Tags Guide Part IV: Windows 10/11 Restrictions
Restriction Overview
Windows restrictions are part of the Policy Configuration Service Provider and are grouped with the same naming in the Management Console. You can press All + to expand all available restriction or expand each group separately. The following groups are available and linked to the corresponding section with all available policy configurations:
Build your own policy setting with Create a Custom Profile for Windows 10/11
Restrcitions
Above Lock Screen
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Allow Cortana Above Lock Screen |
|
|
|
Specifies whether or not the user can interact with Cortana using speech while the system is locked. If enabled, the user can interact with Cortana using speech while the system is locked. If disabled, the system will need to be unlocked for the user to interact with Cortana using speech. |
| Allow Toasts |
|
|
Specifies whether to allow toast notifications above the device lock screen |
Accounts
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Allow User to Add Non-Microsoft Accounts Manually |
|
|
Specifies if the user is allowed to add non-MSA email accounts | |
| Allow Microsoft Account for Non Email Related Services |
|
|
|
Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services. |
| Allow Microsoft Account Sign In Assistant |
|
|
|
Disables the Microsoft Account Sign-In Assistant (wlidsvc) NT service. If disabled Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher |
Application Management
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Application Management | ||||
| Allow App Store Auto Update |
|
|
Configures if automatic app updates from Microsoft Store are allowed or not. | |
| Allow Windows Game Recording and Broadcasting |
|
|
Controls whether DVR and broadcasting is allowed. | |
| Allow Shared User AppData |
|
|
This settings configures if application data can be shared among multiple users on the system and with other instances of that app. Disabling this setting will not delete existing shared data in the SharedLocal folder. | |
| Disable All Apps From Microsoft Store |
|
|
|
Enabling this setting, will prevent the launch of all pre-installed or downloaded apps from the Microsoft Store |
| Allow User Control Over Installs |
|
|
|
Permits users to change installation options that typically are available only to system administrators. |
| Allow MSI Always Install With Elevated Privileges |
|
|
|
Directs Windows Installer to use elevated permissions when it installs any program on the system |
| Only Display the Private Store Within the Microsoft Store |
|
|
If disabled, both public and private store are allowed. If enabled only the private or corporate store is enabled. | |
| Prevent Users` App Data From Being Stored on Non-System Volumes |
|
|
Controls if application data is restricted to the system drive or not. | |
| Disable Installing Windows Apps on Non-System Volumes |
|
|
Controls whether the installation of applications is restricted to the system drive or not. | |
| Allow All Trusted Apps to Install |
|
|
Allows to control if non Microsoft Store apps are allowed | |
| Allow Developer Unlock |
|
|
Specifies whether developer unlock is allowed or not. | |
Audit
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Audit | ||||
| Audit Account Lockout |
|
|
|
Allows to control audit events generated by a failed attempt to log on to an account that is locked out. Depending on the configuration an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and Failure audits record unsuccessful attempts. |
| Audit Group Membership |
|
|
|
Configures audit setting for the group membership information in the user's logon token. Events are generated on the computer on which a logon session is created and for each successful logon. For an interactive logon, audit events are generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, audit event are generated on the hosting computer. You must also enable the Audit Logon setting |
| Audit IPsec Extended Mode |
|
|
|
Allows to control audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. |
| Audit IPsec Main Mode |
|
|
|
Allows to control audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. |
| Audit IPsec Quick Mode |
|
|
|
Allows to control audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. |
| Audit Logoff |
|
|
|
Allows to control audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to. |
| Audit Logon |
|
|
|
Allows to control audit events generated by user account logon attempts on the device. |
| Audit Network Policy Server |
|
|
|
Configures audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be grant, deny, discard, quarantine, lock and unlock.
|
| Audit Other Logon Logoff Events |
|
|
|
Allows to configure audit other login or logoff related events. These includes:
|
| Audit Special Logon |
|
|
|
Configures audit events generated with special logons like:
|
| Audit User Device Claims |
|
|
|
Allows to configure audit events for user and device claims information in the user's logon token. Events are generated on the computer on which a logon session is created and for each successful logon. For an interactive logon, audit events are generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, audit event are generated on the hosting computer. You must also enable the Audit Logon setting |
| Audit Credential Validation |
|
|
|
Allows to control audit events generated by validation test on user account logon credentials. |
| Audit Kerberos Authentication Service |
|
|
|
Allows to control audit events generated by Kerberos authentication ticket-granting ticket (TGT) request. |
| Audit Kerberos Service Ticket Operations |
|
|
|
Allows to control audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts. |
| Audit Other Account Logon Events |
|
|
|
Specifies to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. |
| Audit Application Group Management |
|
|
|
Allows to control audit events generated by changes to application groups like:
|
| Audit Computer Account Management |
|
|
|
Configures audit events generated by changes to computer accounts, e.g. when computer accounts are created, changed or deleted. |
| Audit Distribution Group Management |
|
|
|
This setting allows to control configure audit settings for changes to distribution groups like:
|
| Audit Other Account Management Events |
|
|
|
Specifies the audit events generated by other user account changes like:
|
| Audit Security Group Management |
|
|
|
Allows to audit events generated by changes to security groups, such as:
|
| Audit User Account Management |
|
|
|
This configuration allows to audit changes to user accounts. This events includes the following:
|
| Audit Detailed Directory Service Replication |
|
|
|
Controls audit settings to audit events generated by detailed AD DS replication between domain controllers. |
| Audit Directory Service Access |
|
|
|
Allows to audit events generated when an AD DS object is accessed. Only AD DS objects with a matching system access control list (SACL) are logged. |
| Audit Directory Service Changes |
|
|
|
Specifies the audit events generated by changes to objects in AD DS. Events will be logged when an object is created, deleted, modified, move or undeleted. Events in this subcategory are logged only on domain controllers, and only objects in AD DS with a matching system access control list (SACL) are logged. |
| Audit Directory Service Replication |
|
|
|
This setting allows to audit replication between two AD DS domain controllers. Events in this subcategory are logged only on domain controllers. |
| Audit DPAPI Activity |
|
|
|
Controls audit settings generated when encryption or decryption requests are made to the Data Protection application interface. Fore more information about DPAPI please review the following article: Windows Data Protection |
| Audit PNP Activity |
|
|
|
Specifies the setting for audit events when plug and play detects and external device. |
| Audit Process Creation |
|
|
|
Allows to control audit events generated when a process created or starts. The name of the application or the user that created the process will be also audited. |
| Audit Process Termination |
|
|
|
Allows to control audit events generated when a process ends. |
| Audit RPC Events |
|
|
|
Specifies the setting for audit events for inbound remote procedure call connections. |
| Audit Token Right Adjusted |
|
|
|
Controls audit settings to audit events generated by adjusting the privileges of a token. |
| Audit Application Generated |
|
|
|
This setting allows to control audit applications that generate events by using the Windows Auditing application interfaces (APIs). |
| Audit Central Access Policy Staging |
|
|
|
Specifies audit access requests where permissions are granted or denied by a proposed policy that differs from the current central access policy on an object. |
| Audit Certification Services |
|
|
|
Allows to control audit events from Active Directory Certificate Services operations. |
| Audit Detailed File Share |
|
|
|
Controls audit settings for access files and folders attempts on a shared folder. This allows are more granular logging for File Shares than the Audit File Share setting. Detailed File Share logs an event every time a file or folder is accessed. There are no system access control lists (SACLs) for shared folders. If this setting is enabled, access to all shared files and folders on the system is audited. |
| Audit File Share |
|
|
|
With this setting it is possible to control audit attempts to access a shared folder. Audit File Share logs one event for any established connection between a client and file share. There are no system access control lists (SACLs) for shared folders. If this setting is enabled, access to all shared files and folders on the system is audited. |
| Audit File System |
|
|
|
Specifies audit settings for user attempts to access file system objects. Audit events are generated each time an account access a file system object with a matching SACL. |
| Audit Filtering Platform Connection |
|
|
|
Allows to control audit connections that are allowed or blocked by the Windows Filtering Platform. This includes the following events
|
| Audit Filtering Platform Packet Drop |
|
|
|
Specifies audit settings for audit packets that are dropped by the Windows Filtering Platform. |
| Audit Handle Manipulation |
|
|
|
Controls audit settings for events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events. |
| Audit Kernel Object |
|
|
|
With this setting it is possible to control audit events for attempts to access the kernel. This includes mutexes and semaphores. Only kernel objects with a matching system access control list (SACL) generate security audit events. |
| Audit Other Object Access Events |
|
|
|
Allows to control audit events generated by the management of task scheduler jobs or COM+ objects. The following scheduler jobs are audited:
The following COM+ objects are audited:
|
| Audit Registry |
|
|
|
Controls audit settings for attempts to access registry objects. Audit events are generated only for objects that have the SACLs specified and only if the access type such as read, write or modify is requested and the account that makes the requests matches the settings in the SACL. |
| Audit Removable Storage |
|
|
|
Allows to define audit settings for attempts to access file system object on a removable storage device by a user. Security audit events are generated only for all objects and for all types of requested access. |
| Audit SAM |
|
|
|
Controls audit settings for events generated by attempts to access Security Account Manager objects. |
| Audit Authentication Policy Change |
|
|
|
Specifies audit settings for events generated by changes to the authentication policy. Please review authentication policy events here.
|
| Audit Authorization Policy Change |
|
|
|
Allows to control audit settings for events generated by changes to the authorization policy. Please review authorization policy events here. |
| Audit Filtering Platform Policy Change |
|
|
|
Allows to define audit settings for events generated by changes to the Windows Filtering Platform, like:
|
| Audit MPSSVC Rule Level Policy Change |
|
|
|
Specifies audit settings for events generated by changes in policy rules utilized by the Microsoft Protection Service, which is used by the the Windows Firewalls. MPSSVC includes the following events:
|
| Audit Other Policy Change Events |
|
|
|
Allows to define audit settings for events generated by other security policy changes that are not audited within the policy change category, like
|
| Audit Policy Change |
|
|
|
Controls audit settings for events generated by changes in the security audit policy settings. Please review included events here. |
| Audit Non Sensitive Privilege Use |
|
|
|
Controls audit settings for events generated by the use of non sensitive user rights (privileges). Please review nonsensitive privileges here. |
| Audit Other Privilege Use Events |
|
|
|
This setting is deprecated
|
| Audit Sensitive Privilege Use |
|
|
|
Allows to define audit settings for events generated when sensitive user rights are used. Please review audit events here. |
| Audit IPsec Driver |
|
|
|
Specifies audit settings for events generated by the IPsec filter driver, such as:
|
| Audit Other System Events |
|
|
|
This settings allow to control audit of any of the following events:
|
| Audit Security State Change |
|
|
|
Defines audit settings for events generated by changes in the security state of the customer, such as:
|
| Audit Security System Extension |
|
|
|
Controls audit settings for events related to security system extensions or services. |
| Audit System Integrity |
|
|
|
Allows to control audit events generated in case of integrity violation of the security subsystem. Please review audit events here.
|
Authentication
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Authentication | ||||
| Allow Azure AD Password Reset |
|
|
|
Defines whether password reset is enabled for Azure Active Directory accounts |
| Allow EAP Cert SSO |
|
|
Allows or disallows an EAP certificate based authentication for a single sign on (SSO) to access internal resources. | |
| Allow Fast Reconnect |
|
|
Allows or disallows EAP Fast Reconnect from being attempted for EAP Method TLS. | |
| Allow Companion Device for Secondary Authentication |
|
|
|
Allows or disallows secondary authentication devices to work with Windows |
| Allow Enable Fast First Sign In |
|
|
|
Configures quick first sign-in experience for a user on Shared PCs. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts. |
| Allow Enable Web Sign In |
|
|
|
Web Sign-in is a way of signing into a Windows PC and enables Windows logon support for non-ADFS federated providers (e.g. SAML). Only supported for Azure AD Joined PCs |
BITS
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Bits | ||||
| Set Default Download Behavior for Background Jobs on Costed Networks |
|
|
|
Configures the default behavior that the Background Intelligent Transfer uses for background transfers when the device is connected to a costed network (3G, LTE etc.) |
| Set Default Download Behavior for Foreground Jobs on Costed Networks |
|
|
|
Configures the default behavior that the Background Intelligent Transfer uses for foreground transfers when the device is connected to a costed network (3G, LTE etc.) |
Bluetooth
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Bluetooth | ||||
| Allow Advertising |
|
|
Configures if the device can send out Bluetooth advertisement | |
| Allow Discoverable Mode |
|
|
Specifies whether other Bluetooth-enabled devices can discover the managed device | |
| Allow Prepairing |
|
|
|
Allows or disallows specific bundled Bluetooth peripherals to automatically pair with the host device. |
| Allow Prompted Proximal Connections |
|
|
|
Will allow or block users from using Swift Pair and other proximity based scenarios. |
Browser
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Browser | ||||
| Allow Address bar drop-down list suggestions |
|
|
|
Microsoft Edge shows the Address bar drop-down list and makes it available by default, which takes precedence over the Configure search suggestions in Address bar policy. Disable this restriction for minimizing network connections from Microsoft Edge to Microsoft service, which hides the functionality of the Address bar drop-down list. If disabled Microsoft Edge also disables the Show search and site suggestions as I type toggle in Settings. |
| Allow Browser |
|
|||
| Allow Configuration Updates for the Books Library |
|
|
|
If enabled, Microsoft Edge updates configuration data for the Books Library automatically. If disabled Microsoft Edge will be prevented from updating the configuration data. |
| Allow Developer Tools |
|
|
Prevent users from using the F12 developer tools. | |
| Allow Extensions |
|
|
|
Prevent users from adding or personalizing extensions. |
| Allow Adobe Flash |
|
|
Configure Microsoft Edge to prevent Adobe Flash content from running. Adobe Flash is integrated with Microsoft Edge and runs Adobe Flash content by default |
|
| Configure the Adobe Flash Click-to-Run Setting |
|
|
|
By default, Microsoft Edge prevents Adobe Flash content from loading automatically, requiring action from the user, for example, clicking the Click-to-Run button. Disabling this will load Adobe Flash content automatically |
| Allow FullScreen Mode |
|
|
|
Configures whether fullscreen mode is allowed or not. |
| Allow InPrivate Browsing |
|
|
InPrivate Browsing deletes after closing all tabs to browsing date from the device. This restrictions configures whether InPrivate Browsing is allowed or not. | |
| Allow Microsoft Compatibility List |
|
|
|
During browser navigation, Microsoft Edge checks the Microsoft Compatibility List for websites with known compatibility issues. If found, users are prompted to use Internet Explorer, where the site loads and displays correctly. Periodically during browser navigation, Microsoft Edge downloads the latest version of the list and applies the updates. With this policy, you can configure Microsoft Edge to ignore the compatibility list. You can view the compatibility list at about:compat. |
| Allow Microsoft Edge to Pre-Launch at Windows Startup |
|
|
|
If enabled, the browser pre-launches as a background process during Windows startup for faster performance and faster launch time. |
| Allow Printing |
|
|
|
Disabling this setting will prevent user from printing web content. |
| Allow Saving History |
|
|
|
Disabling this settings prevents from saving the browsing history. If any history existed before disabling this setting, the previous browsing history remains in the History pane. Also disabling this setting does not stop roaming of existing browsing history or browsing history from other devices. |
| Allow Microsoft Edge to Pre-Launch at Windows Startup |
|
|
|
If enabled, the browser pre-launches as a background process during Windows startup for faster performance and faster launch time. |
| Allow Printing |
|
|
|
Disabling this setting will prevent user from printing web content. |
| Allow Saving History |
|
|
|
Disabling this settings prevents from saving the browsing history. If any history existed before disabling this setting, the previous browsing history remains in the History pane. Also disabling this setting does not stop roaming of existing browsing history or browsing history from other devices. |
| Allow Search Engine Customization |
|
|
|
Configures whether users are allowed from customizing the search engine. |
| Allow Sideloading of Extensions |
|
|
|
Sideloading allows to install and run unverified extensions. If disabled, extensions can only be installed through Microsoft Store or Store for Business and PowerShell by using Add-AppxPackage cmdlet. |
| Allow Microsoft Edge to Start and Load the Start and New Tab Pages |
|
|
|
If enabled, Microsoft Edge pre-loads the Start and New Tab pages during Windows Login and each time the browser closes by default for a faster start and new tab loading. |
| Allow Always Show the Books Library in Microsoft Edge |
|
|
|
If enabled, the Books Library is only shown in supported regions or countries. If disabled, the Books Library is shown regardless if the country or region is supported. |
| Allow Search Engine Customization |
|
|
|
Configures whether users are allowed from customizing the search engine. |
| Allow Sideloading of Extensions |
|
|
|
Sideloading allows to install and run unverified extensions. If disabled, extensions can only be installed through Microsoft Store or Store for Business and PowerShell by using Add-AppxPackage cmdlet. |
| Allow Microsoft Edge to Start and Load the Start and New Tab Pages |
|
|
|
If enabled, Microsoft Edge pre-loads the Start and New Tab pages during Windows Login and each time the browser closes by default for a faster start and new tab loading. |
| Allow Always Show the Books Library in Microsoft Edge |
|
|
|
If enabled, the Books Library is only shown in supported regions or countries. If disabled, the Books Library is shown regardless if the country or region is supported. |
| Allow Clearing Browsing Data on Exit |
|
|
|
Clearing Browsing Data does not take affect by default on the browser, but users can configure this option in the Settings. Browsing data might include sensitive information the user entered like forms, passwords and visited websites. This restriction allows to clear the browsing data automatically each time Microsoft Edge closes.
|
| Configure Additional Search Engines |
|
|
|
Users are allowed to set a default search engine but can't add, change or remove them. This setting allows to set the default engine and add up to five additional search engines. You must specify a link to the OpenSearch XML file. Please refer to Search provider discovery. |
| Allow Clearing Browsing Data on Exit |
|
|
|
Clearing Browsing Data does not take affect by default on the browser, but users can configure this option in the Settings. Browsing data might include sensitive information the user entered like forms, passwords and visited websites. This restriction allows to clear the browsing data automatically each time Microsoft Edge closes.
|
| Configure Additional Search Engines |
|
|
|
Users are allowed to set a default search engine but can't add, change or remove them. This setting allows to set the default engine and add up to five additional search engines. You must specify a link to the OpenSearch XML file. Please refer to Search provider discovery. |
Camera
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Camera | ||||
| Allow Camera |
|
|
Specifies whether the user is able to use the device camera or not. |
|
Cellular
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Cellular | ||||
| Let Apps Access Cellular Data |
|
|
|
Allows to control if Windows 10 apps can access cellular data.
|
Connectivity
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Connectivity | ||||
| Allow Bluetooth |
|
|
||
| Allow Connected Devices |
|
|
|
With this setting it is possible to disable the Connected Devices Platform (CDP) component. CDP is used to enable discovery and connections to other devices to support remote app launch, remote messages, remote app sessions and other cross-device experiences. |
| Allow Phone PC Linking |
|
|
|
Disables the ability to link a phone with a PC to continue tasks (e.g reading, emails and related tasks). If the PC is already linked, this setting will remove the device itself from the device list on any linked phone and will prevent from participating from the "Continue on PC" experience |
| Allow VPN Over Cellular |
|
|
Specifies if cellular is allowed to use for VPN connections. | |
| Allow VPN Roaming Over Cellular |
|
|
Controls whether the device is allowed or not to connect to VPN when the device is roaming over cellular networks. | |
| Allow Cellular Data |
|
|
Provides the ability to configure cellular data usage settings on the device.
|
|
| Allow Cellular Data Roaming |
|
|
Provides the ability to configure cellular data roaming settings on the device.
|
|
Control Policy Conflict
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Control Policy Conflict | ||||
| MDM Policy Is Used and the GP Policy Is Blocked |
|
|
|
This restrictions ensures that settings made via the Mobile Device Management protocol will win over Group Policies. |
Credential Provider
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Credential Provider | ||||
| Local Windows Autopilot Reset |
|
|
|
This option will configure the Credential Provider CSP and will allow to display the local Autopilot reset option in the Lock Screen. |
Cryptography
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Cryptography | ||||
| Allow Fips Algorithm Policy |
|
|
Specifies whether the Federal Information Processing Standard (FIPS) policy is allowed or disallowed. Please review for further information the explanation inside the Group Policy System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing under the following path: Windows Settings/Security Settings/Local Policies/Security Options | |
Data Protection
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Data Protection | ||||
| Allow Direct Memory Access |
|
|
This restrictions allows to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. Requires BitLocker Device Encryption |
|
Desktop
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Desktop | ||||
| Prevent User Redirection of Profile Folders |
|
|
Users can change by default the location of their individual profile folder like Pictures and Documents etc. by changing the path in the Locations section of the folders properties box. With this setting it is possible to prevent users from redirecting profile folders. | |
Device Guard
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Device Guard | ||||
| Configure the Launch of System Guard |
|
|
|
Allows to configure the launch of System Guard. For more information about System Guard, please refer to
Enabling Secure Launch requires are supported hardware. |
| Turn On Virtualization Based Security |
|
|
|
If enabled it turns on the virtualization based security (VBS) at the next reboot of the device. VBS uses the Windows Hypervisor to provide support for security devices. |
| Turn On Credential Guard With Virtualization-Based Security |
|
|
|
Configures the usage of Credential Guard and the option to change the setting for the user. Credential Guard with virtualization-based security helps to protect credentials and changes will be applied after the next reboot
|
| Configure Platform Security Features |
|
|
|
Allows to specify the platform security level beginning with the next reboot. DMA requires hardware support. |
Device Health Monitoring
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Device Health Monitoring | ||||
| Allow Device Health Monitoring |
|
|
|
Defines whether the Device Health Monitoring connection is enabled or disabled. Device Health Monitoring is an opt-in health monitoring connection between the device and Microsoft. Please enable this settings only if you a using a Microsoft device monitoring service which requires it. |
Device Lock
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Device Lock | ||||
| Prevent Lock Screen Slide Show |
|
|
Disables the lock screen slide show settings in the Settings App and prevents a slide show from playing on the lock screen. If disabled or not configured, users can enable and modify slide show settings. | |
Display
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Display | ||||
| Configure Per-Process System DPI Settings |
|
|
|
|
DMA Guard
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| DMA Guard | ||||
| Enumeration Policy for External Devices Incompatible With Kernel DMA Protection |
|
|
|
This setting provides additional security again external DMA capable devices.
|
Enrollment
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Enrollment | ||||
| Enable Agility Post Enrollment |
|
|
|
This option enables Windows Autopilot to be kept up-to-date during the out-of-box experience after the enrollment. Please refer to Windows Autopilot: What's new for additional information |
| Require Network In OOBE |
|
|
|
This settings allows to lock a device to a tenant, which ensures that the device remains bound if accidental or intentional resets or wipes occur. Please refer to Release Notes Silverback 22.0 for additional information |
Event Log Service
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Event Log Service | ||||
| Allow Adding Events When Log File Reaches Maximum Size |
|
|
This restriction controls the Event Log behavior when the log file(s) reaches the maximum size. In a not configured state log files will overwrite old events if the log file reaches the maximum size. In an enabled state, new events will not be written into the log and are lost. | |
| Max Application Log File Size (KB) |
|
|
Defines the maximum log file size in KB for Application Logs. Supported values are from 1024 (1MB) to 2147483647 (2 TB). The default value is 20480 KB (20MB) | |
| Max Security Log File Size (KB) |
|
|
Defines the maximum log file size in KB for Security Logs. Supported values are from 1024 (1MB) to 2147483647 (2 TB). The default value is 20480 KB (20MB) | |
| Max System Log File Size (KB) |
|
|
Defines the maximum log file size in KB for System Logs. Supported values are from 1024 (1MB) to 2147483647 (2 TB). The default value is 20480 KB (20MB) | |
Experience
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Experience | ||||
| Allow Cortana |
|
|
Allows or disallows Cortana on the device. | |
| Allow Manual MDM Unenrollment |
|
|
Specifies if the user is able to delete the workplace account on the device or if it will be only possible to delete the profile remotely through the Management Console | |
| Allow Sync My Settings |
|
|
Controls whether Windows sync settings on the device are allowed or not. Please review the following article "About sync settings on Windows 10 devices" to get an overview what settings are synchronized. | |
File Explorer
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| File Explorer | ||||
| Turn Off Data Execution Prevention for Explorer |
|
|
If enabled, data execution prevention can allow certain legacy plug-in applications to function without terminating the Explorer. | |
| Turn Off Heap Termination on Corruption |
|
|
If enabled, heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later. | |
Games
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Games | ||||
| Allow Advanced Gaming Services |
|
|
|
Specifies if advanced gaming services can be used on the device. Advanced gaming services may send data to Microsoft or games publishers that use these services. |
Handwriting
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Handwriting | ||||
| Handwriting Panel Default Mode |
|
|
|
Defines the default mode for the handwriting panel.
|
Lock Down
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Lock Down | ||||
| Allow Edge Swipe |
|
|
|
This setting controls if a user is able to invoke the system user interface by swiping in from any screen edge using touch. |
Maps
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Maps | ||||
| Allows Auto-Update Over Metered Connection |
|
|
|
Controls whether the download and update of map data over metered connection is forced to disabled or forced to enabled. |
| Turn Off Automatic Download and Update of Map Data |
|
|
|
Controls whether the automatic download and update of map data is forced off (disabled) or forced on (enabled). |
Messaging
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Messaging | ||||
| Allow Message Sync |
|
|
|
Allows or disallows users to backup and restore text messages and use Messaging Everywhere. Disabling this policies will avoid that information are stored on non-organization cloud servers. If disabled, message sync is not allowed and can't be changed by the user. |
Notifications
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Notifications | ||||
| Turn Off Notification Network Usage |
|
|
|
This restriction block applications from using the network to send tile, badge, toasts and raw notifications. We highly recommend to not enable this restriction. It might cause issue in the device communication with the backend server. |
| Turn Off Notification Mirroring |
|
|
|
If enabled, application and system notifications will not be mirrored to other user devices. |
| Turn Off Tile Notification |
|
|
|
If enabled, applications and system features will not be able to update their tiles and badges in the start screen. |
Security
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Security | ||||
| Allow Add Provisioning Package |
|
|
Configures if the runtime configuration agent is allowed to install provisioning packages. | |
| Allow Remove Provisioning Package |
|
|
Specifies if the runtime configuration agent is allowed to remove provisioning packages. | |
| Require Provisioning Package Signature |
|
|
Requires provisioning package are certificate signed by a device trusted authority. | |
| Configure The System To Clear The TPM If It Is Not In a Ready State |
|
|
|
This setting will either not force recovery from a non-ready TPM state or will prompt to clear the TPM if the TPM is i a not ready state which can be remediated with a cleared TPM. The prompt will appear on first admin logon after a reboot when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin logon after restart. Admin access is required. |
| Recovery Environment Authentication |
|
|
|
This settings allows to control the Admin Authentication in the Recovery Environment. Please find here additional validation procedure information |
Settings
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Settings | ||||
| Allow Auto Play |
|
|
Allows or disallows the user to change Auto Play settings. Disabling does not affect the autoplay dialog box that appears when a device is connected | |
| Allow Data Sense |
|
|
Configure whether the user is allowed or not allowed to change Data Sense settings. | |
| Allow Date Time |
|
|
Allows or disallows the user to change date and time settings. | |
| Allow Language |
|
|
Configures whether the user is allowed or not allowed to change the language settings | |
| Allow Online Tips |
|
|
|
Allows or disallows retrieving online tips and help for the Settings app. If disabled, Settings App will stop contacting Microsoft content services. |
| Allow Power Sleep |
|
|
Configures whether the user is allowed to change power and sleep settings. | |
| Allow Region |
|
|
Allows or disallows the user to change region settings. | |
| Allow Sign In Options |
|
|
Prevents the user from changing Sign In options. | |
| Allow VPN |
|
|
Configures whether the user is allowed to change VPN settings. | |
| Allow Workplace |
|
|
Allows or disallows the user to change workplace settings. | |
| Allow Your Account |
|
|
Prevents the user from changing settings in the Your Info are in settings app | |
| Show additional Calendar |
|
|
|
Allows to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout |
Speech
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Speech | ||||
| Allow Automatic Update of Speech Data |
|
|
|
Specifies if devices will periodically check and receive updates to the speech recognition and synthesis models and download them from the Microsoft service using the Background Internet Transfer Service (BITS). |
Task Manager
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Task Manager | ||||
| Allow Use Task Manager to End Tasks |
|
|
|
Controls if non-administrators can utilize the Task Manager to end tasks. |
Troubleshooting
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Troubleshooting | ||||
| Troubleshooting Recommendations |
|
|
|
Allows to configure how to apply recommended troubleshooting for known problems on devices. |
WiFi
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Device Lock | ||||
| Allow Auto Connect to WiFi Sense Hotspots |
|
|
Configures whether the device is allowed or not to automatically connect to Wi-Fi hotspots | |
| Allow Manual WiFi Configuration |
|
|
|
Allows or disallows connecting to Wi-Fi outside of managed Wi-Fi Profiles. Disabling this setting will delete any previously installed user's profiles from the devices. |
| Allow WiFi |
|
|
|
Configures if WiFi connections are allowed or not. |
| Allow WiFi Direct |
|
|
|
Specifies if WiFi Direct connections are allowed or prohibited. |
| WLAN Scan Mode |
|
|
Allows to control the WLAN scanning bhehavior and how aggressively devices should be actively scanning for Wi-Fi networks.
|
|
Windows PowerShell
| Setting | Availability | Options | Requirement | Description |
|---|---|---|---|---|
| Windows PowerShell | ||||
| Allow PowerShell Script Logging |
|
|
Enables logging of all PowerShell script input in the Microsoft-Windows-Powershell/Operational event log. PowerShell will log, whether invoked interactively or through automation,the processing of commands, script blocks, functions and scripts. | |
| Log Script Block Invocation Start/Stop Events |
|
|
With enabled Log Script Block Invocation Start/Stop Events , PowerShell additionally logs when invocation of a command, script block, function, or script starts or stops. Enabling Invocation Logging generates a high volume of event logs. |
|