Restrictions
You can impose restrictions on the managed Windows devices by creating a profile and associating the profile to the devices or groups. Restrictions profile is applicable for devices running Windows 8.1 or later versions. Restrictions can also be applied on Surface Hubs running Windows 10 Team OS.
Note:To view a detailed comparison of various policies supported with respect to specific OS version, click here.
Profile Description
| Profile Specification | Description |
|---|---|
| Device Functionality | |
| Disable Storage Devices | Allows you to disable the use of external storage devices such as USB drives or SD cards on the device. This helps prevent unauthorized data transfer and enhances security. |
| Camera | Controls access to the device's camera. You can either allow or restrict camera usage. |
| Screen Capture | This setting governs the ability to take screenshots or screen recordings on the device. Restricting screen capture can prevent sensitive information from being shared. |
| Telemetry | Manages the amount of diagnostic data that the device sends to Microsoft. Options include allowing all data, sending only partial data, or disabling telemetry entirely. This helps to control privacy and security compliance. |
| Microsoft feedback notifications | Allows you to restrict or allow notifications prompting users to provide feedback to Microsoft. |
| Modify device date & time | Controls whether users are allowed to manually change the device’s date and time settings. |
| Modify device name | Determines whether users are permitted to change the name of the device. |
| Network | |
| Internet sharing | Controls whether users can share the device's internet connection with other devices (e.g., through tethering or hotspot). Disabling this can prevent unauthorized use of network resources. |
| VPN | Determines whether users are allowed to establish a VPN connection on the device. Restricting VPN usage may be necessary for security and compliance policies. |
| VPN usage while using cellular data | Allows or restricts VPN usage when the device is connected to a cellular data network. You can also set this to "User Controlled" for flexibility based on user or network preferences. |
| VPN roaming while using cellular data | Controls VPN usage when the device is roaming on cellular networks. Setting this option to "User Controlled" allows the user to decide, while restricting it can help avoid additional data charges. |
| Cellular Network | Manages the cellular data connection of the device. You can turn the cellular network on or off to control data usage and mobile connectivity. |
| Wi-Fi | Enables or restricts the device's ability to connect to Wi-Fi networks. Disabling Wi-Fi may be useful in secure environments where only wired connections are allowed. |
| Allow Wi-Fi Configuration | Controls whether users are allowed to configure Wi-Fi settings on the device. Restricting this ensures that only authorized Wi-Fi networks can be connected. |
| Automatically connect to Wi-Fi Sense hotspots | Wi-Fi Sense is a feature that allows devices to automatically connect to trusted open Wi-Fi networks. Disabling this can prevent the device from automatically joining unsecured networks. |
| Security and Privacy | |
| Location services | Controls whether location services are enabled or disabled on the device. Allowing this grants apps and services access to the device's location, while restricting it enhances privacy by preventing location tracking. You can also set this to be User Controlled. |
| Sync settings across all devices | Determines whether users can sync settings (such as themes, passwords, and language preferences) across multiple devices using their Microsoft account. Restricting this can help keep settings isolated to specific devices. |
| Microsoft account connection | Manages whether users are allowed to connect their Microsoft account to the device. Restricting this can prevent access to Microsoft services and apps tied to personal accounts, promoting stricter control over data sharing. |
| Adding non-Microsoft accounts manually | Controls whether users can add accounts from non-Microsoft services (e.g., Google, Yahoo) to the device. Restricting this can help limit external account integration and improve data security. |
| Developer unlock | Governs whether the device can be unlocked for developer mode, which allows sideloading of apps and advanced settings. Setting this to "User Controlled" can allow flexible usage while maintaining security. |
| Reset device | Allows or restricts the option for users to reset the device to factory settings. Restricting this can prevent accidental or unauthorized device resets. |
| Toast notifications | Controls whether users can receive toast notifications on the device (pop-up alerts from apps). Restricting this can reduce distractions or improve focus in a work environment. |
| FIPS compliance | Ensures the device uses FIPS-compliant encryption algorithms. Enabling this enhances security by adhering to government-level encryption standards. |
| Add provisioning package | Manages whether users can add provisioning packages, which are used to configure device settings and policies. Restricting this can prevent unauthorized changes to device configurations. |
| Remove existing provisioning package | Controls whether users can remove provisioning packages that are already applied to the device. Restricting this ensures that applied configurations remain intact. |
| Applications | |
| Install Non-Store apps | Controls whether users can install apps from sources other than the Microsoft Store. Allowing this gives flexibility to install third-party apps, while restricting it ensures that only vetted apps from the store can be installed, enhancing security. |
| Install apps only in device memory | Determines whether apps can only be installed in the internal storage of the device. Restricting apps to internal memory can ensure better performance and prevent external storage usage, which may be less secure. |
| Store app data only in device memory | Ensures that app-related data (e.g., settings, cache) is stored only on the device’s internal memory. |
| Auto-Update Store apps | Governs whether apps downloaded from the Microsoft Store automatically update. Setting this to "User Controlled" allows users to decide, while automatic updates can ensure apps are always up-to-date with security patches and features. |
| Bluetooth | |
| Bluetooth | Enables or restricts the device from connecting to other devices via Bluetooth. |
| Bluetooth discovery | Controls whether the device can be discoverable by other Bluetooth-enabled devices. Allowing discovery makes the device visible for pairing, while restricting it prevents unauthorized pairing. |
| Bluetooth pre-pairing | Determines whether the device can be pre-paired with specific Bluetooth devices before deployment. Allowing this simplifies the setup process for certain peripherals (e.g., keyboards, mice), while restricting it may require users to pair devices manually. For details, refer here. |
| Bluetooth services advertising | Governs whether the device can advertise its Bluetooth services to nearby devices. Allowing advertising enables other devices to detect services offered by the device (e.g., file transfer, audio streaming), while restricting it limits Bluetooth functionality and enhances privacy. |
Jump To