Feature Control (Desktop)
Use this dialog box to configure individual device features.
Hardware
Feature Control Option | Description | Supported on Home Edition |
---|---|---|
Disable Device Location Switch | Prevents device user from switching the Location Service's Device Switch on or off. | No |
Disable Camera | Prevent the user from using the camera on the device. | No |
Disable Location Service | Disable any Location Services on the device. This will also block various applications on the device from using Location Services. | No |
Application
Feature Control Option | Description | Supported on Home Edition |
---|---|---|
Disable DVR and Broadcasting | Prevents use of DVR and broadcasting. | No |
Disable App Install Control | Specify if device users are allowed to install apps from sources other than the Windows Store. | No |
Disable Store Application Automatic Update | Specify if device users can control the update schedule of apps from the Windows Store. | No |
Let Apps Run in the Background | Specify if device users can allow Windows apps to run in the background. | No |
Cellular Data and Roaming
Feature Control Option | Description | Supported on Home Edition |
---|---|---|
Disable Cellular Data Roaming | Prevent the user from using cellular data while the device is roaming. | No |
Disable Enterprise APN User Control | Prevents the device user from changing enterprise APN settings for the APN profile configuration. Supported on desktop devices running Windows 10 version 1703 and later. | Yes |
WiFi
Feature Control Option | Description | Supported on Home Edition |
---|---|---|
Disable WiFi Hotspot Reporting | Disable WiFi hotspot information from being reported to Microsoft. | No |
Disable Auto Connect to WiFi Sense Hotspots | Prevent the device from auto connecting to WiFi hotspots. | No |
Bluetooth
Feature Control Option | Description | Supported on Home Edition |
---|---|---|
Disable Bluetooth Advertising | Disable the device from acting as a source for advertisements. | No |
Disable Bluetooth Discoverable Mode | Disable the Bluetooth discoverable mode. | No |
Set Bluetooth Device Name | Enter a string that specifies the local Bluetooth device name. | No |
Disable Bluetooth | Prevent the user from enabling Bluetooth. | No |
Data Protection
Feature Control Option | Description | Supported on Home Edition |
---|---|---|
Disable SD Card Access | Disable access to the SD card directory. | No |
Disable Internet Sharing Over WiFi | Disables the device from being able to share Internet and becoming a WiFi hotspot. | No |
Disable Direct Memory Access | Disable Direct Memory Access. | No |
Experience
Feature Control Option | Description | Supported on Home Edition |
---|---|---|
Disable Cortana | Disable Cortana (personal digital assistant) on the device. | No |
Allow Manual MDM Unenrollment | Allow the user to unenroll the device. | No |
Disable Device Discovery on Lock Screen | Disable the device discovery user interface on the lock screen. | No |
System
Feature Control Option | Description | Supported on Home Edition |
---|---|---|
Disable OneDrive File Sync | Prevents apps and features from working with files on OneDrive. Note: This feature control option requires a device reboot. | No |
Disable Boot-Start Drivers | If you disable or do not configure this policy setting, the boot start drivers are determined to be either Good, Unknown or Bad. Boot critical drivers are initialized while Bad start drivers are skipped. | No |
Disable Enterprise Authentication Proxy | Prevents Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data to Microsoft on Windows 10. | No |
Disable System Restore | Prevents device user from accessing System Restore and the System Restore Wizard. The options to configure System Restore or create restore points through System Protection are also disabled. | No |
Require to Save Diagnostics Logs Locally | Mandate that all diagnostics are saved locally for use in internal investigations. | Yes |
Restrict Telemetry Data | Determines the amount of diagnostic and usage telemetry data sent to Microsoft. Choose one of the following levels: Levels are listed in order of least to most data sent. | No |
Disable Enhanced Diagnostic Data | Prevents device from sending Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. Restrict Telemetry Data must be set to Enhanced to use this feature. | No |
Disable Location Service | Determines the status of Location Services on the device. Applications on the device will be blocked from using Location Services. Choose an option from the dropdown list: | No |
Disable SD Card Access | Prevents device user from accessing data on SD card. | No |
Disable Windows Preview Builds | Prevents device user from downloading and installing Windows preview software. | No |
Disable Embedded Mode | Prevents device user from entering Embedded Mode. | No |
Allow Microsoft Experimentation | Allows Microsoft to conduct full experimentation to study user preferences or device behavior. | No |
Disable Font Providers | Prevents device user from downloading fonts and font catalog data from online font providers. | No |
Disable Factory Reset | Removes the ability to factory reset the device from the device user. | No |
Telemetry Proxy | Specifies a proxy server through which to forward Connected User Experiences and Telemetry requests. Enter the fully qualified domain name (FQDN) or IP address of a proxy server. The format for this setting is server:port. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device. | No |
Defender
Feature Control Option | Description | Supported on Home Edition |
---|---|---|
Disable Cloud Protection | Disables Cloud Protection. If this option is not selected, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information in their cloud and learn more about problems affecting users. Microsoft can then respond with the best possible solution. | Yes |
Average CPU Load Factor in Percent | Show the average CPU load factor for the scan (as a percent). | Yes |
Days to Retain Cleaned Malware | Time period (in days) that quarantined items will be stored on the system. | Yes |
Disable Archive Scanning | Disable scanning of archives. | Yes |
Disable Behavior Monitoring | Disable Defender's Behavior Monitoring functionality. | Yes |
Disable Email Scanning | Disable scanning of email. | Yes |
Disable Full Scan On Network Drives | Disable a full scan of mapped network drives. | Yes |
Disable Full Scan On Removable Drives | Disable a full scan of removable drives. | Yes |
Disable Intrusion Prevention System | Disable Defender's Intrusion Prevention functionality. | Yes |
Disable IOAVP Protection | Disable Defender's IOAVP Protection functionality. | Yes |
Disable On Access Protection | Disable Defender's On Access Protection functionality. | Yes |
Disable Realtime Monitoring | Disable Defender's Realtime Monitoring functionality. | Yes |
Disable Scanning Network Files | Disable scanning of network files. | Yes |
Disable Script Scanning | Disable Defender's Script Scanning functionality. | Yes |
Disable User UI Access | Disallow user access to the Defender UI. If disallowed, all Defender notifications will also be suppressed. | Yes |
Excluded Extensions | Allow an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by |. For example, "lib|obj". | Yes |
Excluded Paths | Allow an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by |. For example, "C:\Example|C:\Example1". | Yes |
Excluded Processes | Allow an administrator to specify a list of files opened by processes to ignore during a scan. | Yes |
Real Time Scan Direction | Control which sets of files should be monitored. Bidirectional – Monitor all files. Incoming – Monitor incoming files. Outgoing – Monitor outgoing files. | Yes |
Scan Type | Select whether to perform a quick scan or a full scan. Quick Scan – Perform a quick Defender scan. Full Scan – Perform a full Defender scan. | Yes |
Quick Scan Schedule in Minutes | Specify the time of day that the Defender quick scan should run. The time must be specified as the number of minutes past midnight (local time). Valid values are 0 to 1380 where 12:00 AM = 0, 1:00 AM = 60, and so on until 11:00 PM = 1380. | Yes |
Schedule Scan Day | Select the day on which the Defender scan should run. | Yes |
Schedule Scan Time in Minutes | Specify the time of day that the Defender scan should run. The time must be specified as the number of minutes past midnight (local time). Valid values are 0 to 1380 where 12:00 AM = 0, 1:00 AM = 60, and so on until 11:00 PM = 1380. | Yes |
Signature Update Interval in Hours | Specify the interval (in hours) that will be used to check for signatures; so instead of using the ScheduleDay and ScheduleTime, Windows will just check for new signatures as set per the interval. Interval is set in hours, so at most Windows will check for signatures every hour. | Yes |
Submit Samples Consent | Check for the user consent level in Defender to send data. If the required consent has already been granted, Defender submits them. If not (and if the user has specified never to ask), the UI is launched to ask for user consent (when Defender/AllowCloudProtection is allowed) before sending data. Always Prompt – Always prompt the user. Send Safe Samples – Send safe samples automatically. Never Send – Never send samples. Send All Samples – Send all samples automatically. | Yes |
Disable SmartScreen in Shell | Specify who can configure the SmartScreen for Windows. | No |
User Can Ignore SmartScreen Warning | Allows device user to ignore warnings in SmartScreen. Note: SmartScreen must be enabled. | No |
Text Input
Feature Control Option | Description | Supported on Home Edition |
---|---|---|
Disable IME Logging | For the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. | No |
Disable IME Network Access | Prevent the user from turning on Open Extended Dictionary, Internet Search Integration, or online services that provide input suggestions that don't exist in a PC's local dictionary. | No |
Disable Japanese IME Surrogate Pair Characters | Disable the Japanese IME surrogate pair characters. | No |
Disable Japanese IVS Characters | Disable Japanese Ideographic Variation Sequence (IVS) characters. | No |
Disable Japanese Non-Publishing Standard Glyph | Disable the Japanese non-publishing standard glyph. | No |
Disable Japanese User Dictionary | Disable the Japanese user dictionary. | No |
Disable Korean Extended Hanja | Disable the use of Korean Extended Hanja character set. | Yes |
Exclude Japanese IME Except JISO208 | Prevent users from restricting the character code range of conversion by setting the character filter. | No |
Exclude Japanese IME Except JISO208 and EUDC | Prevent users from restricting the character code range of conversion by setting the character filter. | No |
Exclude Japanese IME Except Shift JIS | Prevent users from restricting the character code range of conversion by setting the character filter. | No |
Update
Feature Control Option | Description | Supported on Home Edition |
---|---|---|
Auto Update Settings | Allow the IT administrator to manage automatic update behavior to scan, download, and install updates. | No |
Disable Non-Microsoft Signed Update | Disallow the IT administrator to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third-party software and patch distribution. Supported operations are Get and Replace. | No |
Disable Update Service | Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store. Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Windows Store. Enabling this policy will disable that functionality, and may cause connection to public services such as the Windows Store to stop working. Note: This policy applies only when the desktop or device is configured to connect to an intranet update service using the Custom Update WSUS server URL policy. | No |
Scheduled Install Time (0-23 hours) | Enable the IT administrator to schedule the time of the update installation. | No |
Custom Update WSUS Server URL | The URL of a custom update WSUS server. Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. | No |
Scheduled Install Day | Enable the IT administrator to schedule the day of the update installation. | No |
Security
Feature Control Option | Description | Supported on Home Edition |
---|---|---|
Disable Adding Provisioning Package | Specifies whether to allow the runtime configuration agent to install provisioning packages. | No |
Disable Removing Provisioning Package | Specifies whether to allow the runtime configuration agent to remove provisioning packages. | No |
Require Provisioning Package Signature | Specifies whether provisioning packages must have a certificate signed by a device trusted authority. | No |
Start Menu
Feature Control Option | Description | Supported on Home Edition |
---|---|---|
Hide Change Account Settings | Prevents the Change Account settings from appearing in Start Menu. | No |
Hide Frequently Used Apps | Prevents Frequently Used Apps from appearing in Start Menu. Note: Requires device restart. | No |
Hide Hibernate | Prevents Hibernate power option from appearing in Start Menu. | No |
Hide Lock | Prevents Lock from appearing in Start Menu. | No |
Hide Power Button | Prevents Power button from appearing in Start Menu. Note: Requires device restart. | No |
Hide Recent Jumplists | Prevents Recent Jumplists from appearing in Start Menu. Note: Requires device restart. | No |
Hide Recently Added Apps | Prevents Recently Added Apps from appearing in Start Menu. Note: Requires device restart. | No |
Hide Restart | Prevents Restart power option from appearing in Start Menu. | No |
Hide Shutdown | Prevents Shutdown power option from appearing in Start Menu. | No |
Hide Sign Out | Prevents Sign Out option from appearing in Start Menu. | No |
Hide Sleep | Prevents Sleep power option from appearing in Start Menu. | No |
Hide User Tile | Prevents user tiles from appearing in Start Menu. | No |
No Pinning to Taskbar | Prevents ability to pin apps to the taskbar. | No |