pdf icon
Category Filter

Restrictions

You can impose restrictions on the managed Windows devices by creating a profile and associating the profile to the devices or groups. Restrictions profile is applicable for devices running Windows 8.1 or later versions. Restrictions can also be applied on Surface Hubs running Windows 10 Team OS.

Note:To view a detailed comparison of various policies supported with respect to specific OS version, click here.

Profile Description

Profile Specification Description
Device Functionality
Enforce Device Encryption Allow/Restrict encrypting the data stored in the managed device
Disable SD Card Allow/Restrict using SD Card (external memory) in the managed device
Camera Allow/Restrict using camera in the managed device
Screen Capture Allow/Restrict capturing the device screen as images
Telemetry Allow/Restrict/Partially Allow posting anonymous data to Windows for fixing security issues and other bugs
Microsoft Store Allow/Restrict access to Microsoft Windows App Store from the managed device
Data transfer through USB Allow/Restrict transfer of data between the managed device to computers and laptops. In case of USB devices, only the storage drive cannot be used. You will still be able to use a mouse/keyboard connected via USB.
Microsoft feedback notifications Allow/Restrict feedback notifications from Microsoft
Modify device date/time Allow/Restrict modifying date/time in the managed device
Modify device name Allow/Restrict modifying the device name
Network
Sharing Internet Allow/Restrict sharing Internet between the managed device and other devices
VPN Allow/Restrict establishing connection via VPN from the managed device
Allow VPN usage while using Cellular Data Allow/Restrict establishing connection via VPN, while using Cellular Data
Allow VPN Roaming while using Cellular Data Allow/Restrict VPN Roaming while using Cellular Data
Cellular Network This option lets the Cellular Network be on always or leaves it to user's control
Cellular Data usage while Roaming Allow/Restrict using cellular data, while Roaming
Wi-Fi Allow/Restrict using Wi-Fi in the managed device
Wi-Fi Configuration Allow/Restrict manual addition of Wi-Fi connections in the managed device.
Automatically connect to Wi-Fi Sense Hotspots Allow/Restrict automatic connection to Wi-Fi Hotspots
Security and Privacy
Clipboard share Allow/Restrict copy and pasting data in the managed device
Location Services Allow/Restrict using Location Services in the managed device
Microsoft account Connection Allow/Restrict addition of Microsoft accounts in the managed device. This profile is not applied if the device already has a Microsoft account added
Adding Non-Microsoft account manually Allow/Restrict adding non-Microsoft accounts in the managed device
Install root certificates Allow/Restrict installing root certificates in the managed device
Developer Unlock Allow/Restrict Developer Unlock option in the managed device. Developer Unlock option provides advanced controls such as accessing the data/file in the device OS
Reset device Allow/Restrict resetting the managed device
Action Center Notifications Allow/Restrict receiving Action Center Notifications
Toast Notifications Allow/Restrict Toast Notifications
FIPS Compliance This option lets you secure device communications and data only using FIPS-compliant algorithms. It is recommended to read this before configuring the restriction
Add Provisioning package Allow/Restrict adding Provisioning packages in the managed device
Remove existing Provisioning package Allow/Restrict removing Provisioning packages already present in the managed device
Anti-Theft Mode Allow/Restrict Anti-Theft mode in the device
Social and Search
Cortana Allow/Restrict Cortana in the managed device
Voice Recording Allow/Restrict voice recording in the device
Save "Office files" Allow/Restrict saving Microsoft Office files in the device
Share "Office Files" Allow/Restrict sharing Microsoft Office files from the managed device
Sync My Settings Allow/Restrict Sync My Settings feature in the device
Store images from Vision Search Allow/Restrict storing images from Vision Search in the managed device.
Safe Search permissions Allow/Restrict using Safe Search in the managed device
Allow "Search" to use Location Services Allow/Restrict the usage of Location Services by the default search engine, Bing
Application
Non-Store app installation Allow/Restrict installation of non-Store apps in the managed device. It can also be user-controlled
Install apps in device memory Allow/Restrict installation of apps in the device memory
Store app data in device memory Allow/Restrict storage of data by apps in the device memory
Auto-update of Store apps Allow/Restrict automatic update of Store apps present on the device
Allow access only to Private Store Allow/Prevent downloading of apps not managed by the organization.
NFC and Bluetooth
NFC Allow/Restrict NFC functionality in the managed devices
Bluetooth Allow/Restrict Bluetooth functionality in the managed device
Bluetooth discovery Allow/Restrict Bluetooth discovery in the managed device
Bluetooth pre-pairing Allow/Restrict Bluetooth pre-pairing in the managed device. Pre-pairing is a process by which the Bluetooth peripherals are automatically paired during the manufacturing process. User needn't manually pair these peripherals as they paired when setup for the first time. If the peripherals are unpaired and within range of the other paired device, they get paired automatically. For more details, refer to this.
Bluetooth services advertising Allow/Restrict advertising Bluetooth services
Jump To