Category filter
Restrictions for Windows Devices
Configuring restrictions for Windows devices enforce control on how the users access these devices. You may allow or disallow Windows functionalities and features on the devices to ensure security to the organizational data and determine whether the corporate devices are utilized safely. Windows restriction policy can be used to generate restrictions based on device functionality, network connectivity, app configurations, security and privacy settings, and much more.
- The availability of the restrictions listed below depends on your MDM license plan and the Windows version of the end-user. For detailed information, please visit Hexnode pricing page.
- The restrictions mentioned below are supported on Pro, Business, Enterprise and Education editions.
Basic Restrictions
To configure basic Restrictions for Windows devices,
- Login to your Hexnode portal.
- Navigate to Policies > New Policy to create a new one or click on any policy name to edit an existing one.
- Enter the Policy Name and Description in the provided fields.
- Navigate to Windows > Restrictions.
- Click on Configure.
Note that all the basic Windows restrictions in Hexnode are Enabled by default.
Allow Basic Device Functionality
| Restriction | Supported OS | Description | ||||
|---|---|---|---|---|---|---|
| Camera |
|
Unchecking this option prevents access to device camera. | ||||
| Copy and paste between apps |
|
Disallows users from copying and pasting text/files between apps, on unchecking this option. Disabling this option won’t restrict the user from copying and pasting between browsers. | ||||
| Cortana voice assistant |
|
When this option is unchecked Cortana voice assistant is disabled on the device. However, users will still be able to use search to find items on the device. | ||||
| Use Cortana if device is locked |
|
Unchecking this option disallows users from interacting with Cortana using speech while the system is locked. If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech. | ||||
| Use storage card |
|
Disabling this option prevents using any external storage cards on the devices. It disables SD card slot, and SD card usage will be blocked. | ||||
| Telemetry |
|
Telemetry collects diagnostic data from a Windows device and sends them to Microsoft. Learn more
Click the dropdown to select Disallow/ Limited for sending diagnostic data to Microsoft. |
||||
| Location services |
|
Uncheck this option to disable Location services or prevent users from turning on Location services from the device settings. | ||||
| Edit device name |
|
Disable this option to prevent users from changing the name of the device. | ||||
| Change language |
|
Language settings from the device will be disabled, if this option is unchecked. | ||||
| Voice recording |
|
Unchecking this option prevents users from using Voice Recorder app on Windows devices. | ||||
| Users can enable/disable Workplace |
|
Users will not be able to change Workplace settings from the device, if this option is unchecked. | ||||
| Users can change AutoPlay settings |
|
Users will be disallowed from changing Auto Play settings from the device, if this option is unchecked. Learn more |
Telemetry in Windows
Telemetry is a feature in Windows where the system information will be sent to Microsoft to provide device-specific updates. Microsoft has already revealed that they used telemetry to count the number of times Alt+Tab was used on a PC to switch between active Windows. They found that the number of users used Alt+Tab were lesser since most of them were not familiar with that function, which then led to the addition of Task View button in Windows 10.
AutoPlay
AutoPlay lets you choose the program with which you can start different kinds of media, such as DVD, CD, etc. containing music, video, photo, etc. AutoPlay begins reading from a drive as soon as you insert media files in the drive. As a result, the setup file of programs and the music on audio media starts immediately.
Allow Basic App Settings
| Restriction | Supported OS | Description | ||||
|---|---|---|---|---|---|---|
| Sync Settings |
|
Unchecking this option disables the Windows sync settings on the devices. Learn more | ||||
| Share Microsoft Office files |
|
Users won’t be able to share the Microsoft Office files, if this option is unchecked. | ||||
| Save as Microsoft Office files |
|
Users won’t be able to save files on their devices as Microsoft Office files, if this option is unchecked. | ||||
| Show notifications on Action Center |
|
Users can choose which apps to show notifications on the Action Center. If this option is unchecked, Action Center notifications will be prevented from showing up on the device lock screen. | ||||
| Access Internet Explorer or Microsoft Edge |
|
By default, users can access Internet Explorer on Windows 8.1 and Microsoft Edge on Windows 10. Unchecking this option prevents user from accessing them on the devices. | ||||
| Allow SignIn Options |
|
Unchecking this option prevents users from changing Sign In options like password, picture password, PIN, and password policy under device settings. |
Sync Settings
On enabling Sync settings, Windows syncs all the settings you choose across all your Windows devices in which you have signed in with your Microsoft account. Sync settings also work if you sign in with a work or school account linked to your Microsoft account.
Allow Basic Network Settings
| Restriction | Supported OS | Description | ||||
|---|---|---|---|---|---|---|
| Wi-Fi |
|
Unchecking this option prevents users from enabling, configuring, and accessing Wi-Fi on the device. | ||||
| Bluetooth |
|
If this option is unchecked, users will be disallowed from turning on/offBluetooth on the device. | ||||
| Discover device over Bluetooth |
|
When this option is unchecked, the device is prevented from being discovered by other Bluetooth-enabled devices. | ||||
| Users can turn VPN on/off |
|
Uncheck this option to disallow users from adding or removing a VPN connection. | ||||
| Connect to VPN if on mobile network |
|
Disabling the option prevents the device from accessing VPN connection when connected to a mobile network. | ||||
| Connect to VPN if roaming |
|
Disabling the option prevents the device from accessing VPN connection when roaming on a mobile network. | ||||
| Cellular data roaming |
|
Unchecking the option prevents data roaming between networks. Using cellular data while roaming might incur additional data charges. |
Allow Basic Security and Privacy Settings
| Restriction | Supported OS | Description | ||||
|---|---|---|---|---|---|---|
| Manual MDM administration removal |
|
Unchecking this option prevents users from accessing workplace control panel to delete the workplace account on the device. Learn More
Note:
If your device is Azure AD joined, disabling this option will have no effect.
|
||||
| Show toast notification on lock screen |
|
Disable this option to prevent toast notification on the device lock screen. |
Account Settings
| Restriction | Supported OS | Description | ||||
|---|---|---|---|---|---|---|
| MMS |
|
Unchecking this option disables MMS (Multimedia Messaging Service) send/ receive functionality on the device. | ||||
| Sync MMS |
|
Disabling this option restricts MMS messages from being backed-up, restored, or synced between Windows devices. | ||||
| RCS messaging |
|
Users will not be allowed to send or receive RCS (Rich Communication Services) messages on the devices, if this option is unchecked. RCS is a text-message system that is richer and more interactive than SMS. | ||||
| OneDrive file sync |
|
Unchecking this option restricts users from synchronising files to OneDrive from their devices. |
Advanced Restrictions
To configure Advanced Restrictions for Windows devices,
- Login to your Hexnode MDM portal.
- Navigate to Policies. You can either create a new policy or click on any policy name to edit an existing one.
- Enter the Policy Name and Description in the provided fields.
- Navigate to Windows > Advanced Restrictions.
- Click on Configure.
Allow Device Functionality
| Restriction | Supported OS | Description | ||||
|---|---|---|---|---|---|---|
| NFC |
|
Unchecking the option restricts Near Field Communications (NFC) capabilities and prevents user from configuring NFC settings on the device.
Allowed by default. |
||||
| USB connection |
|
Access to any external device by USB connection is prevented, if this option is unchecked.
Note:
USB charging won’t be affected.
Allowed by default. |
||||
| Users can reset the device |
|
Users will not be able to perform factory-reset or wipe on their devices, if this option is unchecked.
Allowed by default. |
||||
| Screen capture |
|
Disabling the option prevents users from taking screenshots on the devices. | ||||
| Users can change date and time |
|
Uncheck this option to prevent users from changing date and time settings on the device.
Allowed by default. |
||||
| Users can change power and sleep settings |
|
Uncheck this option to prevent users from changing power and sleep settings on the device.
Allowed by default. |
||||
| Allow Embedded Mode |
|
Enable this option to allow users to activate Embedded Mode on their devices. Learn more
Disabled by default. |
||||
| Allow Region |
|
Unchecking the option prevents users from changing Region under device settings.
Region option is useful in finding localized content and apps. Allowed by default. |
Embedded Mode
Embedded mode restricts the device to run a single app (often called kiosk mode). Embedded mode is allowed by default on devices running Windows 10 IoT Core. On mobile, and desktop devices, it must be enabled manually. Not only does this let you access a single app when using the device, Embedded Mode enables background tasks and other functionalities on the devices in addition to running single app in Kiosk mode.
Allow App Settings
| Restriction | Supported OS | Description | ||||
|---|---|---|---|---|---|---|
| Windows Store |
|
Unchecking this option disables Microsoft Store from the devices.
Allowed by default. |
||||
| Unlock developer options |
|
Configure the Windows developer settings here. Click the dropdown to select Deny/ Allow for using developer features on the device.
Not Configured by default. |
||||
| Users can turn Safe Search on/off |
|
Users won’t be able to change the Safe Search settings from the devices, if this option is unchecked. Safe search is where Cortana filters out adult content from the search results. Allowed by default. |
||||
| Search can use user location |
|
Disabling this option disallows Windows Search from using device location.
Allowed by default. |
||||
| Store images captured for Vision search |
|
Uncheck this option to prevent devices from storing images captured for Vision search.
Vision search (or Bing Vision) is a feature provided by Bing. Bing allows you to scan an image with your Windows device and display its details. Allowed by default. |
||||
| Users can add non-Microsoft accounts |
|
Users will not be able to add non-Microsoft email accounts on the devices, if this option is unchecked.
Allowed by default. |
Allow Network Settings
All the Windows advanced network settings supported by Hexnode are allowed by default.
| Restriction | Supported OS | Description | ||||
|---|---|---|---|---|---|---|
| Internet Sharing |
|
Uncheck this option to prevent users from sharing their Internet connection through Bluetooth or by creating a portable Wi-Fi hotspot. | ||||
| Connect to Wi-Fi Sense automatically |
|
Select the option to allow devices to connect to open Wi-Fi hotspot automatically. Unchecking the option prevents automatic connection to Wi-Fi hotspots. | ||||
| Connect to external Wi-Fi networks manually |
|
Uncheck this option to disallow users from connecting to a Wi-Fi network other than the MDM configured Wi-Fi networks.
Notes:
|
||||
| Wi-Fi Direct |
|
Disabling the option restricts users from turning on Wi-Fi Direct on the device.
Wi-Fi Direct is a certification from the non-profit Wi-Fi Alliance that allows devices to connect directly to each other without the need for a wireless router. |
||||
| Users can turn Data Sense on/off |
|
Users won’t be able to turn on/off Data Sense on their devices, if this option is unchecked.
Data Sense helps you to monitor and track the data consumption of users on the devices and block data usage when it crosses the set limit. |
Allow Security and Privacy Settings
| Restriction | Supported OS | Description | ||||
|---|---|---|---|---|---|---|
| Manually install root certificate |
|
Uncheck the option to prevent users from installing Root certificates on Windows mobile devices manually.
Allowed by default. |
||||
| Install provisioning package |
|
Users can apply configurations to the device directly from the provisioning file or through a removable device. More info
Disabling this option will prevent installation of provisioning package by run-time configuration agent. Allowed by default. |
||||
| Mandate signed certificate for provisioning package |
|
Specifies whether provisioning packages must have a certificate signed by a device trusted authority. A trusted authority signed provisioning package could be easily installed on a device without any user consent.
Disabled by default. |
||||
| Remove provisioning package |
|
Disabling this option prevents the run-time configuration agents that removes the provisioning packages.
Allowed by default. |
||||
| Receive advertisements over Bluetooth |
|
Disabling this option prevents the device from receiving advertisements over Bluetooth.
Allowed by default. |
||||
| Pair with other devices automatically |
|
Unchecking this option disallows devices from pairing with the host devices over Bluetooth automatically.
Allowed by default. |
||||
| Users can download Windows Beta updates |
|
Click the dropdown to specify whether the users can download Windows Beta Updates through Windows Insider Program. Available options are: Disallow/ Allowed /Not Configured.
Not Configured by default. |
Provisioning package
Windows provisioning makes it easy for administrators to configure user devices without imaging. A provisioning package (.ppkg) is a container used for a collection of configuration settings. Provisioning packages can be installed using removable media such as an SD card or USB flash drive, attached to an email, downloaded from a network share, deployed in NFC tags or barcodes.
For quick access, you can add different folders to show up on the left side menu, on Windows 10 devices. By default, only File Explorer and Settings folders will be listed there. The following restrictions allow Admin to customize start menu by choosing whether to show or hide shortcuts for some folders.
Not Enforced is selected as the default value for all the Start Menu customization options. To add or remove the shortcuts from the Start menu, select the appropriate value from the drop-down. Drop-down values are: Hide shortcut/ Show shortcut.
| Restriction | Supported OS | Description | ||||
|---|---|---|---|---|---|---|
| Documents folder |
|
Specifies whether the Documents folder shortcut is to be hidden from the Windows Start menu. | ||||
| Downloads folder |
|
Specifies whether the Downloads folder shortcut is to be hidden from the Windows Start menu. | ||||
| File Explorer |
|
Specifies whether the File Explorer shortcut is to be hidden from the Windows Start menu. Windows devices use File Explorer to organize and manage files and folders. | ||||
| Home group |
|
Specifies whether the Home group shortcut is to be hidden from the Windows Start menu. The Home group allows Windows devices to share documents, music, videos, pictures, and printers with other devices on the same Home group network. | ||||
| Music folder |
|
Specifies whether the Music folder shortcut is to be hidden from the Windows Start menu. | ||||
| Networks |
|
Specifies whether the Networks shortcut is to be hidden from the Windows Start menu. | ||||
| Personal folder |
|
Specifies whether the Personal folder shortcut is to be hidden from the Windows Start menu. The most frequently used folders will be stored in |
||||
| Pictures folder |
|
Specifies whether the Pictures folder shortcut is to be hidden from the Windows Start menu. | ||||
| Settings |
|
Specifies whether the Settings shortcut is to be hidden from the Windows Start menu. |
||||
| Videos folder |
|
Specifies whether the Videos folder shortcut is to be hidden from the Windows Start menu. |
To add folders to the Windows 10 Start menu,
- Click on Start menu > Settings.
- Click on Personalization > Start.
- Click on Choose which folders appear on Start.
- Click on the switch under the folder you want to add.
How to Apply the Restrictions to Devices/Groups?
There are two ways by which you can associate restrictions to the devices in bulk.
If you haven’t saved the policy yet,
- Navigate to Policy Targets
- Click on + Add Devices, search and select the required device(s) to which you need to apply the policy > Click OK
- Click on Save to apply the policies to the devices.
To associate the policies with a device group, select Device Groups from the left pane under Policy Targets, and follow the above instructions. Similarly, you can associate the policy with Users, User Groups, or Domains from the same pane.
If you’ve already saved the policy and you’re taken to the page which displays the policy list,
- Select the required policy
- Click on Manage > Associate Targets
- Select Device/ User/ Device Group/ User Group/ Domain
- Search and select the device(s)/ user(s)/ device group(s)/ user group(s)/ domain(s) to which you need to apply the policy > Click Associate.
