Configuration Manager/Configure client settings

From ITHandbook

Overview

You can modify the default settings for all users and devices in the hierarchy, or configure custom client settings for a specific user or device collection to meet different needs. Custom client settings override the default settings.

Create and deploy custom client settings

Create custom client settings

Open the Configuration Manager console and go to Administration → Site Settings.

Right-click the blank area and select a type to create a new one.

Enter a name and description, select one or more custom settings, and then click OK to save.

Deploy custom client settings

Select and right-click a custom client setting, and then click Deploy.

Select a collection and click OK to save.

Configure custom client settings

Right-click the selected custom client setting and click Properties.

General Settings

Modify the name or description, and enable or disable custom settings here.

BITS Settings

Modify the Background Intelligent Transfer Service (BITS) settings here.

  • Limit the maximum network bandwidth for BITS background transfers
    • Set to Yes to enable BITS bandwidth throttling.
  • Throttling window start/end time
    • Specify the start/end time for the BITS throttling.
  • Maximum transfer rate during throttling window (Kbps)
    • Specify the maximum transfer rate for clients during the window.
  • Allow BITS downloads outside the throttling window
    • Allow clients to use separate BITS settings outside the specified window.
  • Maximum transfer rate outside the throttling window (Kbps)
    • Specify the maximum transfer rate that clients can use outside the BITS throttling window.

Client Cache Settings

Configure BranchCache, cache size, and peer cache here.

  • Configure BranchCache
    • Enable or disable BranchCache.
  • Enable BranchCache
    • Set to Yes to enable BranchCache settings on clients.
  • Maximum BranchCache cache size (percentage of disk)
    • Specify how much disk space BranchCache can use, as a percentage.
  • Configure client cache size
    • The default size is 5,120 MB. Set to Yes to customize the size.
  • Maximum cache size (MB)
    • Specify the maximum size for the cache.
  • Maximum cache size (percentage of disk)
    • Specify how much disk space the cache can use, as a percentage. The client uses this value or the maximum cache size in MB, whichever is less.
  • Minimum duration before cached content can be removed (minutes)
    • Specify the minimum time for the client to keep cached content. The maximum value is 10,080 minutes (one week).
  • Enable as peer cache source
    • Set to Yes to enable peer cache.
  • Port for initial network broadcast
    • Specify the port for the initial network broadcast to find the peer cache sources.
  • Port for content download from peer
    • Specify the port for content downloading from a peer cache source.

Client Policy Settings

Specify how clients retrieve policy.

  • Client policy polling interval (minutes)
    • Specifies how frequently the clients download the policy.
  • Enable user policy on clients
    • Set to Yes to enable clients to receive applications and programs from these users and assign management tasks.
  • Enable user policy requests from internet clients
    • Set to Yes to receive the policy from internet computers.
  • Enable user policy for multiple user sessions
    • There are very few scenarios where this setting can be used, so keep it off by default.

Cloud Services Settings

Configure cloud services here.

  • Allow access to cloud distribution point
    • Set to Yes to enable clients to obtain content from the Cloud Management Gateway (CMG).
  • Automatically register new Windows 10 or later domain joined devices with Microsoft Entra ID
    • Configure Microsoft Entra ID to support hybrid join.
  • Enable clients to use a cloud management gateway
    • Set to No to scope the usage of the CMG service.

Compliance Settings

Configure compliance settings here.

  • Enable compliance evaluation on clients
    • Set to Yes to enable compliance evaluation and configure the other settings.
  • Enable User Data and Profiles
    • Set to Yes if you want to deploy user data and profiles items.
  • Script Execution Timeout (seconds)
    • Specify the timeout, which can be set from a minimum of 60 seconds to a maximum of 600 seconds.

Computer Agent Settings

Configure general settings for communication between server and client.

  • Deployment deadline greater than 24 hours, remind user every (hours)
    • Configure the notification frequency for deadlines greater than 24 hours.
  • Deployment deadline less than 24 hours, remind user every (hours)
    • Configure the notification frequency for deadlines less than 24 hours.
  • Deployment deadline less than 1 hour, remind user every (minutes)
    • Configure the notification frequency for deadlines less than 1 hour.
  • Default Application Catalog website point
    • This functionality is no longer supported.
  • Add default Application Catalog website to Internet Explorer trusted sites zone
    • This functionality is no longer supported.
  • Allow Silverlight applications to run in elevated trust mode
    • This functionality is no longer supported.
  • Organization name displayed in Software Center
    • Specify the name that users see in Software Center.
  • Use new Software Center
    • The default setting is Yes, previous version is no longer supported.
  • Enable communication with Health Attestation Service
  • Use on-premises Health Attestation Service
    • Set to Yes to use an on-premises service, or set to No to use the Microsoft cloud-based service.
  • Install permissions
    • Configure how users can install software and updates. For most cases, select All Users.
  • Suspend BitLocker PIN entry on restart
    • Enabling it bypasses the requirement to enter a PIN when the computer restarts after a software installation.
  • Additional software manages the deployment of applications and software updates
    • Do not enable this option unless you know what you are doing.
  • PowerShell execution policy
    • Configure whether unsigned scripts can be run on client computers. Select Restricted to use the current PowerShell configuration on the client computer.
  • Show notifications for new deployments
    • Set to Yes to display a notification for deployments available for less than a week.
  • Disable deadline randomization
    • Determines whether clients can delay installation of required software updates by up to two hours. Set to Yes to disable this delay.
  • Grace period for enforcement after deployment deadline (hours)
    • Give clients more time to install software updates in special cases where the deadline has passed. It can be set to up to 120 hours.
  • Enable Endpoint analytics data collection
    • Set to Yes to enable local data collection.

Computer Restart Settings

Configure restart behavior on clients.

  • Configuration Manager can force a device to restart
    • Set to Yes to let the computer automatically restart when a deployment requires it.
  • Specify the amount of time after the deadline before a device gets restarted (minutes)
    • The default value is 90 minutes, which can be set to up to 20,160 minutes (two weeks).
  • Specify the amount of time that a user is presented a final countdown notification before a device gets restarted (minutes)
    • The default value is 15 minutes. The value must be shorter than the shortest maintenance window.
  • After the deadline, specify the frequency of restart reminder notifications to the user (minutes)
    • Configure notification frequency for restart reminder notifications.
  • When a deployment requires a restart, show a dialog window to the user instead of a toast notification
    • Set to Yes to use a dialog box instead of a notification.
  • When a deployment requires a restart, allow low-rights users to restart a device running Windows Server
    • Set to Yes if needed but not recommended.

Delivery Optimization Settings

  • Use Configuration Manager Boundary Groups for Delivery Optimization Group ID
    • Set to Yes to use the boundary group identifier as the Delivery Optimization group identifier on the client.
  • Enable devices managed by Configuration Manager to use Microsoft Connected Cache servers for content download
    • Set to Yes to allow clients to download content from an on-premises distribution point that has Microsoft Connected Cache server enabled.

Endpoint Protection Settings

These options are available after installing the Endpoint Protection point.

  • Manage Endpoint Protection client on client computers
    • Set to Yes to manage existing Endpoint Protection and Windows Defender clients on computers.
  • Install Endpoint Protection client on client computers
    • Set to Yes to install and enable the Endpoint Protection client to target computers.
  • Allow Endpoint Protection client installation and restarts outside maintenance windows. Maintenance windows must be at least 30 minutes long for client installation
    • Set to Yes to override the typical installation behaviors with maintenance windows.
  • For Windows Embedded devices with write filters, commit Endpoint Protection client installation (requires restarts)
    • Set to Yes to disable the write filter on the Windows Embedded device and restart the device.
  • Suppress any required computer restarts after the Endpoint Protection client is installed
    • Set to Yes to prevent the computer from restarting after the Endpoint Protection client is installed.
  • Allowed period of time users can postpone a required restart to complete the Endpoint Protection installation (hours)
    • Specify the number of hours that users can postpone the restart.
  • Disable alternate sources (such as Microsoft Windows Update, Microsoft Windows Server Update Services, or UNC shares) for the initial definition update on client computers
    • Set to Yes to install only the initial definition update during the initial installation of the definition update.
  • Microsoft Defender for Endpoint client on Windows Server 2012 R2 and Windows Server 2016
    • Select Microsoft Monitoring Agent (MMA) for compatibility.

Enrollment Settings

Device settings.

Configure enrollment settings for devices or users.

  • Polling interval for modern devices (minutes)
    • Set an interval at which modern devices request the policy. This option is only available in device settings.
User settings.

 Note:
The following options are only available when the type of settings is User.

  • Allow users to enroll mobile devices and Mac computers
    • Set to Yes to enable it.
  • Enrollment profile
    • Select a profile for enrollment.
  • Allow users to enroll modern devices
    • Set to Yes to enable it.
  • Modern device enrollment Profile
    • Select a profile for enrollment.

Hardware Inventory Settings

Use the Hardware Inventory to gather information about the hardware configuration of clients.

  • Enable hardware inventory on clients
    • Set to Yes to enable it.
  • Hardware inventory schedule
    • Specify a schedule to run the hardware inventory cycle.
  • Maximum random delay (minutes)
    • Specify a number to determine the maximum delay for the hardware inventory cycle run, which can be set to up to 240 minutes (4 hours).
  • Hardware inventory classes
    • Select what hardware information you want to collect.

 Note:
The following options are only available when configuring the Default Client Settings.

  • Maximum custom MIF file size (KB)
    • Specify the maximum size for each custom Management Information Format (MIF) file that the client collects during a hardware inventory cycle. The agent doesn't process any files that exceed this size.
  • Collect MIF files
    • Specify whether to collect MIF files from clients during the hardware inventory cycle.

Metered Internet Connections Settings

  • Allow
    • All communications are allowed over the metered internet connection.
  • Limit
    • Allow communications for downloading software, downloading policy, and sending client state.
  • Block
    • All communications are blocked over the metered internet connection.

Power Management Settings

  • Allow power management of devices
    • Set to Yes to enable power management on clients.
  • Allow users to exclude their device from power management
    • Set to Yes to allow users to exclude their computer.
  • Allow network wake-up
    • Set to Yes to enable it.
  • Enable wake-up proxy
    • Set to Yes to enable it.
  • Wake-up proxy port number (UDP)
    • Specify a port that clients use to send wake-up packets to sleeping computers.
  • Wake On LAN port number (UDP)
    • Specify a port that clients use for Wake On LAN.
  • Windows Defender Firewall exception for wake-up proxy
    • Change the settings to configure the Windows Defender Firewall rules automatically.
  • IPv6 prefixes if required for DirectAccess or other intervening network devices. Use a comma to specify multiple entries
    • Enter an IPv6 prefix if needed.

Remote Tools Settings

Configure settings for remote tools.

  • Enable Remote Control on clients/Firewall exception profiles
    • Configure to enable this feature and add firewall rules.
  • Users can change policy or notification settings in Software Center
    • Enable it if needed.
  • Allow Remote Control of an unattended computer
    • Set to Yes to allow the administrators to remotely control logged-off or locked computers.
  • Prompt user for Remote Control permission
    • Set to Yes to ask for permission before allowing a remote control session.
  • Prompt user for permission to transfer content from shared clipboard
    • Set to Yes to ask for permission before starting file transfers.
  • Grant Remote Control permission to local Administrators group
    • Set to Yes to allow members of the Administrators group to start the remote control connection without asking for permission.
  • Access level allowed
    • Specify the level of remote access. It can be No Access, View Only or Full Control.
  • Permitted viewers of Remote Control and Remote Assistance
    • Specify the users who can view the session.
  • Show session notification icon on taskbar
    • Set to Yes to show an icon on the taskbar of the client computer during a remote control session.
  • Show session connection bar
    • Set to Yes to show a connection bar during a remote control session.
  • Play a sound on client
    • Specifies whether to play sound effects after performing an action.
  • Manage unsolicited Remote Assistance settings
    • Enable it to let Configuration Manager manage unsolicited remote assistance sessions.
  • Manage solicited Remote Assistance settings
    • Enable it to let Configuration Manager manage solicited remote assistance sessions.
  • Level of access for Remote Assistance
    • Specify the level of remote assistance. It can be No Access, View Only or Full Control.
  • Manage Remote Desktop settings
    • Enable it to let Configuration Manager manage remote control sessions.
  • Allow permitted viewers to connect by using Remote Desktop connection
    • Enable it if needed.
  • Require network level authentication
    • Set to Yes to use network-level authentication (NLA) to establish remote desktop sessions.

Software Center Settings

Configure settings for the software center.

  • Select the user portal
    • Select Company Portal to make the notifications from Configuration Manager and Intune both launch the Company Portal.
    • Select Software Center to make the notifications from Configuration Manager launch the Software Center, and the notifications from Intune launch the Company Portal.
  • Select these new settings to specify company information
    • Set to Yes to allow custom configuration of Software Center.
  • Software Center settings
    • Customize your Software Center.

Software Deployment Settings

Configure a schedule for re-evaluating the rules for all deployments.

The default value is every 7 days.

Software Inventory Settings

Use Software Inventory to gather information about the files of clients.

  • Enable software inventory on clients
    • Set to Yes to enable it.
  • Schedule software inventory and file collection
    • Specify a schedule to run the software inventory cycle.
  • Inventory reporting detail
    • Specify the level of report detail. It can be File only, Product only or Full details (default).
  • Inventory these file types
    • Specify file types and locations to inventory.
  • Collect files
    • Specify file types and locations to collect.
  • Configure the display names for manufacturer or product
    • In the file header information, the manufacturer and product names aren't always standardized. Configure this setting to standardize them.
    • This option is only available in the default client settings.

Software Metering Settings

Configure these settings to enable software metering.

  • Enable software metering on clients
    • Set to Yes to enable it.
  • Schedule data collection
    • Specify a schedule to run the software metering usage report cycle.

Software Updates Settings

Configure how client computers deploy software updates.

  • Enable software updates on clients
    • Set to Yes to enable it.
  • Software update scan schedule
    • Specify a schedule to run the software updates scan cycle. This scan determines the state for software updates on the client such as required or installed.
  • Schedule deployment re-evaluation
    • Specify a schedule to run the software updates deployment evaluation cycle. Use this to reinstall software updates that are no longer found but still needed.
  • Allow user proxy for software update scans
    • Enable it if needed, but this is not recommended.
  • Enforce TLS certificate pinning for Windows Update client for detecting updates
    • Further increases the security of WSUS scanning by enforcing certificate pinning. Enabling it is recommended.
  • When any software update deployment deadline is reached, install all other software update deployments with deadline coming within a specified period of time
    • Enable it if needed.
  • Period of time for which all pending deployments with deadline in this time will also be installed
    • Use this setting to specify the period of time for the previous setting.
  • Allow clients to download delta content when available
    • Set to Yes to allow clients to use delta content files. If this setting is disabled, only the UUP update will do a delta download.
  • Port that clients use to receive requests for delta content
    • Specify a port that clients use to download the delta content.
  • If content is unavailable from distribution points in the current boundary group, immediately fallback to a neighbor or the site default
    • Set to Yes to fall back immediately without waiting for the fallback time to expire.
  • Enable management of the Office 365 Client Agent
    • Set to Yes to enable it.
  • Enable update notifications from Microsoft 365 Apps
    • Choose whether to enable update notifications from Microsoft 365 Apps. This setting is also determined by the user experience settings of software update deployment.
    • If notifications from both Software Center and Microsoft 365 Apps are enabled, the end user will receive notifications from Software Center and Microsoft 365 Apps.
  • Enable installation of software updates in "All deployments" maintenance window when "Software Update" maintenance window is available
    • Set to Yes to install the updates during the All deployments maintenance window even when a Software Update maintenance window is configured.
  • Specify thread priority for feature updates
    • Configure it if needed.
  • Enable third party software updates
    • Enable it if you configure third party software updates.
  • Enable Dynamic Update for feature updates
    • Enable it if needed. For more information, read this blog.
  • Enable features introduced via servicing that are off by default
    • Enable it if needed. For more information, read this blog.
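
The numeric limits and recommendations given in the Client Cache, Client Policy, Compliance, Computer Agent, Computer Restart, Hardware Inventory, Remote Tools and Software Updates sections above can be checked before a custom setting is deployed. The following PowerShell is an added example, not part of the original page or of Configuration Manager; the setting keys and the Test-ClientSettingBaseline function are hypothetical names, and the sample values are constructed.

```powershell
# Added example. Keys are hypothetical labels for settings named on this page,
# not property names returned by any Configuration Manager cmdlet.
# Numeric limits stated on this page; Min is $null where only a maximum is given.
$Limits = @{
    ScriptExecutionTimeoutSeconds    = @{ Min = 60;    Max = 600 }
    MinCacheRetentionMinutes         = @{ Min = $null; Max = 10080 }
    EnforcementGracePeriodHours      = @{ Min = $null; Max = 120 }
    RestartAfterDeadlineMinutes      = @{ Min = $null; Max = 20160 }
    HardwareInventoryMaxDelayMinutes = @{ Min = $null; Max = 240 }
}

# Yes/No values this page recommends ($true = Yes).
$Recommended = @{
    AllowUserProxyForUpdateScans  = $false
    EnforceTlsCertificatePinning  = $true
    AllowLowRightsRestartOnServer = $false
    UserPolicyForMultipleSessions = $false
}

# Values that relax a control described on this page; reported for review.
$Review = @{
    AllowRemoteControlUnattended = @{ When = $true;  Why = 'logged-off or locked computers can be remotely controlled' }
    PromptUserForRemoteControl   = @{ When = $false; Why = 'remote control starts without asking the user' }
    RequireNetworkLevelAuth      = @{ When = $false; Why = 'Remote Desktop sessions are established without NLA' }
    SuspendBitLockerPinOnRestart = @{ When = $true;  Why = 'no PIN is required on the restart after an installation' }
}

function Test-ClientSettingBaseline {
    param([Parameter(Mandatory)][hashtable]$Settings)
    foreach ($name in ($Settings.Keys | Sort-Object)) {
        $value = $Settings[$name]
        $finding = $null
        if ($Limits.ContainsKey($name)) {
            $limit = $Limits[$name]
            $tooLow = ($null -ne $limit.Min) -and ($value -lt $limit.Min)
            if ($tooLow -or ($value -gt $limit.Max)) {
                $min = if ($null -ne $limit.Min) { $limit.Min } else { 'not stated' }
                $finding = 'OutOfRange', "minimum $min, maximum $($limit.Max)"
            }
        }
        elseif ($Recommended.ContainsKey($name) -and ($value -ne $Recommended[$name])) {
            $finding = 'NotRecommended', "this page recommends $($Recommended[$name])"
        }
        elseif ($Review.ContainsKey($name) -and ($value -eq $Review[$name].When)) {
            $finding = 'Review', $Review[$name].Why
        }
        if ($finding) {
            [pscustomobject]@{ Setting = $name; Value = $value; Result = $finding[0]; Reason = $finding[1] }
        }
    }
}

# Constructed sample: a proposed custom device setting, not taken from a real site.
$proposed = @{
    ScriptExecutionTimeoutSeconds = 900
    EnforcementGracePeriodHours   = 48
    AllowUserProxyForUpdateScans  = $true
    EnforceTlsCertificatePinning  = $true
    AllowRemoteControlUnattended  = $true
    PromptUserForRemoteControl    = $true
    RequireNetworkLevelAuth       = $false
}
Test-ClientSettingBaseline -Settings $proposed | Format-Table -AutoSize
```

Settings that pass produce no output row, so an empty result means the proposed values stay within the limits and recommendations listed on this page.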

State Messaging Settings

  • State message reporting cycle (minutes)
    • Specifies how often clients report state messages.

User And Device Affinity Settings

  • User device affinity usage threshold (minutes)
    • Specify the number of minutes before creating an affinity mapping.
  • User device affinity usage threshold (days)
    • Specify the number of days over which the client measures the threshold for usage-based device affinity.
  • Automatically configure user device affinity from usage data
    • Set to Yes to enable it.
  • Allow user to define their primary devices
    • Set to Yes to enable the option for users to define their primary device in Software Center. This option is only available in user settings.

Windows Diagnostic Data

The Windows Analytics service is configured here, but it is retired and no longer supported. You can use the Desktop Analytics service instead.