Feature Control (Phone)

The File Encryption profile configuration enables you to use file encryption to secure the data stored on a device or a storage card. You perform this configuration when:

Secured data will only be readable on the device while encrypted.

Some feature control options are available only on certain operating systems.

Windows Phone 8.0: WP 8.0

Windows Phone 8.1: WP 8.1

Windows 10 Mobile: WP 10 or later

General

Application

Feature Control Option | Description | Compatible OS
Enable Windows Store | Enable users to install or update applications through the Windows Store. | WP 8.1, WP 10 or later
Auto Update of Store Applications | Enable automatic update of apps from Windows Store. | WP 10 or later
Background Application Run | Specify if device users can allow Windows apps to run in the background. | WP 10 or later
Developer Model Unlock | Select whether developer unlock is explicitly allowed, denied, or is not configured. | WP 8.1, WP 10 or later
Enable Shared User App Data | Enable multiple users of the same app to share data. | WP 10 or later
Limit App to Data System Volume | Restrict application data to being stored only on the system drive. | WP 10 or later
Limit App to System Volume | Restrict installation of applications to the system drive. | WP 10 or later

Device Account

Feature Control Option | Description | Compatible OS
Enable Microsoft Account Connection | Enable users to connect their devices to a Microsoft account. | WP 8.1, WP 10 or later
Enable Adding Non-Microsoft Accounts Manually | Enable users to manually connect their devices to a non-Microsoft account. | WP 8.1, WP 10 or later
Enable Adding Microsoft Account Sign-in Assistant | Enable users to enable the Microsoft Account Sign-in Assistant NT service. Requires device restart. | WP 10 or later
Domain Names for Email Sync | Enter the list of domains that are allowed to sync email on the device. | WP 10 or later

Search

Feature Control Option | Description | Compatible OS
Enable Search to Use Location | Enable Bing search to use location services on the device. | WP 8.1, WP 10 or later
Enable Search Indexer | Enable the search indexing service to run. | WP 10 or later
Safe Search Type | Enable safe search on the device. This setting prevents adult content from appearing in search results. | WP 8.1, WP 10 or later
  • Allow User to Configure: Allow the user to select safe search restrictions.
  • Strict: Highest filtering against adult content.
  • Moderate: Moderate filtering against adult content (valid search results will not be filtered).

Settings

Feature Control Option | Description | Compatible OS
Enable Data Usage Settings | Enable the user to change data usage settings. | WP 10 or later
Enable Date Time Settings | Enable the user to change date and time settings. | WP 10 or later
Enable Edit Device Name Settings | Enable editing of the device name. | WP 10 or later
Enable VPN Settings | Enable the user to change VPN settings. | WP 10 or later
Enable Account Settings | Enable the user to change account settings. | WP 10 or later

Windows Update

Feature Control Option | Description | Compatible OS
Enable Update Service | Select this option to allow the device to use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store. Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Windows Store. Enabling this policy will disable that functionality, and may cause connection to public services such as the Windows Store to stop working. | WP 10 or later
  Note: This policy applies only when the desktop or device is configured to connect to an intranet update service using the Custom Update WSUS server URL policy.
Auto Update Settings | Allow the IT administrator to manage automatic update behavior to scan, download, and install updates. | WP 10 or later
  • Notify User: Notify the user before downloading the update. This policy is used by enterprises that want to enable end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
  • Install and Notify: Auto install the update and then notify the user to schedule a restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the computer is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart is forced. Enabling the end-user to control the restart time reduces the risk of accidental app data loss caused by apps that do not shut down properly on restart.
  • Install and Restart: Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the computer is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental app data loss caused by apps that do not shut down properly on restart.
  • Install and Restart at Specific Time: Auto install and restart at a specified time. The IT administrator specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
  • Install and Restart Without User Control: Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the computer is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. It sets the end-user control panel to read-only.
  • No Auto Updates: Turn off automatic updates.
Enable Non-Microsoft Signed Update | Allow the IT administrator to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third-party software and patch distribution. Supported operations are Get and Replace. | WP 10 or later
Scheduled Install Time (0-23 hours) | Enable the IT administrator to schedule the time of the update installation. | WP 10 or later
WSUS Server URL | The URL of a custom update WSUS server. Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. | WP 10 or later
Scheduled Install Day | Enable the IT administrator to schedule the day of the update installation. | WP 10 or later
Embedded Handheld Phone Update Options | Configure update restrictions for Windows 8.1 Embedded Handheld Phones. | WP 8.1
  • User-Controlled: enables the device user to configure the update restrictions
  • Never Check: updates are not checked
  • Automatic Install: installs updates automatically
  • Check Updates: checks for updates but lets user choose when to download and install them
  • Download Updates: downloads updates but lets user choose when to install them

Connectivity

Cellular Data and Roaming

Feature Control Option | Description | Compatible OS
Enable VPN Roaming Over Cellular | Allow users to enable VPN while the device is roaming. | WP 8.1, WP 10 or later
VPN Over Cellular | Allow users to enable VPN while the device is on a cellular data network. | WP 8.1, WP 10 or later
Enable Device Cellular Data | Enable the cellular data channel on the device. | WP 10 or later
Cellular Data Roaming | Enable the user to use cellular data while the device is roaming. | WP 8.1, WP 10 or later
Enable Enterprise APN User Control | Enable the device user to change enterprise APN settings for the APN profile configuration. | WP 10 or later

WiFi

Feature Control Option | Description | Compatible OS
Enable WiFi | Enable the device to connect to a WiFi network. | WP 8.1, WP 10 or later
Enable Manual WiFi Configurations | Enable users to manually configure WiFi settings on their devices. | WP 8.1, WP 10 or later
Enable WiFi Hotspot Reporting | Enable WiFi hotspot information to be reported to Microsoft. | WP 8.1
Enable Auto Connect to WiFi Sense Hotspots | Enable the device to auto connect to WiFi hotspots. | WP 8.1, WP 10 or later

Bluetooth

Feature Control Option | Description | Compatible OS
Enable Bluetooth | Allow the user to enable Bluetooth. | WP 8.1, WP 10 or later
Enable Bluetooth Discoverable Mode | Enable the Bluetooth discoverable mode. | WP 10 or later
Set Bluetooth Device Name | Enter a string that specifies the local Bluetooth device name. | WP 10 or later
Enable Bluetooth Advertising | Enable the device to act as a source for advertisements. | WP 10 or later
Enable Bluetooth Pre-pairing | Enable specific bundled Bluetooth peripherals to automatically pair with the host devices. | WP 10 or later

Connectivity

Feature Control Option | Description | Compatible OS
Enable Connected Devices | Allow the user to enable the Connected Devices Platform (CDP) component. | WP 10 or later

Security and Privacy

Data Protection

Feature Control Option | Description | Compatible OS
Enable Copy/Paste | Enable copy/paste functionality on the device. | WP 8.1, WP 10 or later
Enable Browser | Enable the default browser on the device. | WP 8.1, WP 10 or later
Enable Screen Capture | Enable screen capture functionality on the device. | WP 8.1, WP 10 or later
Enable Internet Sharing Over WiFi | Enable the device to share Internet and become a WiFi hotspot. | WP 8.1, WP 10 or later
Enable Direct Memory Access | Enable Direct Memory Access. | WP 10 or later

Device Lock

Feature Control Option | Description | Compatible OS
Enable Idle Return Without Password | Do not require the user to input the password every time the device is returning from idle state. (Requires the device password to be enabled.) | WP 8.1, WP 10 or later
Enable Action Center Notifications | Enable Windows Action Center to display notifications on the device. | WP 8.1, WP 10 or later

Experience

Feature Control Option | Description | Compatible OS
Enable Voice Recording | Enable access to the voice recorder on the phone. | WP 8.1, WP 10 or later
Enable SIM Error Dialog Prompt | Enable the dialog prompt when no SIM card is detected. | WP 10 or later
Enable Task Switcher | Enable task switching on the device. | WP 10 or later
Enable Cortana | Enable Cortana (personal digital assistant) on the device. | WP 8.1, WP 10 or later
Allow Manual MDM Unenrollment | Allow the user to unenroll the device. | WP 8.1, WP 10 or later
Enable Device Discovery on Lock Screen | Enable the device discovery user interface on the lock screen. | WP 10 or later
Enable Find My Device | Enable the device and its location to be registered in the cloud so the Find My Device feature will work. | WP 10 or later
Enable Syncing of Settings | Enable the syncing of settings between this device and other devices. | WP 8.1, WP 10 or later
Enable Feedback Notifications | Enable devices to show feedback questions from Microsoft. | WP 10 or later

System

Feature Control Option | Description | Compatible OS
Restrict Telemetry Data | Determines the amount of diagnostic and usage telemetry data sent to Microsoft. Choose one of the following levels: | WP 10 or later
  • Security: Sends only data required to keep Windows secure
  • Basic: Sends basic data such as device information, app compatibility and usage data and data from the Security level
  • Enhanced: Sends security and basic data plus additional insights such as how Windows, Windows Server, System Center, and apps are used, how they perform, and advanced reliability data
  • Full: Sends all data necessary to identify and solve issues plus data from the Security, Basic and Enhanced data levels.
  Levels are listed in order of least to most data sent.
Restrict Telemetry Data (WP 8.1) | Determines the amount of diagnostic and usage telemetry data sent to Microsoft. Choose one of the following levels: | WP 8.1
  • Allow: Allows telemetry
  • Disable: Does not allow telemetry
  • Disable Secondary Requests: Allows telemetry except from secondary data request
Enable Location Service | Determines the status of Location Services on the device. Applications on the device will be blocked from using Location Services. Choose an option from the dropdown list: | WP 8.1, WP 10 or later
  • Allow User to Configure: Device user can switch location services on or off.
  • Enable: Location services are enabled and device user cannot disable them.
  • Disable: All location services are disabled and no applications can access location information. Device user cannot enable them.
Enable SD Card Access | Allow the device user to access data on SD card. | WP 8.0, WP 8.1, WP 10 or later
Enable Windows Preview Builds | Allow the device user to download and install Windows preview software. | WP 10 or later
Enable Embedded Mode | Allow the device user to enter Embedded Mode. | WP 10 or later
Allow Microsoft Experimentation | Allow Microsoft to conduct full experimentation to study user preferences or device behavior. | WP 10 or later (version 1703 or later)
Enable Font Providers | Allow the device user to download fonts and font catalog data from online font providers. | WP 10 or later (version 1703 or later)
Enable Factory Reset | Allow the device user to perform a hard reset (factory reset) on the device. | WP 8.1, WP 10 or later
Telemetry Proxy Hostname | Specifies a proxy server through which Connected User Experiences and Telemetry requests are to be forwarded. Enter the fully qualified domain name (FQDN) or IP address of a proxy server. The format for this setting is server:port. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device. | WP 10 or later

Authentication

Feature Control Option | Description | Compatible OS
Enable EAP Fast Reconnect | Allows EAP Fast Reconnect to be attempted for EAP Method TLS. | WP 10 or later
Enable Secondary Authentication Devices | Allows secondary authentication devices to work with Windows. | WP 10 or later

Security

Feature Control Option | Description | Compatible OS
Enable Manual Root Certificate Installation | Allow users to manually install root certificates on the device. | WP 8.1, WP 10 or later
Require Internal Storage Encryption | Require internal storage encryption to be enabled on the device. | WP 8.0, WP 8.1, WP 10 or later
  Note: Once encryption is enabled, it cannot be disabled via policy. It can only be removed through a factory reset of the device.
Enable Anti Theft Mode | Enable Anti Theft Mode on the device. | WP 10 or later
Enable Adding Provisioning Package | Allow the runtime configuration agent to install provisioning packages. | WP 10 or later
Enable Removing Provisioning Package | Allow the runtime configuration agent to remove provisioning packages. | WP 10 or later
Require Provisioning Package Signature | Require that provisioning packages must have a certificate signed by a device trusted authority. | WP 10 or later

Hardware

Feature Control Option | Description | Compatible OS
Enable NFC | Allow the device user to use Near Field Communication. | WP 8.1, WP 10 or later
Enable USB Connection (MTP/IPoUSB) | Allow the device to be connected as a Media Transfer Protocol client or IP over USB device through USB. This will allow users to transfer files from the device to a computer using USB. | WP 8.1, WP 10 or later
Enable Camera | Allow the user to use the camera on the device. | WP 8.1, WP 10 or later
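
A pre-deployment check for the constraints stated in the tables above, as an added example that is not part of the product or its documentation: it flags options the target OS does not support, an install hour outside 0-23, a telemetry proxy not in server:port form, and Enable Update Service set without a WSUS Server URL. The dictionary layout, the lint_profile function and the sample values are assumptions made for illustration.

```python
import re

# Compatible OS values transcribed from the tables on this page
# ("WP 10" stands for "WP 10 or later"). Keying a profile by option
# label is an assumption of this example, not the product's format.
COMPAT = {
    "Enable Update Service": {"WP 10"},
    "WSUS Server URL": {"WP 10"},
    "Scheduled Install Time": {"WP 10"},
    "Telemetry Proxy Hostname": {"WP 10"},
    "Require Provisioning Package Signature": {"WP 10"},
    "Enable Manual Root Certificate Installation": {"WP 8.1", "WP 10"},
    "Allow Manual MDM Unenrollment": {"WP 8.1", "WP 10"},
    "Require Internal Storage Encryption": {"WP 8.0", "WP 8.1", "WP 10"},
}
# Assumption: server is a hostname or IPv4 address, followed by :port.
PROXY_RE = re.compile(r"^[A-Za-z0-9.-]+:(\d{1,5})$")

def lint_profile(profile, target_os):
    """Return sorted findings for one profile applied to one target OS."""
    findings = []
    for option in profile:
        if option not in COMPAT:
            findings.append(f"{option}: not in compatibility table, check manually")
        elif target_os not in COMPAT[option]:
            findings.append(f"{option}: not supported on {target_os}, will not be enforced")
    hour = profile.get("Scheduled Install Time")
    if hour is not None and not (isinstance(hour, int) and 0 <= hour <= 23):
        findings.append("Scheduled Install Time: must be 0-23")
    proxy = profile.get("Telemetry Proxy Hostname")
    if proxy is not None:
        m = PROXY_RE.match(proxy)
        if not m or not 1 <= int(m.group(1)) <= 65535:
            findings.append("Telemetry Proxy Hostname: expected server:port")
    if "Enable Update Service" in profile and not profile.get("WSUS Server URL"):
        findings.append("Enable Update Service: applies only with a WSUS Server URL set")
    return sorted(findings)

# Constructed sample profile (not taken from the page).
SAMPLE = {
    "Require Internal Storage Encryption": True,
    "Require Provisioning Package Signature": True,
    "Enable Update Service": True,
    "Scheduled Install Time": 24,
    "Telemetry Proxy Hostname": "https://proxy.example.test",
}

if __name__ == "__main__":
    for os_name in ("WP 8.1", "WP 10"):
        print(os_name, lint_profile(SAMPLE, os_name))
```

Run against WP 8.1, the sample shows that four of its five options would not be enforced at all, which is the case an administrator is least likely to notice from the console.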