Feature Control (Windows Modern)
For security-conscious organizations whose privacy and information-security requirements call for controlling mobile data and other device features, SOTI MobiControl provides a wide range of on-device restrictions, including blocking certain device communications in the manner of a firewall. You can configure feature control when:
You may also selectively turn off device features with the Feature Control profile configuration. Applying the configuration at the individual or group level creates custom profiles for different users and locations in an organization. For example, turning Bluetooth and infrared ports on or off determines if device users can beam business cards, applications, or documents to one another.
General
Application
Feature Control Option | Description |
---|---|
Enable DVR and Broadcasting | Enable the use of Digital Video Recorder (DVR) and broadcasting. |
App Install Control | Specify if device users can install apps from sources other than the Windows Store. |
Enable Non Admin User for App Install | Toggle on this option to let non-administrator users install msix and appx applications. |
Enable Store Originated Apps | Enable the launch of all apps from the Microsoft Store that came pre-installed or were already downloaded. |
Enable User Control Over Install | Enable users to change installation options that typically are available only to system administrators. |
Enable Elevated Privileges to Install Programs | Enable elevated permissions when installing programs that require them. Otherwise, the system installs programs that a system administrator does not distribute or offer using only the current user's permissions. |
Enable Private Store Only | Disable the retail catalog so that only the Private Store is available. |
Auto Update of Store Applications | Specify if device users can control the app update schedule from the Windows Store. |
Background Application Run | Specify if device users can let Windows apps run in the background. |
Developer Model Unlock | Specify whether developer unlock is explicitly allowed, denied, or not configured. |
Enable Shared User App Data | Enable more than one user of the same app to share data. |
Limit App to Data System Volume | Store application data only on the system drive. |
Limit App to System Volume | Restrict installation of applications to the system drive. |
Device Account
Feature Control Option | Description |
---|---|
Enable Microsoft Account Connection | Enable users to link their devices to a Microsoft account. |
Enable Adding Non-Microsoft Accounts Manually | Enable users to manually link their devices to a non-Microsoft account. |
Enable Adding Microsoft Account Sign-in Assistant | Let users enable the Microsoft Account Sign-in Assistant NT service. Requires a device restart. |
Domain Names for Email Sync | Enter the list of domains that can sync email on the device. |
Search
Feature Control Option | Description |
---|---|
Enable Search to Use Location | Enable Bing search to use location services on the device. |
Enable Search Indexer | Configure the search indexing service to run. |
Settings
Feature Control Option | Description |
---|---|
Enable AutoPlay Settings | Let the user change AutoPlay settings. |
Enable Language Settings | Let the user change language settings. |
Enable Online Tips Settings | Enable the retrieval of online tips and help for the Settings app. |
Enable Power Sleep Settings | Let the user change power and sleep settings. |
Enable Region Settings | Let the user change region settings. |
Enable Sign-in Options Settings | Let the user change sign-in options. |
Enable Workplace Settings | Let the user change workplace settings. |
Enable Data Usage Settings | Let the user change data usage settings. |
Enable Date Time Settings | Let the user change date and time settings. |
Enable Edit Device Name Settings | Let the user edit the device name. |
Enable VPN Settings | Let the user change Virtual Private Network (VPN) settings. |
Enable Account Settings | Let the user change account settings. |
Text Input
Feature Control Option | Description |
---|---|
Enable IME Logging | Let the user turn on and off the logging for wrong conversion. Save automatic tuning results to a file along with history-based predictive input. |
Enable IME Network Access | Let the user turn on Open Extended Dictionary, Internet Search Integration, and the online service that offers input suggestions that don't exist in the PC's local dictionary. |
Enable Japanese IME Surrogate Pair Characters | Enable the Japanese Input Method Editor (IME) surrogate pair characters. |
Enable Japanese IVS Characters | Enable Japanese Ideographic Variation Sequence (IVS) characters. |
Enable Japanese Non-Publishing Standard Glyph | Enable the Japanese non-publishing standard glyph. |
Enable Japanese User Dictionary | Enable the Japanese user dictionary. |
Enable Korean Extended Hanja | Enable the use of Korean Extended Hanja character set. |
Exclude Japanese IME Except JIS0208 | Let users restrict the character code range of conversion to JIS0208 by setting the character filter. |
Exclude Japanese IME Except JIS0208 and End User Defined Characters (EUDC) | Let users restrict the character code range of conversion to JIS0208 plus EUDC by setting the character filter. |
Exclude Japanese IME Except Shift Japanese Industrial Standards (JIS) | Let users restrict the character code range of conversion to Shift JIS by setting the character filter. |
Windows Update
Feature Control Option | Description |
---|---|
Enable Update Service | Select this option to let the device use Microsoft Update, Windows Server Update Services (WSUS), or the Windows Store. Even when Windows Update is configured to receive updates from an intranet update service, the update service periodically retrieves information from the public Windows Update service. The information enables future connections to Windows Update and other services like Microsoft Update or the Windows Store. Enabling this policy disables this functionality and may cause connections to public services (such as the Windows Store) to stop working. Note: This policy applies only when you link the desktop or device to an intranet update service using the Custom Update WSUS server URL policy. |
Auto Update Settings | Enable the IT administrator to manage automatic updates behavior to scan, download, and install updates. |
Enable Non-Microsoft Signed Update | Enable the IT administrator to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when found at the UpdateServiceUrl location. This policy supports using WSUS for third-party software and patch distribution. Supported operations are Get and Replace. |
Scheduled Install Time (0 to 23 hours) | Enable the IT administrator to schedule the time of the update installation. |
WSUS Server URL | Specify the URL of a custom WSUS update server. This makes the device check for updates from the WSUS server instead of Microsoft Update, which is useful for on-premises MDMs that need to update devices that cannot reach the Internet. |
Scheduled Install Day | Enable the IT administrator to schedule the day of the update installation. |
Start Menu
Feature Control Option | Description |
---|---|
Show Change Account Settings | Enables the Change Account settings to appear in the Start Menu. |
Show Frequently Used Apps | Enables the Frequently Used Apps option to appear in the Start Menu. Note: Requires device restart. |
Show Hibernate | Enables Hibernate power option to appear in the Start Menu. |
Show Lock | Enables the Lock option to appear in the Start Menu. |
Show Power Button | Enables the Power button to appear in the Start Menu. Note: Requires device restart. |
Show Recent Jump lists | Enables Recent Jump lists to appear in the Start Menu. Note: Requires device restart. |
Show Recently Added Apps | Enables the Recently Added Apps option to appear in the Start Menu. Note: Requires device restart. |
Show Restart | Enables Restart power option to appear in the Start Menu. |
Show Shutdown | Enables Shutdown power option to appear in the Start Menu. |
Show Sign Out | Enables Sign Out option to appear in the Start Menu. |
Show Sleep | Enables Sleep power option to appear in the Start Menu. |
Show User Tile | Enables user tiles to appear in the Start Menu. |
Enable Pin to Taskbar Connectivity | Lets the administrator configure the taskbar by allowing apps to be pinned to and unpinned from it. |
Connectivity
Cellular Data and Roaming
Feature Control Option | Description |
---|---|
VPN Roaming Over Cellular | Lets users enable VPN while the device is roaming. |
VPN Over Cellular | Lets users enable VPN while the device is on a cellular data network. |
Enable Device Cellular Data | Enable the cellular data channel on the device. |
Cellular Data Roaming | Let the user use cellular data while the device is roaming. |
Enable Enterprise APN User Control | Enable the device user to change enterprise Access Point Name (APN) settings for the APN profile configuration. Supported on desktop devices running Windows 10 version 1703 and later. |
Wi-Fi
Feature Control Option | Description |
---|---|
Enable Auto Connect to Wi-Fi Sense Hotspots | Let the device automatically link to Wi-Fi hotspots. |
Bluetooth
Feature Control Option | Description |
---|---|
Enable Bluetooth | Let the user enable Bluetooth. |
Enable Bluetooth Discoverable Mode | Turn on Bluetooth discoverable mode. |
Set Bluetooth Device Name | Enter a string that specifies the local Bluetooth device name. |
Enable Bluetooth Advertising | Let the device act as a source for advertisements. |
Enable Bluetooth Pre-pairing | Enable specific bundled Bluetooth peripherals to automatically pair with host devices. |
Connectivity
Feature Control Option | Description |
---|---|
Enable Printing Over HTTP | Let the user print over HTTP from their client. |
Enable Downloading of Print Drivers Over HTTP | Let the user download print driver packages over HTTP. |
Enable Download of Online Wizards | Enable Windows to download the list of service providers for online wizards. When disabled, a service provider is displayed only if the local registry caches it. |
Enable Network Connectivity Active Tests | Enable the Network Connectivity Status Indicator (NCSI) active probe, which tests network connectivity by contacting www.msftconnecttest.com. |
Enable Configuration of Network Bridge | Let the user install and configure the Network Bridge. |
Enable Connected Devices | Let the user enable the Connected Devices Platform (CDP). |
Security and Privacy
Data Protection
Feature Control Option | Description |
---|---|
Enable Internet Sharing Over Wi-Fi | Let the device share its Internet as a Wi-Fi hotspot. |
Enable Direct Memory Access | Enable Direct Memory Access. |
Experience
Feature Control Option | Description |
---|---|
Enable Windows Consumer Features | Enable experiences that are typically for consumers only, such as Start suggestions, membership notifications, post-OOBE app installs, and redirect tiles. |
Enable Windows Tips | Enable Windows Tips / soft landing. |
Enable Cortana | Enable Cortana (personal digital assistant) on the device. |
Allow Manual MDM Unenrollment | Let the user unenroll the device. |
Enable Device Discovery on Lock Screen | Enable the device discovery user interface on the lock screen. |
Enable Find My Device | Register the device's location in the cloud so the Find My Device feature can work. |
Enable Syncing of Settings | Enable synchronization of settings with other devices. |
Enable Feedback Notifications | Enable devices to show feedback questions from Microsoft. |
System
Feature Control Option | Description |
---|---|
Enable OneDrive File Sync | Enable apps and features to work with files on OneDrive. Note: This feature control option requires a device reboot. |
Boot-Start Drivers | If you disable or do not configure this policy setting, the boot start drivers state can be either Good, Unknown, or Bad. Boot critical drivers initialize while skipping Bad start drivers. |
Enable Enterprise Authentication Proxy | Enable Connected User Experience and Telemetry service to automatically use an authenticated proxy to send data to Microsoft on Windows 10 or later. |
Enable System Restore | Enable the device user to access System Restore and the System Restore Wizard. The options to configure System Restore or create restore points through System Protection are also enabled. |
Require to Save Diagnostics Logs Locally | Mandate all diagnostics to save locally for internal investigations. |
Restrict Telemetry Data | Determines the amount of diagnostic and usage telemetry data sent to Microsoft. Choose from the following levels: Note: Levels listed are in order of least to most data sent. |
Enable Location Service | Determines the status of Location Services on the device. Choose from the following: |
Enable SD Card Access | Let device user access data on the SD card. |
Enable Enhanced Diagnostic Data | Let devices send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. Important: You must set Restrict Telemetry Data to Enhanced to use this feature. |
Enable Windows Preview Builds | Let device users download and install Windows preview software. |
Enable Embedded Mode | Let device users enter Embedded Mode. |
Allow Microsoft Experimentation | Let Microsoft conduct full experimentation to study user preferences or device behavior. |
Enable Font Providers | Let device users download fonts and font catalog data from online font providers. |
Enable Factory Reset | Let device users factory reset the device. |
Telemetry Proxy | Specifies a proxy server to forward Connected User Experiences and Telemetry requests. Enter the Fully Qualified Domain Name (FQDN) or IP address of the proxy server. This connection occurs over a Secure Sockets Layer (SSL) connection. The format for this setting is server:port. The Connected User Experiences and Telemetry data is not transmitted and remains on the local device when: |
Authentication
Feature Control Option | Description |
---|---|
Enable Azure Active Directory Password Reset | Specifies whether to enable or disable password reset for Azure Active Directory accounts. This policy lets Azure AD tenant administrators enable the self-service password reset feature on the Windows login screen. |
Enable FIDO Device Sign-On | Specifies whether you can use the Fast Identity Online (FIDO) device to sign on. This policy enables the Windows login credential provider for FIDO 2.0 devices. |
Enable EAP Fast Reconnect | Enables Extensible Authentication Protocol (EAP) Fast Reconnect attempts for EAP Method Transport Layer Security (TLS). |
Enable Secondary Authentication Devices | Enables secondary authentication devices to work with Windows. |
Feature Control Option | Description |
---|---|
Cloud Protection | Enable or disable Cloud Protection. If enabled, Windows Defender sends information to Microsoft about problems it finds. Microsoft analyzes this information in its cloud to learn more about the problems and then responds with the best solution. |
Average CPU Load Factor in Percent | Set the average CPU load factor for the scan (as a percentage). |
Days to Retain Cleaned Malware | Specify the time duration (in days) for the system to store quarantined items. |
Enable Archive Scanning | Enable scanning of archives. |
Enable Behavior Monitoring | Enable Defender's Behavior Monitoring functionality. |
Enable Email Scanning | Enable scanning of email. |
Enable Full Scan On Network Drives | Enable a full scan of mapped network drives. |
Enable Full Scan On Removable Drives | Enable a full scan of removable drives. |
Enable Intrusion Prevention System | Enable Defender's Intrusion Prevention functionality. |
Enable IOAVP Protection | Enable Defender's Office Anti Virus Protection (IOAVP) functionality. |
Enable On Access Protection | Enable Defender's On Access Protection functionality. |
Enable Realtime Monitoring | Enable Defender's Realtime Monitoring functionality. |
Enable Scanning Network Files | Enable scanning of network files. |
Enable Script Scanning | Enable Defender's Script Scanning functionality. |
Enable User UI Access | Enable user access to the Defender UI. If disallowed, it suppresses all Defender notifications. |
Excluded Extensions | Enable an administrator to specify a list of file type extensions to ignore during a scan. Separate each file type in the list by |. For example, lib|obj. |
Excluded Paths | Enable an administrator to specify a list of directory paths to ignore during a scan. Separate each path in the list by |. For example, C:\Example|C:\Example1. |
Excluded Processes | Enable an administrator to specify a list of files opened by processes to ignore during a scan. |
Real Time Scan Direction | Control which sets of files to watch. |
Scan Type | Select whether to perform a quick scan or a full scan. |
Quick Scan Schedule in Minutes | Specify the time of day that the Defender quick scan should run. You must specify the time as the number of minutes past midnight (local time). Valid values are 0 to 1380, where 12:00 AM = 0, 1:00 AM = 60, and so on up to 11:00 PM = 1380. |
Schedule Scan Day | Select the day on which the Defender scan should run. |
Schedule Scan Time in Minutes | Specify the time of day that the Defender scan should run. You must specify the time as the number of minutes past midnight (local time). Valid values are 0 to 1380, where 12:00 AM = 0, 1:00 AM = 60, and so on up to 11:00 PM = 1380. |
Signature Update Interval in Hours | Specify the interval (in hours) used to check for signatures. Instead of using the ScheduleDay and ScheduleTime settings, Windows checks for new signatures according to this interval. Because the interval is expressed in hours, the most frequent check Windows performs is once every hour. |
Submit Samples Consent | Check the user consent level in Defender for sending data. If the user has granted the required consent, Defender submits the samples. If the user has specified never ask again, the UI launches to ask for user consent (when Defender/AllowCloudProtection is enabled) before sending data. |
Enable SmartScreen in Shell | Specify who can configure the SmartScreen for Windows. |
Ignore SmartScreen Warning | Enable the device user to ignore warnings in SmartScreen. Important: You must enable SmartScreen for this option to take effect. |
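A profile only states the intended Defender configuration; the check a practitioner wants is whether those values are actually in effect on the endpoint. The following PowerShell script is an added example, not part of SOTI MobiControl, that reads the live settings with Get-MpPreference and compares them against the profile values described above (the expected values, including the |-separated exclusion lists and minutes-past-midnight scan times, are constructed samples).

```powershell
# Added verification script (not SOTI MobiControl code): compares the Defender
# settings in effect on a device with the values an administrator pushed through
# the Feature Control profile. The expected values are constructed samples.
$expected = @{
    ScanScheduleTimeMinutes = 120                      # "Schedule Scan Time in Minutes": 2:00 AM
    QuickScanTimeMinutes    = 720                      # "Quick Scan Schedule in Minutes": 12:00 PM
    SignatureUpdateHours    = 4                        # "Signature Update Interval in Hours"
    ExcludedExtensions      = 'lib|obj'                # profile format: items separated by |
    ExcludedPaths           = 'C:\Example|C:\Example1' # profile format: items separated by |
    RealtimeMonitoring      = $true                    # "Enable Realtime Monitoring"
    CloudProtection         = $true                    # "Cloud Protection"
}

# Convert the profile's "minutes past midnight" value to the TimeSpan that
# Get-MpPreference reports, after validating the 0-1380 range the page documents.
function ConvertTo-ScanTime([int]$Minutes) {
    if ($Minutes -lt 0 -or $Minutes -gt 1380) {
        throw "Scan time $Minutes is outside the valid range 0-1380 minutes past midnight"
    }
    return [TimeSpan]::FromMinutes($Minutes)
}

$pref = Get-MpPreference
$findings = @()

$want = ConvertTo-ScanTime $expected.ScanScheduleTimeMinutes
if ($pref.ScanScheduleTime -ne $want) {
    $findings += "ScanScheduleTime is $($pref.ScanScheduleTime), expected $want"
}
$want = ConvertTo-ScanTime $expected.QuickScanTimeMinutes
if ($pref.ScanScheduleQuickScanTime -ne $want) {
    $findings += "ScanScheduleQuickScanTime is $($pref.ScanScheduleQuickScanTime), expected $want"
}
if ($pref.SignatureUpdateInterval -ne $expected.SignatureUpdateHours) {
    $findings += "SignatureUpdateInterval is $($pref.SignatureUpdateInterval)h, expected $($expected.SignatureUpdateHours)h"
}

# The profile stores exclusions as one |-separated string; Defender exposes arrays.
# Extra exclusions that the profile never set are worth flagging: they widen the
# scan blind spot and are a common sign of local tampering.
foreach ($pair in @(
        @{ Name = 'ExclusionExtension'; Value = $expected.ExcludedExtensions },
        @{ Name = 'ExclusionPath';      Value = $expected.ExcludedPaths })) {
    $wantList   = @($pair.Value -split '\|' | Where-Object { $_ })
    $actualList = @($pref.($pair.Name))
    $missing = $wantList   | Where-Object { $actualList -notcontains $_ }
    $extra   = $actualList | Where-Object { $wantList   -notcontains $_ }
    if ($missing -or $extra) {
        $findings += "$($pair.Name): missing [$($missing -join ', ')] extra [$($extra -join ', ')]"
    }
}

# Boolean options surface inverted (Disable*) and cloud protection as a MAPSReporting level.
if ((-not $pref.DisableRealtimeMonitoring) -ne $expected.RealtimeMonitoring) {
    $findings += "Realtime monitoring state does not match the profile"
}
if (($pref.MAPSReporting -gt 0) -ne $expected.CloudProtection) {
    $findings += "Cloud protection (MAPSReporting=$($pref.MAPSReporting)) does not match the profile"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'Defender settings match the profile' }
```

Run it in an elevated PowerShell session on the enrolled device; each warning names the setting that drifted from the profile.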
Security
Feature Control Option | Description |
---|---|
Clear TPM If the Device Is Not Ready | This requires administrator access. The prompt appears on the first admin login after a reboot when the Trusted Platform Module (TPM) is in a non-ready state for remediation with a TPM Clear. The prompt describes what clearing the TPM does and requires a reboot. The user can dismiss it, but it appears on the next admin login after the restart. |
Configure Windows Passwords | Configure the use of passwords for Windows features. |
Enable Automatic Device Encryption for Entra ID Joined Devices | Specifies whether to enable automatic device encryption during the Out of Box Experience (OOBE) when the device is Entra ID joined. |
Enable Adding Provisioning Package | Specifies whether the runtime configuration agent installs provisioning packages. |
Enable Removing Provisioning Package | Specifies whether the runtime configuration agent removes provisioning packages. |
Require Provisioning Package Signature | Specifies whether provisioning packages must have a certificate signed by a trusted device authority. |
Hardware
Feature Control Option | Description |
---|---|
Enable Device Location Switch | Enable/disable the Location Service's device switch. |
Enable Camera | Enable/disable the device's camera. |
Enable USB Access | Enable/disable access to the device's USB port for the following: |
Enable USB Media Storage | Enable/disable the use of external storage devices, such as USB drives or SD cards, with the device. |
Enable Serial Connection Access | Enable/disable the device's serial port. |