Review: Scalefusion

I am on the hunt for a mobile device management (MDM) solution that can manage Windows 10 devices for free or at a low cost with little or no minimums.

If I can find this type of MDM solution, then I will use it to improve our ability to support client hardware for our small business customers.


The basic features that I'm most interested in are fairly simple:

  • Profiles – manage Windows Update settings so that I can force automatic installation of updates
  • Applications – inventory including version and the ability to remotely install an MSI (because I want to be able to remotely install TeamViewer)
  • Updates – ability to view which OS updates have been installed
  • Antivirus – ability to view antivirus status
  • Encryption – ability to view encryption status
  • Organizational Groups – ability to establish a hierarchy for managing multiple customers

Nice to have would be:

  • Profiles – ability to push Custom XML settings (to configure any available CSP)
  • Scripting – ability to run a PowerShell script
  • Encryption – ability to enforce encryption and escrow the recovery keys

Today, I signed up for a free trial of Scalefusion. Scalefusion has a low per-device fee ($2 – $4 per device per month), no minimums, and allows for a 14-day free trial.

First Impressions

My device enrolled in Scalefusion MDM

I'll admit that I'm not a huge fan of the UI. I'd rather see all of my device details on the main screen along with a listing of installed apps. I don't want to be too much of a princess about it, so I'll say that the UI is sufficient and wouldn't stop me from using this MDM, especially since the developers just added an amazing new feature: the ability to deploy Custom XML.

The most basic information that you would need to know about a device you are managing is available in this system (e.g. antivirus status, firewall status, OS build version, drive space, RAM, BIOS version). I would have loved to be able to see which Win32 applications are installed too, but you win some, you lose some, right?

Can it do what I need it to do?

Here are the results for each task that I attempted:

Policies – Scalefusion now supports Custom XML policies, so you can apply any Microsoft CSP setting that you need. I had been concerned that I need to manage WiFi, Windows Update, Firewall, and Defender, and no other products seem to be able to do that.

Applications – This tool can only deploy MSIX and APPX packages, so special packaging will be required. I don't see this as a showstopper, though I would love to see MSI support added in the future.

Updates – Given my previous statements about Custom XML, it's no surprise that I was able to push the settings that I needed to configure updates.

Antivirus – I was able to see the antivirus status, but I can't see the definitions status for Defender, so that is the only gap for AV.

Encryption – I could see the encryption status. I could force encryption, but I could not escrow the key into Scalefusion. I can escrow the key into O365, but a lot of small business customers are using G Suite instead of O365, so for the most part we would not be able to escrow BitLocker keys.

Scripting – There was no scripting option, so I would have to find another way to do troubleshooting (for example, renaming the SoftwareDistribution folder). Again, if this means that we don't have to manage an agent, then I'm still happy without this particular feature.

Organizational Groups – There is a way to establish an organizational hierarchy, which would conceivably allow management of multiple organizations within the same environment.

In Summary

If I haven't made it clear yet in my previous statements, I absolutely love the fact that this solution includes Custom XML and has no minimum enrollment. There is a strong possibility that this will be my choice of MDM for Windows 10.


Has anyone else tried this tool yet? Let me know what you think about it…

Review: Hexnode MDM

I am on the hunt for a mobile device management (MDM) solution that can manage Windows 10 devices for free or at a low cost with little or no minimums.

If I can find this type of MDM solution, then I will use it to improve our ability to support client hardware for our small business customers.


The basic features that I'm most interested in are fairly simple:

  • Profiles – allow for Custom XML policies
  • Applications – inventory including version and the ability to remotely install an MSI (because I want to be able to remotely install TeamViewer)
  • Updates – ability to view which OS updates have been installed
  • Antivirus – ability to view antivirus status
  • Encryption – ability to view encryption status
  • Organizational Groups – ability to establish a hierarchy for managing multiple customers

Nice to have would be:

  • Scripting – ability to run a PowerShell script
  • Encryption – ability to enforce encryption and escrow the recovery keys

Today, I signed up for a free trial of Hexnode. Hexnode has a low per-device fee, fairly low minimums (15 devices per month), and allows for a 30-day free trial.

First Impressions

My device enrolled into Hexnode MDM

The UI is not my favorite, but that really wouldn't make or break my opinion of a tool. My real complaint is that there isn't as much device information available as I would have liked. On the good side, I could see the build version on the device, including the monthly patch level. On the bad side, I couldn't see simple things like drive space, and, importantly, I couldn't see whether or not Defender AV was up to date.

I don’t need a fabulous UI, but I do need to see a minimal amount of information about the device in order to provide adequate management.

Can it do what I need it to do?

Here are the results for each task that I attempted:

Policies – There are quite a few Windows 10 policies available, but unfortunately these didn't include Windows Update or Microsoft Defender settings. That is a non-starter.

Applications – This tool was great for deploying a simple MSI, but the inventory didn't show everything that was installed on the device, which is a big issue.

Updates – I was not able to push any update settings. I could see the build version, but without the ability to force the clients to install updates automatically it would be difficult to manage a fleet.

Antivirus – I was not able to see the antivirus or definitions status for Defender, and I couldn't push any settings, so it would be difficult to manage a fleet with this tool.

Encryption – I could see the encryption status, which is great. I could also push encryption policies; however, I could not escrow the key.

Scripting – There was no scripting option, so I would have to find another way to do troubleshooting (for example, renaming the SoftwareDistribution folder).

Organizational Groups – There wasn't a way to establish an organizational hierarchy, but you could use dynamic groups to allow for management of multiple organizations within the same environment.

In Summary

My favorite thing about this solution is how quickly you can spin up a new environment. However, the minimum of 15 devices along with the missing management capabilities for Windows 10 makes this tool not a very good fit for managing small businesses. As always, my suggestion to MDM providers is that they should provide the ability to use Custom XML for robust policy management without the need for policy UI development.


Has anyone else tried this tool yet? Let me know what you think about it…

Review: Miradore MDM

I am on the hunt for a mobile device management (MDM) solution that can manage Windows 10 devices for free or at a low cost with little or no minimums.

If I can find this type of MDM solution, then I will use it to improve our ability to support client hardware for our small business customers.


The basic features that I'm most interested in are fairly simple:

  • Profiles – manage Windows Update settings so that I can force automatic installation of updates
  • Applications – inventory including version and the ability to remotely install an MSI (because I want to be able to remotely install TeamViewer)
  • Updates – ability to view which OS updates have been installed
  • Antivirus – ability to view antivirus status
  • Encryption – ability to view encryption status
  • Organizational Groups – ability to establish a hierarchy for managing multiple customers

Nice to have would be:

  • Profiles – ability to push Custom XML settings (to configure any available CSP)
  • Scripting – ability to run a PowerShell script
  • Encryption – ability to enforce encryption and escrow the recovery keys

Today, I signed up for a free trial of Miradore. Miradore has a low per-device fee, extremely low minimums ($10 per month), and allows for a 14-day free trial.

First Impressions

My device enrolled in Miradore MDM

I really like the simple, easy-to-navigate UI. I was really excited at how easy it was to create a profile, deploy an MSI, and view detailed information about my device.

There is a LOT of information about the device in this system which I really fell in love with immediately. Everything that I could possibly want to know was at my fingertips with this solution.

Can it do what I need it to do?

Here are the results for each task that I attempted:

Policies – There are only 3 Windows 10 policies available: Windows Update, Exchange Email, and Passcode. This works as a bare minimum but would need to be built out to allow for more advanced configurations.

Applications – This tool was great for deploying a simple MSI, and the inventory showed everything that was installed except for Universal Windows Platform (UWP) applications. It can't do more complicated application deployments, and it can't deploy UWP applications.

Updates – I was able to push the settings that I needed to configure updates, though there was one thing broken in the UI: the Branch Readiness drop-down list offered Semi-Annual as an option, which no longer exists, so the policy failed to deploy until I changed it to Semi-Annual Targeted.

Antivirus – I was able to see the antivirus status and the definitions status for Defender, which is exactly what I need to see.

Encryption – I could see the encryption status. I could not enforce encryption or escrow the key.

Scripting – There was no scripting option, so I would have to find another way to do troubleshooting (for example, renaming the SoftwareDistribution folder).

Organizational Groups – There is a way to establish an organizational hierarchy, which would allow management of multiple organizations within the same environment.

In Summary

I loved navigating this solution, and the pricing is ideal. This will likely be my choice of MDM for Windows 10. If Miradore adds the ability to use Custom XML for robust policies, this tool will be unstoppable in the small business MDM space.


Has anyone else tried this tool yet? Let me know what you think about it…

My CSP Playlist

Photo by Pixabay on Pexels.com

I worked really, really hard to learn to play the piano accompaniment at mass. It took me a whole year to be able to play the entire mass. I started by playing just 1 song for each mass because 1 song was all that I was comfortable learning and then playing within a single week. Thankfully, the music director was extremely supportive; she would play the rest of the songs each week to make this scenario possible. I doubt that there are very many music directors out there that would be willing to do that.

Over time, I became comfortable learning and playing 2 songs in a week; then finally 3 songs. Eventually, I was able to play 4 songs in a week not because I could learn 4 songs in a week, but rather it was because I already knew 1 of the songs. Over time, I knew so many songs that I could play the whole mass each week!

That same music director suggested to me that I could earn extra money playing wedding and funeral masses if I had a playlist that I could provide to people of songs that I could play. I never did monetize my piano skills, but I did create the playlist that she suggested. By the time that I stopped playing at mass, I had more than 100 songs in my playlist 🙂

This is a long-winded way of telling you where this playlist concept came from and how it applies to Microsoft CSPs. I'm not sure what people out there want to know about how to successfully apply the policies, so I figured that if I posted my playlist, then people could send me a note or comment telling me which policies they are having issues with, and I can share my experience on how to apply them successfully.

It is probably obvious from my posts so far that I strongly prefer using Custom XML to configure Windows 10 devices because of the level of control that you have over the application and removal of each individual setting.

That said, here is my Playlist – please do let me know which ones you are having trouble with!! I will include links to any posts that I have written on these topics.

Every CSP I Have Ever Used

Custom ADMX Policies

AboveLock\AllowCortanaAboveLock

AboveLock\AllowToasts

Accounts\AllowAddingNonMicrosoftAccountsManually

Accounts\AllowMicrosoftAccountConnection

Accounts\Domain

Accounts\Users

ApplicationManagement\AllowAllTrustedApps

ApplicationManagement\AllowDeveloperUnlock

ApplicationManagement\AllowGameDVR

ApplicationManagement\MSIAllowUserControlOverInstall

AppLocker\ApplicationLaunchRestrictions

AppRuntime\AllowMicrosoftAccountsToBeOptional

Autoplay\DisallowAutoplayForNonVolumeDevices

Autoplay\SetDefaultAutoRunBehavior

Autoplay\TurnOffAutoPlay

BitLocker\EncryptionMethodByDriveType

Browser\AllowPasswordManager

Browser\AllowPopups

Browser\ConfigureHomeButton

Browser\ConfigureOpenMicrosoftEdgeWith

Browser\DisableLockdownOfStartPages

Browser\EnterpriseModeSiteList

Browser\HomePages

Browser\PreventCertErrorOverrides

Browser\PreventFirstRunPage

Browser\SetHomeButtonURL

Browser\SyncFavoritesBetweenIEAndMicrosoftEdge

Connectivity\DisableDownloadingOfPrintDriversOverHTTP

Connectivity\DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards

Connectivity\HardenedUNCPaths

ControlPolicyConflict\MDMWinsOverGP

CredentialProviders\BlockPicturePassword

CredentialsDelegation\RemoteHostAllowsDelegationOfNonExportableCredentials

CredentialsUI\EnumerateAdministrators

DataProtection\AllowAzureRMSForEDP

DataProtection\AllowDirectMemoryAccess

DataProtection\EDPShowIcons

DataProtection\RevokeOnMDMHandoff

DataProtection\RevokeOnUnenroll

DeliveryOptimization\DODownloadMode

DeviceGuard\ConfigureSystemGuardLaunch

DeviceGuard\EnableVirtualizationBasedSecurity

DeviceGuard\LsaCfgFlags

DeviceGuard\RequirePlatformSecurityFeatures

DeviceLock\AllowSimpleDevicePassword

DeviceLock\AlphanumericDevicePasswordRequired

DeviceLock\DevicePasswordEnabled

DeviceLock\DevicePasswordExpiration

DeviceLock\DevicePasswordHistory

DeviceLock\MaxDevicePasswordFailedAttempts

DeviceLock\MaxInactivityTimeDeviceLock

DeviceLock\MinDevicePasswordComplexCharacters

DeviceLock\MinDevicePasswordLength

DeviceLock\MinimumPasswordAge

DeviceLock\PreventLockScreenSlideShow

EventLogService\SpecifyMaximumFileSizeApplicationLog

EventLogService\SpecifyMaximumFileSizeSecurityLog

EventLogService\SpecifyMaximumFileSizeSystemLog

Experience\AllowManualMDMUnenrollment

Experience\AllowWindowsConsumerFeatures

Experience\AllowThirdPartySuggestionsInWindowsSpotlight

FileExplorer\TurnOffDataExecutionPreventionForExplorer

FileExplorer\TurnOffHeapTerminationOnCorruption

Firewall

InternetExplorer\AllowAddonlist

InternetExplorer\AllowAutoComplete

InternetExplorer\AllowEnterpriseModeSiteList

InternetExplorer\AllowSiteToZoneAssignmentList

InternetExplorer\CheckServerCertificateRevocation

InternetExplorer\DisableFirstRunWizard

InternetExplorer\DisableHomePageChange

InternetExplorer\DisableSecondaryHomePageChange

InternetExplorer\DoNotAllowUsersToAddSites

InternetExplorer\DoNotAllowUsersToChangePolicies

InternetExplorer\DoNotBlockOutdatedActiveXControls

InternetExplorer\IncludeAllLocalSites

InternetExplorer\IncludeAllNetworkPaths

InternetExplorer\InternetZoneAllowAccessToDataSources

InternetExplorer\InternetZoneAllowAutomaticPromptingForActiveXControls

InternetExplorer\InternetZoneAllowAutomaticPromptingForFileDownloads

InternetExplorer\InternetZoneAllowCopyPasteViaScript

InternetExplorer\InternetZoneAllowDragAndDropCopyAndPasteFiles

InternetExplorer\InternetZoneAllowFontDownloads

InternetExplorer\InternetZoneAllowLessPrivilegedSites

InternetExplorer\InternetZoneAllowScriptInitiatedWindows

InternetExplorer\InternetZoneAllowUserDataPersistence

InternetExplorer\InternetZoneDownloadSignedActiveXControls

InternetExplorer\InternetZoneDownloadUnsignedActiveXControls

InternetExplorer\InternetZoneEnableMIMESniffing

InternetExplorer\InternetZoneInitializeAndScriptActiveXControls

InternetExplorer\InternetZoneJavaPermissions

InternetExplorer\InternetZoneLaunchingApplicationsAndFilesInIFRAME

InternetExplorer\InternetZoneLogonOptions

InternetExplorer\InternetZoneNavigateWindowsAndFrames

InternetExplorer\InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode

InternetExplorer\InternetZoneUsePopupBlocker

InternetExplorer\IntranetZoneJavaPermissions

InternetExplorer\TrustedSitesZoneAllowAccessToDataSources

InternetExplorer\TrustedSitesZoneAllowAutomaticPromptingForActiveXControls

InternetExplorer\TrustedSitesZoneAllowFontDownloads

InternetExplorer\TrustedSitesZoneAllowNETFrameworkReliantComponents

InternetExplorer\TrustedSitesZoneJavaPermissions

InternetExplorer\TrustedSitesZoneNavigateWindowsAndFrames

LanmanWorkstation\EnableInsecureGuestLogons

LocalPoliciesSecurityOptions\Accounts_BlockMicrosoftAccounts

LocalPoliciesSecurityOptions\Accounts_EnableAdministratorAccountStatus

LocalPoliciesSecurityOptions\Accounts_EnableGuestAccountStatus

LocalPoliciesSecurityOptions\Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly

LocalPoliciesSecurityOptions\Accounts_RenameAdministratorAccount

LocalPoliciesSecurityOptions\InteractiveLogon_DoNotDisplayLastSignedIn

LocalPoliciesSecurityOptions\InteractiveLogon_DoNotRequireCTRLALTDEL

LocalPoliciesSecurityOptions\InteractiveLogon_MachineInactivityLimit

LocalPoliciesSecurityOptions\InteractiveLogon_MessageTextForUsersAttemptingToLogOn

LocalPoliciesSecurityOptions\InteractiveLogon_MessageTitleForUsersAttemptingToLogOn

LocalPoliciesSecurityOptions\MicrosoftNetworkClient_DigitallySignCommunicationsAlways

LocalPoliciesSecurityOptions\MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers

LocalPoliciesSecurityOptions\MicrosoftNetworkServer_DigitallySignCommunicationsAlways

LocalPoliciesSecurityOptions\NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts

LocalPoliciesSecurityOptions\NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares

LocalPoliciesSecurityOptions\NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares

LocalPoliciesSecurityOptions\NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM

LocalPoliciesSecurityOptions\NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange

LocalPoliciesSecurityOptions\NetworkSecurity_LANManagerAuthenticationLevel

LocalPoliciesSecurityOptions\NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients

LocalPoliciesSecurityOptions\NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers

LocalPoliciesSecurityOptions\UserAccountControl_BehaviorOfTheElevationPromptForAdministrators

LocalPoliciesSecurityOptions\UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers

LocalPoliciesSecurityOptions\UserAccountControl_RunAllAdministratorsInAdminApprovalMode

LocalPoliciesSecurityOptions\UserAccountControl_UseAdminApprovalMode

LocalPoliciesSecurityOptions\UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations

MSSecurityGuide\ApplyUACRestrictionsToLocalAccountsOnNetworkLogon

MSSecurityGuide\ConfigureSMBV1ClientDriver

MSSecurityGuide\ConfigureSMBV1Server

MSSecurityGuide\EnableStructuredExceptionHandlingOverwriteProtection

MSSecurityGuide\WDigestAuthentication

MSSLegacy\AllowICMPRedirectsToOverrideOSPFGeneratedRoutes

MSSLegacy\AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers

MSSLegacy\IPSourceRoutingProtectionLevel

MSSLegacy\IPv6SourceRoutingProtectionLevel

NetworkProxy

Office

PassportForWork

Personalization\DesktopImageUrl

Power\AllowStandbyStatesWhenSleepingOnBattery

Power\RequirePasswordWhenComputerWakesOnBattery

Power\RequirePasswordWhenComputerWakesPluggedIn

Power\StandbyTimeoutOnBattery

Power\StandbyTimeoutPluggedIn

Printers\PublishPrinters

Reboot\Schedule

RemoteAssistance\SolicitedRemoteAssistance

RemoteDesktopServices\ClientConnectionEncryptionLevel

RemoteDesktopServices\DoNotAllowDriveRedirection

RemoteDesktopServices\DoNotAllowPasswordSaving

RemoteDesktopServices\PromptForPasswordUponConnection

RemoteDesktopServices\RequireSecureRPCCommunication

RemoteManagement\AllowBasicAuthentication_Client

RemoteManagement\AllowBasicAuthentication_Service

RemoteManagement\AllowUnencryptedTraffic_Client

RemoteManagement\AllowUnencryptedTraffic_Service

RemoteManagement\DisallowDigestAuthentication

RemoteManagement\DisallowStoringOfRunAsCredentials

RemoteProcedureCall\RestrictUnauthenticatedRPCClients

Restricted Groups

Search\AllowIndexingEncryptedStoresOrItems

Security\AllowAutomaticDeviceEncryptionForAzureADJoinedDevices

Settings\AllowAutoPlay

Settings\PageVisibilityList

Start\ImportEdgeAssets

Start\StartLayout

Storage\RemovableDiskDenyWriteAccess

System\AllowStorageCard

System\AllowTelemetry

Update\AllowAutoUpdate

Update\AllowMUUpdateService

Update\AutoRestartDeadlinePeriodInDays

Update\AutoRestartNotificationSchedule

Update\AutoRestartRequiredNotificationDismissal

Update\BranchReadinessLevel

Update\DeferFeatureUpdatesPeriodInDays

Update\DeferQualityUpdatesPeriodInDays

Update\EngagedRestartDeadline

Update\EngagedRestartSnoozeSchedule

Update\EngagedRestartTransitionSchedule

Update\PauseFeatureUpdates

Update\PauseQualityUpdates

Wifi\AllowAutoConnectToWiFiSenseHotspots

Wifi\AllowInternetSharing

WiFi\Profile

WindowsConnectionManager\ProhibitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork

WindowsDefenderSecurityCenter\DisableEnhancedNotifications

WindowsDefenderSecurityCenter\DisableNotifications

WindowsInkWorkspace\AllowWindowsInkWorkspace

WindowsLogon\HideFastUserSwitching

WindowsLogon\SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart

WindowsPowerShell\TurnOnPowerShellScriptBlockLogging

WiredNetwork\LanXML

Creating WlanXML

Assuming that you are using a Custom Policy, there are two steps to creating the XML that goes inside the <Data></Data> element for the WiFi CSP WlanXml node (./Device/Vendor/MSFT/WiFi/Profile/<SSID>/WlanXml):

  1. Export XML from an existing profile
  2. Encode the XML so that it can be processed by the OMA-DM client

Export XML from an existing profile

If you are migrating from Group Policy management to MDM management, then you probably already have a device configured with the needed WiFi profile that you can use to export the XML.

To export XML from an existing profile, perform the following steps on a GPO-managed device that already has the profile:

  1. Open Command Prompt
  2. Type netsh wlan show profiles to list the profile names on the device
  3. Type netsh wlan export profile name="<profile name>" folder=<output folder> key=clear

The key=clear part matters: without it, netsh writes the pre-shared key as DPAPI-protected keyMaterial that only the exporting machine can decrypt, and the profile will fail to apply anywhere else. With it, the passphrase is in plaintext in the exported file (and in the policy you build from it), so treat both as secrets.

Encode the XML so that it can be processed by the OMA-DM client

  1. Open the exported XML with Notepad++ or the XML editor of your choice
  2. While there are fancier ways to handle the encoding, the simplest way is to do a replace-all for the following three items, in this order (& has to be done first, otherwise the entities you add in the next two steps get escaped a second time) –
    1. & is replaced with &amp;
    2. < is replaced with &lt;
    3. > is replaced with &gt;

If you are using Custom XML, paste the resultant text between the <Data></Data> of an Add command (Replace for a profile that already exists) whose LocURI is ./Device/Vendor/MSFT/WiFi/Profile/<SSID>/WlanXml, with <SSID> being the SSID from the profile, and push the policy via the MDM of your choice. A quick sanity check before pushing: the Data content should contain no bare < or > characters at all, and decoding the entities should give you back exactly the file that netsh exported.
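The per-setting apply and remove control that the playlist post prefers Custom XML for, and the WlanXml wrapping described in the steps above, as one added PowerShell example. This is my own code, not from the original posts or from any MDM vendor: the WLAN profile is a constructed sample for an SSID named Contoso-Corp with a made-up passphrase, the function names are mine, and it assumes the Policy CSP URI for Update/AllowAutoUpdate and the WiFi CSP URI ./Device/Vendor/MSFT/WiFi/Profile/<SSID>/WlanXml. It builds the SyncML commands, escapes the profile in the order the replace-all steps require, and checks that the Data text decodes back to the original profile, which is what the OMA-DM client will do on the device:

```powershell
# Added example (not from the original posts or any MDM vendor): build the SyncML that a
# "Custom XML" policy carries, for a Policy CSP setting and for a WiFi CSP WlanXml node,
# and check the result the way the OMA-DM client will read it. The profile XML below is
# constructed sample input, not a real netsh export.

# The three characters XML reserves inside element text. '&' must go first; otherwise
# the entities added for '<' and '>' would be escaped a second time.
function ConvertTo-SyncmlData {
    param([Parameter(Mandatory)][string]$Text)
    return $Text.Replace('&', '&amp;').Replace('<', '&lt;').Replace('>', '&gt;')
}

# One SyncML command. Add/Replace carry Meta+Data; Delete carries only the target URI,
# which is what makes each setting individually removable.
function New-SyncmlCommand {
    param(
        [Parameter(Mandatory)][ValidateSet('Add', 'Replace', 'Delete')][string]$Verb,
        [Parameter(Mandatory)][string]$LocUri,
        [string]$Data = '',
        [ValidateSet('int', 'chr')][string]$Format = 'chr',
        [int]$CmdId = 1
    )
    $lines = @(
        "<$Verb>",
        "  <CmdID>$CmdId</CmdID>",
        '  <Item>',
        '    <Target>',
        "      <LocURI>$LocUri</LocURI>",
        '    </Target>'
    )
    if ($Verb -ne 'Delete') {
        $lines += ('    <Meta><Format xmlns="syncml:metinf">{0}</Format></Meta>' -f $Format)
        $lines += "    <Data>$(ConvertTo-SyncmlData -Text $Data)</Data>"
    }
    $lines += '  </Item>', "</$Verb>"
    return ($lines -join "`r`n")
}

# Check a command the way the client will: the SyncML must parse, and the Data text,
# once entity-decoded, must parse back to the profile we started with.
function Test-SyncmlRoundTrip {
    param([Parameter(Mandatory)][string]$Syncml, [Parameter(Mandatory)][string]$ExpectedXml)
    $decoded = ([xml]$Syncml).SelectSingleNode('//Data').InnerText
    return (([xml]$decoded).OuterXml -eq ([xml]$ExpectedXml).OuterXml)
}

# (1) Policy CSP: Update/AllowAutoUpdate = 4 (auto install and restart, no end-user
#     control), plus the Delete that returns the node to not-configured.
$updateUri = './Device/Vendor/MSFT/Policy/Config/Update/AllowAutoUpdate'
$applyUpdatePolicy  = New-SyncmlCommand -Verb Replace -LocUri $updateUri -Data '4' -Format int -CmdId 1
$removeUpdatePolicy = New-SyncmlCommand -Verb Delete  -LocUri $updateUri -CmdId 2

# (2) WiFi CSP. On a real device export the profile with
#       netsh wlan export profile name="Contoso-Corp" folder=C:\Temp key=clear
#     and load it with Get-Content -Raw. key=clear is required for deployment: without
#     it the keyMaterial is DPAPI-protected for the exporting machine only. The '&' in
#     the sample passphrase below is there to show why the escaping order matters.
$profileXml = @'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Contoso-Corp</name>
  <SSIDConfig><SSID><name>Contoso-Corp</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2PSK</authentication>
        <encryption>AES</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>passPhrase</keyType>
        <protected>false</protected>
        <keyMaterial>Sample&amp;Passphrase</keyMaterial>
      </sharedKey>
    </security>
  </MSM>
</WLANProfile>
'@
# Read the SSID by local name so the profile's default namespace does not get in the way.
$ssid    = ([xml]$profileXml).SelectSingleNode("//*[local-name()='SSID']/*[local-name()='name']").InnerText
$wifiUri = "./Device/Vendor/MSFT/WiFi/Profile/$([uri]::EscapeDataString($ssid))/WlanXml"
$addWifiProfile = New-SyncmlCommand -Verb Add -LocUri $wifiUri -Data $profileXml -Format chr -CmdId 3

if (-not (Test-SyncmlRoundTrip -Syncml $addWifiProfile -ExpectedXml $profileXml)) {
    throw 'WlanXml did not survive the SyncML round trip; check the escaping.'
}

# Paste any of these into the MDM's Custom XML field (several can be wrapped in <Atomic>).
$applyUpdatePolicy, $removeUpdatePolicy, $addWifiProfile | Write-Output
```

The round-trip check is the one worth keeping in your own tooling: it catches a missed & (the SyncML itself fails to parse) and a double-escaped one (the decoded profile no longer matches). The Delete command is the part the playlist post is getting at: each Policy CSP node can be removed on its own, without touching the other settings in the same policy.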

In a separate post, I will share information about where to confirm that your policies have been applied.