Feature Control (Phone)

The File Encryption profile configuration enables you to use file encryption to secure the data stored on a device or a storage card. You perform this configuration when:

Secured data will only be readable on the device while encrypted.

Some feature control options are available only on certain operating systems.

Windows Phone 8.0: WP 8.0

Windows Phone 8.1: WP 8.1

Windows 10 Mobile: WP 10

General

Application

Feature Control Option Description Compatible OS
Enable Windows Store Enable users to install or update applications through the Windows Store. WP 8.1, WP 10
Auto Update of Store Applications Enable automatic update of apps from Windows Store. WP 10
Background Application Run Specify whether device users can allow Windows apps to run in the background. WP 10
Developer Model Unlock Select whether developer unlock is explicitly allowed, denied, or is not configured. WP 8.1, WP 10
Enable Shared User App Data Enable multiple users of the same app to share data. WP 10
Limit App to Data System Volume Restrict application data to being stored only on the system drive. WP 10
Limit App to System Volume Restrict installation of applications to the system drive. WP 10

Device Account

Feature Control Option Description Compatible OS
Enable Microsoft Account Connection Enable users to connect their devices to a Microsoft account. WP 8.1, WP 10
Enable Adding Non-Microsoft Accounts Manually Enable users to manually connect their devices to a non-Microsoft account. WP 8.1, WP 10
Enable Adding Microsoft Account Sign-in Assistant. Enable users to enable the Microsoft Account Sign-in Assistant NT service. Requires device restart. WP 10
Domain Names for Email Sync Enter the list of domains that are allowed to sync email on the device. WP 10

Search

Feature Control Option Description Compatible OS
Enable Search to Use Location Enable Bing search to use location services on the device. WP 8.1, WP 10
Enable Search Indexer Enable the search indexing service to run. WP 10
Safe Search Type Enable safe search on the device. This setting prevents adult content from appearing in search results.
  • Allow User to Configure: Allow the user to select safe search restrictions.
  • Strict: Highest filtering against adult content.
  • Moderate: Moderate filtering against adult content (valid search results will not be filtered).
WP 8.1, WP 10

Settings

Feature Control Option Description Compatible OS
Enable Data Usage Settings Enable the user to change data usage settings. WP 10
Enable Date Time Settings Enable the user to change date and time settings. WP 10
Enable Edit Device Name Settings Enable editing of the device name. WP 10
Enable VPN Settings Enable the user to change VPN settings. WP 10
Enable Account Settings Enable the user to change account settings. WP 10

Windows Update

Feature Control Option Description Compatible OS
Enable Update Service Select this option to allow the device to use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store. Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Windows Store. Enabling this policy will disable that functionality, and may cause connection to public services such as the Windows Store to stop working.
Note: This policy applies only when the desktop or device is configured to connect to an intranet update service using the Custom Update WSUS server URL policy.
WP 10
Auto Update Settings Allow the IT administrator to manage automatic update behavior to scan, download, and install updates.
  • Notify User: Notify the user before downloading the update. This policy is used by enterprises that want to enable end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
  • Install and Notify: Auto install the update and then notify the user to schedule a restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the computer is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart is forced. Enabling the end-user to control the restart time reduces the risk of accidental app data loss caused by apps that do not shut down properly on restart.
  • Install and Restart: Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the computer is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental app data loss caused by apps that do not shut down properly on restart.
  • Install and Restart at Specific Time: Auto install and restart at a specified time. The IT administrator specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
  • Install and Restart Without User Control: Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the computer is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. It sets the end-user control panel to read-only.
  • No Auto Updates: Turn off automatic updates.
WP 10
Enable Non-Microsoft Signed Update Allow the IT administrator to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third-party software and patch distribution. Supported operations are Get and Replace. WP 10
Scheduled Install Time (0-23 hours) Enable the IT administrator to schedule the time of the update installation. WP 10
WSUS Server URL The URL of a custom update WSUS server. Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. WP 10
Scheduled Install Day Enable the IT administrator to schedule the day of the update installation. WP 10
Embedded Handheld Phone Update Options Configure update restrictions for Windows 8.1 Embedded Handheld Phones.
  • User-Controlled: enables the device user to configure the update restrictions
  • Never Check: updates are not checked
  • Automatic Install: installs updates automatically
  • Check Updates: checks for updates but lets user choose when to download and install them
  • Download Updates: downloads updates but lets user choose when to install them
WP 8.1
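
An added example, not part of the original documentation or the product: a small Python linter that checks the Windows Update options above for values outside the documented range and for settings that have no effect together. The dictionary layout, value spellings and sample hostname are assumptions; the HTTPS check is this example's own hardening choice.

```python
from urllib.parse import urlparse

# Keys are the option labels from the table above. The dict layout and value
# spellings are assumptions of this example, not a product export format.
SPECIFIC_TIME = "Install and Restart at Specific Time"

def lint_update_profile(p):
    """Return (effective_schedule, findings) for one Windows Update profile."""
    findings = []
    wsus = (p.get("WSUS Server URL") or "").strip()
    mode = p.get("Auto Update Settings")
    hour, day = p.get("Scheduled Install Time"), p.get("Scheduled Install Day")

    # The time field is documented as 0-23 hours.
    if hour is not None and (type(hour) is not int or not 0 <= hour <= 23):
        findings.append("Scheduled Install Time must be an integer from 0 to 23")

    schedule = None
    if mode == SPECIFIC_TIME:
        # Documented default when neither day nor time is given: 3 AM daily.
        schedule = ("daily", 3) if hour is None and day is None else (day, hour)
    elif hour is not None or day is not None:
        findings.append("install day/time set, but Auto Update Settings is not '%s'" % SPECIFIC_TIME)
    if mode == "No Auto Updates":
        findings.append("automatic updates are turned off")

    # Per the note, Enable Update Service applies only with a WSUS URL set.
    if p.get("Enable Update Service") is False and not wsus:
        findings.append("Enable Update Service has no effect without WSUS Server URL")

    if p.get("Enable Non-Microsoft Signed Update"):
        if not wsus:
            findings.append("non-Microsoft signed updates allowed, but no WSUS Server URL")
        elif urlparse(wsus).scheme != "https":
            # Hardening choice of this example, not a rule stated on the page.
            findings.append("non-Microsoft signed updates accepted from a non-HTTPS WSUS URL")
    return schedule, findings

# Constructed sample profiles (hostname is a placeholder).
SAMPLES = {
    "kiosk": {"Auto Update Settings": SPECIFIC_TIME,
              "Enable Non-Microsoft Signed Update": True,
              "WSUS Server URL": "http://wsus.example.internal:8530"},
    "field": {"Auto Update Settings": "No Auto Updates",
              "Scheduled Install Time": 24, "Enable Update Service": False},
}

if __name__ == "__main__":
    for name, profile in SAMPLES.items():
        print(name, lint_update_profile(profile))
```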

Connectivity

Cellular Data and Roaming

Feature Control Option Description Compatible OS
Enable VPN Roaming Over Cellular Allow users to enable VPN while the device is roaming. WP 8.1, WP 10
VPN Over Cellular Allow users to enable VPN while the device is on a cellular data network. WP 8.1, WP 10
Enable Device Cellular Data Enable the cellular data channel on the device. WP 10
Cellular Data Roaming Enable the user to use cellular data while the device is roaming. WP 8.1, WP 10
Enable Enterprise APN User Control Enable the device user to change enterprise APN settings for the APN profile configuration. WP 10

WiFi

Feature Control Option Description Compatible OS
Enable WiFi Enable the device to connect to a WiFi network. WP 8.1, WP 10
Enable Manual WiFi Configurations Enable users to manually configure WiFi settings on their devices. WP 8.1, WP 10
Enable WiFi Hotspot Reporting Enable WiFi hotspot information to be reported to Microsoft. WP 8.1
Enable Auto Connect to WiFi Sense Hotspots Enable the device to auto connect to WiFi hotspots. WP 8.1, WP 10

Bluetooth

Feature Control Option Description Compatible OS
Enable Bluetooth Allow the user to enable Bluetooth. WP 8.1, WP 10
Enable Bluetooth Discoverable Mode Enable the Bluetooth discoverable mode. WP 10
Set Bluetooth Device Name Enter a string that specifies the local Bluetooth device name. WP 10
Enable Bluetooth Advertising Enable the device to act as a source for advertisements. WP 10
Enable Bluetooth Pre-pairing Enable specific bundled Bluetooth peripherals to automatically pair with the host devices. WP 10

Connectivity

Feature Control Option Description Compatible OS
Enable Connected Devices Allow the user to enable the Connected Devices Platform (CDP) component. WP 10

Security and Privacy

Data Protection

Feature Control Option Description Compatible OS
Enable Copy/Paste Enable copy/paste functionality on the device. WP 8.1, WP 10
Enable Browser Enable the default browser on the device. WP 8.1, WP 10
Enable Screen Capture Enable screen capture functionality on the device. WP 8.1, WP 10
Enable Internet Sharing Over WiFi Enable the device to share Internet and become a WiFi hotspot. WP 8.1, WP 10
Enable Direct Memory Access Enable Direct Memory Access. WP 10

Device Lock

Feature Control Option Description Compatible OS
Enable Idle Return Without Password Do not require the user to input the password every time the device is returning from idle state. (Requires the device password to be enabled.) WP 8.1, WP 10
Enable Action Center Notifications Enable Windows Action Center to display notifications on the device. WP 8.1, WP 10

Experience

Feature Control Option Description Compatible OS
Enable Voice Recording Enable access to the voice recorder on the phone. WP 8.1, WP 10
Enable SIM Error Dialog Prompt Enable the dialog prompt when no SIM card is detected. WP 10
Enable Task Switcher Enable task switching on the device. WP 10
Enable Cortana Enable Cortana (personal digital assistant) on the device. WP 8.1, WP 10
Allow Manual MDM Unenrollment Allow the user to unenroll the device. WP 8.1, WP 10
Enable Device Discovery on Lock Screen Enable the device discovery user interface on the lock screen. WP 10
Enable Find My Device Enable the device and its location to be registered in the cloud so the Find My Device feature will work. WP 10
Enable Syncing of Settings Enable the syncing of settings between this device and other devices. WP 8.1, WP 10
Enable Feedback Notifications Enable devices to show feedback questions from Microsoft. WP 10

System

Feature Control Option Description Compatible OS
Restrict Telemetry Data Determines the amount of diagnostic and usage telemetry data sent to Microsoft. Choose one of the following levels:
  • Security: Sends only data required to keep Windows secure
  • Basic: Sends basic data such as device information, app compatibility and usage data and data from the Security level
  • Enhanced: Sends security and basic data plus additional insights such as how Windows, Windows Server, System Center, and apps are used, how they perform, and advanced reliability data
  • Full: Sends all data necessary to identify and solve issues plus data from the Security, Basic and Enhanced data levels.
Levels are listed in order of least to most data sent.
WP 10
Restrict Telemetry Data (WP 8.1) Determines the amount of diagnostic and usage telemetry data sent to Microsoft. Choose one of the following levels:
  • Allow: Allows telemetry
  • Disable: Does not allow telemetry
  • Disable Secondary Requests: Allows telemetry except from secondary data requests
WP 8.1
Enable Location Service Determines the status of Location Services on the device. Applications on the device will be blocked from using Location Services. Choose an option from the dropdown list:
  • Allow User to Configure: Device user can switch location services on or off.
  • Enable: Location services are enabled and device user cannot disable them.
  • Disable: All location services are disabled and no applications can access location information. Device user cannot enable them.
WP 8.1, WP 10
Enable SD Card Access Allow the device user to access data on SD card. WP 8.0, WP 8.1, WP 10
Enable Windows Preview Builds Allow the device user to download and install Windows preview software. WP 10
Enable Embedded Mode Allow the device user to enter Embedded Mode. WP 10
Allow Microsoft Experimentation Allow Microsoft to conduct full experimentation to study user preferences or device behavior. WP 10 (version 1703 or later)
Enable Font Providers Allow the device user to download fonts and font catalog data from online font providers. WP 10 (version 1703 or later)
Enable Factory Reset Allow the device user to perform a hard reset (factory reset) on the device. WP 8.1, WP 10
Telemetry Proxy Hostname Specifies a proxy server through which Connected User Experiences and Telemetry requests are to be forwarded. Enter the fully qualified domain name (FQDN) or IP address of a proxy server. The format for this setting is server:port. The connection is made over a Secure Sockets Layer (SSL) connection.
If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device.
WP 10

Authentication

Feature Control Option Description Compatible OS
Enable EAP Fast Reconnect Allows EAP Fast Reconnect to be attempted for EAP Method TLS. WP 10
Enable Secondary Authentication Devices Allows secondary authentication devices to work with Windows. WP 10

Security

Feature Control Option Description Compatible OS
Enable Manual Root Certificate Installation Allow users to manually install root certificates on the device. WP 8.1, WP 10
Require Internal Storage Encryption Require internal storage encryption to be enabled on the device.
Note: Once encryption is enabled, it cannot be disabled via policy. It can only be removed through a factory reset of the device.
WP 8.0, WP 8.1, WP 10
Enable Anti Theft Mode Enable Anti Theft Mode on the device. WP 10
Enable Adding Provisioning Package Allow the runtime configuration agent to install provisioning packages. WP 10
Enable Removing Provisioning Package Allow the runtime configuration agent to remove provisioning packages. WP 10
Require Provisioning Package Signature Require provisioning packages to have a certificate signed by a device-trusted authority. WP 10

Hardware

Feature Control Option Description Compatible OS
Enable NFC Allow the device user to use Near Field Communication. WP 8.1, WP 10
Enable USB Connection (MTP/IPoUSB) Allow the device to be connected as a Media Transfer Protocol client or IP over USB device through USB. This will allow users to transfer files from the device to a computer using USB. WP 8.1, WP 10
Enable Camera Allow the user to use the camera on the device. WP 8.1, WP 10