Settings Overview
The Settings page contains all platform configuration options. Access it from the sidebar footer by clicking the gear icon. Settings are organized into tabs, each covering a specific area of platform behavior.
Settings changes take effect on the next agent check-in. There is no need to restart agents after changing platform settings.
Settings Tabs
| Tab | Description |
|---|---|
| Timezone | Set the default timezone for scheduling maintenance windows and displaying timestamps. All scheduled operations and log entries use this timezone for display |
| Client | Control client-side behavior: manual update permissions, Windows update management, IT support information, tray icon visibility, reboot prompts, and policy visibility |
| Agent Installers | Download agent installers for Windows, macOS, and Linux. Generate enrollment tokens for new agent deployments |
| Agent Updates | Configure automatic agent updates: enable or disable auto-update, set the update schedule, and select the update channel |
| Agent Lifecycle | Define agent retention policies: how long to keep offline agents before automatic cleanup |
| Health Scoring | Configure how agent health scores are calculated: weights for update compliance, vulnerability count, and system health metrics |
| Diagnostic Logs | Trigger log collection from agents and download collected log archives for troubleshooting |
| API Keys | Generate and manage API keys for programmatic access to the TridentStack Control API. See API Keys for details |
| Notifications | Configure notification channels (Email, Slack, Teams, Discord, Webhooks) and control which platform events trigger alerts. See Notifications for details |
| Licensing | View license assignments and assign or unassign licenses across your free and paid endpoints. See Licensing for details |
| Privacy | Control whether TridentStack Control support staff can view your environment, create time-limited access grants, and review every staff access in the Vendor Access Log. See Support Access for details |
| Users | Manage platform users: invite new users, assign roles, and remove access. Admin only |
| Roles | Define custom roles with granular permissions for different platform modules. Admin only |
| Authentication | Configure OAuth providers, SAML single sign-on, SCIM provisioning, and Force-SSO for your organization. See Single sign-on (SAML) and SCIM provisioning. Admin only |
| Integrations | Connect Microsoft Entra to mirror device-group membership onto tags automatically. See Microsoft Entra Group Sync. Admin only |
Timezone
The timezone setting controls how timestamps are displayed throughout the platform and when scheduled operations execute. This includes:
- Maintenance window start and end times
- Dashboard timestamps and charts
- Report date filters and exported timestamps
- Audit log entry times
Select your organization's primary timezone from the dropdown. Individual users see all times converted to this timezone.
Client
The Client tab controls the behavior of the TridentStack Control agent on endpoints:
- Manual update installation - Control whether a person at an endpoint can start installing pending updates themselves from the TridentStack Control client app on that endpoint, with separate choices for system updates and application updates. Options: always allowed, only during deployment windows, or never allowed. This setting only affects what a user can do in the client app; it does not change what your policies and deployment rings install automatically, and it does not affect the endpoint's built-in Windows Update (that is Windows update management, below).
- IT support information - Display your organization's support contact details in the client application. Fields include company name, support team name, email, phone, URL, and a custom message.
- Policy visibility - Control whether policy names are visible to users, and whether the manual "Refresh Now" button is available in the client.
- Windows update management - Choose how the built-in Windows Update is controlled on your Windows endpoints, at the operating system level. This decides whether Windows itself may download, install, and restart for updates on its own, alongside the updates TridentStack Control deploys. Because a change reconfigures Windows Update on every Windows endpoint in your organization, saving a change to this setting asks for confirmation and spells out exactly what will happen before it is applied.
- Exclusive (recommended) - TridentStack Control is the single source of Windows updates. The endpoint's built-in Windows Update is turned off, so Windows will not download, install, or restart for quality (monthly), feature (version), or other updates on its own. Every Windows update is delivered through TridentStack Control's approval and deployment ring process, so nothing installs or restarts outside the schedule and controls you set. This is the right choice for almost all fleets.
- Hybrid - TridentStack Control stops taking over Windows Update, and the endpoint's built-in Windows Update returns to its normal behavior. Windows can then download and install updates on its own, on Microsoft's schedule, in addition to the updates TridentStack Control deploys. Choose this only if you specifically want native Windows Update to keep running. Important trade-offs in Hybrid: Windows may install the same update TridentStack Control is already deploying, and it may restart the device on its own schedule, outside your deployment ring maintenance windows and reboot controls. Switching back to Exclusive at any time re-establishes full TridentStack Control management. Note that Hybrid removes only what TridentStack Control itself configured: each Windows Update setting is returned to the value it had before TridentStack Control took over. Update restrictions from any other source (Active Directory or local Group Policy, Microsoft Intune or another MDM, another management tool, or manual configuration) stay in place. If an endpoint still shows "Some settings are managed by your organization" in Settings > Windows Update after switching to Hybrid, the remaining restriction comes from one of those sources, not from TridentStack Control. See What Hybrid mode removes for details.
- Hide tray icon - Hide the client tray icon on endpoints. The agent keeps running and managing the device in the background; only the icon (and the window users can open from it) is hidden. Applies to Windows and macOS.
- Show reboot prompts - Control whether endpoints show a restart prompt before a managed restart. When turned off, Windows endpoints still restart automatically after updates but show no prompt and no chance to postpone (the restart still happens; this only hides the prompt). To prevent automatic restarts entirely, use the deployment ring reboot controls or set the endpoint's reboot policy.
Client settings are pushed to connected endpoints within seconds of saving; there is no need to restart the agent. Endpoints that are offline receive the new settings the next time they reconnect.
Most settings apply right away: hiding or showing the tray icon, and switching Windows update management between Exclusive and Hybrid, both take effect immediately on connected endpoints. Show reboot prompts is the exception - it changes what happens at the next managed restart, so there is no visible change on the endpoint until a restart occurs. Note that hiding the tray icon removes the icon, which can be easy to miss; on Windows the icon may briefly linger in the notification area until it is refreshed.
Agent Installers
Download agent installers and copy ready-to-use install commands:
- Windows -- MSI installer with PowerShell quick install command
- macOS -- Universal
.pkginstaller with a one-line install command (macOS 14 Sonoma and later) - Linux -- Shell installer script (supports Ubuntu, Debian, and RHEL-family distributions)
Install commands include your enrollment token, which automatically registers the agent with your platform instance. Regenerate the token if it is compromised. Existing enrolled agents are not affected by token regeneration.
Agent Updates
Control how agents update themselves:
- Auto-update -- when enabled, agents automatically download and install new versions on their next check-in
- Update schedule -- restrict auto-updates to specific maintenance windows
- Update channel -- choose between stable (recommended) and preview channels
- Pilot group -- choose a small set of endpoints to receive a new agent version first, before the rest of your fleet. Add individual devices, one or more tags (every endpoint carrying a selected tag becomes a pilot), or a combination of both. Pilots are evaluated per operating system: a new Windows agent version is validated on your Windows pilots, a Linux version on your Linux pilots, and so on, so a pilot on one operating system never holds back an update for another. Each platform's broader rollout waits until that platform's pilots update successfully, or until a timeout you set elapses. If an operating system has endpoints but no pilots of its own, its updates roll out governed by your update delay only. The Agent Updates page shows a per-operating-system breakdown of your pilot coverage so you can see this at a glance.
Agent Lifecycle
Define retention policies for agents that go offline:
- Retention period -- how long an agent can remain offline before it is automatically marked for cleanup
- Cleanup behavior -- whether offline agents are archived (preserving history) or fully removed
Health Scoring
Configure the weights used to calculate each agent's health score. The health score is a composite metric reflecting the overall state of a managed endpoint. Adjustable weights include:
- Update compliance -- how heavily missing updates affect the score
- Vulnerability count -- impact of open vulnerabilities on the score
- System health metrics -- weight of hardware and OS health indicators
Diagnostic Logs
Trigger on-demand log collection from any online agent. Collected logs are packaged into a compressed archive and made available for download. Useful for troubleshooting agent connectivity issues, failed updates, or unexpected behavior.
Users, Roles, and Authentication
These tabs are restricted to administrators.
- User Management controls who can sign in and what they can do. See User Management.
- Authentication -> SAML Single Sign-On lets your team sign in with their corporate credentials. See Single sign-on (SAML).
- Authentication -> SCIM Provisioning keeps the user list in sync with your identity provider automatically. See SCIM provisioning.
- Authentication -> Force-SSO and Break-Glass Admins lets you require SAML for everyone, with named admins as the safety net for misconfigured SSO. See the Force-SSO section of the SSO guide.
Privacy
The Privacy tab controls whether TridentStack Control support staff can view your environment's data, lets you grant time-limited access for a specific support case, and shows the Vendor Access Log of every staff access. See Support Access for the full guide.