Windows Restrictions
Windows restrictions determine which features are enabled on Windows desktops and mobile devices.
Windows Restrictions settings
Category |
Setting |
What To Do |
---|---|---|
Name |
Enter a name that identifies this configuration. |
|
|
Description |
Enter a description that clarifies the purpose of this configuration. |
Device Capabilities |
All Versions (Windows 10 Desktop and Mobile, Windows 8.1 Desktop and Mobile) | |
Disable WiFi offloading | Select to prevent the device from accessing compatible networks to carry data intended for authorized wireless networks. | |
|
Disable internet sharing | Select to prevent the device from accessing the internet by means of another wireless device. |
|
Disable location | Select to disable location services. |
|
Disable cellular data roaming | Select to disable data roaming when the device is in cellular mode. |
|
Disable bluetooth | Select to prevent the device from establishing bluetooth connections. |
Disable VPN when roaming or on a cellular network | Select to prevent the device from establishing VPN connections when not on WiFi. | |
8.1 Windows Phone 8.1 only | ||
Disable WiFi Hotspot reporting | Select to prevent the device from automatically reporting HotSpot information to Microsoft. | |
8.1+ Windows Phone 8.1 & Windows 10 Mobile | ||
Disable WiFi | Select to prevent the device from accessing wireless networks. | |
Disable manual configuration of WiFi | Select to prevent the device from accessing wireless networks outside of those defined by Ivanti Neurons for MDM. | |
Disable NFC | Select to prevent the device from establishing radio communication with another device by getting close to or touching another device. | |
|
Disable manual root certificate installation | Select to prevent the end user from manually installing root and intermediate certificates. |
Telemetry |
Windows 10 only | |
|
Telemetry level | Select one of the following telemetry levels of data reporting:
|
Data Loss Prevention (DLP) |
All Versions (Windows 10 Desktop and Mobile, Windows 8.1 Desktop and Mobile) | |
|
Disable camera | Select to prevent the end user from using the camera app. |
|
Disable access to storage (SD) card | Select to prevent the device from accessing a storage card. |
|
8.1 Windows Phone 8.1 only | |
|
Disable offline "Save As" | Select to prevent the end user from using the Save As command with Office Hub files. |
|
Disable offline sharing | Select to prevent the end user from sharing Office Hub files. |
|
8.1+ Windows Phone 8.1 & Windows 10 Mobile | |
Disable copy and paste | Select to prevent the end user from copying and pasting data between apps. | |
Disable screen capture | Select to prevent the end user from using the screen capture feature on the device. | |
Disable voice recording | Select to prevent the end user from using the voice recording feature. | |
Disable USB mass storage | Select to prevent the end user from accessing device storage from a desktop by means of a USB. | |
Data Usage | Windows 10+ | |
Cost of 3G Connections |
Select one of the following options:
|
|
Cost of 4G Connections | ||
Defender | Windows 10+ | |
Disable Defender RealTime Monitoring functionality | Select to disable Windows Defender Realtime Monitoring functionality | |
DeviceGuard | Windows 10+ | |
Disable virtualization based security(VBS) | Select to prevent virtualization based security from providing support for security services. | |
Credential Guard with virtualization-based security |
Select one of the following options:
|
|
Platform Security Level (Require Platform Security Features) |
Select one of the following options:
|
|
Privacy | Windows 10+ | |
Disable the Advertising ID | Select to disable Advertising ID. | |
Disable to publish the activity feed by Apps/OS | Select to prevent Apps/OS to publish to the activity feed. | |
Windows and Application | All Versions (Windows 10 Desktop and Mobile, Windows 8.1 Desktop and Mobile) | |
|
Disable Microsoft accounts for service other than email | Select to prevent the end user from using Microsoft accounts for authenticating to non-email services. |
Disable non-Microsoft accounts | Select to prevent the end user from configuring email using non-Microsoft accounts. | |
Disable Cortana personal assistant | Select to prevent the end user from accessing Microsoft's personal assistant. | |
Disable location-based search | Select to prevent searches from leveraging the device location. | |
Disable developer unlock | Select to prevent the end user from enabling sideloading of apps. The default mode when a device is enrolled in MDM is SideLoad enabled. | |
11+ Enterprise Edition | ||
Configuration of the Teams Chat Icon on the taskbar |
Select one of the following options:
|
|
Windows Phone 10+ | ||
Disable automatic update of apps from Microsoft Store | Select to prevent automatic update of apps from the Microsoft Store. | |
Disable the launch of all apps from Microsoft Store that came preinstalled or were downloaded |
Select to prevent the end user from launching all pre-installed or downloaded apps from Microsoft Store. Supports only Enterprise and Education Windows editions. |
|
Let apps run in the background |
Select one of the following options:
|
|
Windows Phone 8.1 only | ||
Disable storing images from Visual Search feature | Select to prevent the end user from saving images Bing Vision searches. | |
8.1+ Windows Phone 8.1 & Windows 10 Mobile | ||
Disable Microsoft Store | Select to prevent the end user from accessing the Microsoft app store. | |
Disable Internet Explorer | Select to prevent the end user from accessing Internet Explorer. | |
Disable alerts from Actions Center | Select to prevent display of Action Center alerts above the lock screen. | |
Secure Browser Settings | 10+ Windows 10 Desktop and Mobile | |
Disable Browser Pop-ups on desktops | (Desktop devices only) Select to disable pop-up browser windows in Microsoft Edge browser. | |
Disable Password Manager | Select to disable saving and managing passwords locally on the devices. | |
Other Restrictions | All Versions (Windows 10 Desktop and Mobile, Windows 8.1 Desktop and Mobile) | |
Disable ability to unenroll from UEM and delete the workplace account. | Select to prevent the end user from unenrolling from UEM and deleting company account image. | |
Windows Phone 10+ | ||
Disable user to factory reset the device by using control panel and hardware key combination | Select to prevent the end user from setting the device lock grace period. | |
Require users to connect to network during device set up (Autopilot profile is required) | Select this option to enable TenantLockdown to lock all the Windows devices that are enrolled using the Autopilot feature. | |
8.1+ Windows Phone 8.1 & Windows 10 Mobile | ||
Require device encryption | Select to turn on internal storage encryption. Once turned on, this option cannot be changed by the UEM server. | |
Disable user from setting the device lock grace period | Select to pevent user from setting the device lock grace period. |
Windows 8.1 devices do not report their serial number.