Feature Control (Desktop)

The File Encryption profile configuration enables you to use file encryption to secure the data stored on a device or a storage card. You perform this configuration when:

Secured data will only be readable on the device while encrypted.

General

Application

Feature Control Option: Description
Enable DVR and Broadcasting: Enable use of DVR and broadcasting.
App Install Control: Specify if device users are allowed to install apps from sources other than the Windows Store.
Enable Store Originated Apps: Enable the launch of all apps from the Microsoft Store that came pre-installed or were downloaded.
Enable User Control Over Install: Enable users to change installation options that typically are available only to system administrators.
Enable Elevated Privileges to Install Programs: Enable elevated permissions to install programs that need special permissions. The system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer.
Enable Private Store Only: Disable the retail catalog and enable only the Private store.
Auto Update of Store Applications: Specify if device users can control the update schedule of apps from the Windows Store.
Background Application Run: Specify if device users can allow Windows apps to run in the background.
Developer Mode Unlock: Select whether developer unlock is explicitly allowed, denied, or not configured.
Enable Shared User App Data: Enable multiple users of the same app to share data.
Limit App Data to System Volume: Restrict application data to being stored only on the system drive.
Limit App to System Volume: Restrict installation of applications to the system drive.

Device Account

Feature Control Option: Description
Enable Microsoft Account Connection: Enable users to connect their devices to a Microsoft account.
Enable Adding Non-Microsoft Accounts Manually: Enable users to manually connect their devices to a non-Microsoft account.
Enable Adding Microsoft Account Sign-in Assistant: Enable users to enable the Microsoft Account Sign-in Assistant NT service. Requires device restart.
Domain Names for Email Sync: Enter the list of domains that are allowed to sync email on the device.

Search

Feature Control Option: Description
Enable Search to Use Location: Enable Bing search to use location services on the device.
Enable Search Indexer: Enable the search indexing service to run.

Settings

Feature Control Option: Description
Enable AutoPlay Settings: Enable the user to change AutoPlay settings.
Enable Language Settings: Enable the user to change language settings.
Enable Online Tips Settings: Enable the retrieval of online tips and help for the Settings app.
Enable Power Sleep Settings: Enable the user to change power and sleep settings.
Enable Region Settings: Enable the user to change the region settings.
Enable Sign-in Options Settings: Enable the user to change sign-in options.
Enable Workplace Settings: Enable the user to change workplace settings.
Enable Data Usage Settings: Enable the user to change data usage settings.
Enable Date Time Settings: Enable the user to change date and time settings.
Enable Edit Device Name Settings: Enable editing of the device name.
Enable VPN Settings: Enable the user to change VPN settings.
Enable Account Settings: Enable the user to change account settings.

Text Input

Feature Control Option: Description
Enable IME Logging: Allow the user to turn on and off the logging of incorrect conversions, the saving of auto-tuning results to a file, and history-based predictive input.
Enable IME Network Access: Allow the user to turn on Open Extended Dictionary, Internet Search Integration, and the online service that provides input suggestions not found in the PC's local dictionary.
Enable Japanese IME Surrogate Pair Characters: Enable the Japanese IME surrogate pair characters.
Enable Japanese IVS Characters: Enable Japanese Ideographic Variation Sequence (IVS) characters.
Enable Japanese Non-Publishing Standard Glyph: Enable the Japanese non-publishing standard glyph.
Enable Japanese User Dictionary: Enable the Japanese user dictionary.
Enable Korean Extended Hanja: Enable the use of the Korean Extended Hanja character set.
Exclude Japanese IME Except JIS0208: Allow users to restrict the character code range of conversion by setting the character filter.
Exclude Japanese IME Except JIS0208 and EUDC: Allow users to restrict the character code range of conversion by setting the character filter.
Exclude Japanese IME Except Shift JIS: Allow users to restrict the character code range of conversion by setting the character filter.

Windows Update

Feature Control Option: Description
Enable Update Service: Select this option to allow the device to use Microsoft Update, Windows Server Update Services (WSUS), or the Windows Store. Even when Windows Update is configured to receive updates from an intranet update service, it periodically retrieves information from the public Windows Update service to enable future connections to Windows Update and to other services such as Microsoft Update or the Windows Store. Enabling this policy disables that functionality and may cause connections to public services such as the Windows Store to stop working.
Note: This policy applies only when the desktop or device is configured to connect to an intranet update service using the Custom Update WSUS server URL policy.
Auto Update Settings: Allow the IT administrator to manage automatic update behavior: scanning for, downloading, and installing updates.
  • Notify User: Notify the user before downloading the update. This policy is used by enterprises that want to enable end users to manage data usage. With this option, users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
  • Install and Notify: Auto install the update and then notify the user to schedule a restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the computer is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update installs them right away. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart; after that, a restart is forced. Letting the end user control the restart time reduces the risk of accidental app data loss caused by apps that do not shut down properly on restart.
  • Install and Restart: Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the computer is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update installs them right away. If a restart is required, the device is restarted automatically when it is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but the risk of accidental app data loss caused by apps that do not shut down properly on restart increases.
  • Install and Restart at Specific Time: Auto install and restart at a specified time. The IT administrator specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and the restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
  • Install and Restart Without User Control: Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the computer is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update installs them right away. If a restart is required, the device is restarted automatically when it is not actively being used. The end-user control panel is set to read-only.
  • No Auto Updates: Turn off automatic updates.
Enable Non-Microsoft Signed Update: Allow the IT administrator to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third-party software and patch distribution. Supported operations are Get and Replace.
Scheduled Install Time (0-23 hours): Enable the IT administrator to schedule the hour of the update installation.
WSUS Server URL: The URL of a custom WSUS update server. Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.
Scheduled Install Day: Enable the IT administrator to schedule the day of the update installation.
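The six Windows Update options above are applied to the device as update policies, and the combinations matter more than any single value: a scheduled install mode with no schedule falls back to the 3 AM default, a WSUS URL over plain HTTP exposes update traffic, and accepting non-Microsoft signed updates turns the WSUS server into a trusted code source. The following PowerShell script is an added example, not part of the original page or the product's own tooling. It reads the applied values and reports findings an administrator would want to review. The registry path under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update, the value names AllowAutoUpdate, AllowUpdateService, AllowNonMicrosoftSignedUpdate, ScheduledInstallDay, ScheduledInstallTime and UpdateServiceUrl, and the numbering of the Auto Update Settings choices from 0 to 5 in the order listed above are assumptions about the underlying Windows Update CSP; the sample policy hashtable is constructed so the checks run without a managed device.

```powershell
# Added example, not from the original page: audit the Windows Update policy values an MDM
# client applied to a Windows 10 desktop and report the settings worth a second look.
# ASSUMPTION: applied MDM policies are mirrored under this registry path (Update CSP area).
$UpdatePolicyPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

# ASSUMPTION: the "Auto Update Settings" choices map to AllowAutoUpdate values 0..5
# in the order the table above lists them.
$AutoUpdateNames = @{
    0 = 'Notify User'
    1 = 'Install and Notify'
    2 = 'Install and Restart'
    3 = 'Install and Restart at Specific Time'
    4 = 'Install and Restart Without User Control'
    5 = 'No Auto Updates'
}
$ScheduledDayNames = @{ 0 = 'every day'; 1 = 'Sunday'; 2 = 'Monday'; 3 = 'Tuesday'
                        4 = 'Wednesday'; 5 = 'Thursday'; 6 = 'Friday'; 7 = 'Saturday' }

function Get-AppliedUpdatePolicy {
    # Collect the applied values into a plain hashtable; values that are not set stay absent.
    param([string]$Path = $UpdatePolicyPath)
    $policy = @{}
    if (-not (Test-Path -Path $Path)) { return $policy }
    $item = Get-ItemProperty -Path $Path
    foreach ($name in 'AllowAutoUpdate', 'AllowUpdateService', 'AllowNonMicrosoftSignedUpdate',
                      'ScheduledInstallDay', 'ScheduledInstallTime', 'UpdateServiceUrl') {
        if ($null -ne $item.$name) { $policy[$name] = $item.$name }
    }
    return $policy
}

function Test-UpdatePolicy {
    # Return one line per finding; an empty result means nothing stood out.
    param([Parameter(Mandatory)][hashtable]$Policy)
    $findings = New-Object System.Collections.Generic.List[string]

    if ($Policy.ContainsKey('AllowAutoUpdate')) {
        $mode = [int]$Policy['AllowAutoUpdate']
        $label = $AutoUpdateNames[$mode]
        if (-not $label) {
            $findings.Add("AllowAutoUpdate=$mode is not a recognised mode")
        } elseif ($mode -eq 5) {
            $findings.Add("Auto Update Settings is 'No Auto Updates': the device receives no automatic updates")
        } elseif ($mode -eq 0) {
            $findings.Add("Auto Update Settings is 'Notify User': downloads wait for user action")
        } elseif ($mode -eq 3 -and -not ($Policy.ContainsKey('ScheduledInstallDay') -and $Policy.ContainsKey('ScheduledInstallTime'))) {
            $findings.Add("'$label' without an explicit day and time: the 3 AM daily default applies")
        }
    } else {
        $findings.Add('AllowAutoUpdate is not set: the device keeps its default update behaviour')
    }

    if ($Policy.ContainsKey('ScheduledInstallTime')) {
        $hour = [int]$Policy['ScheduledInstallTime']
        if ($hour -lt 0 -or $hour -gt 23) { $findings.Add("ScheduledInstallTime=$hour is outside the valid 0-23 range") }
    }
    if ($Policy.ContainsKey('ScheduledInstallDay')) {
        $day = [int]$Policy['ScheduledInstallDay']
        if (-not $ScheduledDayNames.ContainsKey($day)) { $findings.Add("ScheduledInstallDay=$day is not a valid day value") }
    }

    $url = $Policy['UpdateServiceUrl']
    if ($url -and $url -notmatch '^https://') {
        $findings.Add("WSUS Server URL '$url' is not HTTPS: update metadata and approvals travel unprotected")
    }
    if ($Policy.ContainsKey('AllowNonMicrosoftSignedUpdate') -and [int]$Policy['AllowNonMicrosoftSignedUpdate'] -eq 1) {
        if ($url) { $findings.Add("Non-Microsoft signed updates are accepted from '$url': protect that WSUS server like any code-signing trust anchor") }
        else      { $findings.Add('Non-Microsoft signed updates are allowed but no WSUS Server URL is set; the setting only applies to the UpdateServiceUrl location') }
    }
    if ($Policy.ContainsKey('AllowUpdateService') -and [int]$Policy['AllowUpdateService'] -eq 0) {
        $findings.Add('Update Service is disabled: Microsoft Update, WSUS and Windows Store updates are not used')
    }
    return $findings
}

# Constructed sample policy (not captured from a real device) so the checks run anywhere.
$SamplePolicy = @{
    AllowAutoUpdate               = 3
    ScheduledInstallTime          = 27          # invalid: valid hours are 0-23
    UpdateServiceUrl              = 'http://wsus.example.internal:8530'
    AllowNonMicrosoftSignedUpdate = 1
    AllowUpdateService            = 0
}
Write-Output '--- constructed sample ---'
Test-UpdatePolicy -Policy $SamplePolicy

Write-Output '--- this device ---'
$live = Get-AppliedUpdatePolicy
if ($live.Count -eq 0) { Write-Output "No applied Update policy found at $UpdatePolicyPath" }
else                   { Test-UpdatePolicy -Policy $live }
```

On the constructed sample the script reports the missing schedule day, the out-of-range hour, the HTTP WSUS URL, the non-Microsoft signing allowance and the disabled update service; on a managed device it reads the applied values instead. Because Test-UpdatePolicy takes a hashtable, the same checks can be run against an exported profile before it is pushed.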

Start Menu

Feature Control Option: Description
Show Change Account Settings: Enables the Change Account settings to appear in the Start Menu.
Show Frequently Used Apps: Enables Frequently Used Apps to appear in the Start Menu.
Note: Requires device restart.
Show Hibernate: Enables the Hibernate power option to appear in the Start Menu.
Show Lock: Enables Lock to appear in the Start Menu.
Show Power Button: Enables the Power button to appear in the Start Menu.
Note: Requires device restart.
Show Recent Jump Lists: Enables Recent Jump Lists to appear in the Start Menu.
Note: Requires device restart.
Show Recently Added Apps: Enables Recently Added Apps to appear in the Start Menu.
Note: Requires device restart.
Show Restart: Enables the Restart power option to appear in the Start Menu.
Show Shutdown: Enables the Shutdown power option to appear in the Start Menu.
Show Sign Out: Enables the Sign Out option to appear in the Start Menu.
Show Sleep: Enables the Sleep power option to appear in the Start Menu.
Show User Tile: Enables user tiles to appear in the Start Menu.
Enable Pin to Taskbar Connectivity: Allows the administrator to configure the taskbar by enabling the pinning and unpinning of apps on the taskbar.

Connectivity

Cellular Data and Roaming

Feature Control Option: Description
VPN Roaming Over Cellular: Allow users to enable VPN while the device is roaming.
VPN Over Cellular: Allow users to enable VPN while the device is on a cellular data network.
Enable Device Cellular Data: Enable the cellular data channel on the device.
Cellular Data Roaming: Enable the user to use cellular data while the device is roaming.
Enable Enterprise APN User Control: Enable the device user to change enterprise APN settings for the APN profile configuration.

Supported on desktop devices running Windows 10 version 1703 and later.

WiFi

Feature Control Option: Description
Enable Auto Connect to WiFi Sense Hotspots: Enable the device to auto connect to WiFi hotspots.

Bluetooth

Feature Control Option: Description
Enable Bluetooth: Allow the user to enable Bluetooth.
Enable Bluetooth Discoverable Mode: Enable the Bluetooth discoverable mode.
Set Bluetooth Device Name: Enter a string that specifies the local Bluetooth device name.
Enable Bluetooth Advertising: Enable the device to act as a source for advertisements.
Enable Bluetooth Pre-pairing: Enable specific bundled Bluetooth peripherals to automatically pair with the host device.

Connectivity

Feature Control Option: Description
Enable Printing Over HTTP: Enable the user to print over HTTP from this client.
Enable Downloading of Print Drivers Over HTTP: Enable the user to download print driver packages over HTTP.
Enable Download of Online Wizards: Enable Windows to download a list of service providers for online wizards; when disabled, only the service providers cached in the local registry are displayed.
Enable Network Connectivity Active Tests: Enable the NCSI active probe; when disabled, the probe does not connect to www.msftconnecttest.com.
Enable Configuration of Network Bridge: Enable the user to install and configure the Network Bridge.
Enable Connected Devices: Enable the user to enable the Connected Devices Platform (CDP) component.

Security and Privacy

Data Protection

Feature Control Option: Description
Enable Internet Sharing Over WiFi: Enable the device to share its Internet connection and become a WiFi hotspot.
Enable Direct Memory Access: Enable Direct Memory Access.

Experience

Feature Control Option: Description
Enable Windows Consumer Features: Enable experiences that are typically for consumers only, such as Start suggestions, membership notifications, post-OOBE app installs, and redirect tiles.
Enable Windows Tips: Enable Windows Tips (soft landing).
Enable Cortana: Enable Cortana (personal digital assistant) on the device.
Allow Manual MDM Unenrollment: Allow the user to unenroll the device.
Enable Device Discovery on Lock Screen: Enable the device discovery user interface on the lock screen.
Enable Find My Device: Enable the device and its location to be registered in the cloud so that the Find My Device feature works.
Enable Syncing of Settings: Enable settings to be synced with other devices.
Enable Feedback Notifications: Enable devices to show feedback questions from Microsoft.

System

Feature Control Option: Description
Enable OneDrive File Sync: Enable apps and features to work with files on OneDrive.
Note: This feature control option requires a device reboot.
Boot-Start Drivers: If you disable or do not configure this policy setting, boot-start drivers are classified as Good, Unknown, or Bad. Drivers classified as Good, Unknown, or Bad but boot-critical are initialized, while other drivers classified as Bad are skipped.
Enable Enterprise Authentication Proxy: Enable the Connected User Experiences and Telemetry service to automatically use an authenticated proxy to send data to Microsoft on Windows 10 or later.
Enable System Restore: Enable the device user to access System Restore and the System Restore Wizard. The options to configure System Restore or create restore points through System Protection are also enabled.
Require to Save Diagnostics Logs Locally: Mandate that all diagnostics are saved locally for use in internal investigations.
Restrict Telemetry Data: Determines the amount of diagnostic and usage telemetry data sent to Microsoft. Choose one of the following levels:
  • Security: Sends only the data required to keep Windows secure.
  • Basic: Sends basic data such as device information, app compatibility and usage data, plus the data from the Security level.
  • Enhanced: Sends the Security and Basic data plus additional insights such as how Windows, Windows Server, System Center, and apps are used, how they perform, and advanced reliability data.
  • Full: Sends all data necessary to identify and solve issues plus the data from the Security, Basic, and Enhanced levels.

Levels are listed in order of least to most data sent.

Enable Location Service: Determines the status of Location Services on the device. Choose an option from the dropdown list:
  • User Controlled: The device user can switch location services on or off.
  • Enable: Location services are enabled and the device user cannot disable them.
  • Disable: All location services are disabled and no applications can access location information. The device user cannot enable them.
Enable SD Card Access: Enable the device user to access data on the SD card.
Enable Enhanced Diagnostic Data: Enable the device to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services.

Restrict Telemetry Data must be set to Enhanced to use this feature.

Enable Windows Preview Builds: Enable the device user to download and install Windows preview software.
Enable Embedded Mode: Enable the device user to enter Embedded Mode.
Allow Microsoft Experimentation: Allow Microsoft to conduct full experimentation to study user preferences or device behavior.
Enable Font Providers: Enable the device user to download fonts and font catalog data from online font providers.
Enable Factory Reset: Enable the device user to factory reset the device.
Telemetry Proxy: Specifies a proxy server through which Connected User Experiences and Telemetry requests are forwarded. Enter the fully qualified domain name (FQDN) or IP address of a proxy server. The format for this setting is server:port. The connection is made over a Secure Sockets Layer (SSL) connection.

If the named proxy fails, or if no proxy is specified when this policy is enabled, the Connected User Experiences and Telemetry data is not transmitted and remains on the local device.

Authentication

Feature Control Option: Description
Enable Azure Active Directory Password Reset: Specifies whether password reset is enabled for Azure Active Directory accounts. This policy allows Azure AD tenant administrators to enable the self-service password reset feature on the Windows login screen.
Enable FIDO Device Sign-On: Specifies whether a Fast Identity Online (FIDO) device can be used to sign on. This policy enables the Windows login credential provider for FIDO 2.0 devices.
Enable EAP Fast Reconnect: Allows EAP Fast Reconnect to be attempted for the EAP-TLS method.
Enable Secondary Authentication Devices: Allows secondary authentication devices to work with Windows.

Windows Defender

Feature Control Option: Description
Cloud Protection: Enable or disable Cloud Protection. If this option is enabled, Windows Defender sends information to Microsoft about any problems it finds. Microsoft analyzes that information in its cloud to learn more about problems affecting users and can then respond with the best possible solution.
Average CPU Load Factor in Percent: Set the average CPU load factor for a scan (as a percent).
Days to Retain Cleaned Malware: Time period (in days) that quarantined items are stored on the system.
Enable Archive Scanning: Enable scanning of archives.
Enable Behavior Monitoring: Enable Defender's Behavior Monitoring functionality.
Enable Email Scanning: Enable scanning of email.
Enable Full Scan On Network Drives: Enable a full scan of mapped network drives.
Enable Full Scan On Removable Drives: Enable a full scan of removable drives.
Enable Intrusion Prevention System: Enable Defender's Intrusion Prevention functionality.
Enable IOAVP Protection: Enable Defender's IOAVP Protection functionality.
Enable On Access Protection: Enable Defender's On Access Protection functionality.
Enable Realtime Monitoring: Enable Defender's Realtime Monitoring functionality.
Enable Scanning Network Files: Enable scanning of network files.
Enable Script Scanning: Enable Defender's Script Scanning functionality.
Enable User UI Access: Allow user access to the Defender UI. If disallowed, all Defender notifications are also suppressed.
Excluded Extensions: Allow an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by |. For example, "lib|obj".
Excluded Paths: Allow an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by |. For example, "C:\Example|C:\Example1".
Excluded Processes: Allow an administrator to specify a list of processes whose opened files are ignored during a scan.
Real Time Scan Direction: Control which sets of files are monitored.

Bidirectional – Monitor all files.

Incoming – Monitor incoming files.

Outgoing – Monitor outgoing files.

Scan Type: Select whether to perform a quick scan or a full scan.

Quick Scan – Perform a quick Defender scan.

Full Scan – Perform a full Defender scan.

Quick Scan Schedule in Minutes: Specify the time of day at which the Defender quick scan runs. The time must be specified as the number of minutes past midnight (local time).

Valid values are 0 to 1380, where 12:00 AM = 0, 1:00 AM = 60, and so on until 11:00 PM = 1380.

Schedule Scan Day: Select the day on which the Defender scan runs.
Schedule Scan Time in Minutes: Specify the time of day at which the Defender scan runs. The time must be specified as the number of minutes past midnight (local time).

Valid values are 0 to 1380, where 12:00 AM = 0, 1:00 AM = 60, and so on until 11:00 PM = 1380.

Signature Update Interval in Hours: Specify the interval (in hours) at which Windows checks for new signatures. When set, Windows checks at this interval instead of using the ScheduleDay and ScheduleTime settings. Because the interval is in hours, the most frequent check is once per hour.
Submit Samples Consent: Check the user consent level in Defender for sending data. If the required consent has already been granted, Defender submits the samples. If not (and if the user has specified never to ask), the UI is launched to ask for user consent before sending data (when Cloud Protection, Defender/AllowCloudProtection, is allowed).

Always Prompt – Always prompt the user.

Send Safe Samples – Send safe samples automatically.

Never Send – Never send samples.

Send All Samples – Send all samples automatically.

User-Controlled – Allow the device user to configure this setting.

Enable SmartScreen in Shell: Specify who can configure SmartScreen for Windows.
Ignore SmartScreen Warning: Allows the device user to ignore warnings in SmartScreen.
Note: SmartScreen must be enabled.
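The Windows Defender options above end up as preference values on the device, and two of them deserve a routine check: whether the applied configuration still matches what was pushed, and whether the "|"-separated exclusion lists have grown to cover executable file types, whole drives, user-writable folders, or script hosts, which silently narrows what Defender scans. The following PowerShell script is an added example, not part of the original page or the product. It compares the live configuration with a baseline, reviews the three exclusion lists in the profile's "|" format, and converts a clock time into the minutes-past-midnight value the scan schedule fields expect. The property names (DisableRealtimeMonitoring, MAPSReporting, SubmitSamplesConsent, RealTimeScanDirection, ScanParameters, ExclusionExtension, ExclusionPath, ExclusionProcess and the others) are those returned by Get-MpPreference; the baseline values, the lists of risky extensions and processes, and the sample configuration are constructed for the example.

```powershell
# Added example, not from the original page or the product: check the live Windows Defender
# configuration against an expected baseline and review exclusion lists for overly broad entries.
# Property names are those returned by Get-MpPreference; baseline values are constructed.
$DefenderBaseline = @{
    DisableRealtimeMonitoring        = $false   # Enable Realtime Monitoring
    DisableBehaviorMonitoring        = $false   # Enable Behavior Monitoring
    DisableIOAVProtection            = $false   # Enable IOAVP Protection
    DisableScriptScanning            = $false   # Enable Script Scanning
    DisableArchiveScanning           = $false   # Enable Archive Scanning
    DisableIntrusionPreventionSystem = $false   # Enable Intrusion Prevention System
    MAPSReporting                    = 2        # Cloud Protection on (2 = advanced reporting)
    SubmitSamplesConsent             = 1        # Send Safe Samples
    RealTimeScanDirection            = 0        # Bidirectional
    ScanParameters                   = 2        # Full Scan
    SignatureUpdateInterval          = 4        # Signature Update Interval in Hours
    QuarantinePurgeItemsAfterDelay   = 90       # Days to Retain Cleaned Malware
    UILockdown                       = $false   # Enable User UI Access
}
# Constructed lists: extensions and processes whose exclusion would exempt executable content.
$RiskyExtensions = 'exe', 'dll', 'ps1', 'bat', 'cmd', 'vbs', 'js', 'scr', 'com'
$RiskyProcesses  = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe',
                   'mshta.exe', 'rundll32.exe', 'regsvr32.exe'

function Split-ExclusionList {
    # Accept either the profile's "a|b|c" string or the array Get-MpPreference returns.
    param($Value)
    if ($null -eq $Value) { return @() }
    if ($Value -is [string]) { return @($Value -split '\|' | Where-Object { $_ -ne '' }) }
    return @($Value)
}

function Compare-DefenderBaseline {
    # Report every baseline property whose live value differs (or is missing).
    param([Parameter(Mandatory)]$Actual, [Parameter(Mandatory)][hashtable]$Baseline)
    $drift = New-Object System.Collections.Generic.List[string]
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $have = $Actual.$name
        if ($null -eq $have) { $drift.Add("$name is not reported by the client"); continue }
        if ("$have" -ne "$($Baseline[$name])") { $drift.Add("$name is '$have', expected '$($Baseline[$name])'") }
    }
    return $drift
}

function Test-DefenderExclusions {
    # Flag exclusions that remove executable content or broad locations from scanning.
    param($Extensions, $Paths, $Processes)
    $findings = New-Object System.Collections.Generic.List[string]
    foreach ($ext in Split-ExclusionList $Extensions) {
        if ($RiskyExtensions -contains $ext.TrimStart('.').ToLower()) {
            $findings.Add("Extension exclusion '$ext' exempts an executable file type from scanning")
        }
    }
    foreach ($path in Split-ExclusionList $Paths) {
        if ($path -match '^[A-Za-z]:\\?$') {
            $findings.Add("Path exclusion '$path' covers an entire drive")
        } elseif ($path -match '\\(Users|Temp|ProgramData|Downloads)(\\|$)') {
            $findings.Add("Path exclusion '$path' is in a user-writable location")
        }
    }
    foreach ($proc in Split-ExclusionList $Processes) {
        if ($RiskyProcesses -contains ([System.IO.Path]::GetFileName($proc).ToLower())) {
            $findings.Add("Process exclusion '$proc' exempts files opened by a script host or system utility")
        }
    }
    return $findings
}

function ConvertTo-ScanMinutes {
    # Convert 'HH:mm' (24-hour) into the 0-1380 minutes-past-midnight value the schedule fields use.
    param([Parameter(Mandatory)][string]$Time)
    $parts = $Time -split ':'
    $minutes = [int]$parts[0] * 60 + [int]$parts[1]
    if ($minutes -lt 0 -or $minutes -gt 1380 -or ($minutes % 60) -ne 0) {
        throw "'$Time' is not a whole hour between 00:00 and 23:00 (0-1380 minutes past midnight)"
    }
    return $minutes
}

# Constructed sample configuration (not captured from a real device) so the checks run anywhere.
$SamplePreference = [pscustomobject]@{
    DisableRealtimeMonitoring = $true;  DisableBehaviorMonitoring = $false; DisableIOAVProtection = $false
    DisableScriptScanning = $true;      DisableArchiveScanning = $false;    DisableIntrusionPreventionSystem = $false
    MAPSReporting = 0; SubmitSamplesConsent = 2; RealTimeScanDirection = 0; ScanParameters = 1
    SignatureUpdateInterval = 24; QuarantinePurgeItemsAfterDelay = 90; UILockdown = $true
}
Write-Output '--- constructed sample: drift ---'
Compare-DefenderBaseline -Actual $SamplePreference -Baseline $DefenderBaseline
Write-Output '--- constructed sample: exclusions ---'
Test-DefenderExclusions -Extensions 'lib|obj|exe' -Paths 'C:\Example|C:\|C:\Users\Public\Downloads' -Processes 'powershell.exe|backup.exe'
Write-Output ("2 AM quick scan value: " + (ConvertTo-ScanMinutes -Time '02:00'))

# On a device with the Defender module, run the same checks against the live configuration.
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    $pref = Get-MpPreference
    Write-Output '--- this device ---'
    Compare-DefenderBaseline -Actual $pref -Baseline $DefenderBaseline
    Test-DefenderExclusions -Extensions $pref.ExclusionExtension -Paths $pref.ExclusionPath -Processes $pref.ExclusionProcess
}
```

On the constructed sample the drift check reports the disabled real-time monitoring and script scanning, the disabled Cloud Protection, the "Never Send" sample consent, the quick-scan type, the 24-hour signature interval and the locked-down UI, and the exclusion review flags "exe", the whole C: drive, the Downloads folder and powershell.exe. The baseline hashtable is the place to encode the profile you actually push; comparing string forms keeps the check indifferent to whether a value comes back as a boolean or a byte.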

Security

Feature Control Option: Description
Clear TPM If the Device Is Not Ready: Admin access is required. The prompt appears on the first admin login after a reboot when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt describes what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it appears again on the next admin login after the restart.
Configure Windows Passwords: Configure the use of passwords for Windows features.
Enable Automatic Device Encryption for Azure AD Joined Devices: Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.
Enable Adding Provisioning Package: Specifies whether to allow the runtime configuration agent to install provisioning packages.
Enable Removing Provisioning Package: Specifies whether to allow the runtime configuration agent to remove provisioning packages.
Require Provisioning Package Signature: Specifies whether provisioning packages must have a certificate signed by a device trusted authority.

Hardware

Feature Control Option: Description
Enable Device Location Switch: Enable/disable the Location Service's device switch.
Enable Camera: Enable/disable the device's camera.
Enable USB Access: Enable/disable access to the device's USB port for the following:
  • mouse
  • disk drives
  • CD ROM
  • portable devices
  • floppy disks
  • Bluetooth devices
  • imaging devices
  • printers
  • modems
  • USB devices
  • smart card readers
  • IRDA devices
Enable USB Media Storage: Enable/disable the use of external storage devices, such as USB drives or SD cards, with the device.
Enable Serial Connection Access: Enable/disable the device's serial port.