Windows Restrictions

Windows restrictions determine which features are enabled on Windows desktops and mobile devices.

Windows Restrictions settings

Category

Setting

What To Do

 

Name

Enter a name that identifies this configuration.

 

Description

Enter a description that clarifies the purpose of this configuration.

Device Capabilities

 All Versions (Windows 10 Desktop and Mobile, Windows 8.1 Desktop and Mobile)
 

Disable Wi-Fi offloading

Select to prevent the device from accessing compatible networks to carry data intended for authorized wireless networks.

 

Disable internet sharing

Select to prevent the device from accessing the internet by means of another wireless device.

 

Disable location

Select to disable location services.

 

Disable cellular data roaming

Select to disable data roaming when the device is in cellular mode.

 

Disable bluetooth

Select to prevent the device from establishing bluetooth connections.
 

Disable VPN when roaming or on a cellular network

Select to prevent the device from establishing VPN connections when not on WiFi.
  8.1 Windows Phone 8.1 only
 

Disable Wi-Fi Hotspot reporting

Select to prevent the device from automatically reporting HotSpot information to Microsoft.
  8.1+ Windows Phone 8.1 & Windows 10 Mobile
 

Disable Wi-Fi

Select to prevent the device from accessing wireless networks.
 

Disable manual configuration of Wi-Fi

Select to prevent the device from accessing wireless networks outside of those defined by Ivanti Neurons for MDM.
 

Disable NFC

Select to prevent the device from establishing radio communication with another device by getting close to or touching another device.

 

Disable manual root certificate installation

Select to prevent the end user from manually installing root and intermediate certificates.

Telemetry

- Allow device to send diagnostic and usage telemetry data.

 Windows 10 only

 

Telemetry level

 Select one of the following telemetry levels of data reporting:
  • Security - Send information about the Connected User Experience, Telemetry Component Settings, the Malicious Software Removal Tool, and Windows Defender.
  • Basic - Send basic device information that includes quality-related data, app compatibility, app usage data, and data from the Security level.
  • Enhanced - Send more information that includes usage and performance of Windows, Windows Server, System Center, and apps. Also includes advanced reliability data, and data from both the Basic and the Security levels.
  • Full (Default) - Send all data to identify and help fix the problems, plus data from the Security, Basic, and Enhanced levels.

Data Loss Prevention (DLP)

 All Versions (Windows 10 Desktop and Mobile, Windows 8.1 Desktop and Mobile)

 

Disable camera

Select to prevent the end user from using the camera app.

 

Disable access to storage (SD) card

Select to prevent the device from accessing a storage card.

 

 8.1 Windows Phone 8.1 only

 

Disable offline "Save As"

Select to prevent the end user from using the Save As command with Office Hub files.

 

Disable offline sharing

Select to prevent the end user from sharing Office Hub files.

 

 8.1+ Windows Phone 8.1 & Windows 10 Mobile
 

Disable copy and paste

Select to prevent the end user from copying and pasting data between apps.
 

Disable screen capture

Select to prevent the end user from using the screen capture feature on the device.
 

Disable voice recording

Select to prevent the end user from using the voice recording feature.
 

Disable USB mass storage

Select to prevent the end user from accessing device storage from a desktop by means of a USB.

Data Usage

 Windows 10+
 

Cost of 3G Connections

Select one of the following options:

  • Unrestricted - Connection is unlimited and not restricted by usage charges and capacity constraints.
  • Fixed - Connection is restricted by usage charges and capacity constraints after a certain data limit.
  • Variable - Connection is charged on a per byte basis.
 

Cost of 4G Connections

Defender

 Windows 10+
 

Disable Defender RealTime Monitoring functionality

Select to disable Windows Defender Realtime Monitoring functionality

DeviceGuard

 Windows 10+
 

Disable virtualization based security(VBS)

Select to prevent virtualization based security from providing support for security services.
 

Credential Guard with virtualization-based security

Select one of the following options:

  • Disabled - Disable Credential Guard with virtualization-based security.
  • Enabled with UEFI lock - Enable Credential Guard with virtualization-based security with Unified Extensible Firmware Interface (UEFI) lock.
  • Enabled without lock - Enable Credential Guard with virtualization-based security without UEFI)lock.
 

Platform Security Level (Require Platform Security Features)

Select one of the following options:

  • VBS with Secure Boot - Select this option to enable virtualization-based security with secure boot.

  • VBS with Secure Boot and Direct memory Access - Select this option to enable virtualization-based security with secure boot and direct memory access(DMA).

Privacy

 Windows 10+
 

Disable the Advertising ID

Select to disable Advertising ID.
 

Disable to publish the activity feed by Apps/OS

Select to prevent Apps/OS to publish to the activity feed.

Windows and Application

 All Versions (Windows 10 Desktop and Mobile, Windows 8.1 Desktop and Mobile)

 

Disable Microsoft accounts for service other than email

Select to prevent the end user from using Microsoft accounts for authenticating to non-email services.
 

Disable non-Microsoft accounts

Select to prevent the end user from configuring email using non-Microsoft accounts.
 

Disable Cortana personal assistant

Select to prevent the end user from accessing Microsoft's personal assistant.
 

Disable location-based search

Select to prevent searches from leveraging the device location.
 

Disable developer unlock

Select to prevent the end user from enabling sideloading of apps. The default mode when a device is enrolled in MDM is SideLoad enabled.
  11+ Enterprise Edition  
 

Configuration of the Teams Chat Icon on the taskbar

Select one of the following options:

  • Show: Chat icon appears on the taskbar by default. Users can show or hide it in Settings.

  • Hide: Chat icon hidden by default. Users can show or hide it in Settings.

  • Disabled: Chat icon not displayed, and users cannot show or hide it in Settings.

  • Not Configured: Chat icon behaves according to the defaults for your Windows edition.

    Changes do not take effect until restart of the Windows device.

  Windows Phone 10+
 

Disable automatic update of apps from Microsoft Store

Select to prevent automatic update of apps from the Microsoft Store.
 

Disable the launch of all apps from Microsoft Store that came preinstalled or were downloaded

Select to prevent the end user from launching all pre-installed or downloaded apps from Microsoft Store.

Supports only Enterprise and Education Windows editions.
 

Let apps run in the background

Select one of the following options:

  • User in control: allows the user to control the running of apps in the background.
  • Force allow: allows running apps in the background.
  • Force deny: prevents running of apps in the background.
  Windows Phone 8.1 only
 

Disable storing images from Visual Search feature

Select to prevent the end user from saving images Bing Vision searches.
  8.1+  Windows Phone 8.1 & Windows 10 Mobile
 

Disable Microsoft Store

Select to prevent the end user from accessing the Microsoft app store.
 

Disable Internet Explorer

Select to prevent the end user from accessing Internet Explorer.
 

Disable alerts from Actions Center

Select to prevent display of Action Center alerts above the lock screen.

Secure Browser Settings

 10+ Windows 10 Desktop and Mobile
 

Disable Browser Pop-ups on desktops

(Desktop devices only) Select to disable pop-up browser windows in Microsoft Edge browser.
 

Disable Password Manager

Select to disable saving and managing passwords locally on the devices.

Other Restrictions

 All Versions (Windows 10 Desktop and Mobile, Windows 8.1 Desktop and Mobile)
 

Disable ability to unenroll from  UEM and delete the workplace account.

Select to prevent the end user from unenrolling from UEM and deleting company account image.
  Windows Phone 10+
 

Disable user to factory reset the device by using control panel and hardware key combination

Select to prevent the end user from setting the device lock grace period.
 

Require users to connect to network during device set up (Autopilot profile is required)

Select this option to enable TenantLockdown to lock all the Windows devices that are enrolled using the Autopilot feature.
  8.1+  Windows Phone 8.1 & Windows 10 Mobile
 

Require device encryption

Select to turn on internal storage encryption. Once turned on, this option cannot be changed by the UEM server.
 

Disable user from setting the device lock grace period

Select to pevent user from setting the device lock grace period.

Windows 8.1 devices do not report their serial number.