Matrix42 Self-Service Help Center

Tags Guide Part IV: Windows 10/11

Profile

Profiles for each device type are managed independently, so each device type has its own profile configuration. A device is provisioned with the profile configuration in force at the time it was enrolled. When a profile is changed, the new configuration is delivered to newly enrolled devices as well as to devices that are currently managed and/or blocked. Because profile changes are applied immediately to all applicable devices, verify the settings before saving. Click Save or Save & Close at the bottom right of the screen to commit your changes before moving to another page.

Exchange Active Sync

With the Exchange ActiveSync profile, you can add the accounts used by Mail, Calendar, and People (contacts). After the account is added to the device, users must enter their Exchange ActiveSync password. Added Exchange ActiveSync accounts are listed in the Settings app under Accounts. When the Mail or Calendar app is opened, the user is prompted to repair the account by entering the password; the password can also be entered from the account overview in the Settings app.

Setting Options Description
Exchange ActiveSync Settings
  • Enabled or Disabled
Enables the profile.
Label
  • e.g. Imagoverum Exchange or {firstname}
The label for the email account as it appears on the device.
Server Name
  • e.g. outlook.office365.com
External Exchange ActiveSync address.
Domain
  • e.g. Imagoverum
Internal domain suffix for the Exchange server.
Sync Interval
  • Sync on received
  • Manual
  • 15 minutes
  • 30 minutes
  • 60 minutes
Email synchronization interval.
Past Days of Mail to Sync
Period of mail to synchronize to the device.
Use SSL
  • Enabled or Disabled
Enable if the external mail server is reachable over HTTPS (TLS). Leave this enabled wherever possible: Exchange ActiveSync authenticates with the user's password, and without TLS that password crosses the network unprotected.
Use Custom Username Variable
  • e.g. {CustLdapVar0} or support@imagoverum.com
Defines a custom variable attribute for the username of the EAS profile.
Use Custom Email Variable
  • e.g. {CustLdapVar0} or tim.tober@imagoverum.com
Defines a custom variable attribute for the email address of the EAS profile.
Use Custom Password Variable
  • e.g. {UserPassword} or Pa$$w0rd
Defines a custom variable attribute for the email password of the EAS profile. A literal value entered here is pushed to every device that receives the Tag; use a per-user variable such as {UserPassword} rather than a shared password.

Passcode

Passcode settings define the requirements for the password sign-in option. Passcode configuration is supported on Windows 10 and Windows 11 Home, Pro, Business, Enterprise and Education editions.

Setting Options Description
Passcode Settings
  • Enabled or Disabled
Enables passcode settings.
Allow Simple
  • Not available
Permits the use of repeating, ascending or descending characters.
Allow Convenience Login
  • Enabled or Disabled
Allows a picture password as a sign-in method.
Complexity
  • Not available
Character groups that must be used in the user's passcode.
Minimum Length
  • 6-23
The smallest number of passcode characters allowed.
Minimum Complex Characters
  • 3
The smallest number of non-alphanumeric characters required. If Allow Simple is checked, this setting is disabled.
Maximum Passcode Age (1-730 days or none)
  • Not available
How often the passcode must be changed.
Auto-lock (minutes)
  • 1-1200
The device locks automatically after this period of inactivity.
Passcode History (1-50 passcodes or none)
  • Not available
Number of unique passcodes required before one can be reused.
Maximum Failed Attempts
  • 4-16
Number of passcode entry attempts allowed before the device is reset to factory settings.

Restrictions

With Silverback, administrators can tighten security settings, prevent users from accessing certain actions or sections on their device, and much more (for example, prevent users from removing their devices from management) with the restrictions available for managed Windows 10 or 11 devices. Every listed restriction is grouped into a dedicated section, and all listed restrictions are part of the Policy Configuration Service Provider. For an overview of all available restrictions, refer to the following article: Tags Guide Part IV: Windows 10/11 Restrictions

Virtual Private Network

Setting Values
VPN Provider
  • Windows (built-in)
Connection Name
  • e.g. Imagoverum VPN
Server name or address
  • e.g. vpn.imagoverum.com
VPN Type
  • Automatic
  • Point to Point Tunneling Protocol (PPTP)
  • L2TP/IPsec with certificate
  • L2TP/IPsec with pre-shared key
  • Secure Socket Tunneling Protocol (SSTP)
  • IKEv2
Pre-Shared Key
  • e.g. Pa$$w0rd
Only used with L2TP/IPsec with pre-shared key. The key is identical on every device that receives the Tag, so it cannot be revoked for a single device; prefer IKEv2 or L2TP/IPsec with certificate. PPTP is deprecated: its MS-CHAPv2 authentication is known to be breakable, and it should not be chosen for new deployments.
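To check what the VPN profile actually produced on an enrolled device, the following PowerShell audit can be run on the device. It is an added example written for this edit, not code from Matrix42 or from Silverback, and it assumes the built-in VpnClient module of Windows 10/11 (Get-VpnConnection); because MDM-delivered connections may appear as per-user or all-user connections, both are queried. It flags the weak choices discussed above: PPTP, password-only authentication methods and L2TP/IPsec with a pre-shared key.

```powershell
# Added example: audit the VPN connections present on a Windows 10/11 device.
# Not part of the Silverback documentation. Run in PowerShell on the device.

function Get-VpnAudit {
    # Per-user and all-user (machine) connections; either set may be empty.
    $conns = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
             @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)

    foreach ($c in $conns) {
        $findings = @()

        # PPTP authenticates with MS-CHAPv2, which can be broken offline.
        if ($c.TunnelType -eq 'Pptp') { $findings += 'PPTP tunnel' }

        # Password-only user authentication methods.
        $weakAuth = @('Pap', 'Chap', 'MSChapv2')
        foreach ($m in @($c.AuthenticationMethod)) {
            if ($m -in $weakAuth) { $findings += "auth method $m" }
        }

        # L2TP/IPsec with a pre-shared key: the same secret sits on every device.
        if ($c.TunnelType -eq 'L2tp' -and $c.L2tpIPsecAuth -eq 'Psk') {
            $findings += 'L2TP/IPsec pre-shared key'
        }

        [pscustomobject]@{
            Name       = $c.Name
            Server     = $c.ServerAddress
            Tunnel     = $c.TunnelType
            Auth       = (@($c.AuthenticationMethod) -join ',')
            Encryption = $c.EncryptionLevel
            Findings   = if ($findings) { $findings -join '; ' } else { 'none' }
        }
    }
}

Get-VpnAudit | Format-Table -AutoSize
```

A connection with Tunnel = Ikev2 (or Sstp), Auth = Eap or MachineCertificate and Findings = none is what a profile built from the recommendations above should produce.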

Wi-Fi 

Silverback can pre-populate multiple Wi-Fi networks on your devices, so users do not need to know the passwords for these networks themselves.

  • Click New WiFi profile
Setting Options Description
Wi-Fi Settings
  • Enabled or Disabled
Enables the sending of Wi-Fi settings.
SSID
  • e.g. Corporate Wi-Fi
Service Set Identifier of the wireless network.
Security Type
  • None
  • WEP
  • WPA 2
  • WPA 2 Enterprise
Defines the wireless network security. WEP is broken and offers no meaningful protection; use WPA 2 (pre-shared key) or WPA 2 Enterprise (802.1X with per-user credentials).
Encryption Type
  • AES
  • TKIP
Defines the wireless network encryption. TKIP is the legacy WPA cipher and is deprecated; select AES unless a legacy access point requires otherwise.
Hidden Network
  • Enabled or Disabled
Enable if the target network does not broadcast its SSID.
Automatically Join
  • Enabled or Disabled
The device will automatically join the Wi-Fi network.
Password
  • e.g. Pa$$w0rd
Password for authenticating to the wireless network.
Specify Trust (WPA 2 Enterprise only)
With WPA 2 Enterprise the device must validate the certificate of the authenticating (RADIUS) server. If no trust anchor is pinned, a rogue access point broadcasting the same SSID can present any certificate and collect the user's credentials, so configure one of the two options below.
Use issuing CA Thumbprint
  • Enabled or Disabled
If you have configured the Certification Authority Integration and keep this option, the Enrollment Issuing CA certificate selected in the Web Settings configuration is installed on the device and used as the trust anchor.
Specify intermediate Trust
  • Upload Root Certificate
  • Upload Intermediate Certificates
  • Remove Intermediate Certificates
By selecting this option, you can add your own root and intermediate certificates. Uploaded root certificates are installed in the Trusted Root Certification Authorities store; uploaded intermediate certificates are installed in the Intermediate Certification Authorities store.
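The following PowerShell check is an added example, not part of this guide or of Silverback. It exports a deployed Wi-Fi profile with netsh (without its key) and inspects the points discussed above: the security and encryption type, and for WPA 2 Enterprise whether a trusted root CA is pinned for server validation and whether that CA is actually present in the device's Trusted Root Certification Authorities store. The profile name 'Corporate Wi-Fi' is an assumption; use the SSID configured in your Tag.

```powershell
# Added example: inspect a deployed Wi-Fi profile and the trust it relies on.
# Not part of the Silverback documentation. Run elevated on the device.

function Test-WifiProfileTrust {
    param([Parameter(Mandatory)][string]$ProfileName)

    # netsh writes "<interface>-<profile>.xml" into the folder. key=clear is
    # deliberately omitted so the network key is never written to disk.
    $dir = Join-Path $env:TEMP ('wlan-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $dir | Out-Null
    try {
        netsh wlan export profile name="$ProfileName" folder="$dir" | Out-Null
        $file = Get-ChildItem -Path $dir -Filter '*.xml' | Select-Object -First 1
        if (-not $file) { throw "profile '$ProfileName' not found" }
        [xml]$xml = Get-Content -Path $file.FullName -Raw
    } finally {
        Remove-Item -Path $dir -Recurse -Force -ErrorAction SilentlyContinue
    }

    # WLAN and EAP settings live in different XML namespaces; match on local-name().
    $text = { param($n) ($xml.SelectNodes("//*[local-name()='$n']") | ForEach-Object { $_.InnerText }) }

    $auth = & $text 'authentication'    # open, WEP, WPA2PSK, WPA2 (enterprise), ...
    $enc  = & $text 'encryption'        # none, WEP, TKIP, AES
    $findings = @()
    if ($auth -contains 'open' -or $auth -contains 'WEP') { $findings += "weak security type: $auth" }
    if ($enc -contains 'TKIP' -or $enc -contains 'WEP')   { $findings += "weak cipher: $enc" }

    # For WPA2-Enterprise the EapHostConfig carries the server validation rules.
    $roots  = @(& $text 'TrustedRootCA')                       # CA thumbprints, hex with spaces
    $prompt = & $text 'DisableUserPromptForServerValidation'
    if ($auth -contains 'WPA2') {
        if (-not $roots) { $findings += 'no TrustedRootCA pinned: any RADIUS certificate is accepted' }
        if ($prompt -ne 'true') { $findings += 'user may be prompted to accept an unknown server certificate' }
        foreach ($thumb in $roots) {
            $t = ($thumb -replace '\s', '').ToUpper()
            if (-not (Test-Path "Cert:\LocalMachine\Root\$t")) {
                $findings += "pinned CA $t is not in LocalMachine\Root"
            }
        }
    }

    [pscustomobject]@{
        Profile    = $ProfileName
        Auth       = ($auth -join ',')
        Encryption = ($enc -join ',')
        PinnedCAs  = $roots.Count
        Findings   = if ($findings) { $findings -join '; ' } else { 'none' }
    }
}

Test-WifiProfileTrust -ProfileName 'Corporate Wi-Fi' | Format-List
```

A profile built with "Use issuing CA Thumbprint" or "Specify intermediate Trust" should report PinnedCAs of at least 1 and no finding about LocalMachine\Root; if the root is missing, the certificate part of the Tag was not applied and the device will either fail to connect or, worse, prompt the user to accept whatever certificate it sees.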

Wallpaper

Wallpapers for the lock screen and home screen are available for Windows 10/11 Enterprise devices from version 1703. After the settings are applied, the device must be rebooted before the wallpaper takes effect. Supported file types are *.jpg, *.jpeg and *.png.

Setting Options Description
Lock Screen URL enabled
  • Enabled or Disabled
Enables the wallpaper for the lock screen.
Lock Screen URL
  • e.g. https://imagoverum.com/Lockscreen.png
Defines the URL where the wallpaper file is located.
Home Screen URL enabled
  • Enabled or Disabled
Enables the wallpaper for the home screen.
Home Screen URL
  • e.g. https://imagoverum.com/Wallpaper.png
Defines the URL where the wallpaper file is located.

BitLocker

BitLocker Drive Encryption is a built-in data protection feature of Windows 10/11 that addresses the threat of data theft from lost or stolen devices. BitLocker provides its best protection when combined with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component included in many newer computers. Together with BitLocker it protects user data and verifies that the computer has not been tampered with while the system was offline. In a nutshell, BitLocker encrypts the Windows operating system drive and, optionally, fixed and removable data drives.

Setting Options Description
BitLocker Settings
  • Enabled or Disabled
Enables the BitLocker Profile. BitLocker configuration is supported for Windows 10 Pro (from version 1809), Business, Enterprise, and Education (from version 1703) 
BitLocker base settings  

Require Device Encryption

  • Enabled or Disabled
Requires encryption to be turned on using BitLocker.

Allow warning for other disk encryption

  • Enabled or Disabled
Allows you to disable the warning prompt for other disk encryption on user machines. Starting with Windows 10, version 1803, the prompt can only be disabled for Azure Active Directory joined devices.

When you disable the warning prompt, the OS drive's recovery key will back up to the user's Azure Active Directory account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key.

The endpoint for a fixed data drive's backup is chosen in the following order:

  1. The user's Windows Server Active Directory Domain Services account.
  2. The user's Azure Active Directory account.
  3. The user's personal OneDrive (MDM/MAM only).

Encryption will wait until one of these three locations backs up successfully.

Allow standard users to enable encryption during Azure AD Join

  • Enabled or Disabled
Allows users without Administrative rights to enable BitLocker encryption on the device. This setting applies to Azure Active Directory Joined devices. 

Configure encryption methods

  • Not configured
  • On
  • Off
Sets the default encryption method for each drive type: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped. If this setting is disabled or not configured, BitLocker uses its default encryption method, XTS-AES 128-bit, or the method specified by a setup script.

Encryption for operating system drives

  • AES-CBC 128
  • AES-CBC 256
  • XTS-AES 128 (recommended)
  • XTS-AES 256 (recommended)
This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.

Encryption for fixed data-drives

  • AES-CBC 128
  • AES-CBC 256
  • XTS-AES 128 (recommended)
  • XTS-AES 256 (recommended)
This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.

Encryption for removable data-drives

  • AES-CBC 128 (recommended)
  • AES-CBC 256 (recommended)
  • XTS-AES 128
  • XTS-AES 256
This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.
BitLocker OS drive settings  

Additional authentication at startup

  • Not configured
  • On
  • Off
This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a TPM. This setting is applied when you turn on BitLocker.

Allow BitLocker without a compatible TPM

  • Enabled or Disabled
When enabled, BitLocker can be used on computers without a compatible Trusted Platform Module; in that case a password or a startup key on a USB flash drive is required to start the computer. When disabled, BitLocker requires a compatible TPM. Note that a TPM-only configuration unlocks the operating system drive automatically at boot; requiring a startup PIN (or PIN and key, see below) adds a factor that an attacker with physical possession of the device must also know.

Configure TPM startup

  • Allow
  • Do not allow
  • Required
Configure if TPM is allowed, required or not allowed for startup

Configure TPM startup key

  • Allow
  • Do not allow
  • Required
Configure if a TPM startup key is allowed, required or not allowed for startup

Configure TPM startup PIN

  • Allow
  • Do not allow
  • Required
Configure if a TPM startup PIN is allowed, required or not allowed for startup

Configure TPM startup key and PIN

  • Allow
  • Do not allow
  • Required
Configure whether a TPM startup key and PIN are allowed, required or not allowed for startup.

Configure minimum PIN length for startup

  • Not configured
  • On
  • Off
This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker.

Minimum TPM PIN Length

  • e.g. 20
The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.

BitLocker-protected operating system drives can be recovered

  • Not configured
  • On
  • Off
Controls how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when turning on BitLocker.

Allow certificate-based data recovery agent

  • Enabled or Disabled
Specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.

User creation of recovery password

  • Allow 48-digit recovery password
  • Do not allow 48-digit recovery password
  • Require 48-digit recovery password
Set whether users are allowed, required, or not allowed to generate a 48-digit recovery password

User creation of recovery key

  • Allow 256-bit recovery key
  • Do not allow 256-bit recovery key
  • Require 256-bit recovery key
Set whether users are allowed, required, or not allowed to generate a 256-bit recovery key.

Omit recovery options from the BitLocker setup wizard

  • Enabled or Disabled
Prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that a user will not be able to specify which recovery option to use when turning on BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy.

Save BitLocker recovery information to AD Domain Services

  • Enabled or Disabled
Enable BitLocker recovery information to be stored in AD DS

BitLocker recovery information stored to Azure AD

  • Backup recovery password and key package
  • Backup recovery password only
Choose which BitLocker recovery information to store in the directory (AD DS or Azure AD) for operating system drives. If Backup recovery password and key package is selected, both the BitLocker recovery password and the key package are stored. Storing the key package supports recovering data from a drive that has been physically corrupted. If Backup recovery password only is selected, only the recovery password is stored.

Store recovery information in Azure AD before enabling BitLocker

  • Enabled or Disabled
Prevent users from enabling BitLocker unless the backup of the BitLocker recovery information succeeds (to AD DS for domain-joined computers, to Azure AD for Azure AD joined devices). In this case a recovery password is generated automatically.

Configure pre-boot recovery message and URL

  • Not configured
  • On
  • Off
Allows you to configure the entire recovery message, or to replace the existing URL, displayed on the pre-boot key recovery screen when the OS drive is locked.

Pre-boot recovery message

  • Use empty recovery key message and URL
  • Use default recovery key message and URL
  • Use custom recovery message
  • Use custom recovery URL

 

Use default recovery message and URL: The default BitLocker recovery message and URL are displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value to Use default recovery message and URL.

Use custom recovery message. The message you set will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message.

Use custom recovery URL: The URL you type in will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen.

BitLocker fixed data-drive settings 

Deny write access to fixed drives not protected by BitLocker

  • Not configured
  • On
  • Off

This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.

If this setting is enabled, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.

Choose how BitLocker-protected fixed drives can be recovered

  • Not configured
  • On
  • Off
Controls how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when turning on BitLocker.

Allow data recovery agent

  • Enabled or Disabled
Specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.

User creation of recovery password

  • Allow 48-digit recovery password
  • Do not allow 48-digit recovery password
  • Require 48-digit recovery password
Set whether users are allowed, required, or not allowed to generate a 48-digit recovery password

User creation of recovery key

  • Allow 256-bit recovery key
  • Do not allow 256-bit recovery key
  • Require 256-bit recovery key
Set whether users are allowed, required, or not allowed to generate a 256-bit recovery key.

Omit recovery options from the BitLocker setup wizard

  • Enabled or Disabled
Prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that a user will not be able to specify which recovery option to use when turning on BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy.

Configure storage of BitLocker recovery information to AD DS

  • Backup recovery password and key package
  • Backup recovery password only
Choose which BitLocker recovery information to store in AD DS for fixed data drives. If the Backup recovery password and key package are selected, both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If Backup recovery password only is selected, only the recovery password is stored in AD DS.

Save BitLocker recovery information to Active Directory Domain Services

  • Enabled or Disabled
Prevent users from enabling BitLocker unless the computer successfully backs up the BitLocker recovery information to Azure Active Directory. Selecting Enabled ensures the recovery keys are stored in Azure Active Directory before encryption is enabled. Selecting Disabled allows a device to become encrypted without recovery information stored in Azure Active Directory.
BitLocker removable data-drive settings  

Deny write access to removable drives not protected by BitLocker

  • Not configured
  • On
  • Off
Determine whether BitLocker protection is required for removable data-drives to be writable on a computer

Write access to devices configured in another organization

  • Enabled or Disabled
Determine if removable data-drives configured by an external organization can be written to
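The following PowerShell audit is an added example, not part of this guide or of Silverback. It reads the BitLocker policy values the device received (assumed to be stored under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker, where Windows keeps MDM-delivered Policy CSP settings), compares each volume's encryption method and key protectors with the base, OS drive and recovery settings described above, shows the most recent Azure AD key-backup events, and escrows the OS drive's recovery password to Azure AD if one exists. Run it elevated on an enrolled device; the last step writes to Azure AD, so drop it if you only want a read-only report.

```powershell
# Added example: audit what the BitLocker Tag produced on an enrolled device.
# Not part of the Silverback documentation. Run in an elevated PowerShell.
#Requires -RunAsAdministrator

# Policy as received by the device. EncryptionMethodByDriveType uses the CSP ids:
# 3 = AES-CBC 128, 4 = AES-CBC 256, 6 = XTS-AES 128, 7 = XTS-AES 256
$policy = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
if (Test-Path $policy) {
    Get-ItemProperty -Path $policy |
        Select-Object RequireDeviceEncryption, EncryptionMethodByDriveType,
                      SystemDrivesRequireStartupAuthentication, SystemDrivesMinimumPINLength,
                      SystemDrivesRecoveryOptions, FixedDrivesRequireEncryption |
        Format-List
} else {
    Write-Host "No MDM BitLocker policy found under $policy"
}

function Get-BitLockerAudit {
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $findings = @()
        if ($vol.VolumeStatus -ne 'FullyEncrypted') { $findings += "status $($vol.VolumeStatus)" }
        # ProtectionStatus Off on an encrypted volume means protection is suspended:
        # the volume master key is then stored in the clear.
        if ($vol.ProtectionStatus -ne 'On') { $findings += 'protection off' }
        if ($vol.VolumeType -eq 'OperatingSystem' -and $vol.EncryptionMethod -match '^Aes(128|256)$') {
            $findings += "CBC mode on OS drive ($($vol.EncryptionMethod))"
        }
        # Tpm alone unlocks at boot; TpmPin / TpmStartupKey / TpmPinStartupKey add a factor.
        if ($vol.VolumeType -eq 'OperatingSystem' -and $types -contains 'Tpm' -and
            -not ($types | Where-Object { $_ -match '^Tpm(Pin|StartupKey)' })) {
            $findings += 'TPM-only: drive unlocks without pre-boot PIN or key'
        }
        if ($types -notcontains 'RecoveryPassword') { $findings += 'no 48-digit recovery password' }

        [pscustomobject]@{
            Mount      = $vol.MountPoint
            Type       = $vol.VolumeType
            Method     = $vol.EncryptionMethod
            Protectors = ($types -join ',')
            Findings   = if ($findings) { $findings -join '; ' } else { 'none' }
        }
    }
}

Get-BitLockerAudit | Format-Table -AutoSize

# Recovery-key escrow: the BitLocker management log records event 845 (backup to
# Azure AD succeeded) and 846 (backup failed). Show the latest ones.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845, 846 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# Escrow the OS drive's recovery password to Azure AD (writes to the directory).
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$rp = $os.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
if ($rp) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $os.MountPoint -KeyProtectorId $rp.KeyProtectorId
}
```

A device that matches the recommended settings above reports XtsAes128 or XtsAes256 on the OS drive, protectors such as TpmPin,RecoveryPassword, Findings = none, and a recent event 845. An event 846 with no 845 after it means the device encrypted without an escrowed key, which is exactly the situation the "Store recovery information before enabling BitLocker" settings are meant to prevent.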

Windows Hello

Windows Hello is a biometric framework built into Windows 10/11 that uses facial recognition, fingerprint identification, or iris scans as sign-in methods. Windows Hello is closely related to Microsoft Passport (since renamed Windows Hello for Business), which provides the underlying encryption and authentication mechanism and helps to secure communications and identities.

Setting Options Description
Windows Hello Settings
  • Enabled or Disabled
Activates Windows Hello Settings
Require Security Device
  • Enabled or Disabled
Defines whether a Trusted Platform Module (TPM) is required. If set to Disabled, the preferred mode is used: devices attempt to use a TPM, but provision software-protected keys if no TPM is available.
Minimum PIN Length
  • 4-127
Defines the Minimum PIN length 
Maximum PIN Length
  • 8-127
Defines the Maximum PIN length
Upper Case Letters
  • Allow, Require or Not allow 
Define if Upper Case Letters are allowed, mandatory or prohibited
Lower Case Letters
  • Allow, Require or Not allow 
Define if Lower Case Letters are allowed, mandatory or prohibited
Special Characters
  • Allow, Require or Not allow 
Define if Special Characters are allowed, mandatory or prohibited
Digits
  • Allow, Require or Not allow 
Define if Digits are allowed, mandatory or prohibited
History
  • 0-50
Defines how many previous PINs cannot be reused. The default value is 0, which means history is not enforced.
Expiration
  • 0-730 
Defines the timeframe, when users will be forced to change the PIN. If set to 0, the PIN will never expire
Use Remote Passport
  • Enabled or Disabled
Allows a portable, registered device to be used as a companion device for desktop authentication.
Use Biometrics
  • Enabled or Disabled
Enable or disable the use of biometric gestures, such as facial recognition, fingerprint identification, or iris scan

Certificate Trusts

For Windows 10/11 devices, arbitrary certificate trusts can be defined. These certificates are deployed to the Trusted Root Certification Authorities or Intermediate Certification Authorities store on the devices. A root certificate installed this way becomes a trust anchor for every TLS connection and signature check on the device, so upload only CAs you operate or have verified.

Setting Options Description
Certificate Settings
  • Enabled or Disabled
Enables certificate settings in this Tag.
Add Root Certificate
  • Choose File
Select and upload a root certificate.
Certificate Password
  • e.g. Pa$$w0rd
Password for the uploaded root certificate.
Root Certificates
  • e.g. CN=Imagoverum Root, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE
Displays the details of the uploaded root certificates.
Add Intermediate Certificate
  • Choose File
Select and upload an intermediate certificate.
Certificate Password
  • e.g. Pa$$w0rd
Password for the uploaded intermediate certificate.
Intermediate Certificates
  • e.g. CN=Imagoverum Intermediate, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE
Displays the details of the uploaded intermediate certificates.

Certificate

In this section you can distribute certificates to Windows 10/11 devices. Depending on your configured Certificate Deployment Method you will see different views and settings. 

Enterprise Certificate

Setting Options Description
Certificate Settings
  • Enabled or Disabled
Enables certificate settings in this Tag.
New Certificate
  • Choose File
Use the button to upload your enterprise certificate.
Certificate Password
  • e.g. Pa$$w0rd
Password of the uploaded certificate. One certificate and its private key are distributed to every device that receives the Tag, so it identifies the organization rather than a device or user and cannot be revoked for a single device; where the Certification Authority Integration is available, the Individual Client method below issues a certificate per user instead.

Individual Client

Setting Options Description
Certificate Settings
  • Enabled or Disabled
Enables certificate settings in this Tag.
Template Name
  • e.g. Silverback User
Defines the template created on the Certification Authority. Refer to: Certification Authority Integration Guide for Certificate Based Authentication.
Use Custom Subject Name Variable
  • e.g. u_{firstname}.{lastname}
Defines a custom subject name (Issued To) for requested certificates. Refer to: Certification Authority Integration Guide for Certificate Based Authentication.
Use Custom UPN SAN Variable
  • e.g. {UserName}
Defines a custom UPN SAN variable (Principal Name) for requested certificates. Refer to: Certification Authority Integration Guide for Certificate Based Authentication.
Use Custom RFC 822 SAN Variable
  • e.g. {SerialNumber}
Defines a custom RFC 822 Subject Alternative Name (the email address form) for requested certificates. Refer to: Certification Authority Integration Guide for Certificate Based Authentication.

Windows Update

With the configuration of Windows 10/11 Update you will gain control over how and when updates will be installed and which servicing channel will be used.

Setting Options Minimum Version Description
Windows Update Policy Settings
  • Enabled or Disabled

Enables the Windows Update Settings. Windows Update configuration is supported on the following Windows 10 and Windows 11 editions:

  • Pro
  • Business
  • Enterprise
  • Education

Automatic update behavior

  • Notify the user before downloading the update
  • Auto install the update and then notify the user to schedule a device restart
  • Auto install and restart (default)
  • Auto install and restart at a specified time
  • Auto install and restart without end-user control
  • Turn off automatic updates

Notify the user before downloading the update. This option is intended for enterprises that want end users to manage data usage. Users are notified when updates that apply to the device are ready for download, and can download and install them from the Windows Update control panel.

Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart.

Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart.

Auto install and restart at a specified time. Specify  the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.

Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only.

Servicing channel

  • Windows Insider build - Fast
  • Windows Insider build - Slow
  • Release Windows Insider Build
  • Semi-annual Channel (default)
  • Semi-annual Channel (only applicable to releases prior to 1903)
Minimum version: 1607
Sets which branch a device receives its updates from.

Quality update deferral period (days)

  • e.g. 15
Minimum version: 1607
Defers quality updates for the specified number of days. Supported values are 0-365.

Feature update deferral period (days)

  • e.g. 90
Minimum version: 1703
Defers feature updates for the specified number of days. Supported values are 0-365.

Set feature update uninstall period (2 - 60 days)

  • 2-60 days
Minimum version: 1803
Configures the feature update uninstall period. Values range from 2 to 60 days; the default is 10 days.

Scheduled install day

  • Every day (default)
  • Sunday
  • Monday
  • Tuesday
  • Wednesday
  • Thursday
  • Friday
  • Saturday
Option to schedule the day of the update installation.

Active hours start

  • e.g. 08 AM
Minimum version: 1607
Together with Active hours end, defines a range of hours during which update restarts are not scheduled. This value sets the start time. In Windows 10, version 1607 the span is limited to 12 hours from the end time.

In Windows 10, version 1703 the default maximum difference from the end time was increased to 18 hours, and the maximum range of active hours became configurable (see Active Hours Max Range).

Active hours end

  • e.g. 05 PM
Minimum version: 1607
Added in Windows 10, version 1607. Together with Active hours start, defines a range of active hours during which update restarts are not scheduled. This value sets the end time. There is a 12 hour maximum from the start time.

Period for auto-restart warning reminder notification

  • e.g. 12
Minimum version: 1703
Specifies the period for auto-restart warning reminder notifications. Supported values are 2, 4, 8, 12, or 24 (hours). The default value is 4 (hours).

Period for auto-restart imminent warning notifications

  • e.g. 60
Minimum version: 1703
Specifies the period for auto-restart imminent warning notifications. Supported values are 15, 30, or 60 (minutes). The default value is 15 (minutes).

Change notification update level

  • Use the default Windows Update notifications (default)
  • Turn off all notifications, excluding restart warnings
  • Turn off all notifications, including restart warnings
Display options for update notifications. This policy defines which Windows Update notifications users see. It does not control how and when updates are downloaded and installed.

Deadline for feature updates

  • e.g. 14
Minimum version: 1903
Specifies the number of days a user has before feature updates are installed on their device automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.

Supported values are 2-30 (default 7), which indicates the number of days a device will wait before performing an aggressive installation of a required feature update.

Deadline for quality updates

  • e.g. 5
Minimum version: 1903
Specifies the number of days a user has before quality updates are installed on their device automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.

Supported values are 2-30 (default 7), which indicates the number of days a device will wait before performing an aggressive installation of a required quality update.

Deadline grace period

  • e.g. 1
Minimum version: 1903
Used together with Deadline for feature updates or Deadline for quality updates, specifies a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies.

Supported values are 0-7 (default 2), which indicates the minimum number of days a device will wait before performing an aggressive installation of a required update once the deadline has been reached.

Auto update download over metered network

  • Enabled or Disabled
Minimum version: 1709
Option to download updates automatically over metered connections (off by default).

A significant number of devices primarily use cellular data and do not have Wi-Fi access, which leads to fewer devices getting updates. Since many devices have large or unlimited data plans, this policy can unblock those devices from getting updates.

This policy is accessible through the Update setting in the user interface or Group Policy.

Windows drivers

  • Enabled or Disabled
Minimum version: 1607
Allows Windows Update (WU) drivers to be excluded during updates.

Auto reboot before deadline

  • Enabled or Disabled
Minimum version: 1903
If enabled and used together with Deadline for feature or quality updates, devices will not automatically restart outside of active hours until the deadline is reached, even if applicable updates are already installed and pending a restart.

When disabled, a device that has installed the required updates and is outside of active hours may attempt an automatic restart before the deadline.

Target release version
  • e.g. 1903
  • 1803

Specifies which version devices should be migrated to and/or which version they should keep until they reach the end of service or the policy is reconfigured.

Update service url

Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.

Update service url alternate
  • 1607

Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.

Allow non-Microsoft signed updates
  • Enabled or Disabled

This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update). It controls whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.

Disable dual scan
  • Enabled or Disabled

Do not allow update deferral policies to cause scans against Windows Update. If this policy is not enabled, configuring deferral policies will result in the client unexpectedly scanning Windows Update. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like.

Allow MU update service
  • Enabled or Disabled

Controls whether to scan for app updates from Microsoft Update.

Update Power Policy for Cart Restarts
  • Enabled or Disabled
  • 1703

For devices in a cart, this policy skips all restart checks to ensure that the reboot will happen at the Scheduled Install Time. When you set this policy along with Active hours start, Active hours end and ShareCartPC, it defers all the update processes (scan, download, install, and reboot) to a time after Active Hours. After a buffer period following Active hours end, the device will wake up several times to complete the processes. All processes are blocked before Active hours start.

Delivery Optimization

Windows Updates or Upgrades may contain packages with very large files. Delivery Optimization can be used to reduce bandwidth consumption by sharing the work of downloading files among multiple devices. Delivery Optimization is a self-organized distributed cache that allows your clients to download the packages from alternate sources in addition to the internet-located servers.

Review the Delivery Optimization reference for additional information.

Setting Options Minimum Version Description
General
Delivery Optimization Settings
  • Enabled or Disabled

Enables the Delivery optimization profile. Delivery Optimization is supported on the following Windows 10 and Windows 11 Editions:

  • Pro
  • Business
  • Enterprise
  • Education
Monthly Upload Data Cap (in GB)
  • e.g. 20
  • 1607

Specifies the maximum total data in GB that Delivery Optimization is allowed to upload to internet peers per calendar month.

The default value is 20. A value of 0 means unlimited.

Download Mode
  • Not configured
  • HTTP only
  • HTTP blended with peering behind the same NAT (default)
  • HTTP blended with peering across a private group 
  • HTTP blended with Internet peering
  • Simple download mode with no peering
 

With this setting it is possible to control the download method that Delivery Optimization can use for downloads of Windows Updates, Apps and App updates.

  • HTTP blended with peering across a private group: Peering occurs on devices in the same Active Directory Site (if it exists) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group, select Custom at Source of Group IDs.
  • Simple download mode with no peering: Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services.
Additional settings for Download Mode HTTP blended with peering behind the same NAT / across a private group / Internet Peering
Min Background QoS (in KB/s)
  • e.g. 500
  • 1607

Defines the minimum download Quality of Service (speed) in KB/s for background downloads.

Default value is 500.

Additional settings for Download Mode HTTP blended with peering behind the same NAT / across a private group
Select a Method to Restrict Peer Selection
  • None (Default)
  • Subnet Mask
  • 1803
Configure this policy to restrict peer selections via Subnet Mask. Subnet mask applies to both Download Modes via LAN and Group.
Additional settings for Download Mode HTTP blended with peering across a private group
Select the Source of Group IDs
  • AD Site
  • Authenticated domain SID
  • DHCP user option
  • DNS suffix
  • AAD
  • Custom
  Restricts the peer selection to a specific source. When set, the Group ID will be assigned automatically from the selected source. For DHCP user option, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID.
Custom Group ID
  • e.g. 3fffed8c-49d9-4b91-a996-f74e297193f7
 

Allows entering a custom Group ID. To retrieve an ObjectGUID from your Active Directory, enable Advanced Features in Active Directory Users and Computers, copy the object's Distinguished Name, and run the adjusted PowerShell command:

Get-ADObject -Identity "__value__" | Select-Object -Property ObjectGUID
Bandwidth
Delay Background Download From Http (in secs)
  • e.g. 0
  • 1803

Allows to delay the use of an HTTP source in a background download that is allowed for peer-to-peer. After the maximum delay is reached, download(s) will resume with HTTP. A download that is waiting for peer source will appear to be stuck for the device user. 

Recommended value is 3600 (1 h).

Delay Foreground Download From Http (in secs)
  • e.g. 0
  • 1803

Allows to delay the use of an HTTP source in a foreground (interactive) download that is allowed for peer-to-peer. After the maximum delay is reached, download(s) will resume with HTTP. A download that is waiting for peer source will appear to be stuck for the device user. 

Recommended value is 60 (1 minute). The default value 0 means this setting is managed by the cloud service.

Optimization Type
  • Not configured
  • Absolute
  • Percentage
  • Percentage and Business Hours
  Defines the type used for Bandwidth Optimization.
Additional settings for Optimization Type Absolute and Percentage

Max Background Download Bandwidth

  • e.g. 0
  • 1803

Configures the maximum background download bandwidth percentage that Delivery Optimization can use across all concurrent download activities. 

A value of 0 means an automatic and dynamic adjustment.

Max Foreground Download Bandwidth

  • e.g. 0
  • 1803

Configures the maximum foreground download bandwidth percentage that Delivery Optimization can use across all concurrent download activities. 

Downloads from LAN peers will not be restricted by this setting.

A value of 0 means an automatic and dynamic adjustment.

Additional settings for Optimization Type Percentage and business hours
Hours Start
  • Not configured
  • Values between 12 am and 11 pm
  Sets the Business Hours starting time to Limit Background and Foreground Download Bandwidth.
Hours End
  • Not configured
  • Values between 12 am and 11 pm
  Sets the Business Hours ending time to Limit Background and Foreground Download Bandwidth.
Traffic During Business Hours
  • e.g. 70
  Sets the percentage of throttle for traffic during business hours.
Traffic Outside of Business Hours
  • e.g. 30
  Sets percentage of throttle for traffic outside of business hours.
Caching
Peer Caching While the Device Connects Via VPN
  • Not configured
  • Enabled
  • Disabled
  • 1703
Controls if the device is allowed to participate in Peer Caching while connected via VPN to the domain network. 
Cache Drive
  • Not configured
  • Enabled
  This option allows specifying the drive that Delivery Optimization should use for its cache.
Specify Cache Drive
  • e.g. %SystemDrive% or D:\DOCache or D:
 

Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path.

By default, %SystemDrive% is used to store the cache.

Min Disk Size Allowed to Use Peer Caching
  • e.g. 32
  • 1703

Configures the required minimum disk size in GB for the device to use Peer Caching. 

Recommended values are 64 to 256 GB. The default value is 32 GB.

Min Peer Caching Content File Size
  • e.g. 100
  • 1703

Specifies the minimum content file size in MB to use Peer Caching. 

Default value is 100 (MB).

Min RAM Capacity Required to Enable Use of Peer Caching
  • e.g. 4
  • 1703

Specifies the minimum RAM size in GB to use Peer Caching. 

Default value is 4 (GB).

Min Battery Percentage Allow To Upload
  • e.g. 0
  • 1703

Defines the battery percentage below which the device stops uploading data to peers while running on battery. Any upload will automatically pause when the battery level falls below that threshold.

Recommended value is 40. The default value is 0, which means not limited.

Max Cache Age
  • e.g. 2592000
 

Controls the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully.

A value of 0 means unlimited. The default value is 259200, which is equal to 3 days.

Maximum Cache Size Type
  • Not configured
  • Absolute
  • Percentage
  Defines the Maximum Cache Size Type.
Additional Options for Cache Size Type Absolute
Absolute Max Cache Size 
  • e.g. 10
  • 1607
Configures the maximum cache size in GB. A value of zero means an unlimited cache. The cache will be cleared if the device is running low on disk space.
Additional Options for Cache Size Type Percentage
Max Cache Size
  • e.g. 20
  Controls the maximum percentage of the disk size (1-100) that Delivery Optimization can utilize. 
Local Server Caching
Cache Server Hostname
  • Not configured
  • Enabled
  This policy allows you to configure one or more Microsoft Connected Cache Servers.
Specify Cache Server Hostname
  • e.g. 10.0.0.50
 

One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas.

Delay Background Download Cache Server Fallback (in secs)
  • e.g. 0
  • 1903
Configures the time in seconds to delay the fallback from a Cache Server to the HTTP source for a background content download. 
Delay Foreground download Cache Server Fallback (in secs)
  • e.g. 0
  • 1903

Configures the time in seconds to delay the fallback from a Cache Server to the HTTP source for a foreground content download. 

Delay Foreground Download From Http (in secs) takes precedence, so that downloads from peers are tried first.
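To check on a managed device whether the Delivery Optimization profile above actually produces peer or cache-server downloads, and how the upload volume compares with the Monthly Upload Data Cap, the following added example (not from the Matrix42 documentation) uses the built-in Get-DeliveryOptimizationStatus and Get-DeliveryOptimizationPerfSnap cmdlets. The property names used (TotalBytesDownloaded, BytesFromPeers, BytesFromHttp, BytesFromCacheServer, DownloadMode, TotalBytesUploaded) are assumed from the cmdlet output on Windows 10 1803 and later; the summary functions are pure, so they also run on the constructed objects at the bottom.

```powershell
# Added example, not part of the Matrix42 documentation: verify that the Delivery
# Optimization profile yields peer or cache-server downloads and compare bytes uploaded
# to peers with the profile's Monthly Upload Data Cap. Property names are assumed from
# the output of Get-DeliveryOptimizationStatus / Get-DeliveryOptimizationPerfSnap.

# DownloadMode numbers as reported by the client, mapped to the profile's option names.
$DownloadModeNames = @{
    0   = 'HTTP only'
    1   = 'HTTP blended with peering behind the same NAT'
    2   = 'HTTP blended with peering across a private group'
    3   = 'HTTP blended with Internet peering'
    99  = 'Simple download mode with no peering'
    100 = 'Bypass (BITS only)'
}

function Get-PropertySum {
    # Sums one numeric property across objects; a missing property counts as 0, so the
    # summary also works on builds that do not report BytesFromCacheServer.
    param([object[]]$Items, [string]$Name)
    $sum = [long]0
    foreach ($item in $Items) { $sum += [long]($item.$Name) }
    return $sum
}

function Get-DoDownloadSummary {
    # Summarises where the downloaded bytes came from across all files the client reports.
    param([Parameter(Mandatory)][object[]]$Files)
    $total = Get-PropertySum $Files 'TotalBytesDownloaded'
    $peers = Get-PropertySum $Files 'BytesFromPeers'
    $http  = Get-PropertySum $Files 'BytesFromHttp'
    $cache = Get-PropertySum $Files 'BytesFromCacheServer'
    $pct = { param($part) if ($total -gt 0) { [math]::Round(100.0 * $part / $total, 1) } else { 0 } }
    $modes = $Files | ForEach-Object {
        $m = [int]$_.DownloadMode
        if ($DownloadModeNames.ContainsKey($m)) { $DownloadModeNames[$m] } else { "unknown mode $m" }
    } | Sort-Object -Unique
    [pscustomobject]@{
        Files              = $Files.Count
        TotalMB            = [math]::Round($total / 1MB, 1)
        PeerPercent        = & $pct $peers
        CacheServerPercent = & $pct $cache
        HttpPercent        = & $pct $http
        DownloadModesSeen  = ($modes -join '; ')
    }
}

function Test-DoUploadCap {
    # Compares bytes uploaded to peers with the Monthly Upload Data Cap (GB).
    # A cap of 0 means unlimited, exactly as in the profile setting.
    param([Parameter(Mandatory)][long]$BytesUploaded, [Parameter(Mandatory)][int]$MonthlyCapGB)
    $percent = if ($MonthlyCapGB -gt 0) { [math]::Round(100.0 * $BytesUploaded / ($MonthlyCapGB * 1GB), 1) } else { $null }
    [pscustomobject]@{
        UploadedGB   = [math]::Round($BytesUploaded / 1GB, 2)
        CapGB        = $MonthlyCapGB
        PercentOfCap = $percent
        CapReached   = ($MonthlyCapGB -gt 0 -and $BytesUploaded -ge $MonthlyCapGB * 1GB)
    }
}

# Constructed sample objects (not captured from a device) with the same property names.
$SampleFiles = @(
    [pscustomobject]@{ FileId = 'file-A'; TotalBytesDownloaded = 400MB; BytesFromPeers = 300MB; BytesFromHttp = 100MB; BytesFromCacheServer = 0;     DownloadMode = 2 }
    [pscustomobject]@{ FileId = 'file-B'; TotalBytesDownloaded = 200MB; BytesFromPeers = 0;     BytesFromHttp = 50MB;  BytesFromCacheServer = 150MB; DownloadMode = 2 }
)
Get-DoDownloadSummary -Files $SampleFiles | Format-List
Test-DoUploadCap -BytesUploaded 5GB -MonthlyCapGB 20 | Format-List

# Live check on a managed device (run in an elevated PowerShell session).
$live = @(Get-DeliveryOptimizationStatus)
if ($live.Count -gt 0) { Get-DoDownloadSummary -Files $live | Format-List }
$snap = Get-DeliveryOptimizationPerfSnap
# TotalBytesUploaded is the cmdlet's running counter, not a calendar-month figure, so the
# comparison with the cap is an indicator only.
Test-DoUploadCap -BytesUploaded ([long]$snap.TotalBytesUploaded) -MonthlyCapGB 20 | Format-List
```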

Defender Firewall

The Firewall configuration lets you control the Windows Defender Firewall global settings, per-profile settings, and the set of custom rules to be enforced on the device. You can manage non-domain devices and reduce the risk of network security threats across all systems connecting to the corporate network. If you configure Firewall rules, note that added rules are not displayed in the Windows Defender Firewall user interface (wf.msc) under Inbound or Outbound Rules. Configured Firewall rules can instead be reviewed under Monitoring > Firewall or with the Registry Editor under the path listed below. The registry path will also show configured Firewall Profiles that can't be reviewed within the user interface. For additional information, please refer to Windows 10/11 Working with Firewall Rules and Remote Desktop.

Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\Mdm

Make sure to click Save or Save & Close after changing the Defender Firewall Profile or after adding, removing, enabling or disabling Firewall Rules.

Settings Options Description
Defender Firewall Settings
  • Enabled or Disabled
Enables the Defender Firewall Profile. The Firewall configuration is supported beginning with Windows 10, version 1709.
Global Settings
Security Association Idle Time Before Deletion (in secs) 
  • e.g. 400
Security associations are deleted after network traffic is not seen for this number of seconds. Supported values: 300 to 3600.
Pre-shared Key Encoding 
  • None
  • UTF-8 (default)
Specifies the preshared key encoding that is used
IPsec Exemptions 
  • No IPsec exemptions (default)
  • Exempt neighbor discover IPv6 type-codes from IPsec
  • Exempt ICMP from IPsec
  • Exempt router discover IPv6 ICMP type-codes from IPsec
  • Exempt both IPv4 and IPv6 DHCP traffic from IPsec
Configure specific traffic to be exempt from performing IPsec.
Certificate Revocation List Verification 
  • Disables CRL checking (default)
  • CRL checking is attempted
  • CRL checking is required

Defines how certificate revocation list verification is enforced. The following options are available:

  • Disables CRL checking
  • CRL Checking is attempted specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail.
  • CRL checking is required means that checking is required and that certificate validation fails if any error is encountered during CRL processing
Packet Queuing 
  • All queuing is to be disabled (default)
  • Inbound encrypted packets are to be queued
  • Packets are to be queued after decryption

Specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved.

Disable FTP
  • Enabled or Disabled
Blocks stateful File Transfer Protocol (FTP)
Opportunistically Match Authentication Set Per Keying Module
  • Enabled or Disabled
If enabled, keying modules will ignore unsupported authentication suites.
Network Settings (applies to Domain, Private, or Public Network)
General  
Microsoft Defender Firewall
  • Enabled or Disabled
If this setting is not enabled, no network traffic will be blocked regardless of other policy settings
Disable Stealth Mode
  • Enabled or Disabled
When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific
IPsec Secured Packet Exemption With Stealth Mode
  • Enabled or Disabled
If stealth mode is enabled, this option will be ignored. Otherwise the stealth mode rules must not prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec
Shielded
  • Enabled or Disabled
If this value is true and Defender Firewall is on, the server must block all incoming traffic regardless of other policy settings
Disable Unicast Responses to Multicast Broadcasts
  • Enabled or Disabled
If true, unicast responses to multicast broadcast traffic are blocked.
Disable Inbound Notifications
  • Enabled or Disabled
If false, the Firewall may display a notification to the user when an application is blocked from listening on a port. If this setting is enabled, the Firewall must not display such notifications. 
Default Action For Outbound Connections
  • Allow (default)
  • Block
This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections.
Default Action for Inbound Connections
  • Allow
  • Block (default)
This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections.
Rule Merging  
Auth App Firewall Rules From the Local Store
  • Enabled or Disabled
If this value is false, authorized application firewall rules in the local store are ignored and not enforced
Global Port Firewall Rules From the Local Store
  • Enabled or Disabled
If this value is false, global port firewall rules in the local store are ignored and not enforced
Firewall Rules From the Local Store
  • Enabled or Disabled
If this value is false, firewall rules from the local store are ignored and not enforced
IPsec Rules From the Local Store
  • Enabled or Disabled
If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and security rule version
Firewall Rules Settings
Rule Settings
  • Enabled or Disabled

 

Name
  • e.g. Block Paint

Name of the rule.

The rule name must not include a forward slash.

Description
  • e.g. Firewall Rule for blocking outbound traffic for MS Paint
Specifies the description of the rule
Direction
  • Out (default)
  • In
The rule is enabled based on the traffic direction 
Action
  • Allow (default)
  • Block
Specifies the action the rule enforces.
Network Type
  • All (default)
  • Domain
  • Private
  • Public
Specifies the profiles to which the rule belongs: Domain, Private or Public
Application Settings  
Application
  • All
  • Package Family Name
  • File Path
  • Windows Service
Rules that control connections for an app, program, or service
Package Family Name
  • e.g. Microsoft.MSPaint_6.2009.30067.0_x64__8wekyb3d8bbwe
The Package Family Name is the unique name of a Microsoft Store application. Package family names can be retrieved by running the Get-AppxPackage command from PowerShell
File Path
  • e.g. %SystemRoot%\system32\svchost.exe
Enter the full path of the application
Windows Service Name
  • e.g. eventlog
This is the service name, used when a service is sending or receiving traffic.
IP Address Settings  
Local Addresses
  • e.g. 10.0.0.50
Comma separated list of local addresses covered by the rule. If kept empty, Any Local Address will be applied.
Remote Addresses
  • e.g. 88.130.55.97
  • e.g. LocalSubnet
Comma separated list of remote addresses covered by the rule. If kept empty, Any Remote Address will be applied. 
Port and Protocol Settings  
Protocol
  • Any (default)
  • TCP
  • UDP
  • Custom
Select the protocol for this port rule. The transport layer protocols TCP and UDP allow specifying ports or port ranges. For custom protocols, enter a number between 0 and 255 representing the IP protocol.
Local Ports (TCP/UDP)
  • e.g. 100-120,200,300-32
Comma separated list of ranges.
Remote Ports (TCP/UDP)
  • e.g. 100-120,200,300-32
Comma separated list of ranges.
Protocol (Custom)
  • 0-255
Enter a number between 0 and 255 representing the IP protocol.
Advanced Settings  
Interface Types
  • Not configured
  • Remote Access
  • Wireless
  • LAN
Specifies the interface type to which the rule belongs. 
Authorized Local Users Settings  
Authorized Local Users
  • e.g. "O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0) S:(AU;SAFA;WDWOSDWPCCDCSW;;;WD)"
Specifies the list of authorized local users for this rule. Enter the string in Security Descriptor Definition Language (SDDL) format. 
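Because rules deployed through this profile do not appear in wf.msc, the following added example (not from the Matrix42 documentation) lists them from the registry path given in the Defender Firewall introduction and validates a port-range list before it is entered into a rule. It assumes the MDM rules are stored as string values below that Mdm key (CurrentControlSet being the link to ControlSet001) in the same pipe-delimited "v2.x|Key=Value|..." format, with the same field names, as the classic FirewallPolicy\FirewallRules values; the sample rule string is constructed.

```powershell
# Added example, not part of the Matrix42 documentation: list MDM-deployed firewall rules
# from the registry and validate a Local/Remote Ports list. Assumptions: rule strings live
# below the Mdm key named in the text and use the classic "v2.x|Key=Value|..." format.

$MdmFirewallKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\Mdm'
$ProtocolNames  = @{ '1' = 'ICMPv4'; '6' = 'TCP'; '17' = 'UDP'; '58' = 'ICMPv6' }

function ConvertFrom-FirewallRuleString {
    # Parses one rule string into an object. Keys that occur more than once (for example
    # several RPort entries) are collected into an array instead of being overwritten.
    param([Parameter(Mandatory)][string]$RuleString)
    $parts  = $RuleString.Split('|', [System.StringSplitOptions]::RemoveEmptyEntries)
    $fields = @{}
    foreach ($part in ($parts | Select-Object -Skip 1)) {
        $key, $value = $part.Split('=', 2)
        if ($fields.ContainsKey($key)) { $fields[$key] = @($fields[$key]) + $value }
        else { $fields[$key] = $value }
    }
    $proto = [string]$fields['Protocol']
    $protocolName = if (-not $proto) { 'Any' } elseif ($ProtocolNames.ContainsKey($proto)) { $ProtocolNames[$proto] } else { $proto }
    [pscustomobject]@{
        Version    = $parts[0]
        Name       = $fields['Name']
        Active     = ([string]$fields['Active'] -eq 'TRUE')
        Direction  = $fields['Dir']
        Action     = $fields['Action']
        Protocol   = $protocolName
        LocalPort  = $fields['LPort']
        RemotePort = $fields['RPort']
        App        = $fields['App']
        Service    = $fields['Svc']
        Fields     = $fields
    }
}

function Get-MdmFirewallRule {
    # Walks the Mdm key and its subkeys and parses every value that carries a rule string.
    param([string]$Path = $MdmFirewallKey)
    if (-not (Test-Path -Path $Path)) { Write-Warning "No MDM firewall policy found at $Path"; return }
    $keys = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse)
    foreach ($key in $keys) {
        foreach ($valueName in $key.GetValueNames()) {
            $data = $key.GetValue($valueName)
            if ($data -is [string] -and $data -match '^v\d+\.\d+\|') {
                ConvertFrom-FirewallRuleString -RuleString $data |
                    Add-Member -NotePropertyName RegistryKey -NotePropertyValue $key.Name -PassThru |
                    Add-Member -NotePropertyName ValueName -NotePropertyValue $valueName -PassThru
            }
        }
    }
}

function Test-PortRangeList {
    # Validates the comma separated "100-120,200,300-320" form used for Local/Remote Ports:
    # every item must be a port number or a low-high range within 0-65535.
    param([Parameter(Mandatory)][string]$PortList)
    $problems = @()
    foreach ($item in $PortList.Split(',')) {
        $item = $item.Trim()
        if ($item -match '^(\d{1,5})(?:-(\d{1,5}))?$') {
            $start = [int]$Matches[1]
            $end   = if ($Matches[2]) { [int]$Matches[2] } else { $start }
            if ($end -gt 65535)      { $problems += "'$item': port number above 65535" }
            elseif ($start -gt $end) { $problems += "'$item': range start is greater than its end" }
        } else {
            $problems += "'$item': not a port number or a low-high range"
        }
    }
    [pscustomobject]@{ PortList = $PortList; IsValid = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample rule string (not read from a device) so the parser can be tried offline;
# it mirrors the "Block Paint" example from the rule settings above.
$SampleRule = 'v2.31|Action=Block|Active=TRUE|Dir=Out|Protocol=6|RPort=80|RPort=443|App=%SystemRoot%\system32\mspaint.exe|Name=Block Paint|Desc=Firewall Rule for blocking outbound traffic for MS Paint|'
ConvertFrom-FirewallRuleString -RuleString $SampleRule | Format-List Name, Direction, Action, Protocol, RemotePort, App

Test-PortRangeList -PortList '100-120,200,300-320' | Format-List
Test-PortRangeList -PortList '100-120,200,300-32'  | Format-List   # input containing a reversed range

# Live listing on a managed device (run elevated).
Get-MdmFirewallRule | Format-Table ValueName, Name, Direction, Action, Protocol, LocalPort, RemotePort -AutoSize
```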

Defender Antivirus

Microsoft Defender is an anti-malware component of Microsoft Windows. Defender Antivirus monitors threats to your device, runs scans, and gets updates to help detect the latest threats.

Setting Options Minimum Version Description
Defender Antivirus Settings
  • Enabled or Disabled
Enables the Defender Antivirus Profile. Defender Antivirus configuration is supported on the following Windows 10 and Windows 11 Editions:
  • Home
  • Pro
  • Business
  • Enterprise
  • Education
Real-time Protection
Turn on Real-Time Protection
  • Not configured
  • Yes
  • No
  Configuration of the Windows Defender Real-Time Monitoring functionality.
Turn On Behavior Monitoring
  • Not configured
  • Yes
  • No
  Configuration of the Windows Defender Behavior Monitoring functionality
Scan All Downloaded Files and Attachments
  • Not configured
  • Yes
  • No
  Configuration of Windows Defender IOAV Protection functionality.
Monitor File and Program Activity on Your Computer
  • Not configured
  • Yes
  • No
  Configuration of Windows Defender On Access Protection functionality.
Configure Monitoring for Incoming/Outgoing File and Program Activity
  • Not configured
  • All Files
  • Incoming Files
  • Outgoing Files
  Controls which sets of files should be monitored.
Intrusion Prevention System
  • Not configured
  • Yes
  • No
  Configuration of Windows Defender Intrusion Prevention functionality.
Exploit Guard
Configure Potentially Unwanted Application Protection
  • Not configured
  • Off
  • On
  • Audit Mode
  Specifies the level of detection for potentially unwanted applications. Windows Defender alerts when potentially unwanted software is being downloaded or attempts to install itself on the device. 
Prevent Users and Apps From Accessing Dangerous Websites
  • Not configured
  • Disabled
  • Enabled (block mode)
  • Enabled (audit mode)
  • 1709
Turns network protection on (in block or audit mode) or off. Network protection protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites.
Scan Interval
Specify the Time for a Daily Quick Scan
  • Not configured
  • From 12:00 AM to 11:00 PM
  Selects the time of day that the Windows Defender quick scan should run. The scan type will depend on what scan type is selected in the Scan Type Setting.
Specify the Scan Type to Use for a Scheduled Scan
  • Not configured
  • Quick Scan 
  • Full Scan
  Selects whether to perform a quick scan or full scan.
Specify the Day of the Week to Run a Scheduled Scan
  • Every Day (Default)
  • Sunday
  • Monday
  • Tuesday
  • Wednesday
  • Thursday
  • Friday
  • Saturday
  Selects the day that the Windows Defender scan should run.
Specify the Time of Day to Run a Scheduled Scan
  • Not configured
  • From 12:00 AM to 11:00 PM
  Selects the time of day that the Windows Defender scan should run.
Specify the Interval to Check for Definition Updates
  • Not configured
  • No check
  • Check every 1 to 24 hours
  Specifies the interval in hours that will be used to check for signatures, so instead of using the configuration of day and time the check for new signatures will be set according to the interval.
Scan Settings
Check For Signatures Before Running Scan
  • Not configured
  • Yes
  • No
  • 1809
Allows to manage whether a check for new virus and spyware definitions will occur before running a scan.
Scan archive files
  • Not configured
  • Yes
  • No
  Configuration for scanning of archives.
Scan emails
  • Not configured
  • Yes
  • No
  Configuration for scanning of emails.
Run Full Scan on Mapped Network Drives
  • Not configured
  • Yes
  • No
  Configuration for a full scan of mapped network drives.
Scan Removable Drives
  • Not configured
  • Yes
  • No
  Configuration for a full scan of removable drives. During a quick scan, removable drives may still be scanned.
Scan Network Files
  • Not configured
  • Yes
  • No
  Configuration for scanning of network files.
Turn on Script Scanning
  • Not configured
  • Yes
  • No
  Configuration for Windows Defender Script Scanning functionality. 
Disable Catch-up Full Scan
  • Not configured
  • Yes
  • No
  • 1809
This policy setting allows configuring catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
Disable Catch-up Quick Scan
  • Not configured
  • Yes
  • No
  • 1809
Allows configuring catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
Configure Low CPU Priority for Scheduled Scans
  • Not configured
  • Yes
  • No
  • 1809
This policy setting allows enabling or disabling low CPU priority for scheduled scans.
Specify the Maximum Percentage of CPU Utilization During a Scan
  • Not configured
  • Enabled
  This setting allows configuring the average CPU load factor for the Windows Defender scan.
CPU utilization (in percent)
  • 0-100%
  Represents the average CPU load factor for the Windows Defender scan in percent.
Remediation
Configure Detected Threat Actions
  • Not configured
  • Enabled
  Enables the configuration of remediation actions for each threat severity level.
Low Threat
  • Not configured
  • Clean
  • Quarantine
  • Remove
  • Allow
  • User defined
  • Block
 

Allows specifying, for each valid threat severity level, the corresponding default action to take.

  • Clean - Service tries to recover files and disinfect them.
  • Quarantine - Moves files to quarantine.
  • Remove - Removes files from system.
  • Allow - Allows file/does none of the above actions.
  • User defined - Requires user to make a decision on which action to take.
  • Block - Blocks file execution.
Moderate Threat
High Threat
Severe Threat
  The same options and default actions as for Low Threat apply to each of these severity levels.
Specify Removal of Items From Quarantine Folders
  • Not configured
  • Enabled
  Allows to customize the time period in days that quarantine items will be stored on the system. 
Time period (in days)
  • 0-90 days 
  Time period in days that quarantine items will be stored on the system.
MAPS
Join Microsoft MAPS
  • Enabled or Disabled
  Turns on/off the Microsoft Active Protection Service
Send File Samples When Further Analysis Is Required
  • Send safe samples automatically (Default)
  • Always prompt
  • Never send
  • Send all samples automatically
  Checks for the user consent level in Windows Defender to send data. If the required consent has already been granted, Windows Defender submits them. If not, and if the user has specified never to ask, the UI is launched to ask for user consent before sending data.
Malware Protection Engine
Select Cloud Protection Level
  • Not configured
  • Default
  • High
  • High+
  • Zero
  • 1709
This policy setting determines how aggressive Microsoft Defender Antivirus will be in blocking and scanning suspicious files. 
Specify Extended Cloud Check
  • Not configured
  • Enabled
  • 1709
Allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds, and scan in the cloud to make sure it's safe.
Cloud check timeout (in seconds)
  • 0-60 seconds
  • 1709
Sets the number of seconds, up to 60, that Microsoft Defender Antivirus may block a suspicious file while it is scanned in the cloud to make sure it's safe.
User Experience
Hide Virus & threat protection
  • Enabled or Disabled
  Allows or disallows user access to the Windows Defender UI. If disallowed, all Windows Defender notifications will also be suppressed.
Controlled Folder Access
Configure Controlled Folder Access
  • Not configured
  • Disabled 
  • Enabled
  • Audit Mode
  • 1709
This policy sets the state of the controlled folder access feature. Controlled folder access removes modify and delete permissions from untrusted applications for certain folders such as My Documents.
Add an allowed app
  • e.g. C:\Program Files\Matrix42\WriteToMatrix42Folder.exe
  • 1709
Add allowed applications that may access protected folders and make changes without a Windows Defender notification.
Add a protected folder
  • e.g. C:\Protected Folder
  • 1709
Add a list of additional folders that need to be protected.
Scan Exclusions
Add path
  • e.g. C:\Program Files\Internet Explorer
  Specifies a path to trust even if Windows Security has detected it as malicious; Windows Security will then stop alerting users about or blocking the program.
Add process
  • e.g. C:\Program Files\Internet Explorer\iexplore.exe
  Specifies a process to trust even if Windows Security has detected it as malicious; Windows Security will then stop alerting users about or blocking the program.
Add file extensions
  • e.g. exe, pdf
  Specifies a file type to trust even if Windows Security has detected it as malicious; Windows Security will then stop alerting users about or blocking the program.
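To verify what the Defender Antivirus profile actually applied on a device, and to catch scan exclusions that are broad enough to blind detection (an extension exclusion such as exe covers every executable on the device), the following added example (not from the Matrix42 documentation) reads the effective state with the built-in Get-MpPreference and Get-MpComputerStatus cmdlets. The risk rules are this example's own, not a Microsoft list; the exclusion check is a pure function, so it also runs on the constructed input at the bottom.

```powershell
# Added example, not part of the Matrix42 documentation: audit the applied Defender
# Antivirus profile and flag over-broad scan exclusions. Uses the built-in cmdlets
# Get-MpPreference and Get-MpComputerStatus (run elevated, otherwise the exclusion
# lists are not returned). The risk rules below are this example's own opinion.

function Test-DefenderExclusionRisk {
    param([string[]]$Paths = @(), [string[]]$Processes = @(), [string[]]$Extensions = @())
    $findings = @()

    # An extension exclusion skips every file of that type on the device, so excluding an
    # executable or script type removes scanning exactly where malware usually arrives.
    $executableTypes = 'exe','dll','com','scr','bat','cmd','ps1','vbs','js','jse','wsf','hta','msi','lnk'
    foreach ($ext in $Extensions) {
        $e = $ext.Trim().TrimStart('.').ToLowerInvariant()
        if ($executableTypes -contains $e) {
            $findings += [pscustomobject]@{ Kind = 'Extension'; Value = $ext; Risk = 'High'; Reason = "every .$e file is skipped by scans" }
        }
    }

    # A path exclusion should cover one product directory; a drive root, a user-writable
    # tree or a wildcard component covers far more than that.
    $broadPathPatterns = @(
        '^[a-z]:\\?$',                                    # whole drive, e.g. D:\
        '^%SystemDrive%\\?$',
        '^[a-z]:\\Users(\\|$)',                           # all or one user profile
        '\\(Temp|Downloads|Desktop|Public)(\\|$)',
        '^%(USERPROFILE|TEMP|TMP|APPDATA|LOCALAPPDATA)%',
        '\\\*'                                            # wildcard directory component
    )
    foreach ($p in $Paths) {
        foreach ($pattern in $broadPathPatterns) {
            if ($p -match $pattern) {
                $findings += [pscustomobject]@{ Kind = 'Path'; Value = $p; Risk = 'High'; Reason = "broad path (matches $pattern)" }
                break
            }
        }
    }

    # A process exclusion given as a bare file name applies to any process with that name,
    # wherever it was started from; a full path limits it to one binary.
    foreach ($proc in $Processes) {
        if ($proc -notmatch '[\\/]') {
            $findings += [pscustomobject]@{ Kind = 'Process'; Value = $proc; Risk = 'Medium'; Reason = 'bare process name, not a full path' }
        }
    }
    return $findings
}

function Get-DefenderProfileSummary {
    # Reads the effective state after the profile has been applied.
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtection     = $status.RealTimeProtectionEnabled
        BehaviorMonitoring     = $status.BehaviorMonitorEnabled
        IoavProtection         = $status.IoavProtectionEnabled
        OnAccessProtection     = $status.OnAccessProtectionEnabled
        ScriptScanning         = -not $pref.DisableScriptScanning
        PUAProtection          = $pref.PUAProtection                # 0 off, 1 on, 2 audit
        NetworkProtection      = $pref.EnableNetworkProtection      # 0 off, 1 block, 2 audit
        ControlledFolderAccess = $pref.EnableControlledFolderAccess # 0 off, 1 block, 2 audit
        CloudBlockLevel        = $pref.CloudBlockLevel
        CloudExtendedTimeout   = $pref.CloudExtendedTimeout
        QuarantinePurgeDays    = $pref.QuarantinePurgeItemsAfterDelay
        ThreatActions          = @{
            Low = $pref.LowThreatDefaultAction; Moderate = $pref.ModerateThreatDefaultAction
            High = $pref.HighThreatDefaultAction; Severe = $pref.SevereThreatDefaultAction
        }
        ExclusionFindings      = @(Test-DefenderExclusionRisk -Paths $pref.ExclusionPath -Processes $pref.ExclusionProcess -Extensions $pref.ExclusionExtension)
    }
}

# Constructed input (not from a device): the page's own example entries plus broad ones.
Test-DefenderExclusionRisk `
    -Paths      @('C:\Program Files\Internet Explorer', 'C:\Users\Public', 'D:\') `
    -Processes  @('C:\Program Files\Internet Explorer\iexplore.exe', 'updater.exe') `
    -Extensions @('exe', 'pdf') |
    Format-Table Kind, Value, Risk, Reason -AutoSize

# Live audit on a managed device.
$summary = Get-DefenderProfileSummary
$summary | Format-List
$summary.ExclusionFindings | Format-Table Kind, Value, Risk, Reason -AutoSize
```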

Defender Security Center  

Windows 10/11 includes a built-in Windows Security application, which provides the latest antivirus protection. Devices are actively protected from the moment a user starts Windows 10/11. Windows Security continually scans for malware (malicious software), viruses, and security threats. In addition to this real-time protection, updates are downloaded automatically to help keep devices safe and protect them from threats. This security application has several sub-settings pages, such as Virus & Threat Protection and Account Protection, and can usually be viewed and configured by users. With the following options, the appearance of the application on managed devices can be configured.

Setting Options Minimum Version Description
Microsoft Defender Security Center app and notifications
Defender Security Center
  • Enabled or Disabled
Enabling this option allows customization of the Microsoft Defender Security Center settings for managed devices. Defender Security Center configuration is supported on the following Windows 10 and Windows 11 Editions:
  • Home
  • Pro
  • Business
  • Enterprise
  • Education
Virus and threat protection
  • Not configured
  • Hide
  • Show
  • 1709
Configure if users can view the Virus and threat protection area in the Microsoft Defender Security Center. Hiding this section will also block all notifications related to Virus and threat protection
Ransomware data recovery
  • Not configured
  • Hide
  • Show
  • 1803
Define if users can view the Ransomware data recovery area. Hiding this section will also block all notifications related to Ransomware protection. 
Account protection
  • Not configured
  • Hide
  • Show
  • 1803
Select whether users can view the Account protection area. Hiding this section will also block all notifications related to Account protection.
Firewall and network protection
  • Not configured
  • Hide
  • Show
  • 1709
Specify if users can view the Firewall and network protection area. Hiding this section will also block all notifications related to Firewall and network protection.
App and browser Control
  • Not configured
  • Hide
  • Show
  • 1709
Configure if users can view the App and browser control area. Hiding this section will also block all notifications related to App and browser control.
Exploit protection settings modifying
  • Not configured
  • Disable
  • Enable
  • 1709
Prevents users from making changes to the exploit protection settings area. 
Device performance and health
  • Not configured
  • Hide
  • Show
  • 1709
Select whether users can view the Device performance and health area or not. Hiding this section will also block all notifications related to this section. 
Family options
  • Not configured
  • Hide
  • Show
  • 1709
Configure if users can view the Family options in the Microsoft Defender Security Center application. Hiding this section will also block all related notifications.
Device security area
  • Not configured
  • Hide
  • Show
  • 1803
Use this setting to disable the display of the Device security area. 
TPM Troubleshooter page
  • Not configured
  • Hide
  • Show
  • 1803
Use this setting to disable the display of the TPM Troubleshooter page.
Clear TPM button
  • Not configured
  • Disable
  • Enable
  • 1809
Configures if the Clear TPM button within the Security processor troubleshooting area is shown to users. 
TPM firmware update warning
  • Not configured
  • Disable
  • Enable
  • 1809
Defines if recommendations to update the TPM Firmware are shown when a vulnerable firmware is detected.
Secure boot area
  • Not configured
  • Hide
  • Show
  • 1803
Use this setting to hide the Secure boot area. 
Windows Security Center icon in the system tray
  • Not configured
  • Disable
  • Enable
  • 1809
Specifies whether the Windows Security Center is shown as a tray icon in the Taskbar or is hidden. 
Hide all notifications
  • Not configured
  • Hide
  • Show
  • 1709
Determines if notifications will be displayed on devices. If hide is selected, users can't see Windows Defender Security Center notifications.
Hide non-critical notifications
  • Not configured
  • Hide
  • Show
  • 1709
Determines if non-critical notifications will be displayed on devices. If hide is selected, Windows Defender Security Center only displays notifications which are considered critical. 
IT contact information
Display contact information in app
  • Enabled or disabled
  • 1709
Enabling this policy displays a customized company name and contact information in a contact fly-out of Windows Defender Security Center. If the policy is not enabled, or no company name and at least one contact method are provided, Windows 10 will not display the contact fly-out.
Display contact information in notifications
  • Enabled or disabled
  • 1709
Enabling this policy displays a customized company name and contact information in the notifications. If the policy is not enabled, or no company name and at least one contact method are provided, Windows 10 displays the default notification text.
Specify contact company name e.g. Imagoverum
  • 1709
Provides a predefined company name in contact fly-outs and notifications.
Contact phone number or Skype ID e.g. +4969667788650
  • 1709
Provides a predefined phone number or Skype ID in contact fly-outs and notifications. Skype will be used to initiate the call.
Contact email address e.g. support@imagoverum.com
  • 1709
Provides a predefined email address in contact fly-outs and notifications. The default mail application will be used to initiate email actions.
Contact website e.g. https://imagoverum.com
  • 1709
Provides a predefined help portal website in contact fly-outs and notifications. The default browser will be used to open it.

Defender SmartScreen

Microsoft Defender SmartScreen is a built-in threat protection of Windows 10/11 and Microsoft Edge that protects users and your organization against phishing or malware websites and applications and the downloading of potentially malicious files. Please review additional information here: Microsoft Defender SmartScreen

Setting Options Minimum Version Description
Defender SmartScreen Settings
  • Enabled or Disabled

Enables the Defender SmartScreen Profiles. Defender SmartScreen configuration is supported on the following Windows 10 and Windows 11 Editions:

  • Pro
  • Business
  • Enterprise
  • Education
Microsoft Edge
Configure Windows Defender SmartScreen
  • Not configured
  • Disabled
  • Enabled
  • Microsoft Edge (non-chromium based) version 45 and earlier
Microsoft Edge uses Windows Defender SmartScreen by default to protect users from potential security risks. Enabling this setting protects users from potential threats and prevents them from turning SmartScreen on or off in Microsoft Edge. Disabling this setting turns SmartScreen off and prevents users from turning it back on. 
Prevent Bypassing Windows Defender SmartScreen Prompts for Sites
  • Not configured
  • Disabled
  • Enabled
  • Microsoft Edge (non-chromium based) version 45 and earlier
By default, Microsoft Edge allows users to bypass or ignore Defender SmartScreen warnings about potentially malicious sites and access them anyway. Enabling this setting prevents users from bypassing the warnings. 
Prevent Bypassing Windows Defender SmartScreen Prompts for Files
  • Not configured
  • Disabled
  • Enabled
  • Microsoft Edge (non-chromium based) version 45 and earlier
By default, Microsoft Edge allows users to bypass or ignore warnings about potentially malicious files when downloading unverified files. Enabling this setting prevents users from bypassing the warnings and blocks the download of unverified files. 
Reputation-based protection
Check apps and files
  • Not configured
  • Disabled
  • Enabled
  • 1703
Enables Microsoft Defender SmartScreen for Windows, which checks apps and files downloaded from the web before they run and warns about or blocks those with a poor reputation. 
File execution
Ignore Warnings and Run Malicious Files
  • Not configured
  • Allow
  • Block
  • 1703
Defines if users can ignore SmartScreen warnings and run files that SmartScreen has flagged as malicious. 
Source-based protection
Install Apps only from Microsoft Store
  • Not configured
  • Disabled
  • Enabled
  • 1703
Controls whether users may install apps only from the Microsoft Store. Installations are only blocked while the device is online. To also block offline installations, set Check apps and files to Enabled and Ignore Warnings and Run Malicious Files to Block. 

Power Options

Windows 10/11 allows the Power & Sleep settings of managed devices to be controlled centrally. This helps administrators enforce consistent power behaviour and reduce energy costs within the organization. Power management for Windows 10/11 includes the following options:

  • Manage whether or not Windows is allowed to use standby states when putting the computer in a sleep state.
  • Specify the period of inactivity before Windows turns off the display.
  • Specify the period of inactivity before Windows transitions the system to sleep.
  • Specify battery charge level at which Energy Saver is turned on.
  • Prompt for a password when the system resumes from sleep.
Setting Options Minimum Version Description
Power Options
  • Enabled or Disabled
Enables the Power Options Profile. Power Option configuration is supported on the following Windows 10 and Windows 11 Editions:
  • Pro
  • Business
  • Enterprise
  • Education
Predefine Lid Switch Action
  • Not configured
  • Sleep
  • Hibernate
  • Shutdown
  • 1903
Specifies the action that Windows takes when the user closes the lid on the device.
Predefine Power Button Action
  • Not configured
  • Sleep
  • Hibernate
  • Shutdown
  • 1903
This setting specifies the action that Windows takes when the user presses the power button. 
Predefine Sleep Button Action
  • Not configured
  • Sleep
  • Hibernate
  • Shutdown
  • 1903
This setting specifies the action that Windows takes when the user presses the sleep button. 
Use Standby States When Putting the Computer in a Sleep State
  • Not configured
  • Disabled
This option manages whether Windows is allowed to use standby states when putting the computer in a sleep state. 
Specify Inactivity Timeout Before Windows Turns Off the Display
  • Not configured
  • Enabled
  • 1709
Allows to specify the period of inactivity before Windows turns off the display. If enabled, a value for Set Screen Off Inactivity Timeout (seconds) is required. 
Set Screen Off Inactivity Timeout (seconds)
  • e.g. 300
  • 1709
Defines the idle time in seconds that should elapse before Windows turns off the display.
Specify Period of Inactivity Before Hibernating
  • Not configured
  • Enabled
  • 1709

This setting allows to specify the period of inactivity before Windows transitions to hibernate. If enabled, a value for Inactivity Timeout for Hibernating (seconds) is required. 

If the user has configured a slide show on the lock screen and the device is locked, this can prevent the transition. Please refer to Restrictions > Device Lock.

Inactivity Timeout for Hibernating (seconds)
  • e.g. 300
  • 1709
Defines how much idle time should elapse before Windows transitions to hibernate. 
Specify Inactivity Timeout Before Windows Turns Into Sleep
  • Not configured
  • Enabled
  • 1709

Allows to specify the period of inactivity before Windows transitions to sleep. If enabled, a value for Sleep Inactivity Timeout (seconds) is required. 

If the user has configured a slide show on the lock screen and the device is locked, this can prevent the sleep transition. Please refer to Restrictions > Device Lock.

Sleep Inactivity Timeout (seconds)
  • e.g. 300
  • 1709
Defines how much idle time should elapse before Windows transitions to sleep. 
Specify Inactivity Timeout for Unattended Sleep
  • Not configured
  • Enabled
  • 1903

Allows to specify the period of inactivity before Windows transitions to sleep automatically when no user is present at the computer. If enabled, a value for Unattended Sleep Timeout (seconds) is required. 

If the user has configured a slide show on the lock screen and the device is locked, this can prevent the sleep transition. Please refer to Restrictions > Device Lock.

Unattended Sleep Timeout (seconds)
  • e.g. 300
  • 1903
Defines how much idle time should elapse before Windows automatically transitions to sleep when left unattended. A value of 0 seconds means Windows never transitions to sleep automatically.
Require a Passcode When the System Resumes From Sleep
  • Not configured
  • Disabled
If this setting is disabled, the user is not prompted for a password when the system resumes from sleep: the device resumes straight into the unlocked session, so anyone with physical access to a sleeping device gets in without passing the lock screen. Leave it Not configured (Windows prompts by default) unless a specific scenario requires otherwise. 
Allow Hybrid Sleep
  • Not configured
  • Disabled
  • 1903
Specifies whether Hybrid Sleep mode is allowed. Hybrid Sleep is a combination of the Sleep and Hibernate modes intended for desktops. If you disable this setting, no hiberfile is generated when the system transitions to Sleep. 
Specify Battery Level for Energy Saver Activation
  • Not configured
  • Enabled
  • 1903
This setting allows to specify the battery charge level at which Energy Saver is turned on. The Energy Saver will automatically turn on at (and below) the specified battery charge level. If enabled, a value for Battery Level (percentage) is required. 
Battery Level (percentage)
  • e.g. 30
  • 1903
Defines a percentage value that indicates the battery charge level when Energy Saver turns on. Supported values are 0-100. Default value is 70. 

Microsoft Edge 

Microsoft Edge is the built-in browser of Windows 10/11. The first version, now called Microsoft Edge Legacy, has been deprecated and replaced by the new Chromium-based Microsoft Edge. This Microsoft Edge profile includes over 60 settings from various sections of Microsoft Edge such as the Password Manager, SmartScreen settings and other customization options.  

Setting Options Minimum Version Description
Microsoft Edge Settings
  • Enabled or Disabled
Enables the Microsoft Edge profile. The Microsoft Edge configuration is supported on the following Windows 10 and Windows 11 Editions:
  • Home
  • Pro
  • Business
  • Enterprise
  • Education
InPrivate Mode
  • Not configured
  • Allowed
  • Disabled
  • Forced
  • Version 77 or later

Specifies whether the user can open websites in InPrivate mode. 

  • Allowed = InPrivate mode is available to users
  • Disabled = InPrivate mode is not available and users are prevented from using it
  • Forced = websites are always opened in InPrivate mode 
Password manager and protection
Enable Password Manager
  • Not configured
  • Disabled
  • Enabled
  • Version 77 or later
Enable Microsoft Edge to save user passwords. If enabled, users can save their passwords in Microsoft Edge and the next time they visit the site, Microsoft Edge will enter the password automatically. If disabled, users can't save new passwords, but they are still able to use previously saved passwords. 
Allow Microsoft Edge to monitor user passwords
  • Not configured
  • Disabled
  • Enabled
  • Version 85 or later
Allows users to be alerted if their passwords are found to be unsafe. If enabled and a user consents to enabling the feature, the user is alerted if any of their passwords stored in Microsoft Edge are found to be unsafe. If disabled, users are not asked for permission, passwords are not scanned, and no alerts are shown. 
Configure the change password URL
  • Not configured
  • Enabled
  • Version 77 or later
If enabled, the password protection service sends users to a URL to change their password. 
The change password URL
  • Version 77 or later
This setting appears if Configure the change password URL is enabled. The password protection service sends users to this URL to change their password.
Enable Password reveal button
  • Not configured
  • Disabled
  • Enabled
  • Version 87 or later
This setting controls the default display of the browser password reveal button for password input fields on websites. If disabled, the browser user setting won't display the password reveal button. 
Configure password protection warning trigger
  • Not configured
  • Password protection warning is off
  • Password protection warning is triggered by password reuse
  • Version 77 or later
Controls when the password protection warning is triggered. Password protection alerts users when they reuse their protected password on potentially suspicious sites. If Password protection warning is off is selected, no password warnings appear. If Password protection warning is triggered by password reuse is selected, warnings appear when users reuse their protected passwords. 
Password Protection Login URLs
  • Not configured
  • Enabled
  • Version 77 or later
If enabled, a list of enterprise login URLs where the password protection service should capture salted hashes of the password can be configured. Use the Add Url button to add password protection login URLs. 
SmartScreen Settings
Configure Microsoft Defender SmartScreen
  • Not configured
  • Disabled
  • Enabled
  • Version 77 or later
Microsoft Defender SmartScreen provides warning messages to help protect your users from potential phishing scams and malicious software. By default, this feature is turned on. Enabling this setting keeps SmartScreen on and prevents users from disabling it. 
Force checks on downloads from trusted sources
  • Not configured
  • Disabled
  • Enabled
  • Version 78 or later
This policy setting controls whether Microsoft Defender SmartScreen checks download reputation from a trusted source. If enabled, SmartScreen checks the download's reputation regardless of source. If disabled, no check for the download's reputation will be done when downloading from a trusted source. 
Block potentially unwanted apps
  • Not configured
  • Disabled
  • Enabled
  • Version 80 or later
Potentially unwanted app blocking with Microsoft Defender SmartScreen provides warning messages to help protect users from adware, coin miners, bundleware, and other low-reputation apps that are hosted by websites. Potentially unwanted app blocking with Microsoft Defender SmartScreen is turned off by default. If enabled, the potentially unwanted app blocking with Microsoft Defender SmartScreen is turned on. 
Prevent bypassing prompts for sites
  • Not configured
  • Disabled
  • Enabled
  • Version 77 or later
This setting controls whether users can override the Microsoft Defender SmartScreen warnings about potentially malicious websites. If enabled, users can't ignore SmartScreen warnings and users will be blocked from accessing the site. 
Prevent bypassing warnings about downloads
  • Not configured
  • Disabled
  • Enabled
  • Version 78 or later
This option controls whether users can override Microsoft Defender SmartScreen warnings about unverified downloads. If enabled, users can't ignore the SmartScreen warnings and are prevented from completing unverified downloads. 
Configure Allowed Domains
  • Not configured
  • Enabled
  • Version 77 or later
Configure the list of domains for which Microsoft Defender SmartScreen won't trigger warnings. If enabled, use the Add an allowed domain button to enter the list of trusted domains. 
Startup, home page and new tab page
Show Home button on toolbar
  • Not configured
  • Disabled
  • Enabled
  • Version 77 or later
This option controls the display of the Home button on Microsoft Edge's toolbar. If enabled, the Home button is always shown. If disabled, the Home button never appears on the toolbar. If not configured, users can choose whether to show the Home button. 
New tab page URL
  • Not configured
  • Enabled
  • Version 77 or later
Allows to configure the New Tab page URL, which will be opened by default when using the New Tab button.  If enabled, you can specify the default New Tab page URL through an additionally appearing option.  
Set as the home page
  • Not configured
  • Disabled
  • Enabled
  • Version 77 or later
If enabled, the New tab page URL will also be used as the default home page URL when pressing the Home button. If enabled the Configure the home page URL option will be marked as inactive. 
Configure the home page URL
  • Not configured
  • Enabled
  • Version 77 or later
Configures the default home page URL, which will be opened by using the Home Button. If enabled, you can specify the home page URL with the additionally appearing option Specify the home page URL.  
Hide the default top sites from the new tab page
  • Not configured
  • Disabled
  • Enabled
  • Version 77 or later
Controls whether the default top sites are hidden from the new tab page in Microsoft Edge. If enabled, they are hidden; if disabled or not configured, they remain visible. 
Enable preload of the new tab page for faster rendering
  • Not configured
  • Disabled
  • Enabled
  • Version 85 or later
This setting controls the preloading of the new tab page for a faster rendering. If enabled, preloading the New tab page is enabled and users can't change this setting. 
Action to take on startup
  • Not configured
  • Restore the last session
  • Open a new Tab
  • Open a list of URLs
  • Version 77 or later
Allows to specify how Microsoft Edge behaves when it starts. If Open a list of URLs is selected, you can add startup URLs with the Add Url button that appears. 
Proxy Server
Configure proxy server settings
  • Not configured
  • Never use a proxy
  • Auto detect proxy settings
  • Use a .pac proxy script
  • Use fixed proxy servers
  • Use system proxy setting
  • Version 77 or later

Configures the proxy settings for Microsoft Edge. If you enable this policy, Microsoft Edge ignores all proxy-related options specified on the command line.

Microsoft has already deprecated most of the individual proxy server options without providing replacements in this profile. This feature might not work correctly and might need to be reworked once the new proxy settings are available. 

Performance
Enable startup boost
  • Not configured
  • Disabled
  • Enabled
  • Version 88 or later
Allows Microsoft Edge processes to start at user sign-in and to restart in the background after the last browser window is closed.
Default Search Provider
Default search provider settings
  • Not configured
  • Disabled
  • Enabled
  • Version 77 or later
Enables the ability to use a default search provider.
Specify Search URL
  • Not configured
  • Enabled
  • Version 77 or later

If enabled, you can specify the URL of the search engine used for a default search. The URL contains the string '{searchTerms}', which is replaced at query time by the terms the user is searching for. Please refer to the Microsoft Edge Policy description for further examples.

For Google, try the following

Keyword
  • Not configured
  • Enabled
  • Version 77 or later
If enabled, this setting allows to specify the keyword, which is the shortcut used in the Address Bar to trigger the search for this provider.
Search by image
  • Not configured
  • Enabled
  • Version 77 or later
If enabled, a URL to the search engine used for image search can be specified. Search requests are sent using the GET method. Please refer to the Microsoft Edge Policy description for further examples. 
Default search provider name
  • Not configured
  • Enabled
  • Version 77 or later
If enabled, you can set the name of the default search provider. The provider’s name should be set to an organization-approved encrypted search provider that corresponds to the encrypted search provider set in DTBC-0008.
Parameters for an image URL that uses POST
  • Not configured
  • Enabled
  • Version 77 or later
If enabled, parameters can be added which are used when an image search that uses POST is performed. The policy consists of comma-separated name/value pairs. If a value is a template parameter, such as {imageThumbnail}, it is replaced with real image thumbnail data. Please refer to the Microsoft Edge Policy description for further examples. 
URL for suggestions
  • Not configured
  • Enabled
  • Version 77 or later
If enabled, a custom URL for suggestions for the search engine can be defined. The URL contains the string '{searchTerms}', which is replaced at query time by the text the user has entered so far. Please refer to the Microsoft Edge Policy description for further examples. 
The new tab page search box
  • Not configured
  • Search Box (recommended)
  • Address bar
  • Version 85 or later

This setting allows to configure the new tab page search box to use Search Box Recommended or Address bar to search on new tabs. 

  • Search box (Recommended) - the new tab page uses the search box to search on new tabs.
  • Address bar - the new tab page search box uses the address bar to search on new tabs.
Character encodings
  • Not configured
  • Enabled
  • Version 77 or later
If enabled, you can specify character encodings supported by the search provider. Encodings are code page names like UTF-8, GB2312, and ISO-8859-1. They are tried in the order provided. Add encodings by pressing the Add search provider encoding button.
Sleeping Tabs
Configure sleeping tabs
  • Not configured
  • Disabled
  • Enabled
  • Version 88 or later
This setting configures whether to turn on sleeping tabs for Microsoft Edge. Sleeping tabs reduces CPU, battery, and memory usage by putting idle background tabs to sleep. Microsoft Edge uses heuristics to avoid putting tabs to sleep that do useful work in the background, such as display notifications, play sound, and stream video. By default, sleeping tabs is turned on.
Background tab inactivity timeout
  • Not configured
  • 5
  • 15
  • 30
  • 1 hour
  • 2 hours (default)
  • 3 hours
  • 6 hours
  • 12 hours
  • Version 88 or later
Allows to configure the timeout after which inactive background tabs are automatically put to sleep if the Configure sleeping tabs option is set to Enabled. 
Block sleeping tabs on specific sites
  • Not configured
  • Enabled
  • Version 88 or later
If enabled, a list of sites, based on URL patterns can be configured, that are not allowed to be put into sleeping tabs. Use the Add Url button to enter specific sites that are not allowed to be put to sleep. 
Content Settings
Default geolocation setting
  • Not configured
  • Allow sites to track users' physical location
  • Don't allow any site to track users' physical location
  • Ask whenever a site wants to track users' physical location
  • Version 77 or later
Defines whether websites can track the physical location of users. 
Default images setting
  • Not configured
  • Allow all sites to show all images
  • Don't allow any site to show images
  • Version 77 or later
Allows to configure if websites can display images. 
Allow images on specific sites
  • Not configured
  • Enabled
  • Version 77 or later
This option will be active if Default image setting is set to Not configured or Don't allow any site to show images. After enabling this setting, specific sites can be added to display images.
Block images on specific sites
  • Not configured
  • Enabled
  • Version 77 or later
This option will be active if Default image setting is set to Not configured or Allow all sites to show all images. After enabling this setting, specific sites can be added to block images.
Default insecure content setting
  • Not configured
  • Do not allow any site to load mixed content
  • Allow users to add exceptions to allow mixed content
  • Version 80 or later
Allows to control whether users can add exceptions to allow mixed content for specific sites. 
Allow insecure content on specified sites
  • Not configured
  • Enabled
  • Version 80 or later
This option will be active if Default insecure content setting is set to Not Configured or to Do not allow any site to load mixed content. After enabling this setting, specific sites can be added to allow insecure content. 
Block insecure content on specified sites
  • Not configured
  • Enabled
  • Version 80 or later
This option will be active if Default insecure content setting is set to Not Configured or to Allow users to add exceptions to allow mixed content. After enabling this setting, specific sites can be added to block insecure content. 
Default JavaScript setting
  • Not configured
  • Allow all sites to run JavaScript
  • Don't allow any site to run JavaScript
  • Version 77 or later
Allows to control whether websites can run JavaScript
Allow JavaScript on specific sites
  • Not configured
  • Enabled
  • Version 77 or later
This option will be active if Default JavaScript setting is set to Not Configured or to Don't allow any site to run JavaScript. After enabling this setting, specific sites can be added to allow JavaScript. 
Block JavaScript on specific sites
  • Not configured
  • Enabled
  • Version 77 or later
This option will be active if Default JavaScript setting is set to Not Configured or to Allow all sites to run JavaScript. After enabling this setting, specific sites can be added to block JavaScript. 
Default notification setting
  • Not configured
  • Allow sites to show desktop notifications
  • Don't allow any site to show desktop notifications
  • Ask every time a site wants to show desktop notifications
  • Version 77 or later
Allows to control whether websites can display desktop notifications. 
Allow notifications on specific sites
  • Not configured
  • Enabled
  • Version 77 or later
This option will be active if Default Notification setting is set to Not Configured or to Don't allow any site to show desktop notifications or to Ask every time a site wants to show desktop notifications. After enabling this setting, specific sites can be added to allow notifications. 
Block notifications on specific sites
  • Not configured
  • Enabled
  • Version 77 or later
This option will be active if Default Notification setting is set to Not Configured or to Allow sites to show desktop notifications or to Ask every time a site wants to show desktop notifications. After enabling this setting, specific sites can be added to block notifications. 
Default pop-up window setting
  • Not configured
  • Allow all sites to show pop-ups
  • Do not allow any site to show pop-ups
  • Version 77 or later
Allows to control whether websites can show pop-up windows. 
Allow pop-up windows on specific sites
  • Not configured
  • Enabled
  • Version 77 or later
This option will be active if Default pop-up setting is set to Not Configured or to Do not allow any site to show pop-ups. After enabling this setting, specific sites can be added to allow pop-up windows. 
Block pop-up windows on specific sites
  • Not configured
  • Enabled
  • Version 77 or later
This option will be active if Default pop-up setting is set to Not Configured or to Allow all sites to show pop-ups. After enabling this setting, specific sites can be added to block pop-up windows. 
Default cookies setting
  • Not configured
  • Let all sites create cookies
  • Don't let any site create cookies
  • Keep cookies for the session, except the 'Save cookies on exit' exclusions
  • Version 77 or later
Allows to control whether websites can create cookies on managed devices. 
Allow cookies on specific sites
  • Not configured
  • Enabled
  • Version 77 or later
This option will be active if Default cookies setting is set to Not Configured, to Don't let any site create cookies, or to Keep cookies for the session, except the 'Save cookies on exit' exclusions. After enabling this setting, specific sites can be added to allow cookies. 
Block cookies on specific sites
  • Not configured
  • Enabled
  • Version 77 or later
This option will be active if Default cookies setting is set to Not Configured, to Let all sites create cookies, or to Keep cookies for the session, except the 'Save cookies on exit' exclusions. After enabling this setting, specific sites can be added to block cookies. 
Session-only cookies on specific sites
  • Not configured
  • Enabled
  • Version 77 or later
This setting allows to define specific sites whose cookies are deleted when the session ends by closing the window. If Enabled is selected, you can add URLs to specify session-only cookies. 
Save cookies on exit
  • Not configured
  • Enabled
  • Version 86 or later
With this option, a specified set of cookies is exempt from deletion when the browser closes. If enabled, specific URLs can be added whose cookies are kept when Microsoft Edge closes. 
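As an added example (not part of the Matrix42 documentation and not Silverback's own code), the following PowerShell script reads back, on an enrolled device, the values that the Defender SmartScreen profile, the TPM firmware warning of the Windows Security Center profile, and the SmartScreen, password protection and mixed-content settings of the Microsoft Edge profile write, and reports any that deviate from a hardened baseline. It assumes that device-scope Policy CSP values are stored under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area> and Microsoft Edge policies under HKLM\SOFTWARE\Policies\Microsoft\Edge; the "Expected" values are one sensible baseline chosen for this example, not defaults prescribed by the profiles. Run it in an elevated PowerShell session on the Windows 10/11 device.

```powershell
# Added example: verify on an enrolled device that the SmartScreen, Security Center
# and Edge policy values pushed by the profiles above actually landed, and flag
# deviations from an assumed hardening baseline. Not part of Silverback.

$cspSmartScreen = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\SmartScreen'
$cspSecCenter   = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\WindowsDefenderSecurityCenter'
$edgePolicy     = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# Baseline assumed by this example (1 = enabled unless noted).
$baseline = @(
    # Defender SmartScreen profile: Check apps and files = Enabled
    @{ Path = $cspSmartScreen; Name = 'EnableSmartScreenInShell';        Expected = 1 }
    # Ignore Warnings and Run Malicious Files = Block
    @{ Path = $cspSmartScreen; Name = 'PreventOverrideForFilesInShell';  Expected = 1 }
    # Install Apps only from Microsoft Store = Enabled
    @{ Path = $cspSmartScreen; Name = 'EnableAppInstallControl';         Expected = 1 }
    # Windows Security Center: TPM firmware update warning stays on (0 = not disabled)
    @{ Path = $cspSecCenter;   Name = 'DisableTpmFirmwareUpdateWarning'; Expected = 0 }
    # Microsoft Edge profile: SmartScreen settings
    @{ Path = $edgePolicy; Name = 'SmartScreenEnabled';                       Expected = 1 }
    @{ Path = $edgePolicy; Name = 'SmartScreenPuaEnabled';                    Expected = 1 }
    @{ Path = $edgePolicy; Name = 'SmartScreenForTrustedDownloadsEnabled';    Expected = 1 }
    @{ Path = $edgePolicy; Name = 'PreventSmartScreenPromptOverride';         Expected = 1 }
    @{ Path = $edgePolicy; Name = 'PreventSmartScreenPromptOverrideForFiles'; Expected = 1 }
    # Microsoft Edge profile: password manager and protection
    @{ Path = $edgePolicy; Name = 'PasswordMonitorAllowed';                   Expected = 1 }
    # 1 = warning triggered by password reuse
    @{ Path = $edgePolicy; Name = 'PasswordProtectionWarningTrigger';         Expected = 1 }
    # Microsoft Edge profile: content settings, 2 = do not allow mixed content
    @{ Path = $edgePolicy; Name = 'DefaultInsecureContentSetting';            Expected = 2 }
)

function Test-PolicyValue {
    param([hashtable]$Check)
    $actual = $null
    if (Test-Path -LiteralPath $Check.Path) {
        # Missing value: Get-ItemPropertyValue reports a non-terminating error, $actual stays $null.
        $actual = Get-ItemPropertyValue -LiteralPath $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    }
    $status = if ($null -eq $actual) { 'MISSING' } elseif ([int]$actual -eq $Check.Expected) { 'OK' } else { 'MISMATCH' }
    [pscustomobject]@{
        Policy   = $Check.Name
        Expected = $Check.Expected
        Actual   = $actual
        Status   = $status
    }
}

$results = $baseline | ForEach-Object { Test-PolicyValue -Check $_ }
$results | Format-Table -AutoSize

# Every domain on the SmartScreen allow list ("Configure Allowed Domains") is a site
# SmartScreen will never warn about, so surface the list for deliberate review.
# Edge stores list policies as numbered string values under a subkey.
$allowKey = Join-Path $edgePolicy 'SmartScreenAllowListDomains'
if (Test-Path -LiteralPath $allowKey) {
    foreach ($valueName in (Get-Item -LiteralPath $allowKey).GetValueNames()) {
        $domain = Get-ItemPropertyValue -LiteralPath $allowKey -Name $valueName
        Write-Warning "SmartScreen warnings suppressed for allow-listed domain: $domain"
    }
}

# Non-zero exit code so the script can feed a compliance pipeline.
$bad = @($results | Where-Object Status -ne 'OK')
if ($bad.Count -gt 0) { exit 1 }
```

A MISSING result usually means the profile has not been applied to the device yet (or was applied in user scope); a MISMATCH means another policy source, such as Group Policy or a second MDM profile, is overriding the intended value.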

Start Menu

Customize the Start Menu user experience for all managed Windows 10/11 Pro, Enterprise, Business and Education devices. These controls allow you to hide or show pinned folders and to hide various items in the Start Menu, and additionally to roll out custom Start layouts for different departments or organizations with minimal effort as an administrator. Any layout can be updated simply by overwriting the XML file that contains a captured layout. 

Please refer to the following Guides or examples and tutorials for the Custom Start Layout Template generation: 

After exporting your Custom Start Layout, simply upload the file into Silverback and adjust it on the fly if needed. Additionally, please review all options for the Start Menu configuration below: 
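Before uploading a captured layout, it pays to validate it on a reference device that matches the target image. The following PowerShell check is an added example, not part of the Matrix42 documentation or of Silverback: it parses a LayoutModification XML file as written by the built-in Export-StartLayout cmdlet on Windows 10 (on Windows 11 that cmdlet writes a JSON pin list instead, which this check does not cover), verifies the document is a LayoutModificationTemplate, and tests every DesktopApplicationTile shortcut path, because a tile whose .lnk does not exist on the target device does not appear on Start. The sample layout at the bottom, including the Imagoverum group name and the deliberately wrong "Old Tool.lnk" path, is constructed for this example.

```powershell
# Added example: validate a captured Start layout before uploading it as a
# Custom Start Layout. Not part of Silverback. Run on a reference device whose
# installed applications match the target devices, since shortcut paths are
# tested against the local file system.

function Test-StartLayout {
    param([Parameter(Mandatory)][string]$Path)

    [xml]$layout = Get-Content -LiteralPath $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($layout.NameTable)
    $ns.AddNamespace('lm',    'http://schemas.microsoft.com/Start/2014/LayoutModification')
    $ns.AddNamespace('start', 'http://schemas.microsoft.com/Start/2014/StartLayout')

    if (-not $layout.SelectSingleNode('/lm:LayoutModificationTemplate', $ns)) {
        throw "$Path is not a LayoutModificationTemplate document"
    }

    $problems = @()
    foreach ($tile in $layout.SelectNodes('//start:DesktopApplicationTile', $ns)) {
        if ($tile.HasAttribute('DesktopApplicationLinkPath')) {
            # Paths are normally written with %ALLUSERSPROFILE% or %APPDATA%; expand before testing.
            $link = [Environment]::ExpandEnvironmentVariables($tile.GetAttribute('DesktopApplicationLinkPath'))
            if (-not (Test-Path -LiteralPath $link)) {
                $problems += "Shortcut not found on this machine: $link"
            }
        }
    }
    foreach ($tile in $layout.SelectNodes('//start:Tile', $ns)) {
        # Store app tiles reference PackageFamilyName!AppId; an ID without '!' cannot resolve (heuristic).
        $aumid = $tile.GetAttribute('AppUserModelID')
        if ($aumid -notmatch '!') { $problems += "Malformed AppUserModelID: $aumid" }
    }
    return $problems
}

# Constructed sample layout: one Store app tile and one desktop tile with a
# deliberately wrong shortcut path, so the check has something to report.
$sample = @'
<LayoutModificationTemplate Version="1"
    xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
    xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
    xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
  <LayoutOptions StartTileGroupCellWidth="6" />
  <DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6">
        <start:Group Name="Imagoverum">
          <start:Tile Size="2x2" Column="0" Row="0"
              AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="0"
              DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Imagoverum\Old Tool.lnk" />
        </start:Group>
      </defaultlayout:StartLayout>
    </StartLayoutCollection>
  </DefaultLayoutOverride>
</LayoutModificationTemplate>
'@

$layoutFile = Join-Path $env:TEMP 'StartLayout-sample.xml'
Set-Content -LiteralPath $layoutFile -Value $sample -Encoding UTF8
# To check a real capture instead, replace the two lines above with:
#   Export-StartLayout -Path $layoutFile      (Windows 10)
$issues = Test-StartLayout -Path $layoutFile
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'Layout OK' }
```

Fix every reported path in the XML (or install the missing application in the image) before uploading the file; a layout that validates cleanly on the reference device will pin the same tiles on every device that receives the profile.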

Setting Options Minimum Version Description
Start Menu Settings
  • Enabled or Disabled

Enables the Start Menu settings profile. Start Menu configuration is supported on the following Windows 10 and Windows 11 Editions:

  • Pro
  • Business
  • Enterprise
  • Education
Context Menus
  • Not configured
  • Disabled
  • 1803
Configuring this setting allows to prevent context menus from being invoked in the Start Menu.
Force Start Size
  • Not configured
  • Non-fullscreen
  • Fullscreen
This setting forces the Start Menu to non-fullscreen or fullscreen size.
Pin to Taskbar
  • Not configured
  • Disabled
  • 1703
Allows to configure the taskbar by disabling pinning and unpinning apps on the taskbar.
Pinned Folders
Documents
  • Not configured
  • Hide
  • Show
  • 1703
This setting controls the visibility of the Documents shortcut on the Start menu.
Downloads
  • Not configured
  • Hide
  • Show
  • 1703
This setting controls the visibility of the Downloads shortcut on the Start menu.
Music
  • Not configured
  • Hide
  • Show
  • 1703
This setting controls the visibility of the Music shortcut on the Start menu.
Pictures
  • Not configured
  • Hide
  • Show
  • 1703
This setting controls the visibility of the Pictures shortcut on the Start menu.
Videos
  • Not configured
  • Hide
  • Show
  • 1703
This setting controls the visibility of the Videos shortcut on the Start menu
Network
  • Not configured
  • Hide
  • Show
  • 1703
This setting controls the visibility of the Network shortcut on the Start menu.
Personal Folder
  • Not configured
  • Hide
  • Show
  • 1703
This setting controls the visibility of the Personal Folder shortcut on the Start menu.
File Explorer
  • Not configured
  • Hide
  • Show
  • 1703
This setting controls the visibility of the File Explorer shortcut on the Start menu.
Settings
  • Not configured
  • Hide
  • Show
  • 1703
This setting controls the visibility of the Settings shortcut on the Start menu.
Home Group
  • Not configured
  • Hide
  • Show
  • 1703
This setting controls the visibility of the Home Group shortcut on the Start menu.
Hide Items
Application List
  • Not configured
  • Collapse
  • Collapse and disable settings app
  • Remove and disable settings app
  • 1709

Allows to configure Start by collapsing or removing the all apps list.

This setting requires reboot to take effect.

Frequently Used Apps
  • Not configured
  • Hide
  • 1703

Allows you to configure Start by hiding the most used apps.

This setting requires a reboot to take effect.

Recently Added Apps
  • Not configured
  • Hide
  • 1703

Allows you to configure Start by hiding recently added apps.

This setting requires a reboot to take effect.

People Bar
  • Not configured
  • Hide
  • 1709
Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar.
User Tile
  • Not configured
  • Hide
  • 1703

Allows you to configure Start by hiding the user tile.

This setting requires a reboot to take effect.

Recent Jumplists
  • Not configured
  • Hide
  • 1703

Allows you to configure Start by hiding recently opened items in the jump lists.

This setting requires a reboot to take effect.

Change Account Settings
  • Not configured
  • Hide
  • 1703
Allows you to configure Start by hiding "Change account settings" in the user tile.
Lock
  • Not configured
  • Hide
  • 1703
Allows you to configure Start by hiding "Lock" in the user tile.
Sign Out
  • Not configured
  • Hide
  • 1703
Allows you to configure Start by hiding "Sign out" in the user tile.
Switch Account
  • Not configured
  • Hide
  • 1703
Allows you to configure Start by hiding "Switch account" in the user tile.
Power Button
  • Not configured
  • Hide
  • 1703

Allows you to configure Start by hiding the Power button.

This policy requires a reboot to take effect.

Sleep
  • Not configured
  • Hide
  • 1703
Allows IT Admins to configure Start by hiding Sleep from appearing in the Power button.
Hibernate
  • Not configured
  • Hide
  • 1703

Allows you to configure Start by hiding "Hibernate" in the Power button menu.

This setting can only be verified on laptops, as Hibernate does not appear on regular PCs.

Shut Down
  • Not configured
  • Hide
  • 1703
Allows you to configure Start by hiding "Shut down" and "Update and shut down" in the Power button menu.
Restart
  • Not configured
  • Hide
  • 1703
Allows you to configure Start by hiding "Restart" and "Update and restart" in the Power button menu.

Custom Start Layout Template

Start Layout
  • Not configured
  • XML File
  • 1709
Allows you to override the default Start layout and prevents the user from changing it. If XML File is selected, you can either upload your exported file or simply paste the content of the file into the corresponding text form.

Remote Desktop

This profile allows you to configure Remote Desktop settings for Windows 10 and Windows 11 devices. The options first let you allow or prevent remote access to the computer by using Remote Desktop Services, and prevent or allow the mapping of client drives in a Remote Desktop Services session. With the password options, you can define whether the option to save credentials is available for Remote Desktop connections and whether a password prompt is forced upon connection. As additional security options, you can specify whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. If you are using native RDP encryption to secure communication between client computers and RD Session Hosts, you can specify the encryption level for these connections. For additional information, please refer to Windows 10/11 Working with Firewall Rules and Remote Desktop.

Setting Options Description
Remote Desktop Settings
  • Enabled or Disabled

Enables the Remote Desktop profile. Remote Desktop configuration is supported on the following Windows 10 and Windows 11 Editions:

  • Pro
  • Business
  • Enterprise
  • Education
Allow users to connect remotely
  • Not configured
  • Enabled
  • Disabled
This policy setting allows you to configure remote access to computers by using Remote Desktop Services. If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services.
Do not allow drive redirection
  • Not configured
  • Enabled
  • Disabled
This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection).
Do not allow passwords to be saved
  • Not configured
  • Enabled

Controls whether passwords can be saved on this computer from Remote Desktop Connection.

If you enable this setting, the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves their settings, any password that previously existed in the RDP file will be deleted.

If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection.

Always prompt for password upon connection
  • Not configured
  • Enabled
  • Disabled

This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection.

You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client.

By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client.

If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on.

If you disable this policy setting, users can always log on to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client.

If you do not configure this policy setting, automatic logon is not specified at the Group Policy level.

Require secure RPC communication
  • Not configured
  • Enabled
  • Disabled

Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication.

You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests.

If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients.

If the status is set to Disabled, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that do not respond to the request.

If the status is set to Not Configured, unsecured communication is allowed.

Client connection encryption level
  • Not configured
  • High
  • Client Compatible
  • Low

Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption.

If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available:

  • High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to RD Session Host servers.

  • Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that do not support 128-bit encryption.

  • Low: The Low setting encrypts only data sent from the client to the server by using 56-bit encryption.
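
To verify on a device that the profile has landed as chosen, the following added example (not Silverback's own code) reads the Group Policy registry values that these Remote Desktop settings correspond to and reports any drift from the options selected in the Tag. The registry key path, the value-name mapping and the sample hardened profile are assumptions, not taken from this page; the assumption is that the MDM policies are ADMX-backed and write to the same location as their Group Policy equivalents.

```powershell
# Added example, not Silverback code: audit the effective Remote Desktop policy state on a
# Windows 10/11 device and compare it with the options chosen in the profile above.
# Assumption: the MDM policies are ADMX-backed and land in the same registry location as
# their Group Policy equivalents; the value names below are the Group Policy ones.
$TsPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Profile setting -> registry value name, and which raw value means Enabled / Disabled.
$RdpPolicyMap = @(
    @{ Setting = 'Allow users to connect remotely';            Name = 'fDenyTSConnections';    Enabled = 0; Disabled = 1 }
    @{ Setting = 'Do not allow drive redirection';             Name = 'fDisableCdm';           Enabled = 1; Disabled = 0 }
    @{ Setting = 'Do not allow passwords to be saved';         Name = 'DisablePasswordSaving'; Enabled = 1; Disabled = 0 }
    @{ Setting = 'Always prompt for password upon connection'; Name = 'fPromptForPassword';    Enabled = 1; Disabled = 0 }
    @{ Setting = 'Require secure RPC communication';           Name = 'fEncryptRPCTraffic';    Enabled = 1; Disabled = 0 }
)
# MinEncryptionLevel as written by "Client connection encryption level".
$EncryptionLevels = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High' }

function Get-RdpPolicyState {
    # Returns one row per profile setting with its effective policy state on this device.
    $props = Get-ItemProperty -Path $TsPolicyKey -ErrorAction SilentlyContinue
    foreach ($m in $RdpPolicyMap) {
        $raw = if ($props) { $props.($m.Name) } else { $null }
        $state = 'Not configured'
        if ($null -ne $raw) {
            $state = if ($raw -eq $m.Enabled) { 'Enabled' } elseif ($raw -eq $m.Disabled) { 'Disabled' } else { "Unexpected ($raw)" }
        }
        [pscustomobject]@{ Setting = $m.Setting; RegistryValue = $m.Name; Raw = $raw; State = $state }
    }
    $lvl = if ($props) { $props.MinEncryptionLevel } else { $null }
    $lvlState = 'Not configured'
    if ($null -ne $lvl) {
        $lvlState = if ($EncryptionLevels.ContainsKey([int]$lvl)) { $EncryptionLevels[[int]$lvl] } else { "Unexpected ($lvl)" }
    }
    [pscustomobject]@{ Setting = 'Client connection encryption level'; RegistryValue = 'MinEncryptionLevel'; Raw = $lvl; State = $lvlState }
}

function Compare-RdpPolicy {
    # $Desired maps a profile setting name to the option selected in Silverback; returns the drift.
    param([Parameter(Mandatory)][hashtable]$Desired)
    foreach ($row in Get-RdpPolicyState) {
        if ($Desired.ContainsKey($row.Setting) -and $Desired[$row.Setting] -ne $row.State) {
            [pscustomobject]@{ Setting = $row.Setting; Expected = $Desired[$row.Setting]; Actual = $row.State }
        }
    }
}

# Constructed sample: a hardened selection of the options from the Remote Desktop table above.
$HardenedProfile = @{
    'Do not allow drive redirection'             = 'Enabled'
    'Do not allow passwords to be saved'         = 'Enabled'
    'Always prompt for password upon connection' = 'Enabled'
    'Require secure RPC communication'           = 'Enabled'
    'Client connection encryption level'         = 'High'
}
$drift = Compare-RdpPolicy -Desired $HardenedProfile
if ($drift) { $drift | Format-Table -AutoSize } else { 'Remote Desktop policy matches the profile.' }
```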

Custom Profiles

Custom Profiles are helpful if you depend on a new feature that Microsoft releases between Silverback releases. Custom Profiles ensure that you as an Administrator can address missing features by generating a profile yourself. Please refer to Create a Custom Profile for Windows 10/11 for additional information.

Policy

With Policies, Administrators have the ability to enforce rules with Silverback, such as which Apps are installed on the devices and which Cellular Networks the device is on, through to the Serial Numbers of the devices as they are enrolled into the system. These are the environmental conditions that Silverback will continue to monitor and 'police' for any devices that are associated with the Tag.

OS Version Compliance

Administrators have the ability to control which OS versions are allowed within their environment. To allow an OS version, simply ensure the checkbox next to the respective OS version is ticked. Enrolling a device with a disabled OS version will result in the device automatically being blocked.

  • Alert Administrators: When the checkbox is checked, all administrators will receive an email when a device that violates OS compliance is detected, or when a new OS version is discovered.
  • Automatically Approve New OS Versions: When an OS platform is enrolled to Silverback for the first time, the OS is automatically added to the list. By default, unknown OS platforms are disabled and relevant devices will be blocked. To automatically authorize new OS versions as they are discovered, ensure the checkbox is ticked.

Use this feature where you do not want devices to be automatically blocked when a user upgrades their device to a new future OS version that is released by their software vendor.

Hardware Compliance

Administrators have the ability to enforce a hardware compliance policy through Silverback. Simply uncheck the boxes for hardware types that should not be supported, and any devices that match the hardware type and are managed by Silverback will be blocked. The list of hardware types is managed via the Device Types option in the Admin Tab of the Silverback Console. If a mapping from device type to hardware type exists, the hardware type will be displayed in the hardware compliance list. When a Device Manufacturer releases a new version of their hardware, the model numbers may not be known by Silverback. In this case Silverback will 'learn' them and store them as 'Unknown' in the Device Types section under the Admin Tab, where the Administrator can update them manually. To allow these devices into your system, enable the 'Unknown' checkbox option. This allows the device into your Silverback Environment, and you can later re-classify this device type in the Admin > Device Types section.

  • Alert Administrators: When the checkbox is checked, administrators receive an email when a device that violates hardware compliance is detected.

Lockdown

Lockdown policies allow Administrators to configure their own device compliance rules and to define actions that are executed automatically when a violation is detected. Enabling a lockdown policy ensures that the device is inspected regularly for compliance, from initial enrollment and throughout the device lifecycle. Each policy can be enabled or disabled through its associated checkbox.

Lockdown Actions

The following lockdown actions can be configured:

Action Description
No action No action is performed on the device; however alerting administrators may be performed if configured.
Lock A lock command is sent to the device which will lock the screen of the device. 
Block The device is blocked, and the device is moved to the blocked devices table. 
Factory Wipe The device is hard reset to factory default settings.
Factory Wipe and persist user data Will perform a remote reset on the device and persist user accounts and data. Additionally, the device remains enrolled during the factory reset execution and assigned profiles and applications will be re-applied to the device after the factory reset process is finished. 
Delete Business Data Deletes the device and removes all corporate data.
Alert administrator Emails are sent to all administrators notifying them of the policy violation when it is detected. 

The trigger for executing lockdown actions is the Device Information command, which compares the Awaited Response with the device information received from the Get Defender Health Info and Get Security Info commands; these can be reviewed in the Pending Commands overview for a particular device.

Lockdown Policies

The following lockdown policies can be configured. If a mismatch occurs between the awaited device information response and the last actual response from the managed device(s), the lockdown actions are executed and the device is marked as non-compliant. Compliance Violations are shown in the Device Overview for the particular device. Violations marked in red are those that lead to a blocked device. In email notifications, administrators receive additional information giving an overview of the violated policy, the executed action, user and device information, and the reported status that led to the policy violation. The email(s) are sent once, at the point of detection.

Policy General Options Description
Enforce Hardware Authentication Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Factory Wipe
  • Factory Wipe and persist user data
  • Factory Wipe
Hardware authentication can be enabled or disabled from this screen. Please refer to Hardware Authentication for additional information.
Device Security
Require Secure Boot Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Factory Wipe
  • Factory Wipe and persist user data
  • Delete Business Data

Device Information Value that is checked: Secure Boot Status

Awaited Response: Enabled

Require Encryption Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Factory Wipe
  • Factory Wipe and persist user data
  • Delete Business Data

Device Information Value that is checked: Encryption Compliance

Awaited Response: Encrypted

Require Antivirus Status is on and monitoring Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Factory Wipe
  • Factory Wipe and persist user data
  • Delete Business Data

Device Information Value that is checked: Antivirus Status

Awaited Response: Antivirus is on and monitoring

Require Most Recent Antivirus Signature Version Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Factory Wipe
  • Factory Wipe and persist user data
  • Delete Business Data

Device Information Value that is checked: Antivirus Signature Status 

Awaited Response: The security software reports that it is the most recent version

Require Antispyware Status is good and does not need user attention Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Factory Wipe
  • Factory Wipe and persist user data
  • Delete Business Data

Device Information Value that is checked: Antispyware Status

Awaited Response: The status is good and does not need user attention

Require Most Recent Antispyware Signature Version Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Factory Wipe
  • Factory Wipe and persist user data
  • Delete Business Data

Device Information Value that is checked:  Antispyware Signature Status

Awaited Response: The security software reports that it is the most recent version.

Require Firewall is on and monitoring Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Factory Wipe
  • Factory Wipe and persist user data
  • Delete Business Data

Device Information Value that is checked: Firewall Status

Awaited Response: Firewall is on and monitoring

Require Running Virtualization-based Security Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Factory Wipe
  • Factory Wipe and persist user data
  • Delete Business Data

Device Information Value that is checked: Virtualization-based Security Status

Awaited Response: Running

Require Running Local System Authority Credential Guard Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Factory Wipe
  • Factory Wipe and persist user data
  • Delete Business Data

Device Information Value that is checked: Local System Authority Credential Guard Status

Awaited Response: Running

Windows Defender
Require Defender Service is running Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Factory Wipe
  • Factory Wipe and persist user data
  • Delete Business Data

Device Information Value that is checked: Defender service is running

Awaited Response: Yes

Require Non-outdated Signature Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Factory Wipe
  • Factory Wipe and persist user data
  • Delete Business Data

Device Information Value that is checked: Signature is outdated

Awaited Response: No

Require Well initialized device state Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Factory Wipe
  • Factory Wipe and persist user data
  • Delete Business Data

Device Information Value that is checked: Current state of the product

Awaited Response: Well initialized state

Require Clean device state Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Factory Wipe
  • Factory Wipe and persist user data
  • Delete Business Data

Device Information Value that is checked: Current state of the device

Awaited Response: Clean

Require Running Real-time protection Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Factory Wipe
  • Factory Wipe and persist user data
  • Delete Business Data

Device Information Value that is checked: Real-time protection is running

Awaited Response: Yes

Require Running Network protection Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Factory Wipe
  • Factory Wipe and persist user data
  • Delete Business Data

Device Information Value that is checked: Network protection is running

Awaited Response: Yes

Require Enabled Tamper protection Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Factory Wipe
  • Factory Wipe and persist user data
  • Delete Business Data

Device Information Value that is checked: Tamper protection feature is enabled

Awaited Response: Yes

Power Options
Required Minimum Battery level (percentage)

Enabled or Disabled

  • 100
  • 90
  • 80
  • 70
  • 60
  • 50
  • 40
  • 30
  • 20
  • 10

Device Information Value that is checked: Battery Level

Awaited Response: e.g. 90%
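
As an added example that is not part of the Silverback documentation, the following PowerShell script gathers the local state behind each lockdown policy in the table above and reports which Awaited Response would not be met, so a device can be checked before enrollment or a reported violation can be explained. The cmdlets used, the signature-age threshold and the battery default are assumptions about how that state is read locally, not something this page states.

```powershell
# Added example, not Silverback code: read the device-side state behind each lockdown
# policy above and flag what would mismatch its Awaited Response. Run in an elevated
# PowerShell session on the Windows 10/11 device. Assumption: the MDM inventory
# (Get Security Info / Get Defender Health Info) reflects the same state that these
# built-in cmdlets expose locally.
function Get-LockdownComplianceReport {
    param(
        [int]$MinimumBattery = 90,      # the percentage chosen under Power Options
        [int]$MaxSignatureAgeDays = 1   # assumption: what counts as the most recent signature
    )
    $mp   = Get-MpComputerStatus
    $pref = Get-MpPreference
    $dg   = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $os   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }  # throws on legacy BIOS
    $fwAllOn = @(Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -ne 'True' }).Count -eq 0
    $battery = (Get-CimInstance -ClassName Win32_Battery | Select-Object -First 1).EstimatedChargeRemaining

    # One entry per policy: the Device Information value checked, the Awaited Response, and
    # whether the local state satisfies it. VBS status 2 = running; service id 1 = Credential Guard.
    $checks = @(
        @{ Value = 'Secure Boot Status';                  Awaited = 'Enabled';   Ok = [bool]$secureBoot }
        @{ Value = 'Encryption Compliance';               Awaited = 'Encrypted'; Ok = ("$($os.ProtectionStatus)" -eq 'On') }
        @{ Value = 'Antivirus Status';                    Awaited = 'Antivirus is on and monitoring'; Ok = ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled) }
        @{ Value = 'Antivirus Signature Status';          Awaited = 'Most recent version'; Ok = ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays) }
        @{ Value = 'Antispyware Status';                  Awaited = 'Good, no user attention'; Ok = [bool]$mp.AntispywareEnabled }
        @{ Value = 'Antispyware Signature Status';        Awaited = 'Most recent version'; Ok = ($mp.AntispywareSignatureAge -le $MaxSignatureAgeDays) }
        @{ Value = 'Firewall Status';                     Awaited = 'Firewall is on and monitoring'; Ok = $fwAllOn }
        @{ Value = 'Virtualization-based Security Status'; Awaited = 'Running'; Ok = ($dg.VirtualizationBasedSecurityStatus -eq 2) }
        @{ Value = 'Local System Authority Credential Guard Status'; Awaited = 'Running'; Ok = (@($dg.SecurityServicesRunning) -contains 1) }
        @{ Value = 'Defender service is running';         Awaited = 'Yes'; Ok = [bool]$mp.AMServiceEnabled }
        @{ Value = 'Signature is outdated';               Awaited = 'No';  Ok = ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays) }
        @{ Value = 'Real-time protection is running';     Awaited = 'Yes'; Ok = [bool]$mp.RealTimeProtectionEnabled }
        @{ Value = 'Network protection is running';       Awaited = 'Yes'; Ok = ($pref.EnableNetworkProtection -eq 1) }
        @{ Value = 'Tamper protection feature is enabled'; Awaited = 'Yes'; Ok = [bool]$mp.IsTamperProtected }
        # No battery (desktop) is treated as compliant, an assumption for this example.
        @{ Value = 'Battery Level';                       Awaited = "$MinimumBattery% or more"; Ok = ($null -eq $battery -or $battery -ge $MinimumBattery) }
    )
    foreach ($c in $checks) {
        [pscustomobject]@{ Value = $c.Value; Awaited = $c.Awaited; Compliant = [bool]$c.Ok }
    }
}

function Test-LockdownCompliant {
    # $true when every check passes; pass -Only to restrict the check to the Device
    # Information values whose policies are actually enabled in the Tag.
    param([string[]]$Only)
    $rows = Get-LockdownComplianceReport
    if ($Only) { $rows = $rows | Where-Object { $Only -contains $_.Value } }
    return -not ($rows | Where-Object { -not $_.Compliant })
}

Get-LockdownComplianceReport | Format-Table -AutoSize
```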

Apps

The Apps Feature section is how Administrators can automate the distribution of Device Apps for specific groups of users. Before you can begin assigning Apps to the Tag, you first need to have them uploaded into the Silverback App Portal. Once you have Apps in the Silverback App Portal, they can be distributed using the Apps Feature associated with your Tag.

App Types

Two different App Types are available for Windows devices:

Type Description
Enterprise Applications owned by an Organization (Windows 10/11 with *.msi file)
Business Applications from Windows Store for Business

Assign Apps

Once Apps are uploaded into the Silverback App Portal Tab, they can be distributed to devices via a Tag they have been associated with.

  • Navigate to Apps
  • Click Assign More Apps
  • Select any applications from the shown Assign Applications page
  • Click Add Selected Apps

Overview

Already assigned applications are displayed in the Apps section of any Tag with the following columns: 

Column Description
Type Displays the app type, either Enterprise or Market
Name Displays the application name
Version Displays the application version for Enterprise Apps
Description Displays the application description given in App Portal
Remove Removes the App from the Tag

Content

Content Management is not supported on Windows 10/11.
