Security settings
The Security settings provide device, app, data, and backup and restore settings for a Windows device.
Use the Security settings to configure the following security-specific policy settings:
- Device Security
- Device Encryption (Bit Locker)
- Data Security
- Authentication and Cryptography
- App Security
| Policy setting | Description | Supported devices |
|---|---|---|
| Allow notification center in device lock screen | Enables action center notifications in the device lock screen. | Windows Phone 8.1+ |
| Disable USB or SD card | Disables external USB or SD card usage on the device. |
|
| Allow developer unlock | Unlocks the phone to enable app deployment to the phone. Disable this setting to prevent
running untrusted apps. Note: Enabling this setting overrides the Allow installation of
non-Windows store Apps setting.
|
|
| Allow manual unenrollment | Enables the user to manually delete the WorkPlace account from the device. Disabling this setting causes the device to harden or lose connectivity and might require the device to be serviced at a Microsoft authorized service center. |
|
| Allow factory reset | If you disable this setting and lose the network access or if the device becomes unreachable,
you must service the device at a Microsoft authorized
service center. Although the Reset this PC menu and the Advanced
Startup options are still available, they might not work correctly. Disabling this
setting does not prevent you from restoring the device by using a Windows image from removable media like a USB or CD. Important: The
vendor is not responsible for any damage that is caused to the device by using this
feature.
|
|
| Policy setting | Description | Supported devices |
|---|---|---|
| Enforce storage card encryption | Encryption of the storage card on the device is enforced. Note: This setting requires Windows Phone 10 version 1703+.
|
Windows Phone 10+ |
| Enforce device drive encryption | Enables internal storage encryption on a device by default. On Windows laptops and tablets, the user is prompted to enable system or fixed drive encryption. The encryption status is published as Encryption Level in the Device View. Note: This setting requires Windows 10 MDM Extender Service 1.90+ version.
|
|
| Enforce removable drives encryption | Enforces encryption on removable devices during write or save content action on removable devices. | Windows 10+ Professional, Education, Enterprise |
| Override system drive recovery message | Overrides the default system drive recovery message. | Windows 10+ Professional, Education, Enterprise |
| Backup BitLocker recovery password to Active Directory | The BitLocker recovery password is automatically backed up on Domain joined devices.
|
Windows 10+ Professional, Education, Enterprise |
| Backup BitLocker Recovery Key to MaaS360 | BitLocker Recovery Key of the device is backed up in MaaS360®. The user can obtain the recovery key by accessing their Device record on the End User Portal. It can also be obtained by sharing the recovery key through email from Device record on the Admin Portal. | Windows 10+ Professional, Education, Enterprise |
| Policy setting | Description | Supported devices |
|---|---|---|
| Allow copy paste | Enables a user to copy and paste content on the device. | Windows Phone 8.1 |
| Allow screen capture | Enables screen captures on the device. | Windows Phone 8.1+ |
| Allow Save As of office documents | Enables a user to save files on the device as a Microsoft Office file. | Windows Phone 8.1 |
| Allow sharing of office documents | Enables a user to share Microsoft Office files. | Windows Phone 8.1 |
| Policy setting | Description | Supported devices |
|---|---|---|
| Allow FIPS compliance policy | Enables the Federal Information Processing Standard (FIPS) policy on the device. |
|
| Allow SSO using EAP certificate based authentication | Enables single-sign-on by using extensible authentication protocol (EAP) certificate-based authentication for accessing internal resources. | Windows 10+ Professional, Education, Enterprise |
| Allow fast reconnect | Enables fast EAP reconnection that is attempted for the Transport Layer Security (TLS). |
|
| Allow secondary authentication device | Enables secondary authenticated devices to work with Windows. |
|
| Policy setting | Description | Supported devices |
|---|---|---|
| Allow installation of non-Windows store apps | Set the value as enabled, or disabled, or set user control to allow or disallow reinstallation on non-Windows store apps. This setting works with the Allow Developer
Unlock policy setting. Note: This setting must be enabled if you are using Mobile App Management for Enterprise Apps or Browsers for Windows Phones.
|
|
| Allow auto-update of Windows store apps | Enables the user to update apps automatically from the Microsoft Store. |
|
| Disallow installed store apps | Enables the factory reset on the device. | Windows 10+ Professional, Education, Enterprise |
| Allow private store only | Enables only Windows Store for Business. The retail catalog is disabled. |
|
| Restrict installation of apps to system drives | Restricts installing apps to system drives. |
|
| Restrict app data to system volume | App data is restricted to the system volume. |
|