Windows Restrictions

Windows restrictions determine which features are enabled on Windows 10+ devices.

Windows Restrictions settings

Category

Setting

What To Do

 

Name

Enter a name that identifies this configuration.

 

Description

Enter a description that clarifies the purpose of this configuration.

Device Capabilities

All Versions (Windows 10+)
 

Disable Wi-Fi offloading

Select to prevent the device from accessing compatible networks to carry data intended for authorized wireless networks.

 

Disable internet sharing

Select to prevent the device from accessing the internet by means of another wireless device.

 

Disable location

Select to disable location services.

 

Disable cellular data roaming

Select to disable data roaming when the device is in cellular mode.

 

Disable Bluetooth

Select to prevent the device from establishing Bluetooth connections.

 

Disable VPN when roaming or on a cellular network

Select to prevent the device from establishing VPN connections when not on Wi-Fi.

Telemetry

- Allow device to send diagnostic and usage telemetry data.

Windows 10 only

 

Telemetry level

Select one of the following telemetry levels of data reporting:
  • Security - Send information about the Connected User Experience, Telemetry Component Settings, the Malicious Software Removal Tool, and Windows Defender.
  • Basic - Send basic device information that includes quality-related data, app compatibility, app usage data, and data from the Security level.
  • Enhanced - Send more information that includes usage and performance of Windows, Windows Server, System Center, and apps. Also includes advanced reliability data, and data from both the Basic and the Security levels.
  • Full (Default) - Send all data to identify and help fix the problems, plus data from the Security, Basic, and Enhanced levels.

Data Loss Prevention (DLP)

All Versions (Windows 10+)

 

Disable camera

Select to prevent the end user from using the camera app.

 

Disable access to storage (SD) card

Select to prevent the device from accessing a storage card.

Data Usage

Windows 10+
 

Cost of 3G Connections

Select one of the following options:

  • Unrestricted - Connection is unlimited and not restricted by usage charges and capacity constraints.
  • Fixed - Connection is restricted by usage charges and capacity constraints after a certain data limit.
  • Variable - Connection is charged on a per byte basis.
 

Cost of 4G Connections

Defender

Windows 10+
 

Disable Defender RealTime Monitoring functionality

Select to disable Windows Defender real-time monitoring functionality.

DeviceGuard

Windows 10+
 

Disable virtualization-based security (VBS)

Select to prevent virtualization-based security from providing support for security services.

 

Credential Guard with virtualization-based security

Select one of the following options:

  • Disabled - Disable Credential Guard with virtualization-based security.
  • Enabled with UEFI lock - Enable Credential Guard with virtualization-based security with Unified Extensible Firmware Interface (UEFI) lock.
  • Enabled without lock - Enable Credential Guard with virtualization-based security without UEFI lock.
 

Platform Security Level (Require Platform Security Features)

Select one of the following options:

  • VBS with Secure Boot - Select this option to enable virtualization-based security with secure boot.

  • VBS with Secure Boot and Direct Memory Access - Select this option to enable virtualization-based security with secure boot and direct memory access (DMA).
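
To confirm on an enrolled device that the DeviceGuard options above actually took effect, the following added example (not part of the original page or the vendor's tooling) reads the effective state from the Win32_DeviceGuard WMI class. The function name and its two parameters are hypothetical and mirror the choices made in the configuration; it covers the case where VBS is meant to be enabled.

```powershell
# Added example (not vendor code): report the effective VBS / Credential Guard
# state on the local device using the Win32_DeviceGuard WMI class.
function Test-DeviceGuardState {
    param(
        # Hypothetical parameters mirroring the choices made in the configuration.
        [bool]$ExpectCredentialGuard = $true,   # one of the "Enabled" options selected
        [bool]$ExpectDmaProtection   = $false   # "VBS with Secure Boot and Direct Memory Access"
    )

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # Value meanings as documented for Win32_DeviceGuard.
    $vbsText  = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }
    $vbs      = [int]$dg.VirtualizationBasedSecurityStatus   # cast: hashtable keys are Int32
    $required = @($dg.RequiredSecurityProperties)    # 2 = Secure Boot, 3 = DMA protection
    $offered  = @($dg.AvailableSecurityProperties)   # what the hardware can provide
    $running  = @($dg.SecurityServicesRunning)       # 1 = Credential Guard
    $findings = [System.Collections.Generic.List[string]]::new()

    if ($vbs -ne 2) {
        $findings.Add("VBS status: $($vbsText[$vbs])")
    }
    if ($required -notcontains 2) {
        $findings.Add('Secure Boot is not a required platform security feature')
    }
    if ($ExpectDmaProtection) {
        if ($offered -notcontains 3)  { $findings.Add('Hardware does not offer DMA protection') }
        if ($required -notcontains 3) { $findings.Add('DMA protection is not a required feature') }
    }
    if ($ExpectCredentialGuard -and $running -notcontains 1) {
        $findings.Add('Credential Guard is expected but is not running')
    }

    [pscustomobject]@{
        VbsStatus              = $vbsText[$vbs]
        CredentialGuardRunning = ($running -contains 1)
        RequiredProperties     = $required
        Compliant              = ($findings.Count -eq 0)
        Findings               = $findings
    }
}

# Example call for a profile that selects Credential Guard and the DMA platform level.
Test-DeviceGuardState -ExpectCredentialGuard $true -ExpectDmaProtection $true
```

When Credential Guard was enabled with UEFI lock, later selecting Disabled in the configuration does not turn it off by itself, because the setting persists in UEFI until it is cleared on the device.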

Privacy

Windows 10+
 

Disable the Advertising ID

Select to disable Advertising ID.

 

Disable to publish the activity feed by Apps/OS

Select to prevent Apps/OS from publishing to the activity feed.

Windows and Application

All Versions (Windows 10+)

 

Disable Microsoft accounts for service other than email

Select to prevent the end user from using Microsoft accounts for authenticating to non-email services.

 

Disable non-Microsoft accounts

Select to prevent the end user from configuring email using non-Microsoft accounts.

 

Disable Cortana personal assistant

Select to prevent the end user from accessing Microsoft's personal assistant.

 

Disable location-based search

Select to prevent searches from leveraging the device location.

 

Disable developer unlock

Select to prevent the end user from enabling sideloading of apps. The default mode when a device is enrolled in MDM is SideLoad enabled.

  11+ Supported Editions only  
 

Configuration of the Teams Chat Icon on the taskbar

Select one of the following options:

  • Show: Chat icon appears on the taskbar by default. Users can show or hide it in Settings.

  • Hide: Chat icon hidden by default. Users can show or hide it in Settings.

  • Disabled: Chat icon not displayed, and users cannot show or hide it in Settings.

  • Not Configured: Chat icon behaves according to the defaults for your Windows edition.

    Changes do not take effect until restart of the Windows device.

  Windows 10+ Supported Versions only
 

Disable automatic update of apps from Microsoft Store

Select to prevent automatic update of apps from the Microsoft Store.

 

Disable the launch of all apps from Microsoft Store that came preinstalled or were downloaded

Select to prevent the end user from launching all pre-installed or downloaded apps from Microsoft Store.

Supports only Enterprise and Education Windows editions.

 

Let apps run in the background

Select one of the following options:

  • User in control: allows the user to control the running of apps in the background.
  • Force allow: allows running apps in the background.
  • Force deny: prevents running of apps in the background.

Other Restrictions

All Versions (Windows 10+)
 

Disable ability to unenroll from UEM and delete the workplace account.

Select to prevent the end user from unenrolling from UEM and deleting company account image.

  Windows 10+ Supported Versions only
 

Disable user to factory reset the device by using control panel and hardware key combination

Select to prevent the end user from setting the device lock grace period.

 

Require users to connect to network during device set up (Autopilot profile is required)

Select this option to enable TenantLockdown to lock all the Windows devices that are enrolled using the Autopilot feature.