
Create custom configuration profiles for Windows

This document will help you create custom configuration profiles for Windows devices.

Windows Configuration Service Providers (CSPs) allow admins to read, set, modify, or delete configuration settings on the device. MDM service providers use CSPs for management tasks and policies for Windows devices. To define these policies, administrators use payloads, which are specific settings or configurations communicated to a device to adjust its behavior or settings. These payloads, typically delivered via configuration profiles, can be used to manage various aspects of a device, such as security, networking, or application settings.

With Hexnode’s Deploy Custom Configuration feature, administrators can create custom configuration profiles using payloads and deploy them across managed Windows devices.

Note:

  • This feature is supported on:
    • Windows 10 (Pro, Enterprise, Education)
    • Windows 11 (Pro, Enterprise, Education)
  • To find different payloads and their compatibility with the Windows device, refer to Microsoft’s documentation on Configuration Service Provider (CSP).

Creating custom configuration profile

To create a custom configuration profile for Windows via policy,

  1. Log in to the Hexnode UEM console.
  2. Navigate to Policies > New Policy.
  3. Provide a policy name and description (optional).
  4. Go to Windows > Configurations > Deploy Custom Configuration and click on Configure.
  5. Click on Enable atomic execution to ensure the payloads within the policy are applied entirely.

    Since multiple payloads can be configured within a single policy, enabling this setting ensures that all custom payloads configured within the policy will either be successfully applied together or fail as a unit. If any payload fails, the policy will be marked as Failed in the Action History, with an information icon indicating the payload causing the error.

    Action History message when “Enforce atomic execution” is enabled on custom configuration for Windows policy.

    When the setting is disabled and any payload fails, the action will be marked as Success in the Action History, with the information mentioning the payload causing the error. Only the payload with the error will fail; the rest of the payloads will be successfully applied.

    Action History message when “Enforce atomic execution” is disabled on custom configuration for Windows policy.

  6. Click on Add Payload to add custom payload and configure the settings below.
    • Name: Provide a name for the custom payload. This is a required field.
    • OMA-URI: Specify the OMA-URI (Open Mobile Alliance – Uniform Resource Identifier), which is a distinct path to a configuration setting supported by a CSP. This is a required field.

      For example, the OMA-URI for the usage of the camera on the device would be ./Device/Vendor/MSFT/Policy/Config/Camera/AllowCamera.

    • Data Type: Choose the data type for the custom payload. Options include Boolean, String, String (XML), or Integer formats.
    • Value: Enter a value based on the selected data type format. This field is required.
      • For Boolean, choose between True or False.
      • For String, input a custom value.
      • For String (XML), upload an XML file.
      • For Integer, provide a numeric value.

      For example, the value for the Integer data type for the usage of the camera would be 1 for allowed and 0 for not allowed.

Note:

  • Within a policy, each custom payload must have a unique name and OMA-URI; duplicates are not allowed. If the name or OMA-URI is used more than once in the same policy, an error message stating ‘The name/OMA-URI is already in use’ will be displayed while configuring.

    ‘The name/OMA-URI is already in use’ error when name or OMA-URI is reused while configuring a custom configuration for Windows policy.

  • When multiple policies are created using the same OMA-URI, the most recent policy will be applied.
  • Configured settings might not work as expected if conflicting configurations are added.
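
The payload rules above (required fields, the four data types, and unique names and OMA-URIs within one policy) can be checked before anything is typed into the console. The following is an added example, not Hexnode's code: the `lint_policy` and `value_problem` functions, the dictionary keys, and the sample payloads are hypothetical, and only the camera OMA-URI is taken from this page.

```python
import xml.etree.ElementTree as ET

DATA_TYPES = ("Boolean", "String", "String (XML)", "Integer")  # options listed on this page

def value_problem(data_type, value):
    """Return a message if value does not fit data_type, else None."""
    if data_type not in DATA_TYPES:
        return f"unknown data type {data_type!r}"
    if data_type == "Boolean":
        return None if isinstance(value, bool) else "Boolean value must be True or False"
    if data_type == "Integer":
        # bool is a subclass of int in Python, so exclude it explicitly
        ok = isinstance(value, int) and not isinstance(value, bool)
        return None if ok else "Integer value must be numeric"
    if not isinstance(value, str) or not value.strip():
        return "Value is required"
    if data_type == "String (XML)":
        try:
            ET.fromstring(value)  # well-formedness only, no schema check
        except ET.ParseError as exc:
            return f"XML is not well-formed ({exc})"
    return None

def lint_policy(payloads):
    """Return (payload_index, message) findings for the payloads of one policy."""
    findings, seen = [], {"name": {}, "oma_uri": {}}
    for i, p in enumerate(payloads):
        for field in ("name", "oma_uri"):
            text = str(p.get(field) or "").strip()
            if not text:
                findings.append((i, f"{field} is required"))
            elif text in seen[field]:  # exact match after trimming (assumption)
                findings.append((i, f"{field} already in use by payload {seen[field][text]}"))
            else:
                seen[field][text] = i
        problem = value_problem(p.get("data_type"), p.get("value"))
        if problem:
            findings.append((i, problem))
    return findings

# Constructed sample policy; the second OMA-URI is a placeholder, not a real CSP node.
CAMERA = "./Device/Vendor/MSFT/Policy/Config/Camera/AllowCamera"
SAMPLE = [
    {"name": "Disable camera", "oma_uri": CAMERA, "data_type": "Integer", "value": 0},
    {"name": "Camera again", "oma_uri": CAMERA, "data_type": "Integer", "value": "1"},
    {"name": "Bad XML", "oma_uri": "./Device/Vendor/MSFT/Example/Placeholder",
     "data_type": "String (XML)", "value": "<a><b></a>"},
]

if __name__ == "__main__":
    for index, message in lint_policy(SAMPLE):
        print(f"payload {index}: {message}")
```

Running the same check across every policy that targets a device group also surfaces OMA-URIs reused between policies, where only the most recent policy takes effect.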

What happens at the device end?

The specific payload that has been configured will take effect on the device. For example, if the payload is set to disable camera access, the camera will be disabled on the Windows device.

Camera being disabled on the Windows device via configuration profile.
