Security settings
The Security settings provide device, app, data, and backup and restore settings for a Windows device.
Use the Security settings to configure the following security-specific policy settings.
- Device Security
- Device Encryption (BitLocker)
- Data Security
- Authentication and Cryptography
- App Security
| Policy setting | Description | Supported devices |
|---|---|---|
| Disable USB or SD Card | Disables external USB or SD card usage on the device. |
|
| Allow Developer Unlock | Unlocks the phone to enable app deployment to the phone. Disable this setting to prevent
running untrusted apps. Note: Enabling this setting overrides the Allow installation of
non-Windows store Apps setting.
|
|
| Allow Notification center in device lock screen | Enables action center notifications in the device lock screen. | Windows Phone 8.1+ |
| Allow Factory Reset | If you disable this setting and lose the network access or if the device becomes unreachable,
you must service the device at a Microsoft authorized
service center. Although the Reset this PC menu and the Advanced
Startup options are still available, they might not work correctly. Disabling this
setting does not prevent you from restoring the device by using a Windows image from removable media like a USB or CD. Important: The
vendor is not responsible for any damage that is caused to the device by using this
feature.
|
|
| Allow Manual Unenrollment | Enables the user to manually delete the WorkPlace account from the device. Disabling this setting causes the device to harden or lose connectivity and might require the device to be serviced at a Microsoft authorized service center. |
|
| Policy setting | Description | Supported devices |
|---|---|---|
| Enforce Device Drives Encryption | Enables internal storage encryption on a device by default. These settings are not applied to
drives that are already encrypted. The default is No. The status of encryption is
published as Encryption Level in device view.In
Edit mode, select the checkbox to enable Enforce
Device Drives Encryption and view the following options.Note: Supported in MDM Extender
Agent (MES) version 4.37 and later.
Important: If the drive is encrypted using IBM®
MaaS360®, removing the Device Encryption
(BitLocker) policy initiates the decryption of the drive.
|
|
| Enforce Removable Drives Encryption | Enforces encryption on removable devices during write or save content action on removable devices. | Windows 10+ Professional, Education, Enterprise |
| Override System Drive Recovery Message | Overrides the default system drive recovery message. | Windows 10+ Professional, Education, Enterprise |
| Backup BitLocker Recovery Password to Active Directory | The BitLocker recovery password is automatically backed up on Domain joined devices.
|
Windows 10+ Professional, Education, Enterprise |
| Backup BitLocker Recovery Key to MaaS360 | BitLocker Recovery Key of the device is backed up in MaaS360. The user can obtain the recovery key by accessing their Device record on the End User Portal. It can also be obtained by sharing the recovery key through email from Device record on the Admin Portal. | Windows 10+ Professional, Education, Enterprise |
| Policy setting | Description | Supported devices |
|---|---|---|
| Allow Copy Paste | Enables a user to copy and paste content on the device. | Windows Phone 8.1+ |
| Allow Screen Capture | Enables screen captures on the device. | Windows Phone 8.1+ |
| Allow Save As of Office Documents | Enables a user to save files on the device as a Microsoft Office file. | Windows Phone 8.1+ |
| Allow Sharing of Office Documents | Enables a user to share Microsoft Office files. | Windows Phone 8.1+ |
| Policy setting | Description | Supported devices |
|---|---|---|
| Allow FIPS Compliance Policy | Enables the Federal Information Processing Standard (FIPS) policy on the device. |
|
| Allow SSO using EAP certificate based authentication | Enables single-sign-on by using extensible authentication protocol (EAP) certificate-based authentication for accessing internal resources. | Windows 10+ Professional, Education, Enterprise |
| Allow Fast Reconnect | Enables fast EAP reconnection that is attempted for the Transport Layer Security (TLS). |
|
| Allow Secondary Authentication Device | Enables secondary authenticated devices to work with Windows. |
|
| Policy setting | Description | Supported devices |
|---|---|---|
| Allow installation of Non-Windows Store Apps | Set the value as enabled, or disabled, or set user control to allow or disallow
reinstallation on non-Windows store apps. This setting
works with the Allow Developer Unlock policy setting. Note: This setting must
be enabled if you are using Mobile App Management for Enterprise Apps or Browsers for Windows Phones.
|
|
| Allow auto-update of Windows Store Apps | Enables the user to update apps automatically from the Microsoft Store. |
|
| Disallow Installed Store Apps | Enables the factory reset on the device. | Windows 10+ Education, Enterprise |
| Allow Private Store Only | Enables only Windows Store for Business. The retail catalog is disabled. |
|
| Restrict installation of apps to system drives | Restricts installing apps to system drives. |
|
| Restrict app data to system volume | App data is restricted to the system volume. |
|