hello

Windows Hello is a biometric framework built into Windows 10 that uses facial recognition, fingerprint identification, or iris scans as login methods.  Windows Hello is closely related to Microsoft Passport, which is responsible for the underlying encryption and authentication mechanism and helps to secure the communications and identities. 

Setting Windows 10 Windows 10 Mobile Description
Windows Hello Settings Enabled or Disabled not available Activates Windows Hello Settings
Require Security Device Enabled or Disabled not available Defines if a Trusted Platform Module (TPM) is required. If it is set to Disabled it will use the preferred mode. Devices attempt to use a TPM, but if not available will provision using software 
Minimum PIN Length 4-127 not available Defines the Minimum PIN length 
Maximum PIN Length 8-127 not available Defines the Maximum PIN length
Upper Case Letters Allow, Require or Not allow  not available Define if Upper Case Letters are allowed, mandatory or prohibited
Lower Case Letters Allow, Require or Not allow  not available Define if Lower Case Letters are allowed, mandatory or prohibited
Special Characters Allow, Require or Not allow  not available Define if Special Characters are allowed, mandatory or prohibited
Digits Allow, Require or Not allow  not available Define if Digits are allowed, mandatory or prohibited
History 0-50 not available Defines, how many previous PINs can't be used. Default Value is 0, which means History is not activated 
Expiration 0-730  not available Defines the timeframe, when users will be forced to change the PIN. If set to 0, the PIN will never expire
Use Remote Passport Enabled or Disabled not available Windows Hello provides the ability for portable, registered device to be usable as a companion device for desktop authentication
Use Biometrics Enabled or Disabled not available Enable or disable the use of biometric gestures, such as facial recognition, fingerprint identification, or iris scan

Certificate Trusts

For Windows 10 and Windows 10 Mobile devices, arbitrary certificate trusts can be defined. These certificates will be deployed to the root or intermediate trust stores on the devices.

Setting Windows 10 Windows 10 Mobile Description
Certificate Settings   Enabled or Disabled Enabled or Disabled Enables Certificate Settings in this Tag
Add Root Certificate Choose File Choose File Select and Upload Root Certificate
Certificate Password e.g. Pa$$w0rd e.g. Pa$$w0rd Defines Password for Root Certificate
Root Certificates e.g. CN=Imagoverum Root, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE e.g. CN=Imagoverum Root, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE Displays uploaded certificates details
Add Root Certificate Choose File Choose File Select and Upload Root Certificate
Certificate Password e.g. Pa$$w0rd e.g. Pa$$w0rd Defines Password for Root Certificate
Intermediate Certificates e.g. CN=Imagoverum Intermediate, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE e.g. CN=Imagoverum Intermediate, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE Displays uploaded certificates details

Certificate

In this section you can distribute certificates to Windows 10 and Windows 10 Mobile devices. Depending on your configured Certificate Deployment Method you will see different views and settings. 

Enterprise Certificate

Setting Windows 10 Windows 10 Mobile Description
Certificate Settings   Enabled or Disabled Enabled or Disabled Enables Certificate Settings in this Tag
New Certificate Choose File Choose File Use the Button to Upload your Enterprise Certificate
Certificate Password e.g. Pa$$w0rd e.g. Pa$$w0rd Enter here the certificate password

Individual Client

Setting Windows 10 Windows 10 Mobile Description
Certificate Settings   Enabled or Disabled Enabled or Disabled Enables Certificate Settings in this Tag
Template Name e.g. Silverback User e.g. Silverback User Defines the Template created on the Certification Authority. Please Refer to: Certification Authority Integration  Guide for Certificate Based Authentication
Use Custom Subject Name Variable e.g. u_{firstname}.{lastname} e.g. u_{firstname}.{lastname} Defines a custom subject name (Issued to) for requested certificates .  Please refer to: Certification Authority Integration  Guide for Certificate Based Authentication
Use Custom UPN SAN Variable e.g. {UserName} e.g. {UserName} Defines a custom UPN SAN Variable (Principal Name) for requested certificates. Please Refer to: Certification Authority Integration  Guide for Certificate Based Authentication
Use Custom RFC 822 SAN Variable e.g. {SerialNumber}  e.g. {SerialNumber}  Defines a custom RFC822 Subject Alternative name. Please refer to: Certification Authority Integration  Guide for Certificate Based Authentication

Windows Update

With the configuration of Windows 10 you will gain control over how and when updates will be installed and which servicing channel will be used.

Setting Windows 10 Windows 10 Mobile Description
Windows Update Policy Settings Enabled or Disabled not available Enables the Windows Update Settings.

 

  • Notify the user before downloading the update
  • Auto install the update and then notify the user to schedule a device restart
  • Auto install and restart (default)
  • Auto install and restart at a specified time
  • Auto install and restart without end-user control
  • Turn off automatic updates
not available

Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.

Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart.

Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart.

Auto install and restart at a specified time. Specify  the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.

Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only.

Turn off automatic updates.

 

  • Windows Insider build - Fast
  • Windows Insider build - Slow
  • Release Windows Insider Build
  • Semi-annual Channel (default)
  • Semi-annual Channel (only applicable to releases prior to 1903)

 

not available Allows to set which branch a device receives their updates from. Requires Windows 10 Version 1607.

 

e.g. 15 not available Defers Quality Updates for the specified number of days. Supported Values are 0-365. Requires Windows 10 Version 1607.

 

e.g. 90 not available Defers Feature Updates for the specified number of days. Supported Values are 0-365. Requires Windows 10 Version 1703.

 

2-60 days not available Enables to configure feature update uninstall period. Values range 2 - 60 days. Default is 10 days. Requires Windows 10 Version 1803.

 

  • Every day (default)
  • Sunday
  • Monday
  • Tuesday
  • Wednesday
  • Thursday
  • Friday
  • Saturday
not available Option to schedule the day of the update installation.

 

e.g. 08 AM not available

Allows, when used with Active Hours End to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. Requires Windows 10 Version 1607.

The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. Please refer to Active Hours Max Range 

 

e.g. 05 PM not available Added in Windows 10, version 1607. Allows, when used with Active Hours Start to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. Requires Windows 10 Version 1607.

 

e.g.  12 not available

Allows to specify the period for auto-restart warning reminder notifications. Supported values are 2, 4, 8, 12, or 24 (hours). The default value is 4 (hours). Requires Windows 10 Version 1703.

 

e.g. 60 not available

Allows  to specify the period for auto-restart imminent warning notifications. The default value is 15 (minutes). Supported values are 15, 30, or 60 (minutes). Requires Windows 10 Version 1703.

 

  • Use the default Windows Update notifications (default)
  • Turn off all notifications, excluding restart warnings
  • Turn off all notifications, including restart warnings
not available Display options for update notifications. This policy allows to define what Windows Update notifications users see. This policy doesn't control how and when updates are downloaded and installed.

 

e.g. 90 not available

Allows to specify the number of days a user has before feature updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.

Supported Values are 2 - 30 (Default = 7), which indicates the number of days a device will wait until performing an aggressive installation of a required feature update. 

Requires Windows 10 Version 1903.

 

e.g. 5 not available

Allows to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.

Supports values  from 2 - 30 (Default =7), which indicates the number of days a device will wait until performing an aggressive installation of a required quality update. 

Requires Windows 10 Version 1903.

 

e.g. 1 not available

Allows, when used with Deadline for feature updates or Deadline for quality updates to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies.

Supports a numeric value from 0 - 7 (Default =2), which indicates the minimum number of days a device will wait until performing an aggressive installation of a required update once the deadline has been reached.

Requires Windows 10 Version 1903.

 

Enabled or Disabled not available

Option to download updates automatically over metered connections (off by default). 

A significant number of devices primarily use cellular data and do not have Wi-Fi access, which leads to a lower number of devices getting updates. Since a large number of devices have large data plans or unlimited data, this policy can unblock devices from getting updates.

This policy is accessible through the Update setting in the user interface or Group Policy. 

Requires Windows 10 Version 1709.

 

Enabled or Disabled not available

Allows to exclude Windows Update (WU) drivers during updates. 

Requires Windows 10 Version 1607.

Enabled or Disabled not available

If enabled and when used with Deadline for feature or quality updates, devices will not automatically restart outside of active hours until the deadline is reached, even if applicable updates are already installed and pending a restart.

When disabled, if the device has installed the required updates and is outside of active hours, it may attempt an automatic restart before the deadline. 

Requires Windows 10 Version 1903.

Target release version e.g. 1903 not available

Allows to specify which version devices should be migrated to and/or which version they should keep until they reach the end of service or the policy is reconfigured. 

Requires Windows 10 Version 1803

Update service url e.g. http://wsus.imagoverum.com:8530 not available Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.
Update service url alternate e.g. http://alternate.imagoverum.com:8530 not available

Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.

Requires Windows 10 Version 1607

Allow non-Microsoft signed updates Enabled or Disabled not available This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location
Disable dual scan Enabled or Disabled not available Do not allow update deferral policies to cause scans against Windows Update. If this policy is not enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows update. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like.
Allow MU update service Enabled or Disabled not available Allows to manage whether to scan for app updates from Microsoft Update.
Update Power Policy for Cart Restarts Enabled or Disabled not available

For devices in a cart, this policy skips all restart checks to ensure that the reboot will happen at Scheduled Install Time When you set this policy along with Active hours start, Active hours end and ShareCartPC, it will defer all the update processes (scan, download, install, and reboot) to a time after Active Hours. After a buffer period after Active hours end, the device will wake up several times to complete the processes. All processes are blocked before Active hours start.

Requires Windows 10 Version 1703

Defender Firewall

The Firewall configuration allows to control the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device. You can manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. The Firewall configuration is supported beginning with Windows 10, version 1709.

Settings Windows 10 Windows 10 Mobile Description
Defender Firewall Settings Enabled or Disabled not available Enables the Defender Firewall Profile
Global Settings
Security Association Idle Time Before Deletion (in secs) 

e.g. 400

not available Security associations are deleted after network traffic is not seen for this number of seconds. Supported Values from 300 to 3600
Pre-shared Key Encoding 
  • None
  • UTF-8 (default)
not available Specifies the preshared key encoding that is used
IPsec Exemptions 
  • No IPsec exemptions (default)
  • Exempt neighbor discover IPv6 type-codes from IP-Sec
  • Exempt ICMP from IPsec
  • Exempt router discover IPv6 ICMP type-codes from IPsec
  • Exempt both IPv4 and IPv6 DHCP traffic from IPsec
not available Configure specific traffic to be exempt from performing IPsec.
Certificate Revocation List Verification 
  • Disables CRL checking (default)
  • CRL checking is attempted
  • CRL checking is required
not available

Defines how certificate revocation list verification is enforced. The following options are available:

  • Disables CRL checking
  • CRL Checking is attempted specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail.
  • CRL checking is required means that checking is required and that certificate validation fails if any error is encountered during CRL processing
Packet Queuing 
  • All queuing is to be disabled (default)
  • Inbound encrypted packets are to be queued
  • Packets are to be queued after decryption
not available

Specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved.

Disable FTP Enabled or Disabled not available Blocks stateful File Transfer Protocol (FTP)
Opportunistically Match Authentication Set Per Keying Module Enabled or Disabled not available If enabled, keying modules will ignore unsupported authentication suites.
Network Settings (applies to Domain, Private, or Public Network)
General  
Microsoft Defender Firewall Enabled or Disabled not available If this setting is not enabled, no network traffic will be blocked regardless of other policy settings
Disable Stealth Mode Enabled or Disabled not available When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific
IPsec Secured Packet Exemption With Stealth Mode Enabled or Disabled not available If stealth mode is enabled, this option will be ignored. Otherwise the stealth mode rules must not prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec
Shielded Enabled or Disabled not available If this value is true and Defender Firewall is on, the server must block all incoming traffic regardless of other policy settings
Disable Unicast Responses to Multicast Broadcasts Enabled or Disabled not available If true, unicast responses to multicast broadcast traffic is blocked.
Disable Inbound Notifications Enabled or Disabled not available If false, the Firewall may display a notification to the user when an application is blocked from listening on a port. If this setting is enabled, the Firewall must not display such notifications. 
Default Action For Outbound Connections
  • Allow (default)
  • Block
not available This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections.
Default Action for Inbound Connections
  • Allow
  • Block (default)
not available This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections.
Rule Merging  
Auth App Firewall Rules From the Local Store Enabled or Disabled not available If this value is false, authorized application firewall rules in the local store are ignored and not enforced
Global Port Firewall Rules From the Local Store Enabled or Disabled not available If this value is false, global port firewall rules in the local store are ignored and not enforced
Firewall Rules From the Local Store Enabled or Disabled not available If this value is false, firewall rules from the local store are ignored and not enforced
IPsec Rules From the Local Store Enabled or Disabled not available If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and security rule version
Firewall Rules Settings
Rule Settings Enabled or Disabled not available

 

Name e.g. Block Paint not available

Name of the rule.

The rule name must not include a forward flash

Description e.g. Firewall Rule for blocking outbound traffic for MS Paint not available Specifies the description of the rule
Direction
  • Not configured
  • Inbound
  • Outbound
not available The rule is enabled based on the traffic direction 
Action
  • Not configured
  • Off
  • On
not available Specifies the action the rule enforces.
Network Type
  • All (default)
  • Domain
  • Private
  • Public
not available Specifies the profiles to which the rule belongs: Domain, Private or Public
Application Settings  
Application
  • All
  • Package Family Name
  • File Path
  • Windows Service
not available Rules that control connections for an app, program, or service
Package Family Name e.g. Microsoft.MSPaint_6.2009.30067.0_x64__8wekyb3d8bbwe not available The Package Family Name is the unique name of a Microsoft Store application. Package family names can be retrieved by running the Get-AppxPackage command from PowerShell
File Path e.g. C:\Apps\Setup.exe not available Enter the full path of the application
Windows Service Name e.g. eventlog not available This is a service named used in cases when a service is sending or receiving traffics
IP Address Settings  
Local Addresses e.g. 10.0.0.50 not available Comma separated list of local addresses covered by the rule. 
Remote Addresses e.g. 88.130.55.97 not available Comma separated list of remote addresses covered by the rule. 
Port and Protocol Settings  
Protocol
  • Any (default)
  • TCP
  • UDP
  • Custom
not available Select the protocol for this port rule. Transport layer protocols, TCP and UDP, allows to specify ports or port ranges. For custom protocols, enter a number between 0 and 255 representing te IP protocol. 
Local Ports (TCP/UDP) e.g. 100-120,200,300-32 not available Comma separated list of ranges.
Remote Ports (TCP/UDP) e.g. 100-120,200,300-32 not available Comma separated list of ranges.
Protocol (Custom) 0-255 not available Enter a number between 0 and 255 representing te IP protocol. 
Advanced Settings  
Interface Types
  • Remote Access
  • Wireless
  • Local Area Network
not available Specifies the interface type to which the rule belongs. 
Authorized Local Users Settings  
Authorized Local Users e.g. "O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0) S:(AU;SAFA;WDWOSDWPCCDCSW;;;WD)" not available Specifies the list of authorized local users for this rule. Enter the string in Security Descriptor Definition Language (SDDL) format. 

Defender Antivirus

Microsoft Defender is an anti-malware component of Microsoft Windows. Defender Antivirus monitor threats to your device, run scans, and get updates to help detect the latest threats. 

Setting Windows 10 Windows 10 Mobile  
Allow Scan Archive Files Enabled or Disabled not available Allows or disallows scanning of archives.
Allow Turn On Behavior Monitoring Enabled or Disabled not available Allows or disallows Windows Defender Behavior Monitoring functionality
Allow Join Microsoft MAPS Enabled or Disabled not available Turns on/off the Microsoft Active Protection Service
Select Cloud Protection Level
  • Not configured
  • Default
  • High
  • High+
  • Zero
not available This policy setting determines how aggressive Microsoft Defender Antivirus will be in blocking and scanning suspicious files. 
Allow Turn On E-mail Scanning Enabled or Disabled not available Allows or disallows scanning of emails.
Allow Run Full Scan on Mapped Network Drives Enabled or Disabled not available Allows or disallows a full scan of mapped network drives.
Allow Scan Removable Drives Enabled or Disabled not available Allows or disallows a full scan of removable drives. During a quick scan, removable drives may still be scanned.
Allow Scan All Downloaded Files and Attachments Enabled or Disabled not available Allows or disallows Windows Defender IOAVP Protection functionality
Allow Intrusion Prevention System Enabled or Disabled not available Allows or disallows Windows Defender Intrusion Prevention functionality.
Allow Monitor File and Program Activity on Your Computer Enabled or Disabled not available Allows or disallows Windows Defender On Access Protection functionality.
Allow Real-Time Protection Enabled or Disabled not available Allows or disallows Windows Defender Real-Time Monitoring functionality.
Allow Scan Network Files Enabled or Disabled not available Allows or disallows a scanning of network files.
Allow Script Scanning Enabled or Disabled not available Allows or disallows Windows Defender Script Scanning functionality. 
Allow Enable Headless UI Mode Enabled or Disabled not available Allows or disallows user access to the Windows Defender UI. If disallowed, all Windows Defender notifications will also be suppressed.
Allow Check For Signatures Before Running Scan Enabled or Disabled not available Allows to manage whether a check for new virus and spyware definitions will occur before running a scan.
Disable Catch-up Full Scan Enabled or Disabled not available This policy settings allows to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.  
Disable Catch-up Quick Scan Enabled or Disabled not available Allows to configure catch-up scans for schedule quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time. 
Allow Configure Low CPU Priority for Scheduled Scans Enabled or Disabled not available This policy setting allows to enable or disable low CPU priority for scheduled scans. 
Configure Controlled Folder Access
  • Not configured
  • Disabled 
  • Enabled
  • Audit Mode
not available This policy enables setting the state for the controlled folder access feature. The controlled folder access features removes modify and delete permissions from untrusted applications to certain folders such as My Documents
Prevent Users and Apps From Accessing Dangerous Websites
  • Not configured
  • Disabled
  • Enabled (block mode)
  • Enabled (audit mode)
not available Allows to turn network protection (block/audit) or off. Network protections protects employees using any app from accessing phishing scams exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. 
Configure PUA Protection
  • Not configured
  • Off
  • On
  • Audit Mode
not available Specifies the level of detection for potentially unwanted applications. Windows Defender alerts when potentially unwanted software is being downloaded or attempts to install itself on the device. 
Configure Monitoring for Incoming/Outgoing File and Program Activity
  • Not configured
  • All Files
  • Incoming Files
  • Outgoing Files
not available Controls which sets of files should be monitored.
Specify the Time for a Daily Quick Scan
  • Not configured
  • From 12:00 AM to 11:00 PM
not available Selects the time of day that the Windows Defender quick scan should run. The scan type will depend on what scan type is selected in the Scan Type Setting.
Specify the Scan Type to Use for a Scheduled Scan
  • Not configured
  • Quick Scan 
  • Full Scan
not available Selects whether to perform a quick scan or full scan.
Specify the Day of the Week to Run a Scheduled Scan
  • Every Day (Default)
  • Sunday
  • Monday
  • Tuesday
  • Wednesday
  • Thursday
  • Friday
  • Saturday
not available Selects the day that the Windows Defender scan should run.
Specify the Time of Day to Run a Scheduled Scan From 12:00 AM to 11:00 PM not available Selects the time of day that the Windows Defender scan should run.
Specify the Interval to Check for Definition Updates
  • Not configured
  • No check
  • Check every 1 to 24 hours
not available Specifies the interval in hours that will be used to check for signatures, so instead of using the configuration of day and time the check for new signatures will be set according to the interval.
Send File Samples When Further Analysis Is Required
  • Send safe samples automatically (Default)
  • Always prompt
  • Never send
  • Send all samples automatically
not available Checks for the user consent level in Windows Defender to send data. If the required consent has already been granted, Windows Defender submits them. If not, and if the user has specified never to ask, the UI is launched to ask for user consent before sending data.
Specify the Maximum Percentage of CPU Utilization During a Scan 0-100 % not available Represents the average CPU load factor for the Windows Defender scan in percent.
Configure Extended Cloud Check 0-60 seconds not available Allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds, and scan in the cloud to make sure it's safe.
Configure Removal of Items From Quarantine Folder 0-90 days  not available Time period in days that quarantine items will be stored on the system.

Custom Profiles 

Custom Profiles are very helpful if you are dependent to a new feature that Microsoft will release between any of our Silverback releases. Custom Profiles will ensure that you as an Administrator will be able to address any missing feature by generating a profile by yourself. 

App Portal

The Application portal is where devices can access Enterprise applications and recommended Third Party applications via a web clip icon. To enable access to the Application portal for end users and push the app portal web clip icon to devices, ensure App Portal Enabled box is ticked.

Setting Windows 10  Windows 10 Mobile Description
App Portal     Not available   Enabled or Disabled Enables and pushes the App Portal Icon to enrolled devices.

To customize the App Portal navigate to Admin > App Portal  

Web Clips 

Silverback allows administrators to push down Internet shortcuts to their Managed Devices, giving users easy access to the websites the administrator wants.

  • Click New Web Clip
Setting Windows 10 Windows 10 Mobile Description
Web Clip Name   not available e.g. Matrix42 Web Clip Display Name 
Link not available e.g. https://www.matrix42.com Target URL for the Web Clip
Icon File not available Choose File Web Clip Display Icon.  Support File Type: *.png

Policy 

With Policy or Policies Administrators have the ability to enforce rules with Silverback, such as enforcing what Apps are installed on the devices, what Cellular Networks the device is on through to enforcing the Serial Numbers of the devices as they are enrolled into the system. These are the environmental conditions that Silverback will continue to monitor for and ‘police’ for any devices that are associated with the Tag.

OS Version Compliance 

Administrators have the ability to control which OS versions are allowed within their environment. To allow an OS version, simply ensure the checkbox next to the respective OS version is ticked. Enrolling a device with a disabled OS version will result in the device automatically being blocked.

  • Alert Administrators: When the checkbox is checked, all administrators will receive an email when a device that violates OS compliance is detected, or when a new OS version is discovered.
  • Automatically Approve New OS Versions: When an OS platform is enrolled to Silverback for the first time, the OS is automatically added to the list. By default, unknown OS platforms are disabled and relevant devices will be blocked. To automatically authorize new OS versions as they are discovered, ensure the checkbox is ticked.

Use this feature where you do not want devices to be automatically blocked when a user upgrades their device to a new future OS version that is released by their software vendor.

Hardware Compliance 

Administrators have the ability to enforce a hardware compliance policy through Silverback. Simply uncheck the boxes for hardware types that should not be supported and any devices that match the hardware type and are managed by Silverback will be blocked. The list of hardware types is managed via the Device Types option in the Admin Tab of the Silverback Console. If a mapping from device type to hardware type exists, the hardware type will be displayed in the hardware compliance list. When a Device Manufacturer release a new version of their hardware the model numbers may not be known by Silverback, in this case Silverback will ‘learn’ them and store them as ‘Unknown’ in the Device Types section under the Admin Tab where the Administrator can update them manually. To allow these devices into your system you enable the ‘Unknown’ checkbox option. This will allow the device into your Silverback Environment and you can later re-classify this device type in the Admin > Device Types section.

  • Alert Administrators:  When the  checkbox is checked it will ensure that administrators receive an email when a device that violates hardware compliance is detected.

Application Blacklist

Application Blacklist is available for Windows 10 Mobile. Because a very specific identifier needs to be provided to the device, the applications must be first added to the App Portal and then added to the blacklist. 

Setting Windows 10 Windows 10 Mobile Description
Enforce Application Blacklist   not available Enabled or Disabled Enables and disables the Application Blacklist for this Tag
Save not available Save the changes Saves the changes you’ve made.
Assign More Apps not available Add applications Allows to choose Apps to add to the list. This list of apps is based on the apps assigned in the App
Portal tab.

Lockdown 

The Lockdown screen allows you to determine what device compliance policies are enabled and what action should automatically occur when a violation is detected. Each policy is enabled/disabled through their associated checkbox. Enabling a lockdown policy ensures that the device is inspected to ensure it is compliant with that policy during the initial enrollment as well as at regular intervals as defined by the ‘Perform check every’ drop down.

Lockdown Actions

Action Description
No action No action is performed on the device; however alerting administrators may be performed if configured.
Lock A lock command is sent to the device which will lock the screen of the device. 
Block The device is blocked, and the device is moved to the blocked devices table. 
Wipe The device is hard reset to factory default settings.
Alert administrator Emails are sent to all administrators notifying them of the policy violation when it is detected. 
Exclude Home Network Allows the Administrator to disable roaming alerts for devices roaming on Home Networks

Lockdown Policies

Policy  General Windows 10 Windows 10 Mobile Description
Enforce Application Whitelist

Enabled or Disabled

not available
  • Block All
  • Block Non Microsoft
  • Block Non Microsoft and Facebook

Application Whitelist will ensure that each device has only applications approved by a system administrator installed

Enforce Hardware Authentication Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Delete Business Data
  • Factory Wipe
  • No action
  • Lock 
  • Block
  • Delete Business Data
  • Wipe
Hardware authentication can be enabled or disabled from this screen. See the hardware authentication for more information on this configuration.
Cost Control Settings
Send Roaming Alerts Enabled or Disabled not available No actions available

Enabling this will send an alert to all Silverback Administrators when a device starts Roaming for any reason (Voice/Data).

Enforce Home Networks Policy Enabled or Disabled not available
  • No action 
  • Block
  • Wipe
Enables the ‘Home Networks’ policy, meaning Silverback Admins can specify what data networks are classed as ‘Home Networks’.
Home Networks

Add

Enforce Home Networks  Policy will activate this grid

not available e.g. Imagoverum Wi-Fi This grid is where Silverback Administrators can specify their ‘Home Networks’

Apps

The Apps Feature Section is how Administrators can automate the distribution of Device Apps for specific groups of users. Before you can begin assigning Apps to the Tag you first need to have the uploaded into the Silverback App Portal. Once you have Apps in the Silverback App Portal, they can be distributed using the Apps Feature associated with your Tag.

App Types

Three different App Types are available for Windows 10 devices:

Type Description
Enterprise

Applications owned by an Organization

Windows 10 Mobile with *appx file

Windows 10 with *.msi file 

Market Applications from public Windows 10 Mobile Store


Assign Apps 

Once Apps are uploaded into the Silverback App Portal Tab, they can be distributed to devices via a Tag they have been associated with.

  • Navigate to Apps
  • Click Assign More Apps
  • Select any applications from the shown Assign Applications page 
  • Click Add Selected Apps 

Overview

Already assigned applications are displayed in the Apps section of any Tag with the following columns: 

Column Description
Type Displays the app type, either Enterprise or Market
Name Displays the application name
Version Displays the application version for Enterprise Apps
Description Displays the application description given in App Portal
Remove Removes the App from the Tag

Content 

Content Management functionalities are not supported on Windows 10 Mobile and Windows 10. 

  • Was this article helpful?