Category filter

Restrictions for Windows devices

Configuring restrictions for Windows devices enforce control on how the users access these devices. You may allow or disallow Windows functionalities and features on the devices to ensure security to the organizational data and determine whether the corporate devices are utilized safely. Windows restriction policy can be used to generate restrictions based on device functionality, network connectivity, app configurations, security and privacy settings, and much more.

Note

The availability of the restrictions listed below depends on your UEM license plan and the Windows version of the end-user. For detailed information, please visit Hexnode pricing page.
The restrictions mentioned below are supported on Pro, Business, Enterprise and Education editions.

Basic Restrictions

To configure basic Restrictions for Windows devices,

Login to your Hexnode portal.
Navigate to Policies > New Policy to create a new one or click on any policy name to edit an existing one.
Enter the Policy Name and Description in the provided fields.
Navigate to Windows > Restrictions.
Click on Configure.

Basic Restriction policy for Windows devices provided by Hexnode

Note that all the basic Windows restrictions in Hexnode are Enabled by default.

Allow Basic Device Functionality

Device functionality-based restrictions

Restriction	Supported OS (PCs & Tablets)	Description
Camera	✓10 ✓11	Unchecking this option prevents access to device camera.
Cortana voice assistant	✓10 ✓11	When this option is unchecked Cortana voice assistant is disabled on the device. However, users will still be able to use search to find items on the device.
Use Cortana if device is locked	✓10 (Version 1703+) ✓11	Unchecking this option disallows users from interacting with Cortana using speech while the system is locked. If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech.
Use storage card and USB drives	✓10 ✓11	Disabling this option prevents using any external storage cards or USB devices on the devices. Notes: On co-managed devices, storage cards will not be restricted.
Telemetry	✓10 ✓11	Telemetry collects diagnostic data from a Windows device and sends them to Microsoft. Learn more Click the dropdown to select Disallow/ Limited for sending diagnostic data to Microsoft. Disallow – If you choose Disallow, diagnostic data will not be sent. Limited – On choosing Limited, device can send only basic data to Microsoft. Note: On Windows 11 devices, enabling other basic restrictions may not be effective unless Telemetry is configured to Limited or Disallow.
Location services	✓10 ✓11	This option specifies whether Windows apps can access the device location. There are three sub-options available in the associated drop-down list: Allow Users to Control (Default): When this option is selected, users can choose whether Windows apps can access the device’s location. This setting can be configured by navigating to Settings > Privacy and security > Location on the device. Force Location Off: When this option is selected, Windows apps will not be allowed to access the device’s location. Force Location On: When this option is selected, Windows apps will be allowed to access the device’s location.
Change language	✓10 ✓11	Language settings from the device will be disabled, if this option is unchecked.
Voice recording	✓10 ✓11	Unchecking this option prevents users from using Voice Recorder app on Windows devices.
Users can enable/disable Workplace	✓10 ✓11	Users will not be able to change Workplace settings from the device, if this option is unchecked.
Users can change AutoPlay settings	✓10 ✓11	Users will be disallowed from changing Auto Play settings from the device, if this option is unchecked. Learn more

Telemetry in Windows

Telemetry is a feature in Windows where the system information will be sent to Microsoft to provide device-specific updates. Microsoft has already revealed that they used telemetry to count the number of times Alt+Tab was used on a PC to switch between active Windows. They found that the number of users used Alt+Tab were lesser since most of them were not familiar with that function, which then led to the addition of Task View button in Windows 10.

AutoPlay

AutoPlay lets you choose the program with which you can start different kinds of media, such as DVD, CD, etc. containing music, video, photo, etc. AutoPlay begins reading from a drive as soon as you insert media files in the drive. As a result, the setup file of programs and the music on audio media starts immediately.

Allow Basic App Settings

App based settings

Restriction	Supported OS (PCs & Tablets)	Description
Sync Settings	✓10 ✓11	Unchecking this option disables the Windows sync settings on the devices. Learn more
Allow SignIn Options	✓10 ✓11	Unchecking this option prevents users from changing Sign In options like password, picture password, PIN, and password policy under device settings.
Allow News and Interests	✓10 ✓11	Unchecking this option will remove the News and Interest feature from the taskbar. Notes: The device needs to be restarted for the restriction to take effect.

Sync Settings

On enabling Sync settings, Windows syncs all the settings you choose across all your Windows devices in which you have signed in with your Microsoft account. Sync settings also work if you sign in with a work or school account linked to your Microsoft account.

Allow Basic Network Settings

Network based restrictions

Restriction	Supported OS (PCs & Tablets)	Description
Wi-Fi	✓10 (Version 1703+) ✓11	Unchecking this option prevents users from enabling, configuring, and accessing Wi-Fi on the device.
Bluetooth	✓10 ✓11	If this option is unchecked, users will be disallowed from turning on/offBluetooth on the device.
Discover device over Bluetooth	✓10 ✓11	When this option is unchecked, the device is prevented from being discovered by other Bluetooth-enabled devices.
Users can turn VPN on/off	✓10 ✓11	Uncheck this option to disallow users from adding or removing a VPN connection.
Connect to VPN if on mobile network	✓10 ✓11	Disabling the option prevents the device from accessing VPN connection when connected to a mobile network.
Connect to VPN if roaming	✓10 ✓11	Disabling the option prevents the device from accessing VPN connection when roaming on a mobile network.
Cellular data roaming	✓10 ✓11	Unchecking the option prevents data roaming between networks. Using cellular data while roaming might incur additional data charges.

Allow Basic Security and Privacy Settings

Security and privacy-based restrictions

Restriction	Supported OS (PCs & Tablets)	Description
Manual MDM administration removal	✓10 ✓11	Unchecking this option prevents users from accessing workplace control panel to delete the workplace account on the device. Learn More Note: If your device is Azure AD joined, disabling this option will have no effect.
Show toast notification on lock screen	✓10 ✓11	Disable this option to prevent toast notification on the device lock screen.

Account Settings

Account based restrictions

Restriction	Supported OS (PCs & Tablets)	Description
OneDrive file sync	✓10 ✓11	Unchecking this option restricts users from synchronising files to OneDrive from their devices.

Advanced Restrictions

To configure Advanced Restrictions for Windows devices,

Login to your Hexnode UEM portal.
Navigate to Policies. You can either create a new policy or click on any policy name to edit an existing one.
Enter the Policy Name and Description in the provided fields.
Navigate to Windows > Advanced Restrictions.
Click on Configure.

Allow Device Functionality

Device functionality-based restrictions

Restriction	Supported OS (PCs & Tablets)	Description
Users can reset the device	✓10 ✓11	Users will not be able to perform factory-reset or wipe on their devices, if this option is unchecked. Allowed by default.
Users can change date and time	✓10 ✓11	Uncheck this option to prevent users from changing date and time settings on the device. Allowed by default.
Users can change power and sleep settings	✓10 ✓11	Uncheck this option to prevent users from changing power and sleep settings on the device. Allowed by default.
Allow Embedded Mode	✓10 ✓11	Enable this option to allow users to activate Embedded Mode on their devices. Learn more Disabled by default.
Allow Region	✓10 ✓11	Unchecking the option prevents users from changing Region under device settings. Region option is useful in finding localized content and apps. Allowed by default.

Embedded Mode

Embedded mode restricts the device to run a single app (often called kiosk mode). Embedded mode is allowed by default on devices running Windows 10 IoT Core. On mobile, and desktop devices, it must be enabled manually. Not only does this let you access a single app when using the device, Embedded Mode enables background tasks and other functionalities on the devices in addition to running single app in Kiosk mode.

Allow App Settings

App based restrictions

Restriction	Supported OS (PCs & Tablets)	Description
Unlock developer options	✓10 ✓11	Configure the Windows developer settings here. Click the dropdown to select Deny/ Allow for using developer features on the device. Not Configured by default.
Search can use user location	✓10 ✓11	Disabling this option disallows Windows Search from using device location. Allowed by default.
Users can add non-Microsoft accounts	✓10 ✓11	Users will not be able to add non-Microsoft email accounts on the devices, if this option is unchecked. Allowed by default.

Allow Network Settings

All the Windows advanced network settings supported by Hexnode are allowed by default.

Network based restrictions

Restriction	Supported OS (PCs & Tablets)	Description
Internet Sharing	✓10 ✓11	Uncheck this option to prevent users from sharing their Internet connection through Bluetooth or by creating a portable Wi-Fi hotspot.
Connect to Wi-Fi Sense automatically	✓10 ✓11	Select the option to allow devices to connect to open Wi-Fi hotspot automatically. Unchecking the option prevents automatic connection to Wi-Fi hotspots.
Connect to external Wi-Fi networks manually	✓10 ✓11	Uncheck this option to disallow users from connecting to a Wi-Fi network other than the MDM configured Wi-Fi networks. Notes: Enabling this option deletes user-configured Wi-Fi and Wi-Fi sense profiles that have been previously installed on the device. Not all non-MDM profiles or non-user configured Wi-Fi profiles may get deleted completely.
Wi-Fi Direct	✓10 (Version 1703+) ✓11	Disabling the option restricts users from turning on Wi-Fi Direct on the device. Wi-Fi Direct is a certification from the non-profit Wi-Fi Alliance that allows devices to connect directly to each other without the need for a wireless router.
Users can turn Data Sense on/off	✓10 ✓11	Users won’t be able to turn on/off Data Sense on their devices, if this option is unchecked. Data Sense helps you to monitor and track the data consumption of users on the devices and block data usage when it crosses the set limit.

Allow Security and Privacy Settings

Security and Privacy based restrictions

Restriction	Supported OS (PCs & Tablets)	Description
Install provisioning package	✓10 ✓11	Users can apply configurations to the device directly from the provisioning file or through a removable device. More info Disabling this option will prevent installation of provisioning package by run-time configuration agent. Allowed by default.
Mandate signed certificate for provisioning package	✓10 ✓11	Specifies whether provisioning packages must have a certificate signed by a device trusted authority. A trusted authority signed provisioning package could be easily installed on a device without any user consent. Disabled by default.
Remove provisioning package	✓10 ✓11	Disabling this option prevents the run-time configuration agents that removes the provisioning packages. Allowed by default.
Receive advertisements over Bluetooth	✓10 ✓11	Disabling this option prevents the device from receiving advertisements over Bluetooth. Allowed by default.
Pair with other devices automatically	✓10 (Version 1703+) ✓11	Unchecking this option disallows devices from pairing with the host devices over Bluetooth automatically. Allowed by default.
Users can download Windows Beta updates	✓10 ✓11	Click the dropdown to specify whether the users can download Windows Beta Updates through Windows Insider Program. Available options are: Disallow/ Allowed /Not Configured. Not Configured by default.

Provisioning package

Windows provisioning makes it easy for administrators to configure user devices without imaging. A provisioning package (.ppkg) is a container used for a collection of configuration settings. Provisioning packages can be installed using removable media such as an SD card or USB flash drive, attached to an email, downloaded from a network share, deployed in NFC tags or barcodes.

For quick access, you can add different folders to show up on the left side menu, on Windows 10 devices. By default, only File Explorer and Settings folders will be listed there. The following restrictions allow Admin to customize start menu by choosing whether to show or hide shortcuts for some folders.

Not Enforced is selected as the default value for all the Start Menu customization options. To add or remove the shortcuts from the Start menu, select the appropriate value from the drop-down. Drop-down values are: Hide shortcut/ Show shortcut.

Restrictions on start menu customization

Restriction	Supported OS (PCs & Tablets)	Description
Documents folder	✓10 (Version 1709+) ✓11	Specifies whether the Documents folder shortcut is to be hidden from the Windows Start menu.
Downloads folder	✓10 (Version 1709+) ✓11	Specifies whether the Downloads folder shortcut is to be hidden from the Windows Start menu.
File Explorer	✓10 (Version 1709+) ✓11	Specifies whether the File Explorer shortcut is to be hidden from the Windows Start menu. Windows devices use File Explorer to organize and manage files and folders.
Home group	✓10 (Version 1709+) ✓11	Specifies whether the Home group shortcut is to be hidden from the Windows Start menu. The Home group allows Windows devices to share documents, music, videos, pictures, and printers with other devices on the same Home group network.
Music folder	✓10 (Version 1709+) ✓11	Specifies whether the Music folder shortcut is to be hidden from the Windows Start menu.
Networks	✓10 (Version 1709+) ✓11	Specifies whether the Networks shortcut is to be hidden from the Windows Start menu.
Personal folder	✓10 (Version 1709+) ✓11	Specifies whether the Personal folder shortcut is to be hidden from the Windows Start menu. The most frequently used folders will be stored in Personal folder.
Pictures folder	✓10 (Version 1709+) ✓11	Specifies whether the Pictures folder shortcut is to be hidden from the Windows Start menu.
Settings	✓10 (Version 1709+) ✓11	Specifies whether the Settings shortcut is to be hidden from the Windows Start menu. Settings menu allow users to configure different settings for the Windows operating system.
Videos folder	✓10 (Version 1709+) ✓11	Specifies whether the Videos folder shortcut is to be hidden from the Windows Start menu.

Note

To add folders to the Windows 10 Start menu,

Click on Start menu > Settings.
Click on Personalization > Start.
Click on Choose which folders appear on Start.
Click on the switch under the folder you want to add.

How to Apply the Restrictions to Devices/Groups?

There are two ways by which you can associate restrictions to the devices in bulk.

If you haven’t saved the policy yet,

Navigate to Policy Targets
Click on + Add Devices, search and select the required device(s) to which you need to apply the policy > Click OK
Click on Save to apply the policies to the devices.

To associate the policies with a device group, select Device Groups from the left pane under Policy Targets, and follow the above instructions. Similarly, you can associate the policy with Users, User Groups, or Domains from the same pane.

If you’ve already saved the policy and you’re taken to the page which displays the policy list,

Select the required policy
Click on Manage > Associate Targets
Select Device/ User/ Device Group/ User Group/ Domain
Search and select the device(s)/ user(s)/ device group(s)/ user group(s)/ domain(s) to which you need to apply the policy > Click Associate.