Deploy a restrictions payload for added security on Windows Desktop devices. Use the Restrictions payload to disable end-user access to device features to ensure that devices are not tampered with.

The Windows version and edition you use change what restrictions apply to a device.

To enforce a Restrictions profile:

  1. Navigate to Devices > Profiles > List View and select Add.
  2. Select Windows and then select Windows Desktop.

  3. Select Device Profile.
  4. Configure the profile General settings.

    These settings determine how the profile deploys and who receives it. For more information on General settings, see Add General Profile Settings.

  5. Select the Restrictions profile.
  6. Configure the Administration settings:
    Settings Descriptions
    Allow Manual MDM Unenrollment

    Allow the end user to unenroll from AirWatch manually through the Workplace/Work Access enrollment.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Security and Privacy
    Runtime Configuration Agent to Install Provisioning Packages

    Enable to allow the use of provisioning packages to enroll devices into AirWatch (bulk provisioning).

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Location

    Select how location services run on the device.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Runtime Configuration Agent to Remove Provisioning Packages

    Enable to allow the removal of provisioning packages.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Allow the Device to Send Diagnostic and Usage Telemetry Data

    Enable to allow the device to send diagnostic and usage telemetry data to the AirWatch Console.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Require Microsoft Account for MDM

    Enable to require a Microsoft Account for devices to receive policies or applications.

    Require of Microsoft Account for Modern Applications

    Enable to require a Microsoft Account for devices to download and install Windows Apps.

    Provisioning Packages Must Have a Certificate Signed by a Device Trusted Authority

    Enable to require a trusted certificate for all provisioning packages (bulk provisioning).

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Settings
    Allow User to Change Auto Play Settings

    Allow the user to change what program is used for Auto Play of file types.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Allow User to Change Data Sense Settings

    Allow the user to change the Data Sense settings to restrict data use on the device.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Date/Time

    Allow the user to change the Date/Time settings.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Language

    Allow the user to change the language settings.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Allow User to Change Power and Sleep Settings

    Allow the user to change the Power and Sleep settings.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Region

    Allow the user to change the region.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Allow User to Change Sign-In Options

    Allow the user to change the Sign-In Options.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    VPN

    Allow the user to change the VPN settings.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Allow User to Change Workplace Settings

    Allow the user to change Workplace settings and change how MDM functions on the device.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Allow the User to Change Account Settings

    Allow the user to change Account settings.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Bluetooth
    Bluetooth

    Allow the use of Bluetooth on the device.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Device Bluetooth Advertising

    Allow the device to broadcast Bluetooth Advertisements.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Bluetooth-enabled devices can discover the device

    Allow Bluetooth discovery of the device by other Bluetooth devices.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Device Functionality
    Camera

    Allow access to the camera function of the device.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Cortana

    Allow access to the Cortana application.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Device Discovery UX on the Lock Screen

    Allow the device discovery UX on the lock screen to discover projectors and other displays.

    When enabled, the Win+P and Win+K shortcuts do not work.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    IME Logging

    Enable to allow the user to turn on and off the logging of incorrect conversions, the saving of auto-tuning results to a file, and history-based predictive input.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    IME Network Access

    Enable to allow the user to turn on the Open Extended Dictionary, which integrates Internet searches to provide input suggestions that do not exist in a device's local dictionary.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Smart Screen

    Enable to allow the end user to use the Microsoft SmartScreen feature, which is a form of security requesting the end user to draw shapes on an image to unlock the device. This option also allows end users to use PINs as their passcode.

    Note:

    After you disable this function, you cannot reenable it through AirWatch MDM. To reenable it, you must factory reset the device.

    This restriction applies to both Windows 8.1 and Windows 10 devices. The restriction does not apply to Windows 10 Home edition devices.

    Search to Leverage Location Information

    Allow the search to use the device location information.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Storage Card

    Enable to allow the use of an SD card.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Windows Sync Settings

    Allow the user to sync Windows settings across devices.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Windows Tips

    Allow Windows Tips on the device to help the user.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    User Account Control Setting

    Select the level of notification sent to end users when a change to the operating system requires device admin permission.

    Applications
    Allow Non-Windows Store Trusted Applications

    Allows the downloading and installation of applications not trusted by the Windows Store.

    This restriction applies to all Windows 10 devices.

    App Store Auto Updates

    Enable to allow apps downloaded from the Windows Store to update automatically when new versions are available.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Allow Developer Unlock

    Allows the use of the Developer Unlock setting for sideloading applications onto devices.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Allow DVR & Game Broadcasting

    Enable to allow the recording and broadcasting of games on the device.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Allow Share Data Among Multiple Users of the Same App

    Allows sharing of data between multiple users of an app.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Restrict App Data to System Volume

    Restricts app data to the same volume as the OS instead of secondary volumes or removable media.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Restrict Installation of Applications to System Drive

    Restricts the installation of apps to the system drive instead of secondary drives or removable media.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Network
    Auto Connect to Wi-Fi Hotspots

    Enable to allow the device to connect to Wi-Fi hotspots automatically using the Wi-Fi Sense functionality.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Cellular Data On Roaming

    Enable to allow cellular data use while roaming.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Internet Sharing

    Enable to allow Internet sharing between devices.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Data Usage on Roaming

    Enable to allow end users to transmit and receive data while roaming.

    This restriction applies to all Windows devices.

    VPN Over Cellular

    Allow the use of a VPN over cellular data connections.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    VPN Roaming Over Cellular

    Allow the use of a VPN while on roaming cellular data connections.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Edge Browser
    Auto fill

    Allow the use of Auto fill to complete user information.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Cookies

    Allow the use of cookies.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Do Not Track

    Allow the use of Do Not Track requests.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Password Manager

    Allow the use of a password manager.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Pop-ups

    Allow pop-up browser windows.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Search Suggestions in Address Bar

    Allow search suggestions to appear in the address bar.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Smart Screen

    Allow the use of the SmartScreen malicious site and content filter.

    This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Send Intranet Traffic to Internet Explorer

    Enable to restrict intranet traffic to Internet Explorer instead of Microsoft Edge.

    This restriction applies to all Windows 10 devices.

    Enterprise Site List URL

    Enter the URL for an enterprise site list. The enterprise site list provides a list of sites for Enterprise Mode compatibility. This feature allows you to support legacy web apps. See Microsoft documentation for more information on this feature.

    This restriction applies to all Windows 10 devices.

  7. Select Save & Publish when you are finished to push the profile to devices.
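
To confirm on a device that a published Restrictions profile took effect, the following added PowerShell example (not AirWatch code) compares the values applied on the device with a sample baseline. It assumes the restrictions are delivered through the Windows Policy CSP; the CSP names paired with each console label and the baseline values are assumptions, not taken from this page.

```powershell
# Added example. Assumption: restrictions arrive through the Windows Policy CSP,
# whose applied device-scope values are mirrored under this registry key.
$root = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'

# Constructed sample baseline: console label, assumed CSP area/name, wanted value.
$baseline = @(
    @{ Setting = 'Allow Manual MDM Unenrollment';                     Area = 'Experience';            Name = 'AllowManualMDMUnenrollment';          Want = 0 }
    @{ Setting = 'Provisioning Packages Must Have a Certificate ...'; Area = 'Security';              Name = 'RequireProvisioningPackageSignature'; Want = 1 }
    @{ Setting = 'Allow Developer Unlock';                            Area = 'ApplicationManagement'; Name = 'AllowDeveloperUnlock';                Want = 0 }
    @{ Setting = 'Allow Non-Windows Store Trusted Applications';      Area = 'ApplicationManagement'; Name = 'AllowAllTrustedApps';                 Want = 0 }
    @{ Setting = 'Bluetooth discovery of the device';                 Area = 'Bluetooth';             Name = 'AllowDiscoverableMode';               Want = 0 }
    @{ Setting = 'Smart Screen (Edge Browser)';                       Area = 'Browser';               Name = 'AllowSmartScreen';                    Want = 1 }
)

function Test-RestrictionBaseline {
    param([hashtable[]]$Baseline, [string]$Root)
    foreach ($item in $Baseline) {
        $key = Join-Path $Root $item.Area
        # A missing key or value means the policy never reached this device.
        $actual = (Get-ItemProperty -Path $key -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
        $state = if ($null -eq $actual) { 'NotDelivered' } elseif ($actual -eq $item.Want) { 'Compliant' } else { 'Drift' }
        [pscustomobject]@{
            Setting  = $item.Setting
            Expected = $item.Want
            Actual   = $actual
            State    = $state
        }
    }
}

# Most restrictions on this page are not supported on Windows 10 Home,
# which reports an EditionID beginning with "Core".
$edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
if ($edition -like 'Core*') {
    Write-Warning "Edition '$edition' is a Home edition; expect NotDelivered for most settings."
}

Test-RestrictionBaseline -Baseline $baseline -Root $root | Format-Table -AutoSize
```

Run it on the managed device after the profile publishes. `NotDelivered` rows on a supported edition point to a profile assignment or sync problem, while `Drift` rows show a value that differs from the baseline.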