Feature Control (Windows Desktop)

The File Encryption profile configuration enables you to use file encryption to secure the data stored on a device or a storage card. Secured data is readable only on the device, and only while it remains encrypted.

General

Application

Feature Control Option: Description
Enable DVR and Broadcasting: Enable the use of DVR and broadcasting.
App Install Control: Specify whether device users can install apps from sources other than the Windows Store.
Enable Store Originated Apps: Enable the launch of all apps from the Microsoft Store that came pre-installed or were already downloaded.
Enable User Control Over Install: Enable users to change installation options that are typically available only to system administrators.
Enable Elevated Privileges to Install Programs: Enable elevated permissions to install programs that need special permissions. The system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer.
Enable Private Store Only: Disable the retail catalog and enable only the Private store.
Auto Update of Store Applications: Specify whether device users can control the update schedule of apps from the Windows Store.
Background Application Run: Specify whether device users can allow Windows apps to run in the background.
Developer Model Unlock: Select whether developer unlock is explicitly allowed, denied, or not configured.
Enable Shared User App Data: Enable multiple users of the same app to share data.
Limit App to Data System Volume: Store application data only on the system drive.
Limit App to System Volume: Restrict installation of applications to the system drive.

Device Account

Feature Control Option: Description
Enable Microsoft Account Connection: Enable users to connect their devices to a Microsoft account.
Enable Adding Non-Microsoft Accounts Manually: Enable users to manually connect their devices to a non-Microsoft account.
Enable Adding Microsoft Account Sign-in Assistant: Enable users to turn on the Microsoft Account Sign-in Assistant NT service. Requires device restart.
Domain Names for Email Sync: Enter the list of domains that can sync email on the device.

Search

Feature Control Option: Description
Enable Search to Use Location: Enable Bing search to use location services on the device.
Enable Search Indexer: Enable the search indexing service to run.

Settings

Feature Control Option: Description
Enable AutoPlay Settings: Enable the user to change AutoPlay settings.
Enable Language Settings: Enable the user to change language settings.
Enable Online Tips Settings: Enable the retrieval of online tips and help for the Settings app.
Enable Power Sleep Settings: Enable the user to change power and sleep settings.
Enable Region Settings: Enable the user to change the region settings.
Enable Sign-in Options Settings: Enable the user to change sign-in options.
Enable Workplace Settings: Enable the user to change workplace settings.
Enable Data Usage Settings: Enable the user to change data usage settings.
Enable Date Time Settings: Enable the user to change date and time settings.
Enable Edit Device Name Settings: Enable editing of the device name.
Enable VPN Settings: Enable the user to change VPN settings.
Enable Account Settings: Enable the user to change account settings.

Text Input

Feature Control Option: Description
Enable IME Logging: Enable the user to turn logging on or off for incorrect conversions, saving auto-tuning results to a file, and history-based predictive input.
Enable IME Network Access: Enable the user to turn on Open Extended Dictionary, Internet Search Integration, and the online service that offers input suggestions not found in the PC's local dictionary.
Enable Japanese IME Surrogate Pair Characters: Enable the Japanese IME surrogate pair characters.
Enable Japanese IVS Characters: Enable Japanese Ideographic Variation Sequence (IVS) characters.
Enable Japanese Non-Publishing Standard Glyph: Enable the Japanese non-publishing standard glyph.
Enable Japanese User Dictionary: Enable the Japanese user dictionary.
Enable Korean Extended Hanja: Enable the use of the Korean Extended Hanja character set.
Exclude Japanese IME Except JIS0208: Enable users to restrict the character code range of conversion by setting the character filter.
Exclude Japanese IME Except JIS0208 and EUDC: Enable users to restrict the character code range of conversion by setting the character filter.
Exclude Japanese IME Except Shift JIS: Enable users to restrict the character code range of conversion by setting the character filter.

Windows Update

Feature Control Option: Description
Enable Update Service: Select this option to enable the device to use Microsoft Update, Windows Server Update Services (WSUS), or the Windows Store. Even when you configure Windows Update to receive updates from an intranet update service, it still periodically retrieves information from the public Windows Update service. That information enables future connections to Windows Update and other services such as Microsoft Update or the Windows Store. Enabling this policy disables this functionality and may cause connections to public services such as the Windows Store to stop working.
Note: This policy applies only when you configure the desktop or device to connect to an intranet update service using the Custom Update WSUS server URL policy.
Auto Update Settings: Enable the IT administrator to manage automatic update behavior to scan, download, and install updates.
  • Notify User: Inform the user before downloading the update. Enterprises use this policy to let end users manage data usage. With this option, the device informs users when updates that apply to the device are ready for download. Users can download and install the updates from the Windows Update control panel.
  • Install and Notify: Auto install the update and then inform the user to schedule a restart. Updates are downloaded automatically on non-metered networks and installed during Automatic Maintenance when the computer is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update installs updates right away. If the installation requires a restart, the end user receives a prompt to schedule the restart time. The end user has up to seven days to schedule the restart; after that, a forced restart occurs. Letting the end user control the restart time reduces the risk of accidental app data loss caused by apps that do not shut down correctly on restart.
  • Install and Restart: Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during Automatic Maintenance when the computer is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update installs updates right away. If a restart is required, the device is automatically restarted when it is not in use. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental app data loss caused by apps that do not shut down correctly on restart.
  • Install and Restart at Specific Time: Auto install and restart at a specified time. The IT administrator specifies the installation day and time. If you do not specify a day and time, the default is 3 AM daily. Automatic installation happens at this time and the restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
  • Install and Restart Without User Control: Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during Automatic Maintenance when the computer is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update installs the updates right away. If a restart is required, the device is automatically restarted when it is not actively being used. This option sets the end-user control panel to read-only.
  • No Auto Updates: Turn off automatic updates.
Enable Non-Microsoft Signed Update: Enable the IT administrator to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third-party software and patch distribution. Supported operations are Get and Replace.
Scheduled Install Time (0-23 hours): Enable the IT administrator to schedule the time of the update installation.
WSUS Server URL: The URL of a custom WSUS update server. Enables the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.
Scheduled Install Day: Enable the IT administrator to schedule the day of the update installation.
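As an added example (not part of the original page and not the MDM product's own tooling), the following PowerShell script reads back the Windows Update settings a profile has applied to a device and maps the Auto Update Settings value to the option names in the table above. It assumes the settings are mirrored in the Policy CSP registry area HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update under the value names AllowUpdateService, AllowAutoUpdate, AllowNonMicrosoftSignedUpdate, ScheduledInstallDay, ScheduledInstallTime and UpdateServiceUrl, and that AllowAutoUpdate values 0 to 5 follow the same order as the six options listed above; both are assumptions to confirm against your MDM's documentation.

```powershell
# Added example: audit the Windows Update feature-control settings that an MDM
# profile applied to a Windows 10 device. Run in an elevated PowerShell session
# on the managed device.
# ASSUMPTION: device-scope Policy CSP values for the Update area are mirrored
# under the registry path below, with the value names used in $report.

$policyPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

# ASSUMPTION: AllowAutoUpdate 0-5 corresponds to the six options in the order
# the page lists them.
$autoUpdateNames = @{
    0 = 'Notify User'
    1 = 'Install and Notify'
    2 = 'Install and Restart'
    3 = 'Install and Restart at Specific Time'
    4 = 'Install and Restart Without User Control'
    5 = 'No Auto Updates'
}

function Get-UpdatePolicyValue {
    param([string]$Name)
    # Returns $null (not an error) when the MDM has not pushed this setting.
    $item = Get-ItemProperty -Path $policyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Page option name -> value read from the device.
$report = [ordered]@{
    'Enable Update Service'               = Get-UpdatePolicyValue 'AllowUpdateService'
    'Auto Update Settings'                = Get-UpdatePolicyValue 'AllowAutoUpdate'
    'Enable Non-Microsoft Signed Update'  = Get-UpdatePolicyValue 'AllowNonMicrosoftSignedUpdate'
    'Scheduled Install Day'               = Get-UpdatePolicyValue 'ScheduledInstallDay'
    'Scheduled Install Time (0-23 hours)' = Get-UpdatePolicyValue 'ScheduledInstallTime'
    'WSUS Server URL'                     = Get-UpdatePolicyValue 'UpdateServiceUrl'
}

foreach ($entry in $report.GetEnumerator()) {
    $value = $entry.Value
    if ($null -eq $value) {
        $value = '(not configured by MDM)'
    }
    elseif ($entry.Key -eq 'Auto Update Settings' -and $autoUpdateNames.ContainsKey([int]$value)) {
        $value = "$value ($($autoUpdateNames[[int]$value]))"
    }
    '{0,-36} {1}' -f $entry.Key, $value
}

# Two checks a defender would want on the combination described above:
# a non-HTTPS WSUS URL exposes update metadata to tampering in transit, and
# option 5 means no patches install without manual action.
$wsus = $report['WSUS Server URL']
if ($wsus -and $wsus -notmatch '^https://') {
    Write-Warning "WSUS Server URL '$wsus' is not HTTPS; update metadata could be tampered with in transit."
}
if ($report['Auto Update Settings'] -eq 5) {
    Write-Warning 'Automatic updates are turned off; patches will not install without manual action.'
}
```

Run it after the profile has been pushed and compare the printed values with the profile in the console; a value shown as "(not configured by MDM)" means that option never reached the device, which is the usual first symptom of a profile that was assigned but not applied.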

Start Menu

Feature Control Option: Description
Show Change Account Settings: Enables the Change Account settings to appear in the Start Menu.
Show Frequently Used Apps: Enables Frequently Used Apps to appear in the Start Menu.
Note: Requires device restart.
Show Hibernate: Enables the Hibernate power option to appear in the Start Menu.
Show Lock: Enables Lock to appear in the Start Menu.
Show Power Button: Enables the Power button to appear in the Start Menu.
Note: Requires device restart.
Show Recent Jump Lists: Enables Recent Jump Lists to appear in the Start Menu.
Note: Requires device restart.
Show Recently Added Apps: Enables Recently Added Apps to appear in the Start Menu.
Note: Requires device restart.
Show Restart: Enables the Restart power option to appear in the Start Menu.
Show Shutdown: Enables the Shutdown power option to appear in the Start Menu.
Show Sign Out: Enables the Sign Out option to appear in the Start Menu.
Show Sleep: Enables the Sleep power option to appear in the Start Menu.
Show User Tile: Enables user tiles to appear in the Start Menu.
Enable Pin to Taskbar Connectivity: Enables the administrator to configure the taskbar by enabling pinning and unpinning apps on the taskbar.

Connectivity

Cellular Data and Roaming

Feature Control Option: Description
VPN Roaming Over Cellular: Enables users to enable VPN while the device is roaming.
VPN Over Cellular: Enables users to enable VPN while the device is on a cellular data network.
Enable Device Cellular Data: Enable the cellular data channel on the device.
Cellular Data Roaming: Enable the user to use cellular data while the device is roaming.
Enable Enterprise APN User Control: Enable the device user to change enterprise APN settings for the APN profile configuration.

Supported on desktop devices running Windows 10 version 1703 and later.

WiFi

Feature Control Option: Description
Enable Auto Connect to WiFi Sense Hotspots: Enable the device to auto connect to WiFi hotspots.

Bluetooth

Feature Control Option: Description
Enable Bluetooth: Enable the user to enable Bluetooth.
Enable Bluetooth Discoverable Mode: Enable Bluetooth discoverable mode.
Set Bluetooth Device Name: Enter a string that specifies the local Bluetooth device name.
Enable Bluetooth Advertising: Enable the device to act as a source for advertisements.
Enable Bluetooth Pre-pairing: Enable specific bundled Bluetooth peripherals to automatically pair with the host device.

Connectivity

Feature Control Option: Description
Enable Printing Over HTTP: Enable the user to print over HTTP from this client.
Enable Downloading of Print Drivers Over HTTP: Enable the user to download print driver packages over HTTP.
Enable Download of Online Wizards: Enable Windows to download providers. A service provider is displayed only if the local registry caches it.
Enable Network Connectivity Active Tests: Enable the NCSI active probe. Disabling this option prevents the connectivity test connection to www.msftconnecttest.com.
Enable Configuration of Network Bridge: Enable the user to install and configure the Network Bridge.
Enable Connected Devices: Enable the user to enable the Connected Devices Platform (CDP) component.

Security and Privacy

Data Protection

Feature Control Option: Description
Enable Internet Sharing Over WiFi: Enable the device to share Internet and become a WiFi hotspot.
Enable Direct Memory Access: Enable Direct Memory Access.

Experience

Feature Control Option: Description
Enable Windows Consumer Features: Enable experiences that are typically for consumers only, such as Start suggestions, Membership notifications, Post-OOBE app install, and redirect tiles.
Enable Windows Tips: Enable Windows Tips / soft landing.
Enable Cortana: Enable Cortana (personal digital assistant) on the device.
Allow Manual MDM Unenrollment: Enable the user to unenroll the device.
Enable Device Discovery on Lock Screen: Enable the device discovery user interface on the lock screen.
Enable Find My Device: Enable the device to register its location in the cloud so that the Find My Device feature can work.
Enable Syncing of Settings: Enable settings that you want to sync with other devices.
Enable Feedback Notifications: Enable devices to show feedback questions from Microsoft.

System

Feature Control Option: Description
Enable OneDrive File Sync: Enable apps and features to work with files on OneDrive.
Note: This feature control option requires a device reboot.
Boot-Start Drivers: If you disable or do not configure this policy setting, the boot-start driver classification can be Good, Unknown, or Bad. Boot-critical drivers are initialized, while Bad boot-start drivers are skipped.
Enable Enterprise Authentication Proxy: Enable the Connected User Experience and Telemetry service to automatically use an authenticated proxy to send data to Microsoft on Windows 10 or later.
Enable System Restore: Enable the device user to access System Restore and the System Restore Wizard. The options to configure System Restore or create restore points through System Protection are also enabled.
Require to Save Diagnostics Logs Locally: Require all diagnostic logs to be saved locally for use in internal investigations.
Restrict Telemetry Data: Determines the amount of diagnostic and usage telemetry data sent to Microsoft. Choose one of the following levels:
  • Security: Sends only data required to keep Windows secure.
  • Basic: Sends basic data such as device information, app compatibility and usage data, plus the data from the Security level.
  • Enhanced: Sends Security and Basic data plus other insights such as usage data on Windows, Windows Server, System Center, and apps, how they perform, and other advanced reliability data.
  • Full: Sends all data necessary to identify and solve issues plus the data from the Security, Basic, and Enhanced levels.
Levels are listed in order from least to most data sent.
Enable Location Service: Determines the status of Location Services on the device. Choose an option from the dropdown list:
  • User Controlled: The device user can switch location services on or off.
  • Enable: Location Services are enabled and the device user cannot disable them.
  • Disable: All Location Services are disabled and no application can access location information. The device user cannot enable them.
Enable SD Card Access: Enable the device user to access data on the SD card.
Enable Enhanced Diagnostic Data: Enable the device to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. You must set Restrict Telemetry Data to Enhanced to use this feature.
Enable Windows Preview Builds: Enable the device user to download and install Windows preview software.
Enable Embedded Mode: Enable the device user to enter Embedded Mode.
Allow Microsoft Experimentation: Enable Microsoft to conduct full experimentation to study user preferences or device behavior.
Enable Font Providers: Enable the device user to download fonts and font catalog data from online font providers.
Enable Factory Reset: Enable the device user to factory reset the device.
Telemetry Proxy: Specifies a proxy server through which to forward Connected User Experiences and Telemetry requests. Enter the fully qualified domain name (FQDN) or IP address of a proxy server. The format for this setting is server:port. The connection occurs over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if no proxy is specified while this policy is enabled, Connected User Experiences and Telemetry data is not transmitted and remains on the local device.

Authentication

Feature Control Option: Description
Enable Azure Active Directory Password Reset: Specifies whether to enable or disable password reset for Azure Active Directory accounts. This policy enables Azure AD tenant administrators to turn on the self-service password reset feature on the Windows login screen.
Enable FIDO Device Sign-On: Specifies whether a Fast Identity Online (FIDO) device can be used to sign on. This policy enables the Windows login credential provider for FIDO 2.0 devices.
Enable EAP Fast Reconnect: Enables EAP Fast Reconnect attempts for the EAP-TLS method.
Enable Secondary Authentication Devices: Enables secondary authentication devices to work with Windows.

Windows Defender

Feature Control Option: Description
Cloud Protection: Enable or disable Cloud Protection. If you enable this option, Windows Defender sends information to Microsoft about any problems it finds. Microsoft analyzes that information in its cloud to learn more about problems affecting users, and can then respond with the best possible solution.
Average CPU Load Factor in Percent: The average CPU load factor for the scan, as a percentage.
Days to Retain Cleaned Malware: The duration (in days) for which the system stores quarantined items.
Enable Archive Scanning: Enable scanning of archives.
Enable Behavior Monitoring: Enable Defender's Behavior Monitoring functionality.
Enable Email Scanning: Enable scanning of email.
Enable Full Scan On Network Drives: Enable a full scan of mapped network drives.
Enable Full Scan On Removable Drives: Enable a full scan of removable drives.
Enable Intrusion Prevention System: Enable Defender's Intrusion Prevention functionality.
Enable IOAVP Protection: Enable Defender's IOAVP Protection functionality.
Enable On Access Protection: Enable Defender's On Access Protection functionality.
Enable Realtime Monitoring: Enable Defender's Realtime Monitoring functionality.
Enable Scanning Network Files: Enable scanning of network files.
Enable Script Scanning: Enable Defender's Script Scanning functionality.
Enable User UI Access: Enable user access to the Defender UI. If disallowed, all Defender notifications are suppressed.
Excluded Extensions: Enable an administrator to specify a list of file type extensions to ignore during a scan. Separate the entries with |, for example lib|obj.
Excluded Paths: Enable an administrator to specify a list of directory paths to ignore during a scan. Separate the entries with |, for example C:\Example|C:\Example1.
Excluded Processes: Enable an administrator to specify a list of files opened by processes to ignore during a scan.
Real Time Scan Direction: Control which sets of files to monitor.
  • Bidirectional: Monitor all files.
  • Incoming: Monitor incoming files.
  • Outgoing: Monitor outgoing files.
Scan Type: Select whether to perform a quick scan or a full scan.
  • Quick Scan: Perform a quick Defender scan.
  • Full Scan: Perform a full Defender scan.
Quick Scan Schedule in Minutes: Specify the time of day at which the Defender quick scan should run, as the number of minutes past midnight (local time). Valid values are 0 to 1380, where 12:00 AM = 0, 1:00 AM = 60, and so on up to 11:00 PM = 1380.
Schedule Scan Day: Select the day on which the Defender scan should run.
Schedule Scan Time in Minutes: Specify the time of day at which the Defender scan should run, as the number of minutes past midnight (local time). Valid values are 0 to 1380, where 12:00 AM = 0, 1:00 AM = 60, and so on up to 11:00 PM = 1380.
Signature Update Interval in Hours: Specify the interval (in hours) at which to check for new signatures. When set, Windows checks for new signatures at this interval instead of using the ScheduleDay and ScheduleTime. Because the interval is in hours, the most frequent check is once every hour.
Submit Samples Consent: Check the user consent level in Defender for sending data. If the required consent has already been granted, Defender submits the samples. If not (and if the user has specified never to ask), the UI is launched to ask for user consent (when Defender/AllowCloudProtection is enabled) before sending data.
  • Always Prompt: Always prompt the user.
  • Send Safe Samples: Send safe samples automatically.
  • Never Send: Never send samples.
  • Send All Samples: Send all samples automatically.
  • User-Controlled: Allow the device user to configure this setting.
Enable SmartScreen in Shell: Specify who can configure SmartScreen for Windows.
Ignore SmartScreen Warning: Enable the device user to ignore warnings in SmartScreen.
Note: SmartScreen must be enabled.
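As an added example (not part of the original page and not the MDM product's own tooling), the following PowerShell script validates the two "minutes past midnight" schedule values against the 0 to 1380 range given above, then compares a set of intended profile values with what the device actually reports through the built-in Defender cmdlet Get-MpPreference. The intended values in $expected are constructed for illustration; the script assumes that Get-MpPreference reports ScanScheduleTime and ScanScheduleQuickScanTime as TimeSpans since midnight, exposes exclusions as the ExclusionExtension and ExclusionPath arrays, and reflects Cloud Protection in MAPSReporting (0 meaning off).

```powershell
# Added example: detect drift between the Defender values entered in a
# feature-control profile and the effective settings on a Windows 10 device.
# Run in an elevated PowerShell session on the managed device.

# Constructed sample of values as they would be typed into the profile.
$expected = @{
    ScheduleScanTimeMinutes      = 120                         # 2:00 AM
    QuickScanScheduleMinutes     = 1380                        # 11:00 PM
    SignatureUpdateIntervalHours = 4
    ExcludedExtensions           = 'lib|obj'                   # page format: entries separated by |
    ExcludedPaths                = 'C:\Example|C:\Example1'
    RealTimeMonitoring           = $true
    CloudProtection              = $true
}

function Test-MinutesPastMidnight {
    param([int]$Minutes)
    # The page defines the valid range as 0..1380 (12:00 AM = 0 ... 11:00 PM = 1380).
    return ($Minutes -ge 0) -and ($Minutes -le 1380)
}

foreach ($key in 'ScheduleScanTimeMinutes', 'QuickScanScheduleMinutes') {
    if (-not (Test-MinutesPastMidnight $expected[$key])) {
        throw "$key = $($expected[$key]) is outside the valid range 0..1380."
    }
}

# Effective Defender preferences as the device reports them.
$actual = Get-MpPreference

# Normalise a |-separated profile string and a device-side array to the same
# sorted, |-joined form so the two can be compared as strings.
function ConvertTo-SortedList {
    param($Value)
    if ($Value -is [string]) { $Value = $Value -split '\|' }
    return (@($Value) | Where-Object { $_ } | Sort-Object) -join '|'
}

# ASSUMPTION: property names and types are those of Get-MpPreference;
# ScanScheduleTime / ScanScheduleQuickScanTime are TimeSpans since midnight.
$checks = @(
    @{ Name = 'Schedule Scan Time (minutes)';  Expected = $expected.ScheduleScanTimeMinutes
       Actual = [int]$actual.ScanScheduleTime.TotalMinutes }
    @{ Name = 'Quick Scan Schedule (minutes)'; Expected = $expected.QuickScanScheduleMinutes
       Actual = [int]$actual.ScanScheduleQuickScanTime.TotalMinutes }
    @{ Name = 'Signature Update Interval';     Expected = $expected.SignatureUpdateIntervalHours
       Actual = [int]$actual.SignatureUpdateInterval }
    @{ Name = 'Excluded Extensions';           Expected = ConvertTo-SortedList $expected.ExcludedExtensions
       Actual = ConvertTo-SortedList $actual.ExclusionExtension }
    @{ Name = 'Excluded Paths';                Expected = ConvertTo-SortedList $expected.ExcludedPaths
       Actual = ConvertTo-SortedList $actual.ExclusionPath }
    @{ Name = 'Realtime Monitoring enabled';   Expected = $expected.RealTimeMonitoring
       Actual = -not $actual.DisableRealtimeMonitoring }
    @{ Name = 'Cloud Protection enabled';      Expected = $expected.CloudProtection
       Actual = ($actual.MAPSReporting -ne 0) }
)

# Compare as strings so booleans, integers and joined lists all use one rule.
$drift = foreach ($c in $checks) {
    if ("$($c.Expected)" -ne "$($c.Actual)") {
        '{0}: profile expects [{1}] but the device reports [{2}]' -f $c.Name, $c.Expected, $c.Actual
    }
}

if ($drift) { $drift | ForEach-Object { Write-Warning $_ } }
else        { 'Defender settings match the profile.' }
```

The exclusion comparison is the check worth keeping in a routine job: an extra path or extension that appears on the device but not in the profile is a scan blind spot that was added outside the management channel, and this script surfaces it as drift rather than silently accepting the device's list.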

Security

Feature Control Option: Description
Clear TPM If the Device Is Not Ready: Admin access is required. The prompt appears on the first admin login after a reboot when the TPM is in a non-ready state that a TPM Clear can remediate. The prompt describes what clearing the TPM does and states that it requires a reboot. The user can dismiss it, but it appears again at the next admin login after the restart.
Configure Windows Passwords: Configure the use of passwords for Windows features.
Enable Automatic Device Encryption for Azure AD Joined Devices: Specifies whether to enable automatic device encryption during OOBE when the device is Azure AD joined.
Enable Adding Provisioning Package: Specifies whether to enable the runtime configuration agent to install provisioning packages.
Enable Removing Provisioning Package: Specifies whether to enable the runtime configuration agent to remove provisioning packages.
Require Provisioning Package Signature: Specifies whether provisioning packages must have a certificate signed by a device trusted authority.

Hardware

Feature Control Option: Description
Enable Device Location Switch: Enable or disable the Location Service's device switch.
Enable Camera: Enable or disable the device's camera.
Enable USB Access: Enable or disable access to the device's USB port for the following:
  • mouse
  • disk drives
  • CD ROM
  • portable devices
  • floppy disks
  • Bluetooth devices
  • imaging devices
  • printers
  • modems
  • USB devices
  • smart card readers
  • IRDA devices
Enable USB Media Storage: Enable or disable the use of external storage devices, such as USB drives or SD cards, with the device.
Enable Serial Connection Access: Enable or disable the device's serial port.