Security settings
The Security settings provide device, app, data, and backup and restore settings for a Windows device.
Use the Security settings to configure the following security-specific policy settings:
- Device Security
- Device Encryption (BitLocker)
- Data Security
- Authentication and Cryptography
- App Security

Device Security

Policy setting | Description | Supported devices |
---|---|---|
Allow notification center in device lock screen | Allows action center notifications in the device lock screen. | Windows Phone 8.1+ |
Disable USB or SD card | Does not allow external USB or SD card usage on the device. | |
Allow developer unlock | Unlocks the phone to enable app deployment to the phone. Disable this setting to prevent running untrusted apps. Note: Enabling this setting overrides the Allow installation of non-Windows store Apps setting. | |
Allow manual unenrollment | Allows a user to manually delete the WorkPlace account from the device. Disabling this setting causes the device to harden or lose connectivity and might require the device to be serviced at a Microsoft authorized service center. | |
Allow factory reset | If you disable this setting and then lose network access or the device becomes unreachable, you might need to service the device at a Microsoft authorized service center. Although the Reset this PC menu and the Advanced Startup options are still available, they might not work correctly. Disabling this setting does not prevent you from restoring the device by using a Windows image from removable media like a USB or CD. Important: The vendor is not responsible for any damage that is caused to the device by using this feature. | |

Device Encryption (BitLocker)

Policy setting | Description | Supported devices |
---|---|---|
Enforce storage card encryption | Encryption of the storage card on the device is enforced. Note: This setting requires Windows Phone 10 version 1703+. | Windows Phone 10+ |
Enforce device drive encryption | Enables internal storage encryption on a device by default. On Windows laptops and tablets, the user is prompted to enable system or fixed drive encryption. The encryption status is published as Encryption Level in the Device View. Note: This setting requires Windows 10 MDM Extender Service 1.90+ version. | |
Enforce removable drives encryption | Enforces encryption on removable devices during write or save content action on removable devices. | Windows 10+ Professional, Education, Enterprise |
Override system drive recovery message | Overrides the default system drive recovery message. | Windows 10+ Professional, Education, Enterprise |
Backup BitLocker recovery password to Active Directory | The BitLocker recovery password is automatically backed up on Domain joined devices. | Windows 10+ Professional, Education, Enterprise |
Backup BitLocker recovery password to End User Portal | The recovery password is automatically backed up daily on any device in the End User Portal. A user can recover their password from the device record in the End User Portal. | Windows 10+ Professional, Education, Enterprise |

Data Security

Policy setting | Description | Supported devices |
---|---|---|
Allow copy paste | Allows a user to copy and paste content on the device. | Windows Phone 8.1 |
Allow screen capture | Allows screen captures on the device. | Windows Phone 8.1+ |
Allow Save As of office documents | Allows a user to save files on the device as a Microsoft Office file. | Windows Phone 8.1 |
Allow sharing of office documents | Allows a user to share Microsoft Office files. | Windows Phone 8.1 |

Authentication and Cryptography

Policy setting | Description | Supported devices |
---|---|---|
Allow FIPS compliance policy | Allows the Federal Information Processing Standard (FIPS) policy on the device. | |
Allow SSO using EAP certificate based authentication | Allows single-sign-on by using extensible authentication protocol (EAP) certificate-based authentication for accessing internal resources. | Windows 10+ Professional, Education, Enterprise |
Allow fast reconnect | Allows fast EAP reconnection that is attempted for the Transport Layer Security (TLS). | |
Allow secondary authentication device | Allows secondary authenticated devices to work with Windows. | |

App Security

Policy setting | Description | Supported devices |
---|---|---|
Allow installation of non-Windows store apps | Set the value to enabled or disabled, or set user control to allow or disallow reinstallation on non-Windows store apps. This setting works with the Allow Developer Unlock policy setting. Note: This setting must be enabled if you are using Mobile App Management for Enterprise Apps or Browsers for Windows Phones. | |
Allow auto-update of Windows store apps | Allows you to update apps automatically from the Microsoft Store. | |
Disallow installed store apps | Allows a factory reset on the device. | Windows 10+ Professional, Education, Enterprise |
Allow private store only | Allows only Windows Store for Business. The retail catalog is disabled. | |
Restrict installation of apps to system drives | Restricts installing apps to system drives. | |
Restrict app data to system volume | App data is restricted to the system volume. | |