Configure Windows devices

Can enrolled Windows 10/11 devices be configured and what are the capabilities of Relution?

Windows 10/11 devices are controlled via so-called Configuration Service Providers (CSP). These provide access to certain settings in the Windows system. The CSPs receive configuration guidelines from Relution via an XML-based SyncML format.

All configurations that can be applied to Windows 10/11 devices are described below.

Antivirus settings management

For Windows 10/11 devices, the following configurations can be made for Antivirus:

• Scan settings for type, interval and others
• File types included in the scan
• File types excluded in the scan
• Advanced settings for Windows Defener and others
• Threat management for all valid threat severity levels
• Rules for the attack surface reduction (ASR).

App compliance - add required apps

For Windows 10/11 devices, it is possible to install required apps on devices via a policy. With the configuration “App compliance”, native apps from the Relution App Store as well as public apps directly from the Windows Store can be added.

If the “Auto Install” option is selected for an app, the app is automatically installed on the device. Otherwise, the device is listed as incompatible as long as the app is not installed.

Block and allow lists are not supported by Windows 10/11.

Configure BitLocker

Hard disks of enrolled Windows 10/11 devices can be encrypted in Relution via the “Bitlocker” configuration. BitLocker is a security feature from Microsoft that is integrated in certain versions of the Windows operating system. The feature provides for the encryption of system drives, hard disks or removable media. The stored data is protected against theft and unauthorized reading.

Add e-mail configurations for multiple users

With Relution, e-mail accounts can be preconfigured for different users without the need for manual configuration by users directly on the device.

Manage Exchange accounts

With Relution, Exchange accounts can be pre-configured for different users and made available on the device without manual setup. No password entry is required in the Exchange configuration. The personal password must thus be entered directly on the Windows device.

As an alternative to manually storing an Exchange host, a Secure Mail Gateway can also be used. In the Relution settings, the Windows operating system can be selected under permissions for enrolled devices, and certain Windows versions can be excluded.

The globally configured Secure Mail Gateway can then be activated in the Exchange configuration.

Configure global proxies

A global proxy can be set up either automatically or manually. A global proxy can be used, for example, as a parental control filter, especially in homeschooling, when students also access web content via the private WiFi.

Set Wallpaper

A background image can be defined for the desktop and lock screen, and a color text can be added to the background image. This feature is available for the Windows 10/11 Enterprise and Education editions.

Manage password policies

The password configuration can be used to specify that a password must be used on the device by the user, which is subject to certain conventions that can be defined.

Configuring remote desktop service

In order to use the Remote Desktop functionality on a Windows 10/11 device, it must be enabled for this purpose. The function can be activated on devices via the configuration “Remote desktop service”. Afterwards, all members of the Remote Desktop user group on the target device have the option to access the device and transfer their screen completely. The functionality is not available for Windows 10/11 Home devices.

Manage restrictions for devices

Applied restrictions can be used to limit the range of functions of enrolled Windows devices. Settings for the following categories are available for this purpose and can be switched on or off:

• Adding non-Microsoft accounts
• App management
• Camera
• Connections like Bluetooth, data roaming and VPN
• Experience and removing the MDM profile on the device
• Reset system and device to factory settings
• VPN
• WiFi.

Personalize start menu

The Start menu on a Windows 10/11 device can be personalized via the “Start menu” configuration. Among other things, the following information can be predefined:

• Hide most used apps
• Hide context menu
• Hide app list
• Set display size
• Pin folders like Documents, Downloads or My Documents
• Hide buttons like Shutdown, Restart or Hibernate
• Hide user buttons like Lock, Logout or Change account.

Manage VPN settings

With the “VPN” configuration, Virtual Private Networks are predefined and made available to the enrolled Windows 10/11 devices to establish a protected network connection.

Configure Windows Firewall

To protect the computer and data traffic and to prevent attacks from outside, settings for the Windows Firewall can be preconfigured.

Configure Windows Hello

The parameters for PIN assignment can be predefined via the “Windows Hello” configuration by specifying the Azure Active Directory client ID. This is then used for secure access to enrolled Windows 10/11 devices by specifying the PIN and for biometric authentication via fingerprint and facial recognition. Using these options, logging in to the Windows 10/11 device becomes easier and more secure, as the PIN is assigned to only one device and is secured for recovery with the stored Microsoft account.

Manage Windows licensing

With the “Windows Licensing” configuration, a license key can be stored on the devices in the XXXXX-XXXXX-XXXXX-XXXXX format for the Windows 10/11 Education, Enterprise, Pro and Home editions.

Manage Windows updates

The “Windows updates” configuration can be used to define the partially or fully automatic installation of operating system updates with or without user interaction, or to switch it off completely.

Manage WiFi settings

Via the configuration “WiFi”, networks are predefined and made available to the enrolled Windows devices.

Install certificates on devices

Via the Windows 10/11 configuration “Certificate”, uploaded certificates are installed on the device by default according to the applied policy. The certificates are used for the authorized installation of Modern Apps installations such as msix files. It can be defined in which KeyStore or certificate store the certificate should be stored on the device. This can be used to determine whether the certificate is valid for the entire system or only for a user.

Can actions be performed directly on enrolled Windows 10/11 devices with Relution and what are the possibilities?

Enrolled devices can be controlled via actions. With Relution 5, the following actions can be applied to Windows 10/11 devices:

• Remove app from device
• Install app on device (native and public from Relution App Store)
• Add local user accounts
• Reset device to factory settings
• Reboot device
• Scan device (Windows Defender Scan)
• Update device information under “Device details.

Can Relution be used to distribute apps to enrolled Windows 10/11 devices?

With Relution, both native apps from the Relution App Store and public apps from the Windows Store can be installed and uninstalled on enrolled Windows 10/11 devices. Supported app formats are .msix, .msixbundle, .appx and .appxbundle. To install apps on Windows 10/11 devices and convert formats to MSIX using the Microsoft MSIX Packaging Tool, see insight Apps for Windows 10/11 devices.

How are Windows 10/11 devices enrolled in Relution?

To enroll a Windows 10/11 device, a Windows enrollment must be created and performed in Relution. See insight Manage Windows 10/11 devices.

Will Relution’s Windows 10/11 support be expanded?

With Relution 5, the management of Windows 10/11 devices was introduced. The range of functions for configuring, restricting and securing Windows 10/11 devices as well as installing applications will be continuously expanded from now on.