Feature Control (Windows Modern)

For security-conscious organizations where privacy and information security concerns require controlling mobile data and other features, SOTI MobiControl provides diverse on-device restrictions. These include blocking certain device communications (similar to a firewall) and more. You can configure feature control when:

You may also selectively turn off device features with the Feature Control profile configuration. Applying the configuration at the individual or group level creates custom profiles for different users and locations in an organization. For example, turning Bluetooth and infrared ports on or off determines if device users can beam business cards, applications, or documents to one another.

General

Application

Feature Control Option Description
Enable DVR and Broadcasting Enable the use of Digital Video Recorder (DVR) and broadcasting.
App Install Control Specify if device users can install apps from sources other than the Windows Store.
Enable Non Admin User for App Install Toggle on this option to let non-administrator users install MSIX and APPX applications.
Enable Store Originated Apps Enable the launch of all apps from the Microsoft Store that came pre-installed or were already downloaded.
Enable User Control Over Install Enable users to change installation options that typically are available only to system administrators.
Enable Elevated Privileges to Install Programs Enable elevated permissions to install programs that need special permissions. If you disable this option, the system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer.
Enable Private Store Only Disable the retail catalog so that only the Private Store is available.
Auto Update of Store Applications Specify if device users can control the app update schedule from the Windows Store.
Background Application Run Specify if device users can let Windows apps run in the background.
Developer Mode Unlock Specify whether developer unlock is explicitly allowed, denied, or not configured.
Enable Shared User App Data Enable more than one user of the same app to share data.
Limit App Data to System Volume Store application data only on the system drive.
Limit App to System Volume Restrict installation of applications to the system drive.

Device Account

Feature Control Option Description
Enable Microsoft Account Connection Enable users to link their devices to a Microsoft account.
Enable Adding Non-Microsoft Accounts Manually Enable users to manually link their devices to a non-Microsoft account.
Enable Adding Microsoft Account Sign-in Assistant Enable users to turn on the Microsoft Account Sign-in Assistant NT service. Requires device restart.
Domain Names for Email Sync Enter the list of domains that can sync email on the device.

Search

Feature Control Option Description
Enable Search to Use Location Enable Bing search to use location services on the device.
Enable Search Indexer Configure the search indexing service to run.

Settings

Feature Control Option Description
Enable AutoPlay Settings Let the user change AutoPlay settings.
Enable Language Settings Let the user change language settings.
Enable Online Tips Settings Enable the retrieval of online tips and help for the Settings app.
Enable Power Sleep Settings Let the user change power and sleep settings.
Enable Region Settings Let the user change region settings.
Enable Sign-in Options Settings Let the user change sign-in options.
Enable Workplace Settings Let the user change workplace settings.
Enable Data Usage Settings Let the user change data usage settings.
Enable Date Time Settings Let the user change date and time settings.
Enable Edit Device Name Settings Let the user edit the device name.
Enable VPN Settings Let the user change Virtual Private Network (VPN) settings.
Enable Account Settings Let the user change account settings.

Text Input

Feature Control Option Description
Enable IME Logging Let the user turn logging of misconversions on and off. Automatic tuning results are saved to a file along with history-based predictive input.
Enable IME Network Access Let the user turn on Open Extended Dictionary, Internet Search Integration, and online services that offer input suggestions not found in the PC's local dictionary.
Enable Japanese IME Surrogate Pair Characters Enable the Japanese Input Method Editor (IME) surrogate pair characters.
Enable Japanese IVS Characters Enable Japanese Ideographic Variation Sequence (IVS) characters.
Enable Japanese Non-Publishing Standard Glyph Enable the Japanese non-publishing standard glyph.
Enable Japanese User Dictionary Enable the Japanese user dictionary.
Enable Korean Extended Hanja Enable the use of Korean Extended Hanja character set.
Exclude Japanese IME Except JIS0208 Let users restrict the character code range of conversion by setting the character filter.
Exclude Japanese IME Except JIS0208 and End User Defined Characters (EUDC) Let users restrict the character code range of conversion by setting the character filter.
Exclude Japanese IME Except Shift Japanese Industrial Standards (JIS) Let users restrict the character code range of conversion by setting the character filter.

Windows Update

Feature Control Option Description
Enable Update Service Select this option to let the device use Microsoft Update, Windows Server Update Services (WSUS), or the Windows Store. Even when Windows Update is configured to receive updates from an intranet update service, it periodically retrieves information from the public Windows Update service. That information enables future connections to Windows Update and other services like Microsoft Update or the Windows Store. Enabling this policy disables this functionality and may cause connections to public services (such as the Windows Store) to stop working.
Note: This policy applies only when you link the desktop or device to an intranet update service using the Custom Update WSUS server URL policy.
Auto Update Settings Enable the IT administrator to manage automatic updates behavior to scan, download, and install updates.
  • Notify User: Inform the user before downloading the update. Enterprises use this policy to enable end-users to manage data usage. With this option, the device informs users when there are updates that apply to the device and are ready for download. Users can download and install these updates from the Windows Update control panel.
  • Install and Notify: Automatically install the update and then inform the user to schedule a restart. Download updates automatically on non-metered networks and have them installed during Automatic Maintenance (when the computer is not in use and is not running on battery power). If automatic maintenance is unable to install updates for two days, Windows Update installs updates right away. If the installation requires a restart, the end-user receives a prompt to schedule the restart time. The end-user has up to seven days to schedule the restart, and after that, a forced restart occurs. Enabling the end-user to control the restart time reduces the risk of accidental app data loss caused by apps that do not shut down correctly on restart.
  • Install and Restart: Auto install and restart. Updates download automatically on non-metered networks and install during Automatic Maintenance when the computer is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update installs updates right away. If a restart is required, the device restarts automatically when it is not in use. This is the default behavior for unmanaged devices. Devices update immediately, but it increases the risk of accidental app data loss caused by apps that do not shut down correctly on restart.
  • Install and Restart at Specific Time: Auto install and restart at a specified time. The IT administrator specifies the installation day and time. If you do not specify a day and time, the default is 3:00 AM daily. Automatic installation happens at this time and restart happens after a 15-minute countdown. If the user remains logged in when Windows is ready to restart, they can interrupt the 15-minute countdown to delay the restart.
  • Install and Restart Without User Control: Auto install and restart without end-user control. Updates download automatically on non-metered networks and install during Automatic Maintenance when the computer is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update installs the updates right away. If a restart is required, the device restarts automatically when it is not actively in use. This option sets the end-user control panel to read-only.
  • No Auto Updates: Turn off automatic updates.
Enable Non-Microsoft Signed Update Enable the IT administrator to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when found at the UpdateServiceUrl location. This policy supports using WSUS for third-party software and patch distribution. Supported operations are Get and Replace.
Scheduled Install Time (0 to 23 hours) Enable the IT administrator to schedule the time of the update installation.
WSUS Server URL Specify the URL of a custom WSUS update server. This enables the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.
Scheduled Install Day Enable the IT administrator to schedule the day of the update installation.

Start Menu

Feature Control Option Description
Show Change Account Settings Enables the Change Account settings to appear in the Start Menu.
Show Frequently Used Apps Enables the Frequently Used Apps option to appear in the Start Menu.
Note: Requires device restart.
Show Hibernate Enables Hibernate power option to appear in the Start Menu.
Show Lock Enables the Lock option to appear in the Start Menu.
Show Power Button Enables the Power button to appear in the Start Menu.
Note: Requires device restart.
Show Recent Jump Lists Enables Recent Jump Lists to appear in the Start Menu.
Note: Requires device restart.
Show Recently Added Apps Enables the Recently Added Apps option to appear in the Start Menu.
Note: Requires device restart.
Show Restart Enables Restart power option to appear in the Start Menu.
Show Shutdown Enables Shutdown power option to appear in the Start Menu.
Show Sign Out Enables Sign Out option to appear in the Start Menu.
Show Sleep Enables Sleep power option to appear in the Start Menu.
Show User Tile Enables user tiles to appear in the Start Menu.
Enable Pin to Taskbar Connectivity Enables the administrator to configure the taskbar by allowing apps to be pinned to and unpinned from the taskbar.

Connectivity

Cellular Data and Roaming

Feature Control Option Description
VPN Roaming Over Cellular Lets users enable VPN while the device is roaming.
VPN Over Cellular Lets users enable VPN while the device is on a cellular data network.
Enable Device Cellular Data Enable the cellular data channel on the device.
Cellular Data Roaming Let the user use cellular data while the device is roaming.
Enable Enterprise APN User Control Enable the device user to change enterprise Access Point Name (APN) settings for the APN profile configuration.

Supported on desktop devices running Windows 10 version 1703 and later.

Wi-Fi

Feature Control Option Description
Enable Auto Connect to Wi-Fi Sense Hotspots Let the device automatically link to Wi-Fi hotspots.

Bluetooth

Feature Control Option Description
Enable Bluetooth Let the user enable Bluetooth.
Enable Bluetooth Discoverable Mode Turn on Bluetooth discoverable mode.
Set Bluetooth Device Name Enter a string that specifies the local Bluetooth device name.
Enable Bluetooth Advertising Let the device act as a source for advertisements.
Enable Bluetooth Pre-pairing Enable specific bundled Bluetooth peripherals to automatically pair with host devices.

Connectivity

Feature Control Option Description
Enable Printing Over HTTP Let the user print over HTTP from their client.
Enable Downloading of Print Drivers Over HTTP Let the user download print driver packages over HTTP.
Enable Download of Online Wizards Enable Windows to download the list of service providers for online wizards. When disabled, only service providers cached in the local registry are displayed.
Enable Network Connectivity Active Tests Enable the Network Connectivity Status Indicator (NCSI) active probe. Disabling it prevents the connectivity test against www.msftconnecttest.com.
Enable Configuration of Network Bridge Let the user install and configure the Network Bridge.
Enable Connected Devices Let the user enable the Connected Devices Platform (CDP).

Security and Privacy

Data Protection

Feature Control Option Description
Enable Internet Sharing Over Wi-Fi Let the device share its Internet as a Wi-Fi hotspot.
Enable Direct Memory Access Enable Direct Memory Access.

Experience

Feature Control Option Description
Enable Windows Consumer Features Enable experiences that are typically for consumers only, such as Start suggestions, membership notifications, post-OOBE app installs, and redirect tiles.
Enable Windows Tips Enable Windows Tips / soft landing.
Enable Cortana Enable Cortana (personal digital assistant) on the device.
Allow Manual MDM Unenrollment Let the user unenroll the device.
Enable Device Discovery on Lock Screen Enable the device discovery user interface on the lock screen.
Enable Find My Device Register the device's location in the cloud so the Find My Device feature can work.
Enable Syncing of Settings Enable synchronization of settings with other devices.
Enable Feedback Notifications Enable devices to show feedback questions from Microsoft.

System

Feature Control Option Description
Enable OneDrive File Sync Enable apps and features to work with files on OneDrive.
Note: This feature control option requires a device reboot.
Boot-Start Drivers Specify which boot-start drivers initialize based on their classification. If you disable or do not configure this policy setting, boot-start drivers classified as Good, Unknown, or Bad but boot-critical initialize, and drivers classified as Bad are skipped.
Enable Enterprise Authentication Proxy Enable Connected User Experience and Telemetry service to automatically use an authenticated proxy to send data to Microsoft on Windows 10 or later.
Enable System Restore Enable device user to access System Restore and the System Restore Wizard. The options to configure System Restore or create restore points through System Protection are also enabled.
Require to Save Diagnostics Logs Locally Require all diagnostic logs to be saved locally for internal investigations.
Restrict Telemetry Data Determines the amount of diagnostic and usage telemetry data sent to Microsoft. Choose from the following levels:
  • Security: Sends only data required to keep Windows secure.
  • Basic: Sends basic data such as device information, app compatibility and usage data and data from the Security level.
  • Enhanced: Sends security, basic data, and other insights such as usage data on Windows, Windows Server, System Center, apps, how they perform, or other advanced reliability data.
  • Full: Sends all data necessary to identify and solve issues in addition to data from the Security, Basic and Enhanced levels.
Note: Levels listed are in order of least to most data sent.
Enable Location Service Determines the status of Location Services on the device. Choose from the following:
  • User Controlled: Device user can switch location services on or off.
  • Enable: Enable Location Services and do not allow the device user to disable them.
  • Disable: Disable Location Services and prevent device users from enabling them, which restricts applications from accessing location information.
Enable SD Card Access Let device user access data on the SD card.
Enable Enhanced Diagnostic Data Let devices send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services.
Important: You must set Restrict Telemetry Data to Enhanced to use this feature.
Enable Windows Preview Builds Let device users download and install Windows preview software.
Enable Embedded Mode Let device users enter Embedded Mode.
Allow Microsoft Experimentation Let Microsoft conduct full experimentation to study user preferences or device behavior.
Enable Font Providers Let device users download fonts and font catalog data from online font providers.
Enable Factory Reset Let device users factory reset the device.
Telemetry Proxy Specifies a proxy server to forward Connected User Experiences and Telemetry requests. Enter the Fully Qualified Domain Name (FQDN) or IP address of the proxy server. This connection occurs over a Secure Sockets Layer (SSL) connection. The format for this setting is server:port.
The Connected User Experiences and Telemetry data is not transmitted and remains on the local device when:
  • The named proxy fails.
  • No proxy is specified while this policy is enabled.

Authentication

Feature Control Option Description
Enable Azure Active Directory Password Reset Specifies whether to enable or disable password reset for Azure Active Directory accounts. This policy enables Azure AD tenant administrators to enable the self-service password reset feature on the Windows login screen.
Enable FIDO Device Sign-On Specifies whether you can use the Fast Identity Online (FIDO) device to sign on. This policy enables the Windows login credential provider for FIDO 2.0 devices.
Enable EAP Fast Reconnect Enables Extensible Authentication Protocol (EAP) Fast Reconnect attempts for EAP Method Transport Layer Security (TLS).
Enable Secondary Authentication Devices Enables secondary authentication devices to work with Windows.
Windows Defender
Note: Starting with SOTI MobiControl version 2025.0, the Windows Defender configuration options moved from the Feature Control payload to a stand-alone profile payload. See Windows Defender - Configuration Details.
Feature Control Option Description
Cloud Protection Enable or disable Cloud Protection. If enabled, Windows Defender sends information to Microsoft about problems it finds. Microsoft analyzes this information in its cloud to learn more about the problems and responds with the best solution.
Average CPU Load Factor in Percent Set the average CPU load factor for the scan (as a percentage).
Days to Retain Cleaned Malware Specify how long (in days) the system retains quarantined items.
Enable Archive Scanning Enable scanning of archives.
Enable Behavior Monitoring Enable Defender's Behavior Monitoring functionality.
Enable Email Scanning Enable scanning of email.
Enable Full Scan On Network Drives Enable a full scan of mapped network drives.
Enable Full Scan On Removable Drives Enable a full scan of removable drives.
Enable Intrusion Prevention System Enable Defender's Intrusion Prevention functionality.
Enable IOAVP Protection Enable Defender's Office Anti Virus Protection (IOAVP) functionality.
Enable On Access Protection Enable Defender's On Access Protection functionality.
Enable Realtime Monitoring Enable Defender's Realtime Monitoring functionality.
Enable Scanning Network Files Enable scanning of network files.
Enable Script Scanning Enable Defender's Script Scanning functionality.
Enable User UI Access Enable user access to the Defender UI. If disallowed, it suppresses all Defender notifications.
Excluded Extensions Enable an administrator to specify a list of file type extensions to ignore during a scan. Separate each file type in the list with |. For example, lib|obj.
Excluded Paths Enable an administrator to specify a list of directory paths to ignore during a scan. Separate each path in the list by |. For example, C:\Example|C:\Example1.
Excluded Processes Enable an administrator to specify a list of files opened by processes to ignore during a scan.
Real Time Scan Direction Control which sets of files to watch.
  • Bidirectional: Watch all files.
  • Incoming: Watch incoming files.
  • Outgoing: Watch outgoing files.
Scan Type Select whether to perform a quick scan or a full scan.
  • Quick Scan: Perform a quick Defender scan.
  • Full Scan: Perform a full Defender scan.
Quick Scan Schedule in Minutes Specify the time of day that the Defender quick scan should run. You must specify the time as the number of minutes past midnight (local time).

Valid values are 0 to 1380, where 12:00 AM = 0, 1:00 AM = 60, and so on up to 11:00 PM = 1380.

Schedule Scan Day Select the day on which the Defender scan should run.
Schedule Scan Time in Minutes Specify the time of day that the Defender scan should run. You must specify the time as the number of minutes past midnight (local time).

Valid values are 0 to 1380, where 12:00 AM = 0, 1:00 AM = 60, and so on up to 11:00 PM = 1380.

Signature Update Interval in Hours Specify the interval (in hours) at which to check for new signatures. When set, Windows checks for new signatures at this interval instead of using the scheduled scan day and time. Because the interval is expressed in hours, the most frequent check is once every hour.
Submit Samples Consent Checks the user consent level in Defender for sending samples. If the required consent has already been granted, Defender submits the samples. If consent has not been granted, the UI launches to ask for user consent (when Cloud Protection is enabled) before sending data.
  • Always Prompt: Always prompt the user.
  • Send Safe Samples: Send safe samples automatically.
  • Never Send: Never send samples.
  • Send All Samples: Send all samples automatically.
  • User-Controlled: Let the device user configure this setting.
Enable SmartScreen in Shell Specify who can configure the SmartScreen for Windows.
Ignore SmartScreen Warning Enable the device user to ignore warnings in SmartScreen.
Important: SmartScreen must be enabled for this option to apply.
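The Defender options above are a set of toggles, exclusion lists and schedule values that the profile pushes to the device, and the check a practitioner wants afterwards is whether the device actually ended up in that state. The following PowerShell script is an added example, not SOTI or Microsoft code. It reads the effective Defender configuration with the built-in Get-MpPreference and Get-MpComputerStatus cmdlets, compares it against an assumed set of profile values (the $Expected table and $ExpectedQuickScanMinutes are placeholders to replace with your own), and flags over-broad exclusions, the part of this payload most likely to quietly remove protection.

```powershell
# Added example (not SOTI or Microsoft code): audit the Windows Defender options of a
# Feature Control profile as they are actually applied on a managed Windows 10/11 device.
# Run in an elevated PowerShell session on the client.

# Assumed profile values; edit to match your own Feature Control profile.
$Expected = @{
    DisableRealtimeMonitoring = $false   # Enable Realtime Monitoring
    DisableBehaviorMonitoring = $false   # Enable Behavior Monitoring
    DisableIOAVProtection     = $false   # Enable IOAVP Protection
    DisableScriptScanning     = $false   # Enable Script Scanning
    MAPSReporting             = 2        # Cloud Protection: 0 off, 1 basic, 2 advanced
    SubmitSamplesConsent      = 1        # 0 always prompt, 1 safe samples, 2 never, 3 all samples
    SignatureUpdateInterval   = 1        # Signature Update Interval in Hours
}
$ExpectedQuickScanMinutes = 120          # Quick Scan Schedule in Minutes (2:00 AM), assumed

$pref     = Get-MpPreference
$status   = Get-MpComputerStatus
$findings = New-Object System.Collections.Generic.List[string]

# 1. Setting drift: compare each effective preference with the profile value
foreach ($name in $Expected.Keys) {
    $actual = $pref.$name
    if ("$actual" -ne "$($Expected[$name])") {
        $findings.Add("Drift: $name is '$actual', expected '$($Expected[$name])'")
    }
}

# The quick scan time is exposed as a TimeSpan; the profile stores minutes past midnight (0-1380)
$quickMinutes = [int]$pref.ScanScheduleQuickScanTime.TotalMinutes
if ($quickMinutes -ne $ExpectedQuickScanMinutes) {
    $findings.Add("Drift: quick scan runs at $quickMinutes minutes past midnight, expected $ExpectedQuickScanMinutes")
}

# 2. Exclusions: Excluded Paths/Extensions/Processes accept any value, so flag entries that
#    remove protection from whole directory trees or from executable file types
$riskyPath = '^(?:\*|[A-Za-z]:\\?|[A-Za-z]:\\(?:Windows|Users|ProgramData|Temp)\\?)$'
foreach ($p in @($pref.ExclusionPath)) {
    if ($p -and $p -match $riskyPath) { $findings.Add("Broad path exclusion: $p") }
}
$executableExt = @('exe', 'dll', 'ps1', 'js', 'vbs', 'bat', 'cmd', 'scr', 'msi', 'com')
foreach ($e in @($pref.ExclusionExtension)) {
    if ($e -and ($executableExt -contains $e.TrimStart('.').ToLower())) {
        $findings.Add("Executable extension excluded from scanning: $e")
    }
}
foreach ($proc in @($pref.ExclusionProcess)) {
    if ($proc) { $findings.Add("Process exclusion present, review it: $proc") }
}

# 3. Runtime health that no single profile setting guarantees by itself
if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is not running') }
if ($status.AntivirusSignatureAge -gt 3) {
    $findings.Add("Signatures are $($status.AntivirusSignatureAge) days old")
}

if ($findings.Count -eq 0) {
    Write-Output 'Defender state matches the expected Feature Control profile'
} else {
    $findings | ForEach-Object { Write-Output $_ }
    exit 1
}
```

The script exits non-zero when anything drifts, so it can run as a scheduled compliance check and feed its output back into a management console. The numeric mappings in the comments (MAPSReporting, SubmitSamplesConsent) are the values the Defender cmdlets expose; the human-readable choices in the profile (Always Prompt, Send Safe Samples, and so on) map onto them in that order.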

Security

Feature Control Option Description
Clear TPM If the Device Is Not Ready This requires administrator access. The prompt appears on the first admin login after a reboot when the Trusted Platform Module (TPM) is in a non-ready state for remediation with a TPM Clear. The prompt describes what clearing the TPM does and requires a reboot. The user can dismiss it, but it appears on the next admin login after the restart.
Configure Windows Passwords Configure the use of passwords for Windows features.
Enable Automatic Device Encryption for Entra ID Joined Devices Specifies whether to enable automatic device encryption during the Out of Box Experience (OOBE) when the device is Entra ID joined.
Enable Adding Provisioning Package Specifies whether the runtime configuration agent installs provisioning packages.
Enable Removing Provisioning Package Specifies whether the runtime configuration agent removes provisioning packages.
Require Provisioning Package Signature Specifies whether provisioning packages must have a certificate signed by a trusted device authority.

Hardware

Feature Control Option Description
Enable Device Location Switch Enable/disable the Location Service's device switch.
Enable Camera Enable/disable the device's camera.
Enable USB Access Enable/disable access to the device's USB port for the following:
  • mouse
  • disk drives
  • CD ROM
  • portable devices
  • floppy disks
  • Bluetooth devices
  • imaging devices
  • printers
  • modems
  • USB devices
  • smart card readers
  • IrDA devices
Enable USB Media Storage Enable/disable the use of external storage devices, such as USB drives or SD cards, with the device.
Enable Serial Connection Access Enable/disable the device's serial port.