Windows Restrictions

Windows restrictions determine which features are enabled on Windows desktops and mobile devices.

Windows Restrictions settings

Category / Setting / What To Do

Name: Enter a name that identifies this configuration.

Description: Enter a description that clarifies the purpose of this configuration.

Device Capabilities
  All Versions (Windows 10 Desktop and Mobile, Windows 8.1 Desktop and Mobile)
    Disable WiFi offloading: Select to prevent the device from accessing compatible networks to carry data intended for authorized wireless networks.
    Disable internet sharing: Select to prevent the device from accessing the internet by means of another wireless device.
    Disable location: Select to disable location services.
    Disable cellular data roaming: Select to disable data roaming when the device is in cellular mode.
    Disable bluetooth: Select to prevent the device from establishing Bluetooth connections.
    Disable VPN when roaming or on a cellular network: Select to prevent the device from establishing VPN connections when not on WiFi.
  Windows Phone 8.1 only
    Disable WiFi Hotspot reporting: Select to prevent the device from automatically reporting hotspot information to Microsoft.
  8.1+ (Windows Phone 8.1 & Windows 10 Mobile)
    Disable WiFi: Select to prevent the device from accessing wireless networks.
    Disable manual configuration of WiFi: Select to prevent the device from accessing wireless networks outside of those defined by Ivanti Neurons for MDM.
    Disable NFC: Select to prevent the device from establishing radio communication with another device by getting close to or touching another device.
    Disable manual root certificate installation: Select to prevent the end user from manually installing root and intermediate certificates.

Telemetry - Allow device to send diagnostic and usage telemetry data.
  Windows 10 only
    Telemetry level: Select one of the following telemetry levels of data reporting:
      • Security - Send information about the Connected User Experience, Telemetry Component Settings, the Malicious Software Removal Tool, and Windows Defender.
      • Basic - Send basic device information that includes quality-related data, app compatibility, app usage data, and data from the Security level.
      • Enhanced - Send more information that includes usage and performance of Windows, Windows Server, System Center, and apps. Also includes advanced reliability data, and data from both the Basic and the Security levels.
      • Full (Default) - Send all data to identify and help fix the problems, plus data from the Security, Basic, and Enhanced levels.

Data Loss Prevention (DLP)
  All Versions (Windows 10 Desktop and Mobile, Windows 8.1 Desktop and Mobile)
    Disable camera: Select to prevent the end user from using the camera app.
    Disable access to storage (SD) card: Select to prevent the device from accessing a storage card.
  Windows Phone 8.1 only
    Disable offline "Save As": Select to prevent the end user from using the Save As command with Office Hub files.
    Disable offline sharing: Select to prevent the end user from sharing Office Hub files.
  8.1+ (Windows Phone 8.1 & Windows 10 Mobile)
    Disable copy and paste: Select to prevent the end user from copying and pasting data between apps.
    Disable screen capture: Select to prevent the end user from using the screen capture feature on the device.
    Disable voice recording: Select to prevent the end user from using the voice recording feature.
    Disable USB mass storage: Select to prevent the end user from accessing device storage from a desktop by means of a USB connection.
Data Usage
  Windows 10+
    Cost of 3G Connections: Select one of the following options:
      • Unrestricted - Connection is unlimited and not restricted by usage charges and capacity constraints.
      • Fixed - Connection is restricted by usage charges and capacity constraints after a certain data limit.
      • Variable - Connection is charged on a per byte basis.
    Cost of 4G Connections
Defender
  Windows 10+
    Disable Defender RealTime Monitoring functionality: Select to disable Windows Defender Realtime Monitoring functionality.
DeviceGuard
  Windows 10+
    Disable virtualization based security (VBS): Select to prevent virtualization-based security from providing support for security services.
    Credential Guard with virtualization-based security: Select one of the following options:
      • Disabled - Disable Credential Guard with virtualization-based security.
      • Enabled with UEFI lock - Enable Credential Guard with virtualization-based security with Unified Extensible Firmware Interface (UEFI) lock.
      • Enabled without lock - Enable Credential Guard with virtualization-based security without UEFI lock.
    Platform Security Level (Require Platform Security Features): Select one of the following options:
      • VBS with Secure Boot - Select this option to enable virtualization-based security with secure boot.
      • VBS with Secure Boot and Direct memory Access - Select this option to enable virtualization-based security with secure boot and direct memory access (DMA).

Privacy
  Windows 10+
    Disable the Advertising ID: Select to disable Advertising ID.
    Disable to publish the activity feed by Apps/OS: Select to prevent Apps/OS from publishing to the activity feed.
Windows and Application
  All Versions (Windows 10 Desktop and Mobile, Windows 8.1 Desktop and Mobile)
    Disable Microsoft accounts for service other than email: Select to prevent the end user from using Microsoft accounts for authenticating to non-email services.
    Disable non-Microsoft accounts: Select to prevent the end user from configuring email using non-Microsoft accounts.
    Disable Cortana personal assistant: Select to prevent the end user from accessing Microsoft's personal assistant.
    Disable location-based search: Select to prevent searches from leveraging the device location.
    Disable developer unlock: Select to prevent the end user from enabling sideloading of apps. The default mode when a device is enrolled in MDM is SideLoad enabled.
  11+ Enterprise Edition
    Configuration of the Teams Chat Icon on the taskbar: Select one of the following options:
      • Show: Chat icon appears on the taskbar by default. Users can show or hide it in Settings.
      • Hide: Chat icon hidden by default. Users can show or hide it in Settings.
      • Disabled: Chat icon not displayed, and users cannot show or hide it in Settings.
      • Not Configured: Chat icon behaves according to the defaults for your Windows edition.
      Changes do not take effect until the Windows device is restarted.
  Windows Phone 10+
    Disable automatic update of apps from Microsoft Store: Select to prevent automatic update of apps from the Microsoft Store.
    Disable the launch of all apps from Microsoft Store that came preinstalled or were downloaded: Select to prevent the end user from launching all pre-installed or downloaded apps from Microsoft Store. Supports only Enterprise and Education Windows editions.
    Let apps run in the background: Select one of the following options:
      • User in control: allows the user to control the running of apps in the background.
      • Force allow: allows running apps in the background.
      • Force deny: prevents running of apps in the background.
  Windows Phone 8.1 only
    Disable storing images from Visual Search feature: Select to prevent the end user from saving images from Bing Vision searches.
  8.1+ (Windows Phone 8.1 & Windows 10 Mobile)
    Disable Microsoft Store: Select to prevent the end user from accessing the Microsoft app store.
    Disable Internet Explorer: Select to prevent the end user from accessing Internet Explorer.
    Disable alerts from Actions Center: Select to prevent display of Action Center alerts above the lock screen.
Secure Browser Settings
  10+ (Windows 10 Desktop and Mobile)
    Disable Browser Pop-ups on desktops (Desktop devices only): Select to disable pop-up browser windows in the Microsoft Edge browser.
    Disable Password Manager: Select to disable saving and managing passwords locally on the devices.
Other Restrictions
  All Versions (Windows 10 Desktop and Mobile, Windows 8.1 Desktop and Mobile)
    Disable ability to unenroll from UEM and delete the workplace account: Select to prevent the end user from unenrolling from UEM and deleting the company account.
  Windows Phone 10+
    Disable user to factory reset the device by using control panel and hardware key combination: Select to prevent the end user from factory resetting the device by using the control panel and hardware key combination.
    Require users to connect to network during device set up (Autopilot profile is required): Select this option to enable TenantLockdown to lock all the Windows devices that are enrolled using the Autopilot feature.
  8.1+ (Windows Phone 8.1 & Windows 10 Mobile)
    Require device encryption: Select to turn on internal storage encryption. Once turned on, this option cannot be changed by the UEM server.
    Disable user from setting the device lock grace period: Select to prevent the user from setting the device lock grace period.

Windows 8.1 devices do not report their serial number.
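
One way to confirm on an enrolled Windows 10+ device that the DeviceGuard settings listed above took effect, given here as an added example that is not part of the original page or of Ivanti's product. It queries the built-in Win32_DeviceGuard CIM class; the function name Get-VbsComplianceReport and the -RequireDmaProtection switch are hypothetical.

```powershell
# Added example (not Ivanti code). Get-VbsComplianceReport is a hypothetical helper name.
# Reads the effective Device Guard state from the Win32_DeviceGuard CIM class.
function Get-VbsComplianceReport {
    [CmdletBinding()]
    param(
        # Set when the profile uses "VBS with Secure Boot and Direct memory Access".
        [switch]$RequireDmaProtection
    )

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsState = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
        0       { 'NotEnabled' }
        1       { 'EnabledNotRunning' }
        2       { 'Running' }
        default { 'Unknown' }
    }

    # Property arrays use numeric codes: security service 1 = Credential Guard;
    # security property 2 = Secure Boot, 3 = DMA protection.
    $configured = @($dg.SecurityServicesConfigured)
    $running    = @($dg.SecurityServicesRunning)
    $required   = @($dg.RequiredSecurityProperties)
    $available  = @($dg.AvailableSecurityProperties)

    $findings = @()
    if ($vbsState -ne 'Running') { $findings += "VBS state is $vbsState" }
    if (($configured -contains 1) -and ($running -notcontains 1)) {
        $findings += 'Credential Guard is configured but not running'
    }
    if ($required -notcontains 2) { $findings += 'Secure Boot is not a required platform feature' }
    if ($RequireDmaProtection) {
        if ($required -notcontains 3)  { $findings += 'DMA protection is not a required platform feature' }
        if ($available -notcontains 3) { $findings += 'Hardware does not report DMA protection' }
    }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        VbsState               = $vbsState
        CredentialGuardRunning = ($running -contains 1)
        Findings               = $findings
        Compliant              = ($findings.Count -eq 0)
    }
}

Get-VbsComplianceReport -RequireDmaProtection | Format-List
```

The class reports whether Credential Guard is running, not whether it was enabled with or without UEFI lock.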