Matrix42 Self-Service Help Center

Windows 10/11 Create custom profiles

Custom Profiles for Windows devices

This guide explains how to create custom profiles for Windows 10/11 devices. Custom Profiles are very powerful when a feature is currently missing in Silverback or a special configuration is required for certain use cases. For each target profile, we will first review the Configuration Service Provider documentation from Microsoft to find the required configuration and options for creating our desired payloads for Silverback. After the profile creation, we will deploy the new custom profile(s) to our managed devices and review the configuration on a specific target device. Within this guide, we will create four different Custom Profiles: 

We recommend starting from the beginning, as not all intermediate steps will be highlighted again in every profile. As an example, we will use only one Tag for the configuration of all three profiles. In general, the Configuration service provider reference documents all available configurations (except Microsoft Edge) that can be applied with the Mobile Device Management Protocol for Windows 10 and 11 devices. After following the steps from this guide, you should be able to manually configure additional profiles yourself with the Configuration service provider reference and Silverback. 

Create Local Account

With our first custom profile, we want to demonstrate how to add a local user account to a Windows 10/11 device. You can add this account with administrative rights to your target device (and we will do this), but please be aware of the security concerns about adding an administrative account with the same credentials to all of your devices. Additionally, please note that the account will be set with an expiring password. As this guide is mainly intended to provide an overview of the handling of custom profiles with the configuration service provider and to explain the principles, it might not meet the security and compliance rules at your company. 

Review Configuration Service Provider

As we want to start this guide with the creation of a new user on a Windows 10 or 11 device, we will use the Accounts Configuration Service Provider to review the configuration we need. On the Accounts CSP page, the first section shows the configuration service provider in tree format. For the Accounts CSP it is ./Device/Vendor/MSFT followed by Accounts, followed by Users and UserName etc.

./Device/Vendor/MSFT
Accounts
----Domain
--------ComputerName
----Users
--------UserName
------------Password
------------LocalUserGroup

Additionally, below the tree format, you will find the Root node ./Device/Vendor/MSFT/Accounts, followed by each available configuration item:

  • Users/UserName
  • Users/UserName/Password
  • Users/UserName/LocalUserGroup

For each available configuration item, the description shows which operations are available, e.g. Add or Get. In this case, we only have Add as an option, so the configuration can't be removed after assigning the profile. With all this information, we now have everything we need to create the OMA-URI strings in our Custom Profile.

Create a new Tag

  • Open your Silverback Management Console
  • Navigate to Tags
  • Press New Tag
  • Enter a name, e.g. Custom Profiles for Windows devices
  • Enter a description, e.g. Custom Payload for adding accounts and configurations to Windows devices (optional)
  • Enable Profile at Enabled Features
  • Enable Windows as device type 
  • Press Save 

Create a new Profile 

  • Navigate to Profile
  • Select Custom Profiles
  • Press New Custom Profile
  • Enter a Name, e.g. Add Account for Windows devices
  • Keep the Type as Sequence
  • Press Save and confirm with OK
  • Click New Item
    • Enter as Name Add UserName
    • Select as Type Add
    • As OMA-URI paste the following: ./Device/Vendor/MSFT/Accounts/Users/UserName
    • Select String as Data type 
    • Under Data, provide the user account name, e.g. User1
    • Press Save
  • Press now again New Item as we want to add now the specific password for the user
    • Enter as Name Add Password
    • Select as Type Add
    • As OMA-URI paste the following: ./Device/Vendor/MSFT/Accounts/Users/User1/Password
    • Select String as Data type
    • Under Data, provide the User password, e.g. Pa$$w0rd
    • Press Save
  • Press now again New Item as we want to add the user account as Account Type Administrator 
    • Enter as Name Add Local User Group
    • Select as Type Add
    • As OMA-URI paste the following: ./Device/Vendor/MSFT/Accounts/Users/User1/LocalUserGroup
    • Select Integer as Data type
    • Under Data, enter 2 to add the user as Administrator
    • Press Save

If we don't add this node into our custom profile, the new local user account is joined to the Standard Users group. 

  • Now we have created a sequence of three custom profile items
    • Add UserName
    • Add Password
    • Add Local User Group
  • Press Save and confirm with OK
  • Press Cancel or press again Custom Profiles
  • Currently the Custom Profile is not enabled, so we need to press the checkbox to enable the profile
  • Confirm with Yes to activate the Profile

Assign Tag

  • Navigate to Devices
  • Locate one of your target devices
  • Press the Assign Tag button
  • Select the previously created Custom Profiles for Windows devices Tag
  • Press Save

Ensure the device is connected to the internet 

  • Open the Device Overview
  • Press Refresh and select Pending Commands
  • Locate the CustomProfile command and ensure that there is no Error in the Status column

Review Profile Installation 

  • Head over to the Windows 10/11 device
  • Open Settings Application
  • Navigate to Accounts > Family & other users
  • Under Other users you should now see your added account 
  • Click Change Account Type and review that this account is added as Account Type Administrator
  • Now open lusrmgr.msc
  • Navigate to Users
  • Your created User should be listed here as well
  • Perform a double-click on your user
  • Select Member Of and review that the user is added to the Local Administrator Group 

Login with your new account 

  • On your Windows device, press Start 
  • Right-click your current account name icon
  • Select now your previously created account
  • Login with your previously created password

Add Account to Group

Now we want to add the created and added account to a specific Local Group. For this we will use the LocalUsersAndGroups Configuration Service Provider. When opening the page, review first for which Windows 10 or Windows 11 edition this Configuration Service Provider is supported. Additionally, review the available operations and all Notes added to the documentation. In this guide, we will add the account to the Remote Desktop Users group.

Create a new Profile

  • Navigate back to your previously created Custom Profiles for Windows devices Tag
  • Under Profile and Custom Profiles you should see your previously created Add Account for Windows devices sequence
  • Click New Custom Profile
  • Enter as Name e.g. Add Local Account to Local Group
  • Press Save
  • Confirm with OK
  • Click New Item
  • Add as Name e.g. Local Users And Groups
  • Select as Type Add
  • As OMA-URI add ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure
  • As Data Type select Xml File
  • Enter as Data the following XML 
<GroupConfiguration>
    <accessgroup desc = "Remote Desktop Users">
        <group action = "U" />
        <add member = "User1"/>
    </accessgroup>
</GroupConfiguration>
  • Press Save (2x)
  • Press Cancel or press again Custom Profiles
  • Currently the new Custom Profile is not enabled, so we need to press the checkbox to enable the profile
  • Confirm with Yes to activate the Profile
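
Before enabling profiles like the two above, the items can be checked offline. The following is an added example, not part of the original guide or of Silverback: a small Python lint that catches a malformed OMA-URI, a non-integer value, XML that is not well-formed, and the shared-credential administrator account the guide warns about. The tuple layout, the severity names and the function name lint are assumptions made for this sketch; the item values are the guide's own, entered as constructed sample data.

```python
import re
import xml.etree.ElementTree as ET

GROUP_XML = ('<GroupConfiguration><accessgroup desc = "Remote Desktop Users">'
             '<group action = "U" /><add member = "User1"/></accessgroup></GroupConfiguration>')
BASE = "./Device/Vendor/MSFT"
# Constructed sample: the guide's items as (name, OMA-URI, data type, data).
ITEMS = [
    ("Add UserName", BASE + "/Accounts/Users/UserName", "String", "User1"),
    ("Add Password", BASE + "/Accounts/Users/User1/Password", "String", "Pa$$w0rd"),
    ("Add Local User Group", BASE + "/Accounts/Users/User1/LocalUserGroup", "Integer", "2"),
    ("Local Users And Groups", BASE + "/Policy/Config/LocalUsersAndGroups/Configure",
     "Xml File", GROUP_XML),
]
ACCOUNT_NODE = re.compile(r"/Accounts/Users/([^/]+)/(Password|LocalUserGroup)$")

def lint(items):
    """Return (severity, subject, message) findings for a list of profile items."""
    findings, users, has_pw, admins = [], set(), set(), set()
    for name, uri, dtype, data in items:
        if not re.fullmatch(r"\./(Device|User)/Vendor/MSFT/\S+", uri):
            findings.append(("error", name, "OMA-URI is not rooted at ./Device|User/Vendor/MSFT"))
        if dtype == "Integer" and not re.fullmatch(r"-?\d+", data):
            findings.append(("error", name, "data is not an integer"))
        if dtype == "Xml File":
            try:
                root = ET.fromstring(data)
            except ET.ParseError as exc:  # e.g. an attribute missing its closing quote
                findings.append(("error", name, f"XML is not well-formed: {exc}"))
            else:
                for grp in root.iter("accessgroup"):
                    for add in grp.iter("add"):
                        findings.append(("info", name,
                                         f"adds {add.get('member')} to {grp.get('desc')}"))
        if uri.endswith("/Accounts/Users/UserName"):
            users.add(data)  # the guide carries the account name in Data
        node = ACCOUNT_NODE.search(uri)
        if node:
            user, leaf = node.groups()
            if user not in users:
                findings.append(("error", name, f"no earlier UserName item creates {user}"))
            if leaf == "Password":
                has_pw.add(user)
                findings.append(("warn", name, "same static password reaches every tagged device"))
            elif data == "2":  # 2 = Administrator per the guide
                admins.add(user)
    for user in sorted(has_pw & admins):
        findings.append(("high", user, "shared-password account is a local Administrator"))
    return findings

if __name__ == "__main__":
    for finding in lint(ITEMS):
        print(*finding, sep=" | ")
```

Leaving out the LocalUserGroup item removes the high finding, since the account then joins the Standard Users group; the password warning remains.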

Refresh your Device

  • Navigate to Devices
  • Locate one of your target devices
  • Open the Device Overview
  • Press Refresh and select Pending Commands
  • Locate the CustomProfile command and ensure that there is no Error in the Status column

Review Profile Installation

  • Head over to the Windows 10/11 device
  • Open lusrmgr.msc
  • Navigate to Groups
  • Perform a double click on Remote Desktop Users
  • Your previously created account should now be a member of this group

This configuration is also shown under the Silverback MDM Profile in the Settings application under Accounts > Access work or school > Info.

Disable Microsoft Edge First Run Experience

In this third part of the guide, we will create a custom configuration for the built-in Microsoft Edge. As Microsoft browsers typically offer a huge number of configuration options, not all of these settings are available in Silverback. To cover this, we will disable the First Run Experience of Microsoft Edge as an example in this section. For this, we will first review the specific configuration keys given by Microsoft. After opening the page, search for and locate the hidefirstrunexperience option and review the description and the available Data Type, as we need this later.

Create a new Profile

  • Navigate back to your previously created Custom Profiles for Windows devices Tag
  • Under Profile and Custom Profiles you should see your previously created Add Account for Windows devices and Add Local Account to Local Group sequence
  • Click New Custom Profile
  • Enter as Name e.g. Disable First Run Experience for Edge
  • Press Save
  • Confirm with OK
  • Click New Item
  • Add as Name e.g. First Run Experience
  • Select as Type Add or Replace
  • As OMA-URI add ./Device/Vendor/MSFT/Policy/Config/Edge~Policy~microsoft_edge/HideFirstRunExperience
  • As Data Type select String
  • Enter as Data <enabled/>
  • Press Save (2x)
  • Press Cancel or press again Custom Profiles
  • Currently the new Custom Profile is not enabled, so we need to press the checkbox to enable the profile
  • Confirm with Yes to activate the Profile

Refresh your Device

  • Navigate to Devices
  • Locate one of your target devices
  • Open the Device Overview
  • Press Refresh and select Pending Commands
  • Locate the CustomProfile command and ensure that there is no Error in the Status column

Review Profile Installation  

  • Head over to the Windows 10/11 device
  • Open Microsoft Edge
  • Enter in the address bar the following: edge://policy/
  • You should see now a policy item HideFirstRunExperience with an enabled policy value

Review User Experience

  • Open Task Manager and End the process for Microsoft Edge
  • Now open Windows Explorer and navigate to  C:\Users\%username%\AppData\Local\Microsoft\Edge\
  • Delete now the folder User Data
  • In case you can't delete the folder perform the following:
    • Open the Control Panel and open Programs and Features
    • Select Microsoft Edge and click change
    • If the UAC prompts, confirm with Yes and press repair
    • Wait until the process is finished
    • When Microsoft Edge opens again, end the process again and try to delete the User Data folder
  • After the User Data deletion, open Microsoft Edge again and the First Run Experience will not appear.

To check the difference, navigate back to your Custom Profile, change the String to <disabled/>, and delete the User Data folder again; the First Run Experience will appear again. 

Disable first sign-in animation

In the last part of this guide, we will disable the first sign-in animation. This setting controls whether users see the first sign-in animation when signing in to the computer for the first time. This applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. This setting is also a part of the Policy Configuration Service Provider, which shows us the root node for all device scoped policies: 

./Device/Vendor/MSFT/Policy/Config/AreaName/PolicyName 

Scrolling down, you will find the WindowsLogon policies group with the explicit setting WindowsLogon/EnableFirstLogonAnimation and the supported values: 0 - disabled and 1 - enabled. 

Create a new Profile

  • Navigate back to your previously created Custom Profiles for Windows devices Tag
  • Under Profile and Custom Profiles you should see all your previously created sequences.
  • Click New Custom Profile
  • Enter as Name e.g. Disable First Logon Animation
  • Press Save
  • Confirm with OK
  • Click New Item
  • Add as Name e.g. First Logon Animation
  • Select as Type Add
  • As OMA-URI add ./Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnableFirstLogonAnimation
  • As Data Type select Integer
  • Enter as Data 0
  • Press Save (2x)
  • Press Cancel or press again Custom Profiles
  • Currently the new Custom Profile is not enabled, so we need to press the checkbox to enable the profile
  • Confirm with Yes to activate the Profile

Refresh your Device

  • Navigate to Devices
  • Locate one of your target devices
  • Open the Device Overview
  • Press Refresh and select Pending Commands
  • Locate the CustomProfile command and ensure that there is no Error in the Status column

Review Profile Installation

  • Head over to the Windows 10/11 device
  • Open Settings Application
  • Navigate to Accounts > Access work or school and open the Silverback MDM Profile by clicking Info
  • Under Policies you should see now WindowsLogon

Review User Experience

  • Open lusrmgr.msc
  • Add a new user
  • Restart the device
  • Login with the newly created user
  • Instead of seeing the first sign-in animation, you should now see the Preparing Windows information