Windows Profile Settings

Settings section in Device Profile, lets IT Admins configure additional settings which can then be applied to managed Windows devices. This document briefs all the Settings that can be configured in a Windows Device Profile.

Before You Begin

  1. Windows Device Profile should be created on Scalefusion Dashboard. To create a windows device profile, please visit Windows Device Profile
  2. Windows OS 7 and 8.1 devices should be enrolled with Scalefusion MDM agent.
  3. Iconography - The settings which work on both modes, that is, Modern Management and Agent based, are identified by iconography where windows icon is for modern management and Scalefusion icon is for Agent enrolled devices.
    No iconography against a setting would mean it is supported only on modern management mode.

Settings

  1. Create a new Windows Device Profile or edit an existing one and click on + sign next to Settings on the left panel.
  2. All Settings can be accessed under different headings.

These are described below:

Single/Kiosk App Mode

Use this option to set an application to run always and set the Windows Device in Kiosk app mode. Please refer to our help document here.

Device Management

Branding

Branding allows you to apply a home and/or lock screen wallpaper to your enterprise devices.

Feature

Description

Supported on

Home & Lock Screen Wallpaper

You can create a custom branding under Device Profiles & Policies > Branding section and then apply it in Device Profile. You will be able to select branding that is compatible with Windows.

Only Home screen wallpaper can be set on Win OS 7 and 8.1 devices

Win 10 Pro

Win 10 Enterprise

Win 7

Win 8.1

Email & Exchange

From here, you can configure Exchange ActiveSync settings for your profile.

  1. Feature

    Description

    Supported on

    Exchange Settings

    Select the Exchange Configuration(s) that you have created in Windows Utilities section so that they will be published to the devices in this Profile.

    Win 10 Pro

    Win 10 Enterprise

    Email Settings

    Select the Email Configuration(s) that you have created in Windows Utilities section so that they will be published to the devices in this Profile.

    Win 10 Pro

    Win 10 Enterprise

Certificates

All the certificates configured via Device Profiles & Policies > Certificate Management are listed here and admin can select the ones that have to be associated with this Device profile.

Security Settings

With these policies you can secure your Windows devices

Setting

Description

Bitlocker

BitLocker is Microsoft’s built-in full volume encryption feature which is designed to protect data by providing encryption for the hard disk volumes. To configure BitLocker settings and apply these settings to the Windows 10 managed devices, click here.

Windows Information Protector

Scalefusion helps you protect enterprise data on managed Windows 10 devices by providing Windows Information Protection policies or Enterprise Data Protection policies as they were earlier called. To know more about creating a Windows Information Protection Policy, click here

Windows Hello

Windows Hello for Business lets users access their device(s) using a PIN or Biometric authentication. To learn more about how Windows Hello settings can be configured and applied onto end user's devices, please click here.

Windows Defender

Microsoft's Windows Defender, now known as Microsoft Defender Antivirus provides real-time protection of Windows devices against software threats like viruses, malware, and spyware across email, apps, cloud, and the web. To configure Windows Defender policies, please click here.

Windows Updates

Scalefusion lets the IT Admins configure the OS update policy on the managed Windows 10 devices so that they can ensure that the rollouts are controlled. There are two ways in which OS updates can be configured and controlled. To learn about the various policies on offer around OS updates, please follow these:

Network Settings

Wifi & Network

Feature

Description

Supported on

Allow Device to connect Wifi

Choose to allow or restrict users to connect to Wifi.

Win 10 Pro

Win 10 Enterprise

Auto Configuring a Wifi

If you have created a Wifi configuration, then you can apply it to a Device Profile.

Win 10 Pro

Win 10 Enterprise

Allow users to configure Wifi

Use this option to allow/deny the end users to configure new Wifi connection on device.

Win 10 Pro

Win 10 Enterprise

Allow Auto Connect to WifiSense

Control if Wifi Sense should be used and connect automatically to shared networks or not.

Win 10 Pro

Win 10 Enterprise

Allow VPN Connections

Control if user is allowed to connect to VPN connections

Win 10 Pro

Win 10 Enterprise

Allow VPN usage on Cellular Data

Control if cellular data should be used  to connect to VPN connections

Win 10 Pro

Win 10 Enterprise

Allow VPN roaming on Cellular Data

Control if VPN should be allowed on roaming Cellular data.

Win 10 Pro

Win 10 Enterprise

VPN

Scalefusion provides the necessary mechanisms to remotely configure the VPN and publish to the Windows devices managed by Scalefusion. To learn about the VPN settings, please visit this document

Custom Settings

By using the Custom Settings feature, IT Admins can use a top-notch XML editor and push a CSP directly to the devices. To understand how to configure and push a custom settings payload to the device, please click here.

Scalefusion Agent Settings

Under this, you can configure settings which will take effect only if Scalefusion MDM agent has been installed on the device.

These settings are applicable on all Scalefusion MDM agent based Windows devices.
Management Settings

Setting

Description

Remove Local Admin Privileges for Enrolled User

Enabling this setting removes admin privileges for the enrolled user and makes the user a standard user with no admin rights. The enrolled user cannot perform any of the admin actions then.

This is an irreversible action. Once the user account is downgraded it cannot be revoked. Therefore, it is recommended to create an admin account first from Utilities > Global Settings > Windows Settings
Scalefusion MDM agent v5.0.0 or above should be installed on device
If the enrolled user is a built-in administrator then that account cannot be downgraded, that is, admin privileges cannot be removed.
  • Wait for BitLocker to be configured to remove admin privileges: This gets enabled only when the the main setting is enabled. If you are pushing Bitlocker policy as well, the admin privileges will be removed after Bitlocker settings are applied on device.

Auto Enroll to Modern Management

Enable this option if you are enrolling your devices via Agent based enrollment and want the devices to automatically enroll into Scalefusion modern management. This allows you to leverage both agent and modern management features on an agent enrolled Windows device.

Remove/Migrate device from 3rd party MDM (Modern Management).

A sub-setting of the above setting, this helps you easily migrate from your existing/older MDM solution. Enable this to remove the modern management of your older MDM and migrate them to Scalefusion completely. Please note,

  1. This is an experimental option and may not work always and for all MDMs. You can check the status in Device Information > Full Device Information > Management Mode
  2. This does not remove the agent apps or other applications installed by your previous MDM.
  3. This does not free up your subscription/license of your previous MDM
We recommend deleting your device from your previous MDM to remove all the agents and other apps from your other MDM.

Kiosk Settings

Setting

Description

Show System Tray

Enable this to show a custom system tray panel with basic indicators of time, network and volume. Please note that this panel does not display 3rd party apps.

Location Settings

Configure Location Settings on the device profile which get applied to the devices on which the profile is applied. When configured, they override the settings which have been set through Location & Geofencing > Location Settings on Dashboard.

Setting

Description

Override Global Location Settings

If this is enabled, the settings which have been set through Location & Geofencing > Location Settings on Dashboard, get overridden. This also enables the rest of Location settings and makes them configurable.

Attempt to automatically Enable Location

With this setting toggled on, Scalefusion attempts to automatically enable location if it is set to off on the Windows device.

Enable/Disable Location Tracking

Enable this setting to turn on Location tracking and set other configurations.

Location Tracking Mode

There are three modes for tracking Location:

  1. Basic
  2. High Accuracy
  3. Fleet Tracking
    These are accessible based on the plan you have purchased.

Location Collection Frequency

Choose a frequency in which the locations should be synced with server and reflected on dashboard. Frequencies differ on the basis of the Location Tracking Mode you have chosen

Select Location API

Select the preferred location method which will be used to capture location, from the following:

  • Webkit: In this method, Scalefusion uses the Webkit to attempt to fetch location. This is the default and recommended setting for most devices as the results are more accurate compared to other methods.
  • .Net APIs: In this, Scalefusion uses the .NET APIs to fetch the location.
  • WinRT APIs: In this, Scalefusion uses the WindowsRT APIs to fetch the location.
  • Google Maps API: Use this option if your organization uses Google Maps and has an API Key. Please note that your Google Maps account will be billed based on the location settings configured here.

Important Notes on Location Settings:

a. On Windows OS 7 & 8.1 machines, following Location APIs will work:

API Type

Windows 7

Windows 8.1

.Net API

-

Yes

WinRT API

-

-

Google Maps API

Yes

Yes

WebKit API

Yes

Yes

b. Location Services in Device Profile (Advanced Settings > General Settings > Security & Search) should be either set to Allow or None.

General

Setting

Description

Supported Devices

Scalefusion Sync Interval

Select the frequency in which Scalefusion syncs and updates the Device Info. The frequency levels can be:

  • 15 minutes
  • 30 minutes
  • 1 hour
  • 2 hours

NA

Enable Broadcast Messages View

Enable this to be able to send one-way messages to managed Windows devices. With having this setting enabled IT admins can send Broadcast messages to Windows devices from Utilities > Broadcast Messages section on Dashboard.

Broadcast messages can also be sent over to devices which have apps set as allowed or the devices are set up in kiosk mode.

NA

USB Peripheral Settings

Check the following USB device types if you want to block the user from connecting and using them:

  • Block Input Devices: When blocked the user would be prompted to restart the system whenever a new input device is detected.
  • Block Media Devices
  • Block Network Adapters
    For blocked devices, the USB Peripheral Report will reflect the status as Blocked but will still track the time duration for which it was connected with the Windows device
  • Input Devices: Keyboard, Mouse
  • Media Devices: External Camera, Wifi Adapter
  • Network Adapters: Network LAN cables

Advanced Settings

Policy Targets

Certain policies can be applied at Device level that is for all users or only the enrolled userThere may be cases where you want to block Google Chrome browsing only for the enrolled user and not other users. This is possible for supported policies by choosing a Policy Target between Device or Enrolled User. The supported policies are as below,

  1. Allowed Websites
  2. Chrome/Edge Configurations
  3. VPN Policy
  4. Settings App Policies

Select target (Device or enrolled user) from the drop-down on which you want to apply the target.

By default, the policies are applied at device level.
On Windows Home (10 & 11) only the VPN Policy will work.
Configure Settings App, Edge Browser and General Settings will not work on Windows Home (10 & 11).
Configure Settings App

Under Configure Settings App IT Admins can control the Settings app granularly. That is within Settings app they can choose which options to show or hide. Each section can be completely hidden or part of it can be hidden.

These settings are for all Windows versions so some options may not be seen on certain models
The Settings app in Allowed apps List, needs to be enabled for this to work.

To configure:

  1. Toggle on the Setting Configure Settings Options. Only then rest of the settings will get enabled.
  2. Once you set Configure Settings Options to ON, choose one of the following options:
  • Show Selected Settings: Shows the selected applications and items underneath, in the Settings app
  • Hide Selected Settings: Hides the selected applications and items underneath, in the Settings app
  1. The applications and settings are listed as follows. Select the ones which you want to show/hide on the managed devices.
    To select all, check the box on the right of the Setting's name
    1. Accounts
    2. Apps
    3. Cortana
    4. Devices
    5. Ease of access
    6. Extras
    7. Gaming
    8. Home page
    9. Mixed reality
    10. Network and internet
    11. Personalization
    12. Privacy
    13. Surface Hub
    14. System
    15. Time and language
    16. Update and security
    17. User accounts
Edge Browser
These are for the legacy Microsoft Edge. For the settings to take effect, Microsoft Edge needs to be restarted.

Feature

Description

Supported on

Cookie Policy

Choose a cookie Policy for Microsoft Edge. You can either allow the user to control or define strict policy for cookies.

Win 10 Pro

Win 10 Enterprise

Start Page URL

Specify a start URL that will be launched whenever the Edge browser is opened.

Win 10 Pro

Win 10 Enterprise

Auto Fill

Allow: Forces the autofill featureRestrict: Prevents using Autofill.User-Control: Lets  users choose to use the Autofill feature to populate the form fields automatically.

Win 10 Pro

Win 10 Enterprise

Pop Ups

Allow: Force pop-ups on all sites and turn off Pop-up blocker.

Restrict: Turn-on Pop-up Blocker which will block all the pop-ups.

User-Control: Let users control the Pop-up blocker.

Win 10 Pro

Win 10 Enterprise

Address Bar Dropdown

Allow:  Let Edge shows the address bar drop down list.Restrict: Minimizes network connections from Edge to Microsoft service, and hide the functionality of the Address bar drop-down list. It also disables the Show search and site suggestions as I type toggle in Settings.

Win 10 Pro

Win 10 Enterprise

Browser Extension

Allow: Let users to add or personalize extensions in Edge.Restrict: Prevent users from adding or personalizing extensions.

Win 10 Pro

Win 10 Enterprise

Clear Browsing history on Close

Allow: Clear the browsing history on exit.Restrict: Do not clear the browsing history on exit.User-Control: Let users configure the setting.

Win 10 Pro

Win 10 Enterprise

Allow accessing “about:flags”

Allow:  Lets users access the about:flags page in Edge, which is used to change developer settings and enable experimental features. ChooseRestrict: Prevents users from accessing the about:flags page.

Win 10 Pro

Win 10 Enterprise

Allow Flash

Allow: Allow Adobe flash to run.Restrict: Prevent Adobe flash to run.User-Control: Let users control on a per-site basis.

Win 10 Pro

Win 10 Enterprise

Autorun Flash

Allow: If Adobe flash is allowed then auto-run the flash files.Restrict:  If Adobe flash is allowed then prevent flash files from auto-running

Win 10 Pro

Win 10 Enterprise

Developer Tools

Allow: Allow users to use the F12 key and view the developer tools.Restrict: Prevent users to use the F12 key and view the developer tools.

Win 10 Pro

Win 10 Enterprise

In-Private Browsing

Allow: Allow in-private browsing.Restrict: Prevent in-private browsing.User-Control: Same as Allow

Win 10 Pro

Win 10 Enterprise

Save Passwords Locally

Allow: Lets Edge use Password manager to store passwords locally.Restrict: Prevent Edge from storing passwords locally.User-Control: Let users control when to save passwords locally.

Win 10 Pro

Win 10 Enterprise

Search suggestions in Address bar

Allow: Show search suggestions

Restrict: Block search suggestionsUser-Control: Let user control the search suggestion behaviour.

Win 10 Pro

Win 10 Enterprise

Force Fraudulent Website Warning

Allow: Force Windows Defender Smartscreen protection to prevent potential threats and prevent users from turning it off.Restrict: Turn off Windows Defender Smartscreen protection, leaves the user vulnerable to potential threats.User-Control: Let users choose if they want to use Windows Defender Smartscreen protection.

Win 10 Pro

Win 10 Enterprise

Override Fraudulent Websites warning

Allow: Let user’s ignore the warning and proceed to the site.Restrict: Does not allow users to ignore the warning and proceed to the site.User-Control: Same as allow..

Win 10 Pro

Win 10 Enterprise

Override malicious file warning

Allow: Allow users to download a potential malicious file or files from unverified sources.Restrict: Restrict users to download a potential malicious file or files from unverified sources.User-Control:Same as allow.

Win 10 Pro

Win 10 Enterprise

Allow "Do Not Track" request

Allow: Force Edge to send tracking information.Restrict: Prevent Edge from send tracking information.User-Control: Users can choose to send tracking information to sites they visit.

Win 10 Pro

Win 10 Enterprise

General Settings

General Settings: The settings can be configured under following heads:

  • System Settings
  • Start Layout Settings
  • Display Settings
  • Folder Settings
  • Application Settings
  • Scalefusion Sync Interval
  • Enable Broadcast Messages View
  • Security & Search

System Settings
  1. Feature

    Description

    Supported on

    Allow USB Connections & SD Card

    Use this setting to allow or restrict USB connections and external storage card.

    Win 10 Pro

    Win 10 Enterprise

    Microsoft Feedback Notifications

    Use this setting to enable or disable Microsoft feedback notifications.

    Win 10 Pro

    Win 10 Enterprise

    Modify Data & Time

    Use this setting to allow or restrict users from changing the device date & time.Note: There is a workaround where users can launch the legacy Date & Time dialog and change the settings.

    Win 10 Pro

    Win 10 Enterprise

    Allow Bluetooth

    Use this setting to allow or restrict bluetooth connections from the device.

    Win 10 Pro

    Win 10 Enterprise

    Allow Bluetooth Pre-pairing

    Enable this setting to automatically pair with devices that were previously connected.

    Win 10 Pro

    Win 10 Enterprise

    Allow Bluetooth Services Advertisement

    Control the bluetooth services advertisement behaviour.

    Win 10 Pro

    Win 10 Enterprise

    Install Non-Store Apps

    Allow or Restrict users to install/sideload applications from unknown sources.

    Win 10 Pro

    Win 10 Enterprise

    Store App Data in Device Memory

    Force the applications to store the data in device memory.

    Win 10 Pro

    Win 10 Enterprise

    Install Apps in Device Memory

    Force the applications to be installed in Device memory..

    Win 10 Pro

    Win 10 Enterprise

    Scalefusion Sync Interval

    Select an interval on how often should ScaleFusion poll for Device Info. This polling helps in,1. Updating the device Location.2. Updating the Inactivity time.3. Syncing the latest policies.4. Getting vital Device Information

Start Layout Settings
These settings are unchecked by default.
These settings are applicable on both Modern Managed and Scalefusion Agent enrolled devices. Few settings in particular can only be applied on Modern Managed devices and hence marked with windows icon only.

Feature

Description

Hide Switch Account

Use this setting to hide Switch user account option that is present on the left side of the Start menu

Hide Sign out

Use this setting to hide the Sign Out button that is present on the left side of the Start menu, under the Accounts icon (or picture)

Hide User tile

Tiling enables users to view each of their open programs or windows within a program simultaneously, rather than having to switch back and forth. Use this setting to hide start menu tiles for all users

Hide Change Account Settings

Accounts Settings allows you to manage your Microsoft Account, set your user picture, change sign-in options, change password, change PIN, connect your PC to work or school etc. It is present on the left side of the Start menu.

Use this setting to hide Change Account Settings option

Hide People Bar

The People feature adds a special icon to the notification area of your taskbar and allows pinning your contacts directly to the taskbar, so you can start messaging, call or compose an email just with one click.

Using this option, the People bar can be hidden.

Hide Lock

This option which is present under Switch Account, locks the computer but keep all the user's programs running. Hide the Lock feature through this setting.

Hide Hibernate

Hibernate option which is present in Start > Power, saves the current state of your PC—open programs and documents—to your hard disk and then turns off your PC. This feature can be hidden using Hide Hibernate settings.

Hide Sleep

Sleep feature present in Start > Power puts your system into a low-power state and turning off your display when you're not using it. Use this setting to Hide Sleep setting.

Hide Restart

This restarts your system. Use this setting to hide Restart

Hide Power Options

Hide all the power options present in Start menu, with this setting.

Hide Shutdown

The Shutdown feature which shuts down your system, can be hidden using this option.

Allow End Task

Allow or disallow End Task feature in Task Manager.

By default this option is checked.

Display Settings
The settings are supported on Windows 10 Pro and Enterprise Edition
These settings can be configured separately for device plugged in or running on battery

Feature

Description

Configure Display Off Timeout

Display off timeout is the amount of minutes Windows will wait idle with no activity while on the lock screen, before timing out and automatically turning off the display.

Configure the duration after which the display should timeout, through this setting

Configure Hibernate Timeout

Specify the duration of time after sleep that the system automatically wakes and enters hibernation.

Configure Unattended Sleep Timeout

The System unattended sleep timeout power setting is the idle timeout before the system returns to a low power sleep state after waking unattended. Specify a period of time before the system automatically enters sleep after waking from sleep in an unattended state.

Allow Stand By Device Sleep

Control your device's stand by behavior by choosing one of the options:

  • User Control - Default option
  • Enabled - If Enabled, the configure stand by timeout is active where you can configure the standby timeout duration
  • Disabled - Disables stand by mode

Choose Lid Close Behavior

Select what the behavior should be when system lid is closed

Choose Sleep Button Behavior

Select what the behavior should be when Sleep button is pressed

Choose Power Button Behavior

Select what the behavior should be when Power button is pressed

For Lid Close, Sleep button and Power button behaviours, following options are available to choose from:
- User Control
- Take No Action
- Sleep
- Hibernate
- Shut Down

Configure Ctrl + Alt + Del options for Enrolled user

With this, you can control the options displayed in the Ctrl + Alt + Del menu for an enrolled user. The options are:

  1. Disable Task Manager
  2. Disable Change Password
  3. Disable Log Off
  4. Disable Lock Computer

By default, all the options are unchecked.

Folder Settings

These settings let admin control the following folders from start layout, that is, whether they should be pinned or disabled from the Start menu:

  • File Explorer
  • Documents
  • Downloads
  • Music
  • Videos
  • Pictures
  • Personal
  • Network
  • Settings

For the above folders, following options are available to choose from:

  • User Control - Selected by default. This lets user control the behavior of a folder
  • Show - Shows the folder
  • Hide - Hides the folder

The applications and Services which admin can allow / restrict on managed devices.

  • Camera
  • Cortana
  • Microsoft account Connection
  • Add Non Microsoft Accounts
  • Sync Settings across Devices
  • Reset Device
  • Developer Unlock
  • Location Services

For Developer Unlock and Location Services, following are the settings to choose from:

  • Allow
  • Deny
  • None

Once you have configured the settings, click on UPDATE PROFILE. For further steps like applying a device profile to Windows 10 devices, please visit the document Windows Device Profile


How did we do?


Powered by HelpDocs (opens in a new tab)