Windows Restrictions

Windows restrictions determine which features are enabled on Windows 10+ devices.

Windows Restrictions settings

Category	Setting	What To Do
	Name	Enter a name that identifies this configuration.
	Description	Enter a description that clarifies the purpose of this configuration.
Device Capabilities	All Versions (Windows 10+)
	Disable Wi-Fi offloading	Select to prevent the device from accessing compatible networks to carry data intended for authorized wireless networks.
	Disable internet sharing	Select to prevent the device from accessing the internet by means of another wireless device.
	Disable location	Select to disable location services.
	Disable cellular data roaming	Select to disable data roaming when the device is in cellular mode.
	Disable bluetooth	Select to prevent the device from establishing bluetooth connections.
	Disable VPN when roaming or on a cellular network	Select to prevent the device from establishing VPN connections when not on WiFi.
	Disable manual configuration of Wi-Fi	Select to prevent the user from manually configuring the Wi-Fi settings on the device.
	Disable Wi-Fi	Select to allow or deny WiFi connection.
Telemetry - Allow device to send diagnostic and usage telemetry data.	Windows 10 only
	Telemetry level	Select one of the following telemetry levels of data reporting: Security - Send information about the Connected User Experience, Telemetry Component Settings, the Malicious Software Removal Tool, and Windows Defender. Basic - Send basic device information that includes quality-related data, app compatibility, app usage data, and data from the Security level. Enhanced - Send more information that includes usage and performance of Windows, Windows Server, System Center, and apps. Also includes advanced reliability data, and data from both the Basic and the Security levels. Full (Default) - Send all data to identify and help fix the problems, plus data from the Security, Basic, and Enhanced levels.
Data Loss Prevention (DLP)	All Versions (Windows 10+)
	Disable camera	Select to prevent the end user from using the camera app.
	Disable access to storage (SD) card	Select to prevent the device from accessing a storage card.
	Disable screen capture (Desktop only)	Select to prevent from capturing the screen using screen capture apps within the device.
	Disable USB mass storage (HoloLens only)	Select to prevent HoloLens from accessing mass storage devices.
Data Usage	Windows 10+
	Cost of 3G Connections	Select one of the following options: Unrestricted - Connection is unlimited and not restricted by usage charges and capacity constraints. Fixed - Connection is restricted by usage charges and capacity constraints after a certain data limit. Variable - Connection is charged on a per byte basis.
	Cost of 4G Connections
Defender	Windows 10+
	Disable Defender RealTime Monitoring functionality	Select to disable Windows Defender Realtime Monitoring functionality
DeviceGuard	Windows 10+
	Disable virtualization based security(VBS)	Select to prevent virtualization based security from providing support for security services.
	Credential Guard with virtualization-based security	Select one of the following options: Disabled - Disable Credential Guard with virtualization-based security. Enabled with UEFI lock - Enable Credential Guard with virtualization-based security with Unified Extensible Firmware Interface (UEFI) lock. Enabled without lock - Enable Credential Guard with virtualization-based security without UEFI)lock.
	Platform Security Level (Require Platform Security Features)	Select one of the following options: VBS with Secure Boot - Select this option to enable virtualization-based security with secure boot. VBS with Secure Boot and Direct memory Access - Select this option to enable virtualization-based security with secure boot and direct memory access(DMA).
Privacy	Windows 10+
	Disable the Advertising ID	Select to disable Advertising ID.
	Disable to publish the activity feed by Apps/OS	Select to prevent Apps/OS to publish to the activity feed.
Windows and Application	All Versions (Windows 10+)
	Disable Microsoft accounts for service other than email	Select to prevent the end user from using Microsoft accounts for authenticating to non-email services.
	Disable non-Microsoft accounts	Select to prevent the end user from configuring email using non-Microsoft accounts.
	Disable Cortana personal assistant	Select to prevent the end user from accessing Microsoft's personal assistant.
	Disable location-based search	Select to prevent searches from leveraging the device location.
	Disable developer unlock	Select to prevent the end user from enabling sideloading of apps. The default mode when a device is enrolled in MDM is SideLoad enabled.
	11+ Supported Editions only
	Configuration of the Teams Chat Icon on the taskbar	Select one of the following options: Show: Chat icon appears on the taskbar by default. Users can show or hide it in Settings. Hide: Chat icon hidden by default. Users can show or hide it in Settings. Disabled: Chat icon not displayed, and users cannot show or hide it in Settings. Not Configured: Chat icon behaves according to the defaults for your Windows edition. Changes do not take effect until restart of the Windows device.
	Windows 10+ Supported Versions only
	Disable automatic update of apps from Microsoft Store	Select to prevent automatic update of apps from the Microsoft Store.
	Disable the launch of all apps from Microsoft Store that came preinstalled or were downloaded	Select to prevent the end user from launching all pre-installed or downloaded apps from Microsoft Store. Supports only Enterprise and Education Windows editions.
	Let apps run in the background	Select one of the following options: User in control: allows the user to control the running of apps in the background. Force allow: allows running apps in the background. Force deny: prevents running of apps in the background.
Other Restrictions	All Versions (Windows 10+)
	Disable ability to unenroll from UEM and delete the workplace account.	Select to prevent the end user from unenrolling from UEM and deleting company account image.
	Disable user from setting the device lock grace period (HoloLens only).	Select to prevent the user from setting the device lock grace period.
	Windows 10+ Supported Versions only
	Disable user to factory reset the device by using control panel and hardware key combination	Select to prevent the end user from setting the device lock grace period.
	Require users to connect to network during device set up (Autopilot profile is required)	Select this option to enable TenantLockdown to lock all the Windows devices that are enrolled using the Autopilot feature.