Security settings

The Security settings provide device, app, data, and backup and restore settings for a Windows device.

Use the Security settings to configure the following security-specific policy settings:

  • Device Security
  • Device Encryption (Bit Locker)
  • Data Security
  • Authentication and Cryptography
  • App Security
Table 1. Device security settings
Policy setting Description Supported devices
Allow notification center in device lock screen Allows action center notifications in the device lock screen. Windows Phone 8.1+
Disable USB or SD card Does not allow external USB or SD card usage on the device.
  • Windows Phone 8+
  • Windows 10+ Professional, Education, Enterprise
Allow developer unlock Unlocks the phone to enable app deployment to the phone. Disable this setting to prevent running untrusted apps.
Note: Enabling this setting overrides the Allow installation of non-Windows store Apps setting.
  • Windows Phone 8.1+
  • Windows 10+ Professional, Education, Enterprise
  • Windows Holographic
Allow manual unenrollment Allows a user to manually delete the WorkPlace account from the device. Disabling this setting causes the device to harden or lose connectivity and might require the device to be serviced at a Microsoft authorized service center.
  • Windows Phone 8.1+
  • Windows 10+ Professional, Education, Enterprise
  • Windows Holographic
Allow factory reset If you disable this setting and then lose network access or the device becomes unreachable, you might need to service the device at a Microsoft authorized service center. Although the Reset this PC menu and the Advanced Startup options are still available, they might not work correctly. Disabling this setting does not prevent you from restoring the device by using a Windows image from removable media like a USB or CD.
Important: The vendor is not responsible for any damage that is caused to the device by using this feature.
  • Windows Phone 8.1+
  • Windows 10+ Professional, Education, Enterprise
Table 2. Device encryption (Bit Locker) settings
Policy setting Description Supported devices
Enforce storage card encryption Encryption of the storage card on the device is enforced.
Note: This setting requires Windows Phone 10 version 1703+.
Windows Phone 10+
Enforce device drive encryption Enables internal storage encryption on a device by default. On Windows laptops and tablets, the user is prompted to enable system or fixed drive encryption. The encryption status is published as Encryption Level in the Device View.
Note: This setting requires Windows 10 MDM Extender Service 1.90+ version.
  • Windows Phone 8+
  • Windows 10+ Professional, Education, Enterprise
  • Windows Holographic
Enforce removable drives encryption Enforces encryption on removable devices during write or save content action on removable devices. Windows 10+ Professional, Education, Enterprise
Override system drive recovery message Overrides the default system drive recovery message. Windows 10+ Professional, Education, Enterprise
Backup BitLocker recovery password to Active Directory The BitLocker recovery password is automatically backed up on Domain joined devices.
  • For Azure Active Directory joined devices, the password is displayed under the device information in the Azure portal.
  • For On-Premise Active Directory joined devices, the password is displayed under the Properties section of the Device View.
Windows 10+ Professional, Education, Enterprise
Backup BitLocker recovery password to End User Portal The recovery password is automatically backed up daily on any device in the End User Portal. A user can recover their password from the device record in the End User Portal. Windows 10+ Professional, Education, Enterprise
Table 3. Data security settings
Policy setting Description Supported devices
Allow copy paste Allows a user to copy and paste content on the device. Windows Phone 8.1
Allow screen capture Allows screen captures on the device. Windows Phone 8.1+
Allow Save As of office documents Allows a user to save files on the device as a Microsoft Office file. Windows Phone 8.1
Allow sharing of office documents Allows a user to share Microsoft Office files. Windows Phone 8.1
Table 4. Authentication and cryptography settings
Policy setting Description Supported devices
Allow FIPS compliance policy Allows the Federal Information Processing Standard (FIPS) policy on the device.
  • Windows Phone 10+
  • Windows 10+ Professional, Education, Enterprise
Allow SSO using EAP certificate based authentication Allows single-sign-on by using extensible authentication protocol (EAP) certificate-based authentication for accessing internal resources. Windows 10+ Professional, Education, Enterprise
Allow fast reconnect Allows fast EAP reconnection that is attempted for the Transport Layer Security (TLS).
  • Windows Phone 10+
  • Windows 10+ Professional, Education, Enterprise
  • Windows Holographic
Allow secondary authentication device Allows secondary authenticated devices to work with Windows.
  • Windows Phone 10+
  • Windows 10+ Professional, Education, Enterprise
Table 5. App security settings
Policy setting Description Supported devices
Allow installation of non-Windows store apps Set the value as enabled, or disabled, or set user control to allow or disallow reinstallation on non-Windows store apps. This setting works with the Allow Developer Unlock policy setting.
Note: This setting must be enabled if you are using Mobile App Management for Enterprise Apps or Browsers for Windows Phones.
  • Windows Phone 10+
  • Windows 10+ Professional, Education, Enterprise
  • Windows Holographic
Allow auto-update of Windows store apps Allows you to update apps automatically from the Microsoft Store.
  • Windows 10+ Professional, Education, Enterprise
  • Windows Holographic
Disallow installed store apps Allows a factory reset on the device. Windows 10+ Professional, Education, Enterprise
Allow private store only Allows only Windows Store for Business. The retail catalog is disabled.
  • Windows Phone 10+
  • Windows 10+ Professional, Education, Enterprise
Restrict installation of apps to system drives Restricts installing apps to system drives.
  • Windows Phone 10+
  • Windows 10+ Professional, Education, Enterprise
Restrict app data to system volume App data is restricted to the system volume.
  • Windows Phone 10+
  • Windows 10+ Professional, Education, Enterprise