Agent settings: Windows MDM Configuration

Tools > Configuration> Agent settings > Windows MDM configuration

Use this page to configure Microsoft configuration service profiles (CSPs) with the configuration profile editor. For more information about the configuration profile editor, see Configuration Profile Editor.

The Windows MDM device section of the configuration profile editor contains the following settings for Windows 10/11 devices:


General: Set mandatory settings for all configuration profiles.

Certificates: Import certificates for Wi-Fi settings. Only certificates referenced in the Wi-Fi CSP will be installed on Windows devices.


  • Display: Configure display settings, including per process DPI and GDI DPI scaling.
  • Projection: Create rules for projecting to and from a PC.
  • User Rights: Set user and user group rights.
  • Endpoint Protection: Configure security settings, scans, and monitoring.
  • Windows Settings: Configure system settings, including time settings, power settings, and sign-in options.
  • Windows Search: Configure search permissions, including Cortana, location access, and remote queries.
  • Windows AppStore: Configure AppStore settings, including auto-updates, trusted apps, and data volume limits.
  • Device Passwords: Configure device password requirements, including password type, password complexity, and the amount of idle time before the device locks.
  • General Restrictions: Configure general restrictions, such as location, camera, gaming service, and telemetry settings.
  • Lock screen experience: Configure the lock screen settings.
  • Remote Procedure Call: Configure remote procedure call settings
  • Start: Configure task bar settings and what will appear in the Start menu.
  • Accounts: Configure if the user can add accounts and which domains are allowed to sync email on the device.

Endpoint Protection

  • Windows Defender: Configure Windows Defender settings, including Device Guard, Defender, and Application Guard.
  • Windows Encryption: Configure BitLocker device encryption policies.

Dynamic CSP

  • Email2: Configure simple mail transfer protocol (SMTP) email accounts.


  • Connectivity and Cellular: Configure connectivity settings, such as cellular settings, Bluetooth, and Wi-Fi.
  • Wi-Fi: Configure how devices connect to your wireless network, including authentication information. These settings will override any Wi-Fi settings configured in Mobility Legacy > Mobile Connectivity agent settings.
  • Network Proxy: Configure a proxy server for Ethernet and Wi-Fi connections. Settings include the proxy address and port and exception definitions.
  • Firewall: Enable and configure public, domain, and public firewalls on the device.
  • Firewall Rules: Create firewall rules. These rules mirror the Windows advanced firewall settings available on the device but can be configured remotely. These rules only apply to active firewalls. To enable a firewall, use the Firewall CSP.


  • Custom Settings: Add custom CSPs for items that aren't directly available in the Windows MDM Configuration agent settings.

Kiosk (Preview)

  • Kiosk: Configure the kiosk mode login and what app will run.


  • Experience: Configure Windows Experience settings, including Find My Device, clipboard history, account synchronization, and Windows Spotlight settings.
  • Personalization: Set background and lock screen images.
  • Power & Sleep: Configure power settings for when the device is plugged in or on battery.
  • Printers: Add approved printers to the device.
  • Windows Update: Configure how the device will receive security updates and other downloads through the Windows automatic updating service.

Administrators can access this editor only if the Modify Mobile Device Configuration Profiles option has been activated for their account.

ClosedSetting a default policy

The Windows MDM default policy will be sent to devices when they first enroll in MDM. When a default policy is set, a scheduled task for distributing the policy is automatically created. The scheduled task is called CONFIGURATION_NAME (Enrollment policy). For more information about scheduled tasks, see Scheduling tasks.

Devices that have been enrolled before a default policy is set will not automatically receive it. To send the policy to devices that are already enrolled, manually add the devices to the task by creating a targeted query or dragging and dropping the devices onto the task. Then, run the task.

There can only be one default policy set at a time. If you set another policy as the default, you will be asked to confirm which policy to use.

To set a default policy

1.Create a configuration with the settings you want to send to devices. The available settings are described above.

2.Click configuration in the Available configurations list.

3.Click the Select button to move the configuration to the Selected configurations list.

4.Enable the Set as default enrollment policy check box.

5.Save the configuration.

ClosedUsing custom settings

You can add custom CSPs for items that aren't directly available in the Windows MDM Configuration agent settings. There are hundreds of available CSPs. Microsoft's CSP documentation is here:

Each custom CSP requires the following information:

  • Operation: Either Add, Replace, or Delete.
  • OMA URI: Open Mobile Alliance Uniform Resource Identifier. Use the Microsoft Configuration Service Provider reference to identify the syntax for the CSP you're creating.
  • Data type: Match this with the data type that your OMA URI requires.
  • Data: The CSP value. This must match your selected data type.

For example, here's a CSP that disables a device's camera:

  • Operation: Add
  • OMA URI: ../Device/Vendor/MSFT/Policy/Config/Camera/AllowCamera
  • Data type: Integer
  • Data: 0

You can add multiple custom settings by using the + and - buttons. Plus adds a new setting and Minus deletes the current setting. When you have more than one custom setting configured, use the scroll bar to view them.