Restrictions configuration (Windows policy)

With the Restrictions configuration, you define restrictions for Windows computers.

Device

| Setting | Description |
| --- | --- |
| Forbid SD card | Users can’t access the storage card. |
| Forbid manual addition of non-Microsoft email accounts | Users can’t add mail accounts, including Exchange, Microsoft 365, and Outlook.com accounts. |
| Forbid developer mode | This setting turns off Windows developer mode. |
| Forbid camera | This setting turns off the Windows Privacy setting Let apps use my camera. |
| Disable Edge autofill | This setting turns off the Save form entries setting in the Edge web browser. Clear the check box to turn on Save form entries. In both cases, users can’t change the setting. |
| Disable Edge F12 Developer Tools | This setting disables the F12 Developer Tools in the Edge web browser. |
| Disable Edge pop-up blocker | This setting turns off the Block pop-ups setting in the Edge web browser. Clear the check box to turn on Block pop-ups. In both cases, users can’t change the setting. |
| Disable AutoPlay settings, Disable Date & Time settings, Disable Language settings, Disable Power & Sleep settings, Disable Region settings, Disable Sign-in settings, Disable VPN settings, Disable Workplace settings, Disable Account settings | These settings disable Windows Control Panel sections. Note that the Disable AutoPlay settings setting doesn’t affect connected devices like mobile phones. |
| Telemetry level | This setting sets the amount of diagnostic and usage data that Windows sends to Microsoft. |

  • Full: All data required to identify and analyze issues.
  • Enhanced: Data about how Windows and apps are used and how they perform.
  • Basic: A limited set of data that is critical for understanding the device and its configuration.
  • Security: Information that is required to keep the device protected with the latest security updates.

Levels are cumulative from bottom to top. For example, Enhanced includes all data from Basic and Security.

For detailed information on telemetry levels, see the Microsoft document Configure Windows diagnostic data in your organization.

Various

| Setting | Description |
| --- | --- |
| Forbid Cortana | This setting turns off Cortana. |
| Forbid “Sync my settings” | Users can’t synchronize device settings with other Windows computers. |
| Disable Windows tips | This setting turns off the Windows notification setting Show me tips about Windows. |

Wi-Fi

| Setting | Description |
| --- | --- |
| Forbid internet sharing | This setting turns off Internet Connection Sharing (ICS). |
| Forbid Wi-Fi Sense (hotspot auto-connect) | Devices can’t automatically connect to Wi-Fi hotspots. |
| Forbid manual configuration | Users can’t add Wi-Fi connections. |

When the policy is applied, existing user-configured and Wi-Fi Sense Wi-Fi profiles are deleted.

Connectivity

| Setting | Description |
| --- | --- |
| Forbid Bluetooth | This setting turns off Bluetooth. |

Security and privacy

| Setting | Description |
| --- | --- |
| Forbid use of location when searching | The search can’t use location information. |

Unenrollment

| Setting | Description |
| --- | --- |
| Forbid manual MDM unenrollment | Users can’t delete the workplace account. |