Feature Control (Desktop)
General
Application
Feature Control Option | Description |
---|---|
Enable DVR and Broadcasting | Enable use of DVR and broadcasting. |
App Install Control | Specify if device users are allowed to install apps from sources other than the Windows Store. |
Enable Store Originated Apps | Enable the launch of all apps from the Microsoft Store that came pre-installed or were downloaded. |
Enable User Control Over Install | Enable users to change installation options that typically are available only to system administrators. |
Enable Elevated Privileges to Install Programs | Direct Windows Installer to use elevated (SYSTEM) permissions when installing any program, including programs that a system administrator did not distribute or offer. When disabled, Windows Installer applies the current user's permissions for such installs. Enabling this option lets any standard user install an arbitrary MSI package with SYSTEM rights, so leave it disabled unless the device is locked down in other ways. |
Enable Private Store Only | Disable retail catalog and enable only the Private store. |
Auto Update of Store Applications | Specify if device users can control the update schedule of apps from the Windows Store. |
Background Application Run | Specify if device users can allow Windows apps to run in the background |
Developer Model Unlock | Select whether developer unlock is explicitly allowed, denied, or is not configured. |
Enable Shared User App Data | Enable multiple users of the same app to share data. |
Limit App to Data System Volume | Restrict application data to being stored only on the system drive. |
Limit App to System Volume | Restrict installation of applications to the system drive. |
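The installer-elevation and developer-unlock options above are the two in this table with the largest security impact, and it is worth confirming on a device what the profile actually pushed. The following PowerShell audit is an added example, not part of the product documentation; it reads the standard Windows policy registry values behind those options (AlwaysInstallElevated under the Installer policy keys, and AllowDevelopmentWithoutDevLicense under AppModelUnlock) and must run as an administrator to read HKLM.

```powershell
# Added audit example (not part of the product documentation). Reads the
# effective Windows policy values behind the "Enable Elevated Privileges to
# Install Programs" and "Developer Model Unlock" options so you can confirm on a
# device what the profile actually pushed. Run as an administrator.

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # value or key not present = policy not configured
    }
}

function Test-InstallerElevationPolicy {
    # AlwaysInstallElevated only takes effect when BOTH the machine and the
    # user value are 1; that combination lets any user run any MSI as SYSTEM.
    $hklm = Get-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' 'AlwaysInstallElevated'
    $hkcu = Get-PolicyDword 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer' 'AlwaysInstallElevated'

    # Developer mode: AllowDevelopmentWithoutDevLicense = 1 means the device is
    # unlocked for sideloading and local app development.
    $dev = Get-PolicyDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock' 'AllowDevelopmentWithoutDevLicense'

    [pscustomobject]@{
        AlwaysInstallElevated_Machine = $hklm
        AlwaysInstallElevated_User    = $hkcu
        ElevatedInstallActive         = ($hklm -eq 1 -and $hkcu -eq 1)
        DeveloperModeUnlocked         = ($dev -eq 1)
    }
}

$result = Test-InstallerElevationPolicy
$result
if ($result.ElevatedInstallActive) {
    Write-Warning 'AlwaysInstallElevated is in force: any user can install an MSI with SYSTEM privileges.'
}
```

ElevatedInstallActive is the value to alert on: a machine-only or user-only setting of 1 has no effect, which is why the check requires both halves.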
Device Account
Feature Control Option | Description |
---|---|
Enable Microsoft Account Connection | Enable users to connect their devices to a Microsoft account. |
Enable Adding Non-Microsoft Accounts Manually | Enable users to manually connect their devices to a non-Microsoft account. |
Enable Adding Microsoft Account Sign-in Assistant | Allow the Microsoft Account Sign-in Assistant (wlidsvc) NT service to run. Requires device restart. |
Domain Names for Email Sync | Enter the list of domains that are allowed to sync email on the device. |
Search
Feature Control Option | Description |
---|---|
Enable Search to Use Location | Enable Bing search to use location services on the device. |
Enable Search Indexer | Enable the search indexing service to run. |
Settings
Feature Control Option | Description |
---|---|
Enable AutoPlay Settings | Enable the user to change AutoPlay settings. |
Enable Language Settings | Enable the user to change language settings. |
Enable Online Tips Settings | Enable the retrieval of online tips and help for the Settings app. |
Enable Power Sleep Settings | Enable the user to change power and sleep settings. |
Enable Region Settings | Enable the user to change the region settings. |
Enable Sign-in Options Settings | Enable the user to change sign-in options. |
Enable Workplace Settings | Enable the user to change workplace settings. |
Enable Data Usage Settings | Enable the user to change data usage settings. |
Enable Date Time Settings | Enable the user to change data and time settings. |
Enable Edit Device Name Settings | Enable editing of the device name. |
Enable VPN Settings | Enable the user to change VPN settings. |
Enable Account Settings | Enable the user to change account settings. |
Text Input
Feature Control Option | Description |
---|---|
Enable IME Logging | Allow the user to turn logging on or off for incorrect conversions, for saving auto-tuning results to a file, and for history-based predictive input. |
Enable IME Network Access | Allow the user to turn on Open Extended Dictionary, Internet search integration, and the online service that provides input suggestions not present in the PC's local dictionary. |
Enable Japanese IME Surrogate Pair Characters | Enable the Japanese IME surrogate pair characters. |
Enable Japanese IVS Characters | Enable Japanese Ideographic Variation Sequence (IVS) characters. |
Enable Japanese Non-Publishing Standard Glyph | Enable the Japanese non-publishing standard glyph. |
Enable Japanese User Dictionary | Enable the Japanese user dictionary. |
Enable Korean Extended Hanja | Enable the use of Korean Extended Hanja character set. |
Exclude Japanese IME Except JIS0208 | Restrict the character code range of Japanese IME conversion candidates to the JIS X 0208 set. |
Exclude Japanese IME Except JIS0208 and EUDC | Restrict the character code range of Japanese IME conversion candidates to JIS X 0208 plus end-user-defined characters (EUDC). |
Exclude Japanese IME Except Shift JIS | Restrict the character code range of Japanese IME conversion candidates to the Shift JIS set. |
Windows Update
Feature Control Option | Description |
---|---|
Enable Update Service | Allow the device to use Microsoft Update, Windows Server Update Services (WSUS), or the Microsoft Store. Even when Windows Update is configured to receive updates from an intranet update service, it periodically retrieves information from the public Windows Update service so that later connections to Windows Update, Microsoft Update and the Microsoft Store keep working. Disabling this option also blocks that public traffic, and may cause connections to public services such as the Microsoft Store to stop working. Note: this restriction applies only when the device is configured to use an intranet update service through the WSUS Server URL option. |
Auto Update Settings | Allow the IT administrator to manage automatic update behavior: scan, download, and install updates. |
Enable Non-Microsoft Signed Update | Allow the IT administrator to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the WSUS Server URL location. This supports using WSUS for third-party software and patch distribution; such updates are only as trustworthy as the publisher certificates the device trusts. |
Scheduled Install Time (0-23 hours) | Enable the IT administrator to schedule the hour of the update installation. |
WSUS Server URL | The URL of a custom WSUS update server. The device checks for updates from this server instead of Microsoft Update, which is useful for on-premises MDMs that must update devices that cannot reach the Internet. Use an https:// URL: update metadata fetched over plain HTTP can be altered on the network path. |
Scheduled Install Day | Enable the IT administrator to schedule the day of the update installation. |
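The Windows Update options above end up as values under the standard WindowsUpdate policy registry keys, and the three that matter most for a reviewer are the WSUS URL scheme, whether third-party signed updates are accepted, and whether automatic updates have been disabled outright. The following check is an added example, not part of the product documentation; it assumes the standard policy key locations (WUServer, WUStatusServer and AcceptTrustedPublisherCerts under WindowsUpdate; UseWUServer and AUOptions under WindowsUpdate\AU) and must run as an administrator.

```powershell
# Added check (not part of the product documentation): reads the Windows Update
# policy values behind the "WSUS Server URL", "Auto Update Settings" and
# "Enable Non-Microsoft Signed Update" options and flags the configurations a
# reviewer would question. Run as an administrator.

$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy = "$WuPolicy\AU"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-UpdatePolicy {
    $findings = New-Object System.Collections.Generic.List[string]

    $useWsus    = Get-PolicyValue $AuPolicy 'UseWUServer'                # 1 = use the intranet server
    $wuServer   = Get-PolicyValue $WuPolicy 'WUServer'                   # the "WSUS Server URL" value
    $statusSrv  = Get-PolicyValue $WuPolicy 'WUStatusServer'
    $thirdParty = Get-PolicyValue $WuPolicy 'AcceptTrustedPublisherCerts' # "Enable Non-Microsoft Signed Update"
    $auOptions  = Get-PolicyValue $AuPolicy 'AUOptions'                  # "Auto Update Settings"

    if ($useWsus -eq 1) {
        $urls = @($wuServer, $statusSrv) | Where-Object { $_ }
        foreach ($url in $urls) {
            $uri = $null
            if (-not [System.Uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$uri)) {
                $findings.Add("WSUS URL is not a valid absolute URL: $url")
            } elseif ($uri.Scheme -ne 'https') {
                # Plain-HTTP WSUS lets anyone on the network path rewrite update metadata.
                $findings.Add("WSUS URL is not HTTPS: $url")
            }
        }
        if (-not $wuServer) { $findings.Add('UseWUServer is set but no WUServer URL is configured') }
    }
    if ($thirdParty -eq 1) {
        $findings.Add('Non-Microsoft signed updates are accepted from the WSUS server; review the trusted publisher list')
    }
    if ($auOptions -eq 1) {
        # AUOptions: 1 = automatic updating disabled, 2 = notify before download,
        # 3 = auto download and notify, 4 = auto download and schedule install,
        # 5 = local admin chooses.
        $findings.Add('Automatic Updates are disabled by policy (AUOptions = 1)')
    }

    [pscustomobject]@{
        UseWsus      = ($useWsus -eq 1)
        WsusServer   = $wuServer
        AUOptions    = $auOptions
        ThirdPartyOK = ($thirdParty -eq 1)
        Findings     = $findings
    }
}

Test-UpdatePolicy
```

An empty Findings list means the device matches a conservative profile: HTTPS-only WSUS, Microsoft-signed updates only, and automatic updating left on.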
Start Menu
Feature Control Option | Description |
---|---|
Show Change Account Settings | Enables the Change Account settings to appear in the Start Menu. |
Show Frequently Used Apps | Enables Frequently Used Apps to appear in the Start Menu. Note: Requires device restart. |
Show Hibernate | Enables Hibernate power option to appear in the Start Menu. |
Show Lock | Enables Lock to appear in the Start Menu. |
Show Power Button | Enables the Power button to appear in the Start Menu. Note: Requires device restart. |
Show Recent Jump lists | Enables Recent Jump lists to appear in the Start Menu. Note: Requires device restart. |
Show Recently Added Apps | Enables Recently Added Apps to appear in the Start Menu. Note: Requires device restart. |
Show Restart | Enables Restart power option to appear in the Start Menu. |
Show Shutdown | Enables Shutdown power option to appear in the Start Menu. |
Show Sign Out | Enables Sign Out option to appear in the Start Menu. |
Show Sleep | Enables Sleep power option to appear in the Start Menu. |
Show User Tile | Enables user tiles to appear in the Start Menu. |
Enable Pin to Taskbar Connectivity | Allow the administrator to configure the taskbar by enabling the pinning and unpinning of apps. |
Connectivity
Cellular Data and Roaming
Feature Control Option | Description |
---|---|
VPN Roaming Over Cellular | Allow users to enable VPN while the device is roaming. |
VPN Over Cellular | Allow users to enable VPN while the device is on a cellular data network. |
Enable Device Cellular Data | Enable the cellular data channel on the device. |
Cellular Data Roaming | Enable the user to use cellular data while the device is roaming. |
Enable Enterprise APN User Control | Enable the device user to change enterprise APN settings in the APN profile configuration. Supported on desktop devices running Windows 10 version 1703 and later. |
WiFi
Feature Control Option | Description |
---|---|
Enable Auto Connect to WiFi Sense Hotspots | Enable the device to connect automatically to hotspots suggested by WiFi Sense. |
Bluetooth
Feature Control Option | Description |
---|---|
Enable Bluetooth | Allow the user to enable Bluetooth. |
Enable Bluetooth Discoverable Mode | Enable the Bluetooth discoverable mode. |
Set Bluetooth Device Name | Enter a string that specifies the local Bluetooth device name. |
Enable Bluetooth Advertising | Enable the device to act as a source for advertisements. |
Enable Bluetooth Pre-pairing | Enable specific bundled Bluetooth peripherals to automatically pair with the host devices. |
Connectivity
Feature Control Option | Description |
---|---|
Enable Printing Over HTTP | Enable the user to print over HTTP from this client. |
Enable Downloading of Print Drivers Over HTTP | Enable the user to download print driver packages over HTTP. |
Enable Download of Online Wizards | Enable Windows to download the list of service providers for the web publishing and online ordering wizards. When disabled, only the service providers cached in the local registry are displayed. |
Enable Network Connectivity Active Tests | Enable the NCSI active probe, which contacts www.msftconnecttest.com to detect Internet connectivity. When disabled, the device does not contact that host and may report limited connectivity. |
Enable Configuration of Network Bridge | Enable the user to install and configure the Network Bridge. |
Enable Connected Devices | Enable the user to enable the Connected Devices Platform (CDP) component. |
Security and Privacy
Data Protection
Feature Control Option | Description |
---|---|
Enable Internet Sharing Over WiFi | Enable the device to share Internet and become a WiFi hotspot. |
Enable Direct Memory Access | Enable direct memory access (DMA) for hot-pluggable PCI devices (for example Thunderbolt) before a user signs in. Disabling this option blocks DMA on those ports until a user signs in, which limits DMA attacks against a locked or booting device. |
Experience
Feature Control Option | Description |
---|---|
Enable Windows Consumer Features | Enable consumer-oriented experiences such as Start suggestions, membership notifications, post-OOBE app installs, and redirect tiles. |
Enable Windows Tips | Enable Windows Tips / soft landing. |
Enable Cortana | Enable Cortana (personal digital assistant) on the device. |
Allow Manual MDM Unenrollment | Allow the user to unenroll the device. |
Enable Device Discovery on Lock Screen | Enable the device discovery user interface on the lock screen. |
Enable Find My Device | Enable the device and its location to be registered in the cloud so the Find My Device feature will work. |
Enable Syncing of Settings | Enable settings to be synced with other devices. |
Enable Feedback Notifications | Enable devices to show feedback questions from Microsoft. |
System
Feature Control Option | Description |
---|---|
Enable OneDrive File Sync | Enable apps and features to work with files on OneDrive. Note: This feature control option requires a device reboot. |
Boot-Start Drivers | Specify which boot-start drivers are initialized, based on the Good, Unknown or Bad classification assigned by the Early Launch Antimalware (ELAM) driver. If this option is disabled or not configured, drivers classified Good or Unknown, and Bad drivers that are boot-critical, are initialized; other Bad drivers are skipped. |
Enable Enterprise Authentication Proxy | Enable Connected User Experience and Telemetry service to automatically use an authenticated proxy to send data to Microsoft on Windows 10 or later. |
Enable System Restore | Enable device user to access System Restore and the System Restore Wizard. The options to configure System Restore or create restore points through System Protection are also enabled. |
Require to Save Diagnostics Logs Locally | Mandate that all diagnostics are saved locally for use in internal investigations. |
Restrict Telemetry Data | Determines the amount of diagnostic and usage telemetry data sent to Microsoft. Choose one of the available levels; they are listed in order of least to most data sent. |
Enable Location Service | Determines the status of Location Services on the device. Choose an option from the dropdown list. |
Enable SD Card Access | Enable device user to access data on the SD card. |
Enable Enhanced Diagnostic Data | Enable device to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. Restrict Telemetry Data must be set to Enhanced to use this feature. |
Enable Windows Preview Builds | Enable device user to download and install Windows preview software. |
Enable Embedded Mode | Enable device user to enter Embedded Mode. |
Allow Microsoft Experimentation | Allow Microsoft to conduct full experimentation to study user preferences or device behavior. |
Enable Font Providers | Enable device user to download fonts and font catalog data from online font providers. |
Enable Factory Reset | Enable the device user to factory reset the device. |
Telemetry Proxy | Specifies a proxy server through which to forward Connected User Experiences and Telemetry requests. Enter the fully qualified domain name (FQDN) or IP address of a proxy server in the format server:port. The connection is made over TLS (SSL). If the named proxy fails, or if no proxy is specified when this option is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device. |
Authentication
Feature Control Option | Description |
---|---|
Enable Azure Active Directory Password Reset | Specifies whether password reset is enabled for Azure Active Directory accounts. This policy allows the Azure AD Tenant administrators to enable self-service password reset feature on the Windows login screen. |
Enable FIDO Device Sign-On | Specifies whether the Fast Identity Online (FIDO) device can be used to sign on. This policy enables the Windows login credential provider for FIDO 2.0 devices. |
Enable EAP Fast Reconnect | Allows EAP Fast Reconnect to be attempted for EAP Method TLS. |
Enable Secondary Authentication Devices | Allows secondary authentication devices to work with Windows. |
Windows Defender
Feature Control Option | Description |
---|---|
Cloud Protection | Enable or disable Cloud Protection. If this option is enabled, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information in their cloud and learn more about problems affecting users. Microsoft can then respond with the best possible solution. |
Average CPU Load Factor in Percent | Set the average CPU load (as a percentage) that a Defender scan is allowed to consume. |
Days to Retain Cleaned Malware | Time period (in days) that quarantined items will be stored on the system. |
Enable Archive Scanning | Enable scanning of archives. |
Enable Behavior Monitoring | Enable Defender's Behavior Monitoring functionality. |
Enable Email Scanning | Enable scanning of email. |
Enable Full Scan On Network Drives | Enable a full scan of mapped network drives. |
Enable Full Scan On Removable Drives | Enable a full scan of removable drives. |
Enable Intrusion Prevention System | Enable Defender's Intrusion Prevention functionality. |
Enable IOAVP Protection | Enable Defender's IOAV protection (scanning of files downloaded from the web and of email attachments). |
Enable On Access Protection | Enable Defender's On Access Protection functionality. |
Enable Realtime Monitoring | Enable Defender's Realtime Monitoring functionality. |
Enable Scanning Network Files | Enable scanning of network files. |
Enable Script Scanning | Enable Defender's Script Scanning functionality. |
Enable User UI Access | Allow user access to the Defender UI. If disallowed, all Defender notifications will also be suppressed. |
Excluded Extensions | Allow an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by |. For example, "lib|obj". |
Excluded Paths | Allow an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by |. For example, "C:\Example|C:\Example1". |
Excluded Processes | Allow an administrator to specify a list of processes whose opened files are ignored during a scan. Keep all three exclusion lists as short and specific as possible: an excluded extension, path or process is not scanned at all, which makes it the obvious place for an attacker to drop a payload. |
Real Time Scan Direction | Control which sets of files should be monitored. Bidirectional – Monitor all files. Incoming – Monitor incoming files. Outgoing – Monitor outgoing files. |
Scan Type | Select whether to perform a quick scan or a full scan. Quick Scan – Perform a quick Defender scan. Full Scan – Perform a full Defender scan. |
Quick Scan Schedule in Minutes | Specify the time of day that the Defender quick scan should run, as the number of minutes past midnight (local time). Valid values are 0 to 1380, where 12:00 AM = 0, 1:00 AM = 60, and so on up to 11:00 PM = 1380. |
Schedule Scan Day | Select the day on which the Defender scan should run. |
Schedule Scan Time in Minutes | Specify the time of day that the Defender scan should run, as the number of minutes past midnight (local time). Valid values are 0 to 1380, where 12:00 AM = 0, 1:00 AM = 60, and so on up to 11:00 PM = 1380. |
Signature Update Interval in Hours | Specify the interval (in hours) at which Defender checks for new signatures, instead of checking on the scheduled scan day and time. The smallest interval is 1, that is, hourly checks. |
Submit Samples Consent | Controls whether Defender sends samples to Microsoft. If the required consent has already been granted, Defender submits them; otherwise a consent prompt is shown before data is sent. Sample submission requires Cloud Protection to be enabled. Always Prompt – Always prompt the user. Send Safe Samples – Send safe samples automatically. Never Send – Never send samples. Send All Samples – Send all samples automatically. User-Controlled – Allow the device user to configure this setting. |
Enable SmartScreen in Shell | Enable Windows SmartScreen, which checks apps and files obtained from the web before they run. |
Ignore SmartScreen Warning | Allow the device user to bypass a SmartScreen warning and run the flagged app or file. Note: SmartScreen must be enabled. |
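The Windows Defender table maps onto what Get-MpPreference reports on the endpoint, so the profile can be checked against the effective configuration rather than trusted. The following PowerShell audit is an added example, not part of the product documentation. It assumes the Defender PowerShell module (Get-MpPreference, present on Windows 10 and 11), takes the pipe-separated exclusion strings in the same format the profile fields use, flags exclusions broad enough to be abused, and reports drift between the profile and the device. The list of broad paths and risky extensions is constructed for the example; run it as an administrator.

```powershell
# Added audit example (not part of the product documentation): compare the
# effective Microsoft Defender configuration on a Windows endpoint with the
# intent expressed by the Feature Control options in the table above, and flag
# exclusions that are broad enough to be abused. Assumes Get-MpPreference
# (Defender PowerShell module). Run as an administrator.

function Split-ProfileList {
    # The profile fields "Excluded Extensions" and "Excluded Paths" are
    # pipe-separated, e.g. "lib|obj" or "C:\Example|C:\Example1".
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return @() }
    return $Value.Split('|') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

# Exclusions that defeat most of the protection the table enables.
# Constructed list for this example; extend it for your environment.
$BroadPaths = @('C:\', 'C:\Users', 'C:\Windows', 'C:\Windows\Temp', 'C:\ProgramData',
                '%TEMP%', '%USERPROFILE%', '%APPDATA%', '%LOCALAPPDATA%')
$RiskyExtensions = @('exe', 'dll', 'ps1', 'vbs', 'js', 'bat', 'cmd', 'scr', 'msi', 'hta')

function Test-DefenderPosture {
    [CmdletBinding()]
    param(
        # The same values you would enter in the profile, for comparison
        # against what is actually in force on the device.
        [string]$ExpectedExcludedExtensions = '',
        [string]$ExpectedExcludedPaths = ''
    )
    $pref = Get-MpPreference
    $findings = New-Object System.Collections.Generic.List[string]

    # Core protections from the table; Defender stores them as Disable* booleans.
    $checks = @{
        'Enable Realtime Monitoring' = -not $pref.DisableRealtimeMonitoring
        'Enable Behavior Monitoring' = -not $pref.DisableBehaviorMonitoring
        'Enable IOAVP Protection'    = -not $pref.DisableIOAVProtection
        'Enable Script Scanning'     = -not $pref.DisableScriptScanning
        'Cloud Protection'           = ($pref.MAPSReporting -ne 0)
    }
    foreach ($name in $checks.Keys) {
        if (-not $checks[$name]) { $findings.Add("$name is off on this device") }
    }

    # Exclusions: anything broader than a specific directory, or containing a
    # wildcard, is a gap an attacker can drop a payload into.
    $paths = @($pref.ExclusionPath | Where-Object { $_ })
    $exts  = @($pref.ExclusionExtension | Where-Object { $_ })
    foreach ($p in $paths) {
        $norm = $p.TrimEnd('\')
        if ($BroadPaths -contains $norm -or $norm -match '\*') {
            $findings.Add("Broad path exclusion: $p")
        }
    }
    foreach ($e in $exts) {
        if ($RiskyExtensions -contains $e.TrimStart('.').ToLower()) {
            $findings.Add("Executable-type extension excluded: $e")
        }
    }

    # Drift between the profile's pipe-separated lists and the device.
    $expectedExt  = Split-ProfileList $ExpectedExcludedExtensions
    $expectedPath = Split-ProfileList $ExpectedExcludedPaths
    foreach ($e in $exts)  { if ($expectedExt  -notcontains $e) { $findings.Add("Extension exclusion not in profile: $e") } }
    foreach ($p in $paths) { if ($expectedPath -notcontains $p) { $findings.Add("Path exclusion not in profile: $p") } }

    [pscustomobject]@{
        RealTimeScanDirection = $pref.RealTimeScanDirection   # 0 = both, 1 = incoming, 2 = outgoing
        QuickScanTime         = $pref.ScanScheduleQuickScanTime
        SignatureIntervalHrs  = $pref.SignatureUpdateInterval
        SubmitSamplesConsent  = $pref.SubmitSamplesConsent
        Findings              = $findings
    }
}

Test-DefenderPosture -ExpectedExcludedExtensions 'lib|obj' -ExpectedExcludedPaths 'C:\Example|C:\Example1'
```

Any exclusion the device reports that is absent from the profile is worth investigating: it was either set locally, by another management channel, or by something that wanted to stop being scanned.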
Security
Feature Control Option | Description |
---|---|
Clear TPM If the Device Is Not Ready | Admin access is required. The prompt will appear on first admin login after a reboot when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin login after the restart. |
Configure Windows Passwords | Configure the use of passwords for Windows features. |
Enable Automatic Device Encryption for Azure AD Joined Devices | Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined. |
Enable Adding Provisioning Package | Specifies whether to allow the runtime configuration agent to install provisioning packages. |
Enable Removing Provisioning Package | Specifies whether to allow the runtime configuration agent to remove provisioning packages. |
Require Provisioning Package Signature | Specifies whether provisioning packages must have a certificate signed by a device trusted authority. |
Hardware
Feature Control Option | Description |
---|---|
Enable Device Location Switch | Enable/disable the Location Service's device switch. |
Enable Camera | Enable/disable the device's camera. |
Enable USB Access | Enable/disable access to the device's USB port for the following: |
Enable USB Media Storage | Enable/disable the use of external storage devices, such as USB drives or SD cards with the device. |
Enable Serial Connection Access | Enable/disable the device's serial port. |