You can impose restrictions on the managed Windows devices by creating a profile and associating the profile to the devices or groups. Restrictions profile is applicable for devices running Windows 8.1 or later versions. Restrictions can also be applied on Surface Hubs running Windows 10 Team OS.
Note:To view a detailed comparison of various policies supported with respect to specific OS version, click here.
| Profile Specification | Description |
|---|---|
| Device Functionality | |
| Enforce Device Encryption | Allow/Restrict encrypting the data stored in the managed device |
| Disable SD Card | Allow/Restrict using SD Card (external memory) in the managed device |
| Camera | Allow/Restrict using camera in the managed device |
| Screen Capture | Allow/Restrict capturing the device screen as images |
| Telemetry | Allow/Restrict/Partially Allow posting anonymous data to Windows for fixing security issues and other bugs |
| Microsoft Store | Allow/Restrict access to Microsoft Windows App Store from the managed device |
| Data transfer through USB | Allow/Restrict transfer of data between the managed device to computers and laptops. In case of USB devices, only the storage drive cannot be used. You will still be able to use a mouse/keyboard connected via USB. |
| Microsoft feedback notifications | Allow/Restrict feedback notifications from Microsoft |
| Modify device date/time | Allow/Restrict modifying date/time in the managed device |
| Modify device name | Allow/Restrict modifying the device name |
| Network | |
| Sharing Internet | Allow/Restrict sharing Internet between the managed device and other devices |
| VPN | Allow/Restrict establishing connection via VPN from the managed device |
| Allow VPN usage while using Cellular Data | Allow/Restrict establishing connection via VPN, while using Cellular Data |
| Allow VPN Roaming while using Cellular Data | Allow/Restrict VPN Roaming while using Cellular Data |
| Cellular Network | This option lets the Cellular Network be on always or leaves it to user's control |
| Cellular Data usage while Roaming | Allow/Restrict using cellular data, while Roaming |
| Wi-Fi | Allow/Restrict using Wi-Fi in the managed device |
| Wi-Fi Configuration | Allow/Restrict manual addition of Wi-Fi connections in the managed device. |
| Automatically connect to Wi-Fi Sense Hotspots | Allow/Restrict automatic connection to Wi-Fi Hotspots |
| Security and Privacy | |
| Clipboard share | Allow/Restrict copy and pasting data in the managed device |
| Location Services | Allow/Restrict using Location Services in the managed device |
| Microsoft account Connection | Allow/Restrict addition of Microsoft accounts in the managed device. This profile is not applied if the device already has a Microsoft account added |
| Adding Non-Microsoft account manually | Allow/Restrict adding non-Microsoft accounts in the managed device |
| Install root certificates | Allow/Restrict installing root certificates in the managed device |
| Developer Unlock | Allow/Restrict Developer Unlock option in the managed device. Developer Unlock option provides advanced controls such as accessing the data/file in the device OS |
| Reset device | Allow/Restrict resetting the managed device |
| Action Center Notifications | Allow/Restrict receiving Action Center Notifications |
| Toast Notifications | Allow/Restrict Toast Notifications |
| FIPS Compliance | This option lets you secure device communications and data only using FIPS-compliant algorithms. It is recommended to read this before configuring the restriction |
| Add Provisioning package | Allow/Restrict adding Provisioning packages in the managed device |
| Remove existing Provisioning package | Allow/Restrict removing Provisioning packages already present in the managed device |
| Anti-Theft Mode | Allow/Restrict Anti-Theft mode in the device |
| Social and Search | |
| Cortana | Allow/Restrict Cortana in the managed device |
| Voice Recording | Allow/Restrict voice recording in the device |
| Save "Office files" | Allow/Restrict saving Microsoft Office files in the device |
| Share "Office Files" | Allow/Restrict sharing Microsoft Office files from the managed device |
| Sync My Settings | Allow/Restrict Sync My Settings feature in the device |
| Store images from Vision Search | Allow/Restrict storing images from Vision Search in the managed device. |
| Safe Search permissions | Allow/Restrict using Safe Search in the managed device |
| Allow "Search" to use Location Services | Allow/Restrict the usage of Location Services by the default search engine, Bing |
| Application | |
| Non-Store app installation | Allow/Restrict installation of non-Store apps in the managed device. It can also be user-controlled |
| Install apps in device memory | Allow/Restrict installation of apps in the device memory |
| Store app data in device memory | Allow/Restrict storage of data by apps in the device memory |
| Auto-update of Store apps | Allow/Restrict automatic update of Store apps present on the device |
| Allow access only to Private Store | Allow/Prevent downloading of apps not managed by the organization. |
| Browser | |
| Internet Explorer/Edge Browser | Allow/Restrict Internet Explorer(in case of Windows 8.1 devices) or Edge(in case of Windows 10) in the managed device. However, usage of other browsers installed in the device is possible. In case Laptops, Desktops, and Surface Pros, the users can still access the browser but with the below restrictions applied to the browser. |
| Windows 10 Restrictions(Common to all devices) | |
| Cookies | Allow/Restrict usage of cookies in the managed device |
| In-Private browsing | Allow/Restrict In-Private browsing in the managed device |
| Save passwords locally | Allow/Restrict passwords to be saved locally in the device memory |
| Search suggestions in address bar | Allow/Restrict search suggestions in the browser |
| Force fraudulent website warning | Allow/Restrict fraudulent website warning in the managed device |
| Override fraudulent website warning | Allow/Restrict overriding a fraudulent website warning |
| Override malicious file warning | Allow/Restrict overriding a malicious file warning |
| Allow "Do not track" request | Allow/Restrict do not track requests in browsers |
| Windows 10 Restrictions (Applicable only for Desktops, Laptops, and Surface Pro) | |
| Address bar dropdown | Allow/Restrict website suggestions, in the form of address bar dropdown on the browser |
| Browser Extensions | Allow/Restrict installation of extensions. Enabling this also restricts usage of existing installations |
| Delete browsing history on exiting browser | Allow/Restrict automatic removal of browser history, once user closes the browser |
| Access about:flags page on the browser | Allow/Restrict the user access to about:flags page. This page is used to configure basic developer settings. |
| Allow Flash to run on the browser | Allow/Restrict execution of Flash, present on the websites |
| Run Flash without user intervention | Allow/Restrict automatic execution of Flash. If restricted, user is prompted for permission to run Flash. |
| Autofill | Allow/Restrict automatic pre-filling of websites on the browser |
| Popups | Allow/Restrict display of browser popups |
| Developer Tools | Allow/Restrict access to Developer Tools |
| NFC and Bluetooth | |
| NFC | Allow/Restrict NFC functionality in the managed devices |
| Bluetooth | Allow/Restrict Bluetooth functionality in the managed device |
| Bluetooth discovery | Allow/Restrict Bluetooth discovery in the managed device |
| Bluetooth pre-pairing | Allow/Restrict Bluetooth pre-pairing in the managed device. Pre-pairing is a process by which the Bluetooth peripherals are automatically paired during the manufacturing process. User needn't manually pair these peripherals as they paired when setup for the first time. If the peripherals are unpaired and within range of the other paired device, they get paired automatically. For more details, refer to this. |
| Bluetooth services advertising | Allow/Restrict advertising Bluetooth services |
