Feature Control (Desktop)

Use this dialog box to configure individual device features.

Note: Some feature control policies are not supported on desktop devices running Windows 10 Home Edition.

Hardware

| Feature Control Option | Description | Supported on Home Edition |
| --- | --- | --- |
| Disable Device Location Switch | Prevents the device user from switching the Location Service's device switch on or off. | No |
| Disable Camera | Prevents the user from using the camera on the device. | No |
| Disable Location Service | Disables all Location Services on the device. This also blocks applications on the device from using Location Services. | No |

Application

| Feature Control Option | Description | Supported on Home Edition |
| --- | --- | --- |
| Disable DVR and Broadcasting | Prevents use of DVR and broadcasting. | No |
| Disable App Install Control | Specifies whether device users are allowed to install apps from sources other than the Windows Store. | No |
| Disable Store Application Automatic Update | Specifies whether device users can control the update schedule of apps from the Windows Store. | No |
| Let Apps Run in the Background | Specifies whether device users can allow Windows apps to run in the background. | No |

Cellular Data and Roaming

| Feature Control Option | Description | Supported on Home Edition |
| --- | --- | --- |
| Disable Cellular Data Roaming | Prevents the user from using cellular data while the device is roaming. | No |
| Disable Enterprise APN User Control | Prevents the device user from changing enterprise APN settings for the APN profile configuration. Supported on desktop devices running Windows 10 version 1703 and later. | Yes |

WiFi

| Feature Control Option | Description | Supported on Home Edition |
| --- | --- | --- |
| Disable WiFi Hotspot Reporting | Prevents WiFi hotspot information from being reported to Microsoft. | No |
| Disable Auto Connect to WiFi Sense Hotspots | Prevents the device from automatically connecting to WiFi hotspots. | No |

Bluetooth

| Feature Control Option | Description | Supported on Home Edition |
| --- | --- | --- |
| Disable Bluetooth Advertising | Prevents the device from acting as a source of Bluetooth advertisements. | No |
| Disable Bluetooth Discoverable Mode | Disables Bluetooth discoverable mode. | No |
| Set Bluetooth Device Name | Enter a string that specifies the local Bluetooth device name. | No |
| Disable Bluetooth | Prevents the user from enabling Bluetooth. | No |

Data Protection

| Feature Control Option | Description | Supported on Home Edition |
| --- | --- | --- |
| Disable SD Card Access | Disables access to the SD card directory. | No |
| Disable Internet Sharing Over WiFi | Prevents the device from sharing its Internet connection by acting as a WiFi hotspot. | No |
| Disable Direct Memory Access | Disables Direct Memory Access (DMA). | No |

Experience

| Feature Control Option | Description | Supported on Home Edition |
| --- | --- | --- |
| Disable Cortana | Disables Cortana (the personal digital assistant) on the device. | No |
| Allow Manual MDM Unenrollment | Allows the user to unenroll the device. | No |
| Disable Device Discovery on Lock Screen | Disables the device discovery user interface on the lock screen. | No |

System

| Feature Control Option | Description | Supported on Home Edition |
| --- | --- | --- |
| Disable OneDrive File Sync | Prevents apps and features from working with files on OneDrive. Note: This feature control option requires a device reboot. | No |
| Disable Boot-Start Drivers | If this policy setting is disabled or not configured, boot-start drivers are classified as Good, Unknown, or Bad; boot-critical drivers are initialized, and drivers classified as Bad are skipped. | No |
| Disable Enterprise Authentication Proxy | Prevents the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data to Microsoft on Windows 10. | No |
| Disable System Restore | Prevents the device user from accessing System Restore and the System Restore Wizard. The options to configure System Restore or create restore points through System Protection are also disabled. | No |
| Require to Save Diagnostics Logs Locally | Mandates that all diagnostics are saved locally for use in internal investigations. | Yes |
| Restrict Telemetry Data | Determines the amount of diagnostic and usage telemetry data sent to Microsoft. Choose one of the following levels, listed from least to most data sent: Security (sends only the data required to keep Windows secure); Basic (sends basic data such as device information, app compatibility and usage data, plus the Security-level data); Enhanced (sends the Security and Basic data plus additional insights such as how Windows, Windows Server, System Center, and apps are used, how they perform, and advanced reliability data); Full (sends all data necessary to identify and solve issues, plus the Security, Basic, and Enhanced data). | No |
| Disable Enhanced Diagnostic Data | Prevents the device from sending Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. Restrict Telemetry Data must be set to Enhanced to use this feature. | No |
| Disable Location Service | Determines the status of Location Services on the device; when disabled, applications on the device are blocked from using Location Services. Choose an option from the dropdown list: User Controlled (the device user can switch location services on or off); Enabled (location services are enabled and the device user cannot disable them); Disabled (all location services are disabled, no applications can access location information, and the device user cannot enable them). | No |
| Disable SD Card Access | Prevents the device user from accessing data on the SD card. | No |
| Disable Windows Preview Builds | Prevents the device user from downloading and installing Windows preview software. | No |
| Disable Embedded Mode | Prevents the device user from entering Embedded Mode. | No |
| Allow Microsoft Experimentation | Allows Microsoft to conduct full experimentation to study user preferences or device behavior. | No |
| Disable Font Providers | Prevents the device user from downloading fonts and font catalog data from online font providers. | No |
| Disable Factory Reset | Removes the device user's ability to factory reset the device. | No |
| Telemetry Proxy | Specifies a proxy server through which Connected User Experiences and Telemetry requests are forwarded. Enter the fully qualified domain name (FQDN) or IP address of a proxy server in the format server:port. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if no proxy is specified when this policy is enabled, Connected User Experiences and Telemetry data is not transmitted and remains on the local device. | No |

Defender

| Feature Control Option | Description | Supported on Home Edition |
| --- | --- | --- |
| Disable Cloud Protection | Disables Cloud Protection. If this option is not selected, Windows Defender sends information to Microsoft about any problems it finds; Microsoft analyzes that information in its cloud to learn more about problems affecting users and can then respond with the best possible solution. | Yes |
| Average CPU Load Factor in Percent | Sets the average CPU load factor for scans, as a percentage. | Yes |
| Days to Retain Cleaned Malware | Time period (in days) that quarantined items are stored on the system. | Yes |
| Disable Archive Scanning | Disables scanning of archives. | Yes |
| Disable Behavior Monitoring | Disables Defender's Behavior Monitoring functionality. | Yes |
| Disable Email Scanning | Disables scanning of email. | Yes |
| Disable Full Scan On Network Drives | Disables full scans of mapped network drives. | Yes |
| Disable Full Scan On Removable Drives | Disables full scans of removable drives. | Yes |
| Disable Intrusion Prevention System | Disables Defender's Intrusion Prevention functionality. | Yes |
| Disable IOAVP Protection | Disables Defender's IOAVP Protection functionality. | Yes |
| Disable On Access Protection | Disables Defender's On Access Protection functionality. | Yes |
| Disable Realtime Monitoring | Disables Defender's Realtime Monitoring functionality. | Yes |
| Disable Scanning Network Files | Disables scanning of network files. | Yes |
| Disable Script Scanning | Disables Defender's Script Scanning functionality. | Yes |
| Disable User UI Access | Disallows user access to the Defender UI. If disallowed, all Defender notifications are also suppressed. | Yes |
| Excluded Extensions | Allows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a vertical bar (\|), for example `lib\|obj`. | Yes |
| Excluded Paths | Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a vertical bar (\|), for example `C:\Example\|C:\Example1`. | Yes |
| Excluded Processes | Allows an administrator to specify a list of files opened by processes to ignore during a scan. | Yes |
| Real Time Scan Direction | Controls which sets of files are monitored: Bidirectional (monitor all files); Incoming (monitor incoming files); Outgoing (monitor outgoing files). | Yes |
| Scan Type | Selects whether to perform a quick scan or a full scan: Quick Scan (perform a quick Defender scan); Full Scan (perform a full Defender scan). | Yes |
| Quick Scan Schedule in Minutes | Specifies the time of day at which the Defender quick scan runs, as the number of minutes past midnight (local time). Valid values are 0 to 1380, where 12:00 AM = 0, 1:00 AM = 60, and so on up to 11:00 PM = 1380. | Yes |
| Schedule Scan Day | Selects the day on which the Defender scan runs. | Yes |
| Schedule Scan Time in Minutes | Specifies the time of day at which the Defender scan runs, as the number of minutes past midnight (local time). Valid values are 0 to 1380, where 12:00 AM = 0, 1:00 AM = 60, and so on up to 11:00 PM = 1380. | Yes |
| Signature Update Interval in Hours | Specifies the interval, in hours, at which Windows checks for new signatures. When set, this interval is used instead of the Schedule Scan Day and Schedule Scan Time settings. Because the interval is in hours, the most frequent check is once an hour. | Yes |
| Submit Samples Consent | Checks the user consent level in Defender for sending data. If the required consent has already been granted, Defender submits the samples. If not (and if the user has specified never to ask), the UI is launched to ask for user consent (when Defender cloud protection is allowed) before sending data. Options: Always Prompt (always prompt the user); Send Safe Samples (send safe samples automatically); Never Send (never send samples); Send All Samples (send all samples automatically). | Yes |
| Disable SmartScreen in Shell | Specifies who can configure SmartScreen for Windows. | No |
| User Can Ignore SmartScreen Warning | Allows the device user to ignore warnings in SmartScreen. Note: SmartScreen must be enabled. | No |
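The Defender exclusion lists, the scan-time fields and the Telemetry Proxy field (under System above) each have a value format that is easy to get wrong, and broad exclusions quietly weaken protection. The following added example is hypothetical pre-flight code, not part of the MDM product: it validates those formats and flags exclusions that cover executable content or whole system locations before a policy is pushed.

```python
"""Pre-flight checks for feature-control values before they are pushed to desktops.

Encodes the value formats this dialog documents: pipe-separated Defender exclusion
lists ("lib|obj", "C:\\Example|C:\\Example1"), scan times as minutes past midnight
(0..1380 in whole hours) and the Telemetry Proxy as server:port. Hypothetical helper
code written for this page; the risky-exclusion lists are illustrative choices.
"""
import ipaddress
import re

FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)
# Exclusions that blind Defender to file types and locations commonly abused by malware.
RISKY_EXTENSIONS = {"exe", "dll", "ps1", "vbs", "js", "bat", "cmd", "scr"}
BROAD_PATHS = {r"c:\users", r"c:\windows", r"c:\programdata", r"c:\program files"}


def parse_pipe_list(value):
    """Split a pipe-separated exclusion list; an empty entry is a configuration error."""
    items = [item.strip() for item in value.split("|")]
    if any(not item for item in items):
        raise ValueError(f"empty entry in exclusion list: {value!r}")
    return items


def minutes_past_midnight(hhmm):
    """Convert 'HH:MM' to the 0..1380 value the scan-time fields expect (whole hours only)."""
    hour, minute = (int(part) for part in hhmm.split(":"))
    if not 0 <= hour <= 23 or minute != 0:
        raise ValueError(f"scan time must be on the hour between 00:00 and 23:00, got {hhmm!r}")
    return hour * 60


def parse_telemetry_proxy(value):
    """Validate 'server:port' where server is an FQDN or an IP address; return (host, port)."""
    host, sep, port = value.rpartition(":")
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"telemetry proxy must be server:port, got {value!r}")
    host = host.strip("[]")  # accept bracketed IPv6 literals
    try:
        ipaddress.ip_address(host)
    except ValueError:
        if not FQDN_RE.match(host):
            raise ValueError(f"proxy host is neither an FQDN nor an IP address: {host!r}") from None
    return host, int(port)


def audit_defender_exclusions(extensions, paths):
    """Return warnings for exclusions that carve large blind spots out of scanning."""
    warnings = []
    for ext in parse_pipe_list(extensions):
        if ext.lstrip(".").lower() in RISKY_EXTENSIONS:
            warnings.append(f"extension exclusion {ext!r} skips executable content")
    for path in parse_pipe_list(paths):
        normalized = path.lower().rstrip("\\")
        if re.fullmatch(r"[a-z]:", normalized) or normalized in BROAD_PATHS:
            warnings.append(f"path exclusion {path!r} covers a whole drive or system location")
    return warnings
```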

Text Input

| Feature Control Option | Description | Supported on Home Edition |
| --- | --- | --- |
| Disable IME Logging | Disallows the user from turning on and off logging of incorrect conversions, saving of auto-tuning results to a file, and history-based predictive input. | No |
| Disable IME Network Access | Disallows the user from turning on Open Extended Dictionary, Internet Search Integration, or online services that provide input suggestions not found in the PC's local dictionary. | No |
| Disable Japanese IME Surrogate Pair Characters | Disables Japanese IME surrogate pair characters. | No |
| Disable Japanese IVS Characters | Disables Japanese Ideographic Variation Sequence (IVS) characters. | No |
| Disable Japanese Non-Publishing Standard Glyph | Disables the Japanese non-publishing standard glyph. | No |
| Disable Japanese User Dictionary | Disables the Japanese user dictionary. | No |
| Disable Korean Extended Hanja | Disables use of the Korean Extended Hanja character set. | Yes |
| Exclude Japanese IME Except JISO208 | Disallows users from restricting the character code range of conversion by setting the character filter. | No |
| Exclude Japanese IME Except JISO208 and EUDC | Disallows users from restricting the character code range of conversion by setting the character filter. | No |
| Exclude Japanese IME Except Shift JIS | Disallows users from restricting the character code range of conversion by setting the character filter. | No |

Update

| Feature Control Option | Description | Supported on Home Edition |
| --- | --- | --- |
| Auto Update Settings | Allows the IT administrator to manage automatic update behavior to scan, download, and install updates. The available modes are described below this table. | No |
| Disable Non-Microsoft Signed Update | Disallows the IT administrator from managing whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third-party software and patch distribution. Supported operations are Get and Replace. | No |
| Disable Update Service | Specifies whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or the Windows Store. Even when Windows Update is configured to receive updates from an intranet update service, it periodically retrieves information from the public Windows Update service to enable future connections to Windows Update and other services such as Microsoft Update or the Windows Store. Enabling this policy disables that functionality and may cause connections to public services such as the Windows Store to stop working. Note: This policy applies only when the desktop or device is configured to connect to an intranet update service using the Custom Update WSUS Server URL policy. | No |
| Scheduled Install Time (0-23 hours) | Enables the IT administrator to schedule the time of the update installation. | No |
| Custom Update WSUS Server URL | The URL of a custom WSUS update server. Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. | No |
| Scheduled Install Day | Enables the IT administrator to schedule the day of the update installation. | No |

Auto Update Settings modes:
  • Notify User: Notify the user before downloading the update. This policy is used by enterprises that want to enable end users to manage data usage. With this option, users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
  • Install and Notify: Auto install the update and then notify the user to schedule a restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the computer is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update installs updates right away. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart; after that, a restart is forced. Enabling the end user to control the restart time reduces the risk of accidental app data loss caused by apps that do not shut down properly on restart.
  • Install and Restart: Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the computer is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update installs updates right away. If a restart is required, the device is automatically restarted when it is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental app data loss caused by apps that do not shut down properly on restart.
  • Install and Restart at Specific Time: Auto install and restart at a specified time. The IT administrator specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and the restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
  • Install and Restart Without User Control: Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the computer is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update installs updates right away. If a restart is required, the device is automatically restarted when it is not actively being used. This mode sets the end-user control panel to read-only.
  • No Auto Updates: Turn off automatic updates.

Security

| Feature Control Option | Description | Supported on Home Edition |
| --- | --- | --- |
| Disable Adding Provisioning Package | Specifies whether to allow the runtime configuration agent to install provisioning packages. | No |
| Disable Removing Provisioning Package | Specifies whether to allow the runtime configuration agent to remove provisioning packages. | No |
| Require Provisioning Package Signature | Specifies whether provisioning packages must have a certificate signed by a device trusted authority. | No |

Start Menu

| Feature Control Option | Description | Supported on Home Edition |
| --- | --- | --- |
| Hide Change Account Settings | Prevents the Change Account settings from appearing in the Start Menu. | No |
| Hide Frequently Used Apps | Prevents Frequently Used Apps from appearing in the Start Menu. Note: Requires a device restart. | No |
| Hide Hibernate | Prevents the Hibernate power option from appearing in the Start Menu. | No |
| Hide Lock | Prevents Lock from appearing in the Start Menu. | No |
| Hide Power Button | Prevents the Power button from appearing in the Start Menu. Note: Requires a device restart. | No |
| Hide Recent Jumplists | Prevents Recent Jumplists from appearing in the Start Menu. Note: Requires a device restart. | No |
| Hide Recently Added Apps | Prevents Recently Added Apps from appearing in the Start Menu. Note: Requires a device restart. | No |
| Hide Restart | Prevents the Restart power option from appearing in the Start Menu. | No |
| Hide Shutdown | Prevents the Shutdown power option from appearing in the Start Menu. | No |
| Hide Sign Out | Prevents the Sign Out option from appearing in the Start Menu. | No |
| Hide Sleep | Prevents the Sleep power option from appearing in the Start Menu. | No |
| Hide User Tile | Prevents user tiles from appearing in the Start Menu. | No |
| No Pinning to Taskbar | Prevents the ability to pin apps to the taskbar. | No |