Restrictions for Windows devices
Configuring restrictions for Windows devices enforces control over how users access these devices. You may allow or disallow Windows functionalities and features on the devices to secure organizational data and ensure that corporate devices are used safely. A Windows restriction policy can be used to set restrictions based on device functionality, network connectivity, app configurations, security and privacy settings, and much more.
Basic Restrictions
To configure basic Restrictions for Windows devices,
- Log in to your Hexnode portal.
- Navigate to Policies > New Policy to create a new one or click on any policy name to edit an existing one.
- Enter the Policy Name and Description in the provided fields.
- Navigate to Windows > Restrictions.
- Click on Configure.
Note that all the basic Windows restrictions in Hexnode are Enabled by default.
Allow Basic Device Functionality
Restriction | Supported OS (PCs & Tablets) | Description |
---|---|---|
Camera | | Unchecking this option prevents access to the device camera. |
Cortana voice assistant | | When this option is unchecked, the Cortana voice assistant is disabled on the device. However, users will still be able to use search to find items on the device. |
Use Cortana if device is locked | | Unchecking this option disallows users from interacting with Cortana using speech while the system is locked. If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech. |
Use storage card and USB drives | | Disabling this option prevents the use of any external storage cards or USB devices on the devices. |
Telemetry | | Telemetry collects diagnostic data from a Windows device and sends it to Microsoft. Click the dropdown to select Disallow/Limited for sending diagnostic data to Microsoft. |
Location services | | This option specifies whether Windows apps can access the device location. There are three sub-options available in the associated drop-down list: |
Change language | | Language settings on the device will be disabled if this option is unchecked. |
Voice recording | | Unchecking this option prevents users from using the Voice Recorder app on Windows devices. |
Users can enable/disable Workplace | | Users will not be able to change Workplace settings from the device if this option is unchecked. |
Users can change AutoPlay settings | | Users will be disallowed from changing AutoPlay settings from the device if this option is unchecked. |
Telemetry in Windows
Telemetry is a Windows feature that sends system information to Microsoft so that it can provide device-specific updates. Microsoft has revealed that it used telemetry to count the number of times Alt+Tab was used on a PC to switch between active windows. It found that the number of users who used Alt+Tab was low, since most of them were not familiar with the function, which led to the addition of the Task View button in Windows 10.
AutoPlay
AutoPlay lets you choose the program used to open different kinds of media, such as DVDs and CDs containing music, video, photos, etc. AutoPlay begins reading from a drive as soon as you insert media into it. As a result, the setup file of a program or the music on audio media starts immediately.
Allow Basic App Settings
Restriction | Supported OS (PCs & Tablets) | Description |
---|---|---|
Sync Settings | | Unchecking this option disables the Windows sync settings on the devices. |
Allow SignIn Options | | Unchecking this option prevents users from changing sign-in options like password, picture password, PIN, and password policy under device settings. |
Allow News and Interests | | Unchecking this option will remove the News and Interests feature from the taskbar. |
Sync Settings
When Sync settings is enabled, Windows syncs the settings you choose across all the Windows devices on which you have signed in with your Microsoft account. Sync settings also work if you sign in with a work or school account linked to your Microsoft account.
Allow Basic Network Settings
Restriction | Supported OS (PCs & Tablets) | Description |
---|---|---|
Wi-Fi | | Unchecking this option prevents users from enabling, configuring, and accessing Wi-Fi on the device. |
Bluetooth | | If this option is unchecked, users will be disallowed from turning Bluetooth on/off on the device. |
Discover device over Bluetooth | | When this option is unchecked, the device is prevented from being discovered by other Bluetooth-enabled devices. |
Users can turn VPN on/off | | Uncheck this option to disallow users from adding or removing a VPN connection. |
Connect to VPN if on mobile network | | Disabling the option prevents the device from accessing a VPN connection when connected to a mobile network. |
Connect to VPN if roaming | | Disabling the option prevents the device from accessing a VPN connection when roaming on a mobile network. |
Cellular data roaming | | Unchecking the option prevents data roaming between networks. Using cellular data while roaming might incur additional data charges. |
Allow Basic Security and Privacy Settings
Restriction | Supported OS (PCs & Tablets) | Description |
---|---|---|
Manual MDM administration removal | | Unchecking this option prevents users from accessing the workplace control panel to delete the workplace account on the device. |
Show toast notification on lock screen | | Disable this option to prevent toast notifications on the device lock screen. |
Account Settings
Restriction | Supported OS (PCs & Tablets) | Description |
---|---|---|
OneDrive file sync | | Unchecking this option restricts users from synchronising files to OneDrive from their devices. |
Advanced Restrictions
To configure Advanced Restrictions for Windows devices,
- Log in to your Hexnode UEM portal.
- Navigate to Policies. You can either create a new policy or click on any policy name to edit an existing one.
- Enter the Policy Name and Description in the provided fields.
- Navigate to Windows > Advanced Restrictions.
- Click on Configure.
Allow Device Functionality
Restriction | Supported OS (PCs & Tablets) | Description |
---|---|---|
Users can reset the device | | Users will not be able to perform a factory reset or wipe on their devices if this option is unchecked. Allowed by default. |
Users can change date and time | | Uncheck this option to prevent users from changing date and time settings on the device. Allowed by default. |
Users can change power and sleep settings | | Uncheck this option to prevent users from changing power and sleep settings on the device. Allowed by default. |
Allow Embedded Mode | | Enable this option to allow users to activate Embedded Mode on their devices. Disabled by default. |
Allow Region | | Unchecking the option prevents users from changing Region under device settings. The Region option is useful in finding localized content and apps. Allowed by default. |
Embedded Mode
Embedded mode restricts the device to running a single app (often called kiosk mode). Embedded mode is allowed by default on devices running Windows 10 IoT Core. On mobile and desktop devices, it must be enabled manually. In addition to running a single app in kiosk mode, Embedded Mode enables background tasks and other functionalities on the devices.
Allow App Settings
Restriction | Supported OS (PCs & Tablets) | Description |
---|---|---|
Unlock developer options | | Configure the Windows developer settings here. Click the dropdown to select Deny/Allow for using developer features on the device. Not Configured by default. |
Search can use user location | | Disabling this option disallows Windows Search from using the device location. Allowed by default. |
Users can add non-Microsoft accounts | | Users will not be able to add non-Microsoft email accounts on the devices if this option is unchecked. Allowed by default. |
Allow Network Settings
All the Windows advanced network settings supported by Hexnode are allowed by default.
Restriction | Supported OS (PCs & Tablets) | Description |
---|---|---|
Internet Sharing | | Uncheck this option to prevent users from sharing their Internet connection through Bluetooth or by creating a portable Wi-Fi hotspot. |
Connect to Wi-Fi Sense automatically | | Select the option to allow devices to connect to open Wi-Fi hotspots automatically. Unchecking the option prevents automatic connection to Wi-Fi hotspots. |
Connect to external Wi-Fi networks manually | | Uncheck this option to disallow users from connecting to a Wi-Fi network other than the MDM-configured Wi-Fi networks. |
Wi-Fi Direct | | Disabling the option restricts users from turning on Wi-Fi Direct on the device. Wi-Fi Direct is a certification from the non-profit Wi-Fi Alliance that allows devices to connect directly to each other without the need for a wireless router. |
Users can turn Data Sense on/off | | Users won’t be able to turn Data Sense on/off on their devices if this option is unchecked. Data Sense helps you monitor and track the data consumption of users on the devices and block data usage when it crosses the set limit. |
Allow Security and Privacy Settings
Restriction | Supported OS (PCs & Tablets) | Description |
---|---|---|
Install provisioning package | | Users can apply configurations to the device directly from the provisioning file or through a removable device. Disabling this option will prevent installation of provisioning packages by the run-time configuration agent. Allowed by default. |
Mandate signed certificate for provisioning package | | Specifies whether provisioning packages must have a certificate signed by a device-trusted authority. A provisioning package signed by a trusted authority could be easily installed on a device without any user consent. Disabled by default. |
Remove provisioning package | | Disabling this option prevents the run-time configuration agent from removing provisioning packages. Allowed by default. |
Receive advertisements over Bluetooth | | Disabling this option prevents the device from receiving advertisements over Bluetooth. Allowed by default. |
Pair with other devices automatically | | Unchecking this option disallows devices from pairing with the host devices over Bluetooth automatically. Allowed by default. |
Users can download Windows Beta updates | | Click the dropdown to specify whether users can download Windows Beta updates through the Windows Insider Program. Available options are: Disallow/Allowed/Not Configured. Not Configured by default. |
Provisioning package
Windows provisioning makes it easy for administrators to configure user devices without imaging. A provisioning package (.ppkg) is a container for a collection of configuration settings. Provisioning packages can be installed using removable media such as an SD card or USB flash drive, attached to an email, downloaded from a network share, or deployed in NFC tags or barcodes.
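To confirm on a managed device that the provisioning-package and MDM-removal restrictions described above actually took effect, the following PowerShell audit is an added example, not Hexnode's own code. It assumes the restrictions are delivered as Windows Policy CSP settings, which Windows records under the PolicyManager registry key; the mapping from Hexnode option names to policy names and the expected baseline values are assumptions made for illustration.

```powershell
# Added example: audit MDM-applied restriction values on one Windows device.
# Assumption: the restrictions arrive as Windows Policy CSP settings, which
# Windows mirrors as DWORD values under the PolicyManager key read below.
$root = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'

# Constructed baseline for a locked-down device (0 = blocked, 1 = allowed/required).
# The Label-to-policy pairing is assumed from the matching names.
$baseline = @(
    @{ Area = 'Security';   Name = 'AllowAddProvisioningPackage';         Want = 0
       Label = 'Install provisioning package' }
    @{ Area = 'Security';   Name = 'RequireProvisioningPackageSignature'; Want = 1
       Label = 'Mandate signed certificate for provisioning package' }
    @{ Area = 'Security';   Name = 'AllowRemoveProvisioningPackage';      Want = 0
       Label = 'Remove provisioning package' }
    @{ Area = 'Experience'; Name = 'AllowManualMDMUnenrollment';          Want = 0
       Label = 'Manual MDM administration removal' }
)

function Test-Restriction {
    param([hashtable]$Item, [string]$Root)

    $key    = Join-Path $Root $Item.Area
    $actual = $null
    if (Test-Path $key) {
        # A missing value means no MDM policy was written for this setting.
        $prop   = Get-ItemProperty -Path $key -Name $Item.Name -ErrorAction SilentlyContinue
        $actual = $prop.($Item.Name)
    }

    $state = if ($null -eq $actual) { 'NOT SET' } elseif ($actual -eq $Item.Want) { 'OK' } else { 'DRIFT' }

    [pscustomobject]@{
        Restriction = $Item.Label
        Policy      = "$($Item.Area)/$($Item.Name)"
        Expected    = $Item.Want
        Actual      = $actual
        State       = $state
    }
}

$report = $baseline | ForEach-Object { Test-Restriction -Item $_ -Root $root }
$report | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or RMM job flag the device.
if (@($report | Where-Object State -ne 'OK').Count -gt 0) { exit 1 }
```

A `NOT SET` result means the operating system default applies, which for the install and remove options is the permissive setting, so treat it the same as drift when the policy was meant to be enforced.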
Customize Start Menu
For quick access, you can add different folders to the left-side menu of the Start menu on Windows 10 devices. By default, only the File Explorer and Settings folders are listed there. The following restrictions allow the admin to customize the Start menu by choosing whether to show or hide shortcuts for some folders.
Not Enforced is selected as the default value for all the Start menu customization options. To add or remove the shortcuts from the Start menu, select the appropriate value from the drop-down. Drop-down values are: Hide shortcut/Show shortcut.
Restriction | Supported OS (PCs & Tablets) | Description |
---|---|---|
Documents folder | | Specifies whether the Documents folder shortcut is to be hidden from the Windows Start menu. |
Downloads folder | | Specifies whether the Downloads folder shortcut is to be hidden from the Windows Start menu. |
File Explorer | | Specifies whether the File Explorer shortcut is to be hidden from the Windows Start menu. Windows devices use File Explorer to organize and manage files and folders. |
Home group | | Specifies whether the Home group shortcut is to be hidden from the Windows Start menu. The Home group allows Windows devices to share documents, music, videos, pictures, and printers with other devices on the same Home group network. |
Music folder | | Specifies whether the Music folder shortcut is to be hidden from the Windows Start menu. |
Networks | | Specifies whether the Networks shortcut is to be hidden from the Windows Start menu. |
Personal folder | | Specifies whether the Personal folder shortcut is to be hidden from the Windows Start menu. The most frequently used folders will be stored in |
Pictures folder | | Specifies whether the Pictures folder shortcut is to be hidden from the Windows Start menu. |
Settings | | Specifies whether the Settings shortcut is to be hidden from the Windows Start menu. |
Videos folder | | Specifies whether the Videos folder shortcut is to be hidden from the Windows Start menu. |
Advanced Account Settings
Restriction | Supported OS (PCs & Tablets) | Description |
---|---|---|
Block Microsoft accounts | | This option allows administrators to control the usage of Microsoft accounts on the device. There are 3 options available: |
Users can change account settings | | If the option is enabled, it allows users to modify their account settings. Enabled by default. |
Users can add non-Microsoft accounts | | If the option is enabled, it allows users to add accounts from other providers like Office 365, Google, Yahoo, iCloud, etc. but restricts adding Microsoft accounts. Enabled by default. |
Users can connect using Microsoft accounts | | If the option is enabled, it allows users to log in or connect to services using their Microsoft accounts. Enabled by default. |
How to Apply the Restrictions to Devices/Groups?
There are two ways by which you can associate restrictions to the devices in bulk.
If you haven’t saved the policy yet,
- Navigate to Policy Targets
- Click on + Add Devices, search and select the required device(s) to which you need to apply the policy > Click OK
- Click on Save to apply the policies to the devices.
To associate the policies with a device group, select Device Groups from the left pane under Policy Targets, and follow the above instructions. Similarly, you can associate the policy with Users, User Groups, or Domains from the same pane.
If you’ve already saved the policy and you’re taken to the page which displays the policy list,
- Select the required policy
- Click on Manage > Associate Targets
- Select Device/ User/ Device Group/ User Group/ Domain
- Search and select the device(s)/ user(s)/ device group(s)/ user group(s)/ domain(s) to which you need to apply the policy > Click Associate.