Restrictions for Windows devices

Configuring restrictions for Windows devices enforces control over how users access those devices. You can allow or disallow Windows functionalities and features on the devices to protect organizational data and to ensure that corporate devices are used safely. The Windows restriction policy can generate restrictions based on device functionality, network connectivity, app configurations, security and privacy settings, and more.

Note

  • The availability of the restrictions listed below depends on your UEM license plan and the Windows version running on the end-user's device. For detailed information, please visit the Hexnode pricing page.
  • The restrictions mentioned below are supported on the Pro, Business, Enterprise and Education editions.

Basic Restrictions

To configure Basic Restrictions for Windows devices,

  1. Log in to your Hexnode portal.
  2. Navigate to Policies > New Policy to create a new one, or click on any policy name to edit an existing one.
  3. Enter the Policy Name and Description in the provided fields.
  4. Navigate to Windows > Restrictions.
  5. Click on Configure.

Basic Restriction policy for Windows devices provided by Hexnode

Note that all the basic Windows restrictions in Hexnode are Enabled by default.

Allow Basic Device Functionality

Device functionality-based restrictions (supported OS versions are for PCs & Tablets):

Camera (Windows 10 and 11)
  Unchecking this option prevents access to the device camera.

Cortana voice assistant (Windows 10 and 11)
  When this option is unchecked, the Cortana voice assistant is disabled on the device. However, users will still be able to use search to find items on the device.

Use Cortana if device is locked (Windows 10 version 1703+ and 11)
  Unchecking this option disallows users from interacting with Cortana using speech while the system is locked. If you disable this setting, the system must be unlocked before the user can interact with Cortana using speech.

Use storage card and USB drives (Windows 10 and 11)
  Disabling this option prevents the use of any external storage cards or USB devices on the devices.
  Note: On co-managed devices, storage cards will not be restricted.

Telemetry (Windows 10 and 11)
  Telemetry collects diagnostic data from a Windows device and sends it to Microsoft. Click the dropdown to select Disallow/Limited for sending diagnostic data to Microsoft.
  Disallow – diagnostic data will not be sent.
  Limited – the device can send only basic data to Microsoft.
  Note: On Windows 11 devices, enabling other basic restrictions may not be effective unless Telemetry is configured to Limited or Disallow.

Location services (Windows 10 and 11)
  This option specifies whether Windows apps can access the device location. There are three sub-options in the associated drop-down list:
  1. Allow Users to Control (Default): users can choose whether Windows apps can access the device's location. This setting is configured on the device under Settings > Privacy and security > Location.
  2. Force Location Off: Windows apps are not allowed to access the device's location.
  3. Force Location On: Windows apps are allowed to access the device's location.

Change language (Windows 10 and 11)
  Language settings on the device will be disabled if this option is unchecked.

Voice recording (Windows 10 and 11)
  Unchecking this option prevents users from using the Voice Recorder app on Windows devices.

Users can enable/disable Workplace (Windows 10 and 11)
  Users will not be able to change Workplace settings from the device if this option is unchecked.

Users can change AutoPlay settings (Windows 10 and 11)
  Users will be disallowed from changing AutoPlay settings on the device if this option is unchecked.

Telemetry in Windows

Telemetry is a Windows feature that sends system information to Microsoft so that device-specific updates can be provided. Microsoft has revealed that it used telemetry to count how often Alt+Tab was used on a PC to switch between active windows. It found that relatively few users used Alt+Tab, since most were not familiar with that function, which led to the addition of the Task View button in Windows 10.

AutoPlay

AutoPlay lets you choose which program opens different kinds of media, such as DVDs or CDs containing music, video or photos. AutoPlay begins reading from a drive as soon as media is inserted, so the setup files of programs and the music on audio media start immediately.

Allow Basic App Settings

App-based settings (supported OS versions are for PCs & Tablets):

Sync Settings (Windows 10 and 11)
  Unchecking this option disables Windows sync settings on the devices.

Allow SignIn Options (Windows 10 and 11)
  Unchecking this option prevents users from changing sign-in options such as password, picture password, PIN, and password policy under device settings.

Allow News and Interests (Windows 10 and 11)
  Unchecking this option removes the News and Interests feature from the taskbar.
  Note: The device needs to be restarted for the restriction to take effect.

Sync Settings

On enabling Sync settings, Windows syncs the settings you choose across all Windows devices on which you have signed in with your Microsoft account. Sync settings also work if you sign in with a work or school account linked to your Microsoft account.

Allow Basic Network Settings

Network-based restrictions (supported OS versions are for PCs & Tablets):

Wi-Fi (Windows 10 version 1703+ and 11)
  Unchecking this option prevents users from enabling, configuring, and accessing Wi-Fi on the device.

Bluetooth (Windows 10 and 11)
  If this option is unchecked, users will be disallowed from turning Bluetooth on or off on the device.

Discover device over Bluetooth (Windows 10 and 11)
  When this option is unchecked, the device is prevented from being discovered by other Bluetooth-enabled devices.

Users can turn VPN on/off (Windows 10 and 11)
  Uncheck this option to disallow users from adding or removing a VPN connection.

Connect to VPN if on mobile network (Windows 10 and 11)
  Disabling this option prevents the device from using a VPN connection while connected to a mobile network.

Connect to VPN if roaming (Windows 10 and 11)
  Disabling this option prevents the device from using a VPN connection while roaming on a mobile network.

Cellular data roaming (Windows 10 and 11)
  Unchecking this option prevents data roaming between networks. Using cellular data while roaming might incur additional data charges.

Allow Basic Security and Privacy Settings

Security and privacy-based restrictions (supported OS versions are for PCs & Tablets):

Manual MDM administration removal (Windows 10 and 11)
  Unchecking this option prevents users from accessing the workplace control panel to delete the workplace account on the device.
  Note: If your device is Azure AD joined, disabling this option will have no effect.

Show toast notification on lock screen (Windows 10 and 11)
  Disable this option to prevent toast notifications on the device lock screen.

Account Settings

Account-based restrictions (supported OS versions are for PCs & Tablets):

OneDrive file sync (Windows 10 and 11)
  Unchecking this option restricts users from synchronising files to OneDrive from their devices.

Advanced Restrictions

To configure Advanced Restrictions for Windows devices,

  1. Log in to your Hexnode UEM portal.
  2. Navigate to Policies. You can either create a new policy or click on any policy name to edit an existing one.
  3. Enter the Policy Name and Description in the provided fields.
  4. Navigate to Windows > Advanced Restrictions.
  5. Click on Configure.

Hexnode UEM advanced restrictions for Windows mobiles and desktops

Allow Device Functionality

Device functionality-based restrictions (supported OS versions are for PCs & Tablets):

Users can reset the device (Windows 10 and 11)
  Users will not be able to perform a factory reset or wipe on their devices if this option is unchecked. Allowed by default.

Users can change date and time (Windows 10 and 11)
  Uncheck this option to prevent users from changing date and time settings on the device. Allowed by default.

Users can change power and sleep settings (Windows 10 and 11)
  Uncheck this option to prevent users from changing power and sleep settings on the device. Allowed by default.

Allow Embedded Mode (Windows 10 and 11)
  Enable this option to allow users to activate Embedded Mode on their devices. Disabled by default.

Allow Region (Windows 10 and 11)
  Unchecking this option prevents users from changing Region under device settings. The Region option is useful for finding localized content and apps. Allowed by default.

Embedded Mode

Embedded mode restricts the device to running a single app (often called kiosk mode). Embedded mode is allowed by default on devices running Windows 10 IoT Core; on mobile and desktop devices it must be enabled manually. Besides limiting the device to a single app, Embedded Mode enables background tasks and other functionality on the device while that single app runs in kiosk mode.

Allow App Settings

App-based restrictions (supported OS versions are for PCs & Tablets):

Unlock developer options (Windows 10 and 11)
  Configure the Windows developer settings here. Click the dropdown to select Deny/Allow for using developer features on the device. Not Configured by default.

Search can use user location (Windows 10 and 11)
  Disabling this option disallows Windows Search from using the device location. Allowed by default.

Users can add non-Microsoft accounts (Windows 10 and 11)
  Users will not be able to add non-Microsoft email accounts on the devices if this option is unchecked. Allowed by default.

Allow Network Settings

All the Windows advanced network settings supported by Hexnode are allowed by default.

Network-based restrictions (supported OS versions are for PCs & Tablets):

Internet Sharing (Windows 10 and 11)
  Uncheck this option to prevent users from sharing their Internet connection through Bluetooth or by creating a portable Wi-Fi hotspot.

Connect to Wi-Fi Sense automatically (Windows 10 and 11)
  Select this option to allow devices to connect to open Wi-Fi hotspots automatically. Unchecking it prevents automatic connection to Wi-Fi hotspots.

Connect to external Wi-Fi networks manually (Windows 10 and 11)
  Uncheck this option to disallow users from connecting to any Wi-Fi network other than the MDM-configured Wi-Fi networks.
  Notes:
  • Enabling this option deletes user-configured Wi-Fi and Wi-Fi Sense profiles previously installed on the device.
  • Not all non-MDM profiles or non-user-configured Wi-Fi profiles may be deleted completely.

Wi-Fi Direct (Windows 10 version 1703+ and 11)
  Disabling this option restricts users from turning on Wi-Fi Direct on the device. Wi-Fi Direct is a certification from the non-profit Wi-Fi Alliance that allows devices to connect directly to each other without a wireless router.

Users can turn Data Sense on/off (Windows 10 and 11)
  Users won't be able to turn Data Sense on or off on their devices if this option is unchecked. Data Sense helps you monitor and track users' data consumption on the devices and block data usage when it crosses the set limit.

Allow Security and Privacy Settings

Security and privacy-based restrictions (supported OS versions are for PCs & Tablets):

Install provisioning package (Windows 10 and 11)
  Users can apply configurations to the device directly from the provisioning file or through a removable device. Disabling this option prevents the installation of provisioning packages by the run-time configuration agent. Allowed by default.

Mandate signed certificate for provisioning package (Windows 10 and 11)
  Specifies whether provisioning packages must carry a certificate signed by an authority the device trusts. A provisioning package signed by a trusted authority can be installed on a device without any user consent. Disabled by default.

Remove provisioning package (Windows 10 and 11)
  Disabling this option prevents the run-time configuration agent from removing provisioning packages. Allowed by default.

Receive advertisements over Bluetooth (Windows 10 and 11)
  Disabling this option prevents the device from receiving advertisements over Bluetooth. Allowed by default.

Pair with other devices automatically (Windows 10 version 1703+ and 11)
  Unchecking this option disallows devices from pairing automatically with host devices over Bluetooth. Allowed by default.

Users can download Windows Beta updates (Windows 10 and 11)
  Click the dropdown to specify whether users can download Windows Beta updates through the Windows Insider Program. Available options: Disallow/Allowed/Not Configured. Not Configured by default.

Provisioning package

Windows provisioning makes it easy for administrators to configure user devices without imaging. A provisioning package (.ppkg) is a container for a collection of configuration settings. Provisioning packages can be installed from removable media such as an SD card or USB flash drive, attached to an email, downloaded from a network share, or deployed via NFC tags or barcodes.

Customize Start Menu

For quick access, you can add different folders to the left side of the Start menu on Windows 10 devices. By default, only the File Explorer and Settings folders are listed there. The following restrictions let administrators customize the Start menu by choosing whether to show or hide shortcuts for some folders.

Not Enforced is the default value for all the Start menu customization options. To add or remove shortcuts from the Start menu, select the appropriate value from the drop-down. The drop-down values are: Hide shortcut/Show shortcut.

Restrictions on Start menu customization (all supported on Windows 10 version 1709+ and Windows 11, PCs & Tablets):

Documents folder
  Specifies whether the Documents folder shortcut is hidden from the Windows Start menu.

Downloads folder
  Specifies whether the Downloads folder shortcut is hidden from the Windows Start menu.

File Explorer
  Specifies whether the File Explorer shortcut is hidden from the Windows Start menu. Windows devices use File Explorer to organize and manage files and folders.

Home group
  Specifies whether the Home group shortcut is hidden from the Windows Start menu. The Home group allows Windows devices to share documents, music, videos, pictures, and printers with other devices on the same Home group network.

Music folder
  Specifies whether the Music folder shortcut is hidden from the Windows Start menu.

Networks
  Specifies whether the Networks shortcut is hidden from the Windows Start menu.

Personal folder
  Specifies whether the Personal folder shortcut is hidden from the Windows Start menu. The most frequently used folders are stored in the Personal folder.

Pictures folder
  Specifies whether the Pictures folder shortcut is hidden from the Windows Start menu.

Settings
  Specifies whether the Settings shortcut is hidden from the Windows Start menu. The Settings menu allows users to configure different settings for the Windows operating system.

Videos folder
  Specifies whether the Videos folder shortcut is hidden from the Windows Start menu.

Note

To add folders to the Windows 10 Start menu,

  • Click on Start menu > Settings.
  • Click on Personalization > Start.
  • Click on Choose which folders appear on Start.
  • Click on the switch under the folder you want to add.

Advanced Account Settings

Account settings (supported OS versions are for PCs & Tablets):

Block Microsoft accounts (Windows 10 and 11)
  This option allows administrators to control the use of Microsoft accounts on the device.
  Notes:
  • If this setting is configured, users cannot add a Microsoft account through Accounts > Other users > Add account.
  • If the user is logged in as a local account, the "Sign in with a Microsoft account instead" option under Your info will be disabled.
  There are 3 options available:
  • Not configured: No restrictions are applied.
  • Users cannot add Microsoft accounts: Prevents users from adding new Microsoft accounts to their devices. Note: When this option is selected, users cannot switch from a local account to a Microsoft account, or log out of an existing domain account and add a Microsoft account.
  • Users cannot add or log on with Microsoft accounts: Blocks users from adding new Microsoft accounts or logging in to existing ones.

Users can change account settings (Windows 10 and 11)
  If this option is enabled, users can modify their account settings. Enabled by default.
  Note: If this option is disabled,
  • the Users can add non-Microsoft accounts and Users can connect using Microsoft accounts options are disabled;
  • the Adjust your photo, Account settings, and Related settings options under Accounts > Your Info on the device are disabled, and the Add account and Accounts used by other apps options under Accounts > Email & Accounts are disabled.

Users can add non-Microsoft accounts (Windows 10 and 11)
  If this option is enabled, users can add accounts from other providers such as Office 365, Google, Yahoo, iCloud, etc., but it restricts adding Microsoft accounts. Enabled by default.
  Note: Users can add non-Microsoft accounts through Accounts > Email & Accounts > Add account.

Users can connect using Microsoft accounts (Windows 10 and 11)
  If this option is enabled, users can log in or connect to services using their Microsoft accounts. Enabled by default.
  Note: If this option is disabled,
  • users cannot use their Microsoft accounts to log in to non-mail apps such as Microsoft Store, OneDrive, Microsoft Teams, etc. It also prevents setting a PIN for a new local user (even when created with a Microsoft account);
  • if logged in as a local account, users cannot sign in to a Microsoft account through Accounts > Your info > Sign in with a Microsoft account instead;
  • users cannot add a Microsoft account from Accounts > Email & Accounts > Add a Microsoft account.

How to Apply the Restrictions to Devices/Groups?

There are two ways by which you can associate restrictions to the devices in bulk.

If you haven’t saved the policy yet,

  1. Navigate to Policy Targets.
  2. Click on + Add Devices, search for and select the required device(s) to which you need to apply the policy, then click OK.
  3. Click on Save to apply the policy to the devices.

To associate the policies with a device group, select Device Groups from the left pane under Policy Targets, and follow the above instructions. Similarly, you can associate the policy with Users, User Groups, or Domains from the same pane.

If you’ve already saved the policy and you’re taken to the page which displays the policy list,

  1. Select the required policy.
  2. Click on Manage > Associate Targets.
  3. Select Device/User/Device Group/User Group/Domain.
  4. Search for and select the device(s)/user(s)/device group(s)/user group(s)/domain(s) to which you need to apply the policy, then click Associate.
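Once the policy is associated, you will want to confirm on an enrolled device that the restrictions from the Basic and Advanced sections above actually took effect. The PowerShell script below is an added verification example, not Hexnode's code: it reads the Policy CSP values that the Windows MDM client records under the PolicyManager registry key. The mapping from the Hexnode restriction labels on this page to Policy CSP areas and settings, and the values assumed for Disallow/Limited telemetry, are the author's assumptions to confirm against your tenant.

```powershell
# Added verification script; not part of the Hexnode documentation.
# The Windows MDM client records each applied Policy CSP setting under this
# registry path, so reading it shows what the device is actually enforcing.
$PolicyRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'

# ASSUMPTION (author's mapping): Hexnode label -> Policy CSP area/setting and
# the DWORD value expected once the restriction is applied (0 = blocked for
# Allow* settings; Telemetry "Limited" assumed to be level 1). Confirm per tenant.
$Checks = @(
    @{ Label = 'Camera';                           Area = 'Camera';     Setting = 'AllowCamera';                         Expected = 0 }
    @{ Label = 'Use storage card and USB drives';  Area = 'System';     Setting = 'AllowStorageCard';                    Expected = 0 }
    @{ Label = 'Telemetry (Limited)';              Area = 'System';     Setting = 'AllowTelemetry';                      Expected = 1 }
    @{ Label = 'Discover device over Bluetooth';   Area = 'Bluetooth';  Setting = 'AllowDiscoverableMode';               Expected = 0 }
    @{ Label = 'Manual MDM administration removal'; Area = 'Experience'; Setting = 'AllowManualMDMUnenrollment';         Expected = 0 }
    @{ Label = 'Install provisioning package';     Area = 'Security';   Setting = 'AllowAddProvisioningPackage';         Expected = 0 }
    @{ Label = 'Mandate signed certificate for provisioning package'; Area = 'Security'; Setting = 'RequireProvisioningPackageSignature'; Expected = 1 }
)

function Get-AppliedPolicyValue {
    # Returns the applied DWORD for one CSP setting, or $null if the MDM client never wrote it.
    param([string]$Area, [string]$Setting)
    $key = Join-Path $PolicyRoot $Area
    if (-not (Test-Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key -Name $Setting -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Setting
}

function Test-HexnodeRestrictions {
    # Compares every expected restriction with the value the device reports.
    param([array]$Checks)
    foreach ($c in $Checks) {
        $actual = Get-AppliedPolicyValue -Area $c.Area -Setting $c.Setting
        $status = if ($null -eq $actual) { 'NotApplied' }
                  elseif ($actual -eq $c.Expected) { 'Applied' }
                  else { 'Mismatch' }
        [pscustomobject]@{ Restriction = $c.Label; Setting = "$($c.Area)/$($c.Setting)"
                           Expected = $c.Expected; Actual = $actual; Status = $status }
    }
    # The page notes that on Windows 11 the other basic restrictions may not take
    # effect unless Telemetry is Limited or Disallow, so surface that dependency.
    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    $telemetry = Get-AppliedPolicyValue -Area 'System' -Setting 'AllowTelemetry'
    if ($build -ge 22000 -and ($null -eq $telemetry -or $telemetry -gt 1)) {
        Write-Warning 'Windows 11: Telemetry is not Limited/Disallow; other basic restrictions may not be effective.'
    }
}

$results = Test-HexnodeRestrictions -Checks $Checks
$results | Format-Table -AutoSize
# Non-zero exit lets a fleet-wide job flag devices where the policy has not landed.
if ($results | Where-Object Status -ne 'Applied') { exit 1 }
```

A NotApplied status for every row usually means the device has not yet synced with Hexnode rather than that the policy is wrong; a Mismatch on a single row is the case worth investigating.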