Feature Control (Desktop)

Use this dialog box to configure individual device features.

Note: Some feature control policies are not supported on desktop devices running Windows 10 Home Edition.

Hardware

Disable Camera
  Description: Prevent the user from using the camera on the device.
  Supported on Home Edition: No

Disable Location Service
  Description: Disable any Location Services on the device. This will also block various applications on the device from using Location Services.
  Supported on Home Edition: No

Application

Disable DVR and Broadcasting
  Description: Disable DVR and broadcasting.
  Supported on Home Edition: No

Disable Store Application Automatic Update
  Description: Disable automatic update of apps from Windows Store.
  Supported on Home Edition: No

Cellular Data and Roaming

Disable Cellular Data Roaming
  Description: Prevent the user from using cellular data while the device is roaming.
  Supported on Home Edition: No

Disable Enterprise APN User Control
  Description: Prevents the device user from changing enterprise APN settings for the APN profile configuration. Supported on desktop devices running Windows 10 version 1703 and later.
  Supported on Home Edition: Yes

WiFi

Disable WiFi Hotspot Reporting
  Description: Disable WiFi hotspot information from being reported to Microsoft.
  Supported on Home Edition: No

Disable Auto Connect to WiFi Sense Hotspots
  Description: Prevent the device from auto connecting to WiFi hotspots.
  Supported on Home Edition: No

Bluetooth

Disable Bluetooth Advertising
  Description: Disable the device from acting as a source for advertisements.
  Supported on Home Edition: No

Disable Bluetooth Discoverable Mode
  Description: Disable the Bluetooth discoverable mode.
  Supported on Home Edition: No

Set Bluetooth Device Name
  Description: Enter a string that specifies the local Bluetooth device name.
  Supported on Home Edition: No

Disable Bluetooth
  Description: Prevent the user from enabling Bluetooth.
  Supported on Home Edition: No

Data Protection

Disable SD Card Access
  Description: Disable access to the SD card directory.
  Supported on Home Edition: No

Disable Internet Sharing Over WiFi
  Description: Disables the device from being able to share Internet and becoming a WiFi hotspot.
  Supported on Home Edition: No

Disable Direct Memory Access
  Description: Disable Direct Memory Access.
  Supported on Home Edition: No

Experience

Disable Cortana
  Description: Disable Cortana (personal digital assistant) on the device.
  Supported on Home Edition: No

Allow Manual MDM Unenrollment
  Description: Allow the user to unenroll the device.
  Supported on Home Edition: No

Disable Device Discovery on Lock Screen
  Description: Disable the device discovery user interface on the lock screen.
  Supported on Home Edition: No

Defender

Disable Cloud Protection
  Description: Disables Cloud Protection. If this option is not selected, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information in their cloud, and learn more about problems affecting users. Microsoft can then respond with the best possible solution.
  Supported on Home Edition: Yes

Average CPU Load Factor in Percent
  Description: Show the average CPU load factor for the scan (as a percent).
  Supported on Home Edition: Yes

Days to Retain Cleaned Malware
  Description: Time period (in days) that quarantined items will be stored on the system.
  Supported on Home Edition: Yes

Disable Archive Scanning
  Description: Disable scanning of archives.
  Supported on Home Edition: Yes

Disable Behavior Monitoring
  Description: Disable Defender's Behavior Monitoring functionality.
  Supported on Home Edition: Yes

Disable Email Scanning
  Description: Disable scanning of email.
  Supported on Home Edition: Yes

Disable Full Scan On Network Drives
  Description: Disable a full scan of mapped network drives.
  Supported on Home Edition: Yes

Disable Full Scan On Removable Drives
  Description: Disable a full scan of removable drives.
  Supported on Home Edition: Yes

Disable Intrusion Prevention System
  Description: Disable Defender's Intrusion Prevention functionality.
  Supported on Home Edition: Yes

Disable IOAVP Protection
  Description: Disable Defender's IOAVP Protection functionality.
  Supported on Home Edition: Yes

Disable On Access Protection
  Description: Disable Defender's On Access Protection functionality.
  Supported on Home Edition: Yes

Disable Realtime Monitoring
  Description: Disable Defender's Realtime Monitoring functionality.
  Supported on Home Edition: Yes

Disable Scanning Network Files
  Description: Disable scanning of network files.
  Supported on Home Edition: Yes

Disable Script Scanning
  Description: Disable Defender's Script Scanning functionality.
  Supported on Home Edition: Yes

Disable User UI Access
  Description: Disallow user access to the Defender UI. If disallowed, all Defender notifications will also be suppressed.
  Supported on Home Edition: Yes

Excluded Extensions
  Description: Allow an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by |. For example, "lib|obj".
  Supported on Home Edition: Yes

Excluded Paths
  Description: Allow an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by |. For example, "C:\Example|C:\Example1".
  Supported on Home Edition: Yes

Excluded Processes
  Description: Allow an administrator to specify a list of files opened by processes to ignore during a scan.
  Supported on Home Edition: Yes

Real Time Scan Direction
  Description: Control which sets of files should be monitored.
    • Bidirectional – Monitor all files.
    • Incoming – Monitor incoming files.
    • Outgoing – Monitor outgoing files.
  Supported on Home Edition: Yes

Scan Type
  Description: Select whether to perform a quick scan or a full scan.
    • Quick Scan – Perform a quick Defender scan.
    • Full Scan – Perform a full Defender scan.
  Supported on Home Edition: Yes

Quick Scan Schedule in Minutes
  Description: Specify the time of day that the Defender quick scan should run. The time must be specified as the number of minutes past midnight (local time). Valid values are 0 to 1380, where 12:00 AM = 0, 1:00 AM = 60, and so on until 11:00 PM = 1380.
  Supported on Home Edition: Yes

Schedule Scan Day
  Description: Select the day on which the Defender scan should run.
  Supported on Home Edition: Yes

Schedule Scan Time in Minutes
  Description: Specify the time of day that the Defender scan should run. The time must be specified as the number of minutes past midnight (local time). Valid values are 0 to 1380, where 12:00 AM = 0, 1:00 AM = 60, and so on until 11:00 PM = 1380.
  Supported on Home Edition: Yes

Signature Update Interval in Hours
  Description: Specify the interval (in hours) that will be used to check for signatures. Instead of using the ScheduleDay and ScheduleTime, Windows will check for new signatures at the set interval. The interval is set in hours, so at most Windows will check for signatures every hour.
  Supported on Home Edition: Yes

Submit Samples Consent
  Description: Check for the user consent level in Defender to send data. If the required consent has already been granted, Defender submits the samples. If not (and if the user has specified never to ask), the UI is launched to ask for user consent (when Defender/AllowCloudProtection is allowed) before sending data.
    • Always Prompt – Always prompt the user.
    • Send Safe Samples – Send safe samples automatically.
    • Never Send – Never send samples.
    • Send All Samples – Send all samples automatically.
  Supported on Home Edition: Yes
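
The following is an added example, not part of the product or its documentation: a pre-deployment review of Defender option values that checks the formats described above (|-separated exclusion lists, scan time as 0 to 1380 minutes past midnight) and reports settings that reduce scan coverage. The dict layout, the function names and the shortlists of risky extensions and weakening options are assumptions made for illustration.

```python
import re

# Hypothetical profile representation: a dict keyed by the option names listed above.
# Assumption: this shortlist of executable/script extensions is illustrative, not exhaustive.
RISKY_EXTENSIONS = {"exe", "dll", "sys", "ps1", "bat", "cmd", "js", "vbs", "scr"}
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
WEAKENING_OPTIONS = (
    "Disable Realtime Monitoring", "Disable Behavior Monitoring",
    "Disable On Access Protection", "Disable IOAVP Protection",
    "Disable Script Scanning", "Disable Cloud Protection",
)

def split_list(value):
    """Split a '|'-separated policy value into trimmed entries."""
    return [item.strip() for item in value.split("|")] if value else []

def minutes_past_midnight(hhmm):
    """Convert local 'HH:MM' to the schedule value; the valid range is 0 to 1380."""
    hours, minutes = (int(part) for part in hhmm.split(":"))
    value = hours * 60 + minutes
    if not (0 <= hours <= 23 and 0 <= minutes <= 59 and value <= 1380):
        raise ValueError(f"{hhmm!r} is outside the valid range 0-1380 minutes")
    return value

def lint_profile(profile):
    """Return review findings for a Defender feature-control profile."""
    findings = [f"protection turned off: {name}"
                for name in WEAKENING_OPTIONS if profile.get(name)]
    for ext in split_list(profile.get("Excluded Extensions", "")):
        bare = ext.lstrip(".").lower()
        if not bare:
            findings.append("Excluded Extensions: empty entry (stray '|')")
        elif "*" in bare or bare in RISKY_EXTENSIONS:
            findings.append(f"Excluded Extensions: over-broad entry {ext!r}")
    for path in split_list(profile.get("Excluded Paths", "")):
        if not path:
            findings.append("Excluded Paths: empty entry (stray '|')")
        elif "*" in path or DRIVE_ROOT.match(path):
            findings.append(f"Excluded Paths: over-broad entry {path!r}")
    return findings

# Constructed sample profile for illustration.
SAMPLE = {
    "Disable Realtime Monitoring": True,
    "Excluded Extensions": "lib|obj|exe",
    "Excluded Paths": "C:\\Example|C:\\|",
    "Schedule Scan Time in Minutes": minutes_past_midnight("02:30"),
}
```

Calling lint_profile(SAMPLE) returns four findings: real-time monitoring turned off, the "exe" extension exclusion, the whole-drive path exclusion, and the empty entry left by the trailing |.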

Text Input

Disable IME Logging
  Description: Controls whether the user can turn on and off the logging of incorrect conversions, the saving of auto-tuning results to a file, and history-based predictive input.
  Supported on Home Edition: No

Disable IME Network Access
  Description: Disallow the user from turning on Open Extended Dictionary, Internet Search Integration, or online services that provide input suggestions that don't exist in the PC's local dictionary.
  Supported on Home Edition: No

Disable Japanese IME Surrogate Pair Characters
  Description: Disable the Japanese IME surrogate pair characters.
  Supported on Home Edition: No

Disable Japanese IVS Characters
  Description: Disable Japanese Ideographic Variation Sequence (IVS) characters.
  Supported on Home Edition: No

Disable Japanese Non-Publishing Standard Glyph
  Description: Disable the Japanese non-publishing standard glyph.
  Supported on Home Edition: No

Disable Japanese User Dictionary
  Description: Disable the Japanese user dictionary.
  Supported on Home Edition: No

Disable Korean Extended Hanja
  Description: Disable the use of the Korean Extended Hanja character set.
  Supported on Home Edition: Yes

Exclude Japanese IME Except JISO208
  Description: Disallow users from restricting the character code range of conversion by setting the character filter.
  Supported on Home Edition: No

Exclude Japanese IME Except JISO208 and EUDC
  Description: Disallow users from restricting the character code range of conversion by setting the character filter.
  Supported on Home Edition: No

Exclude Japanese IME Except Shift JIS
  Description: Disallow users from restricting the character code range of conversion by setting the character filter.
  Supported on Home Edition: No

Update

Auto Update Settings
  Description: Allow the IT administrator to manage automatic update behavior to scan, download, and install updates.
    • Notify User: Notify the user before downloading the update. This policy is used by enterprises that want to enable end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
    • Install and Notify: Auto install the update and then notify the user to schedule a restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the computer is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart is forced. Enabling the end-user to control the restart time reduces the risk of accidental app data loss caused by apps that do not shut down properly on restart.
    • Install and Restart: Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the computer is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental app data loss caused by apps that do not shut down properly on restart.
    • Install and Restart at Specific Time: Auto install and restart at a specified time. The IT administrator specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
    • Install and Restart Without User Control: Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the computer is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. It sets the end-user control panel to read-only.
    • No Auto Updates: Turn off automatic updates.
  Supported on Home Edition: No

Disable Non-Microsoft Signed Update
  Description: Disallow the IT administrator to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third-party software and patch distribution. Supported operations are Get and Replace.
  Supported on Home Edition: No

Disable Update Service
  Description: Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store. Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Windows Store. Enabling this policy will disable that functionality, and may cause connection to public services such as the Windows Store to stop working.
  Note: This policy applies only when the desktop or device is configured to connect to an intranet update service using the Custom Update WSUS server URL policy.
  Supported on Home Edition: No

Scheduled Install Time (0-23 hours)
  Description: Enable the IT administrator to schedule the time of the update installation.
  Supported on Home Edition: No

Custom Update WSUS Server URL
  Description: The URL of a custom update WSUS server. Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.
  Supported on Home Edition: No

Scheduled Install Day
  Description: Enable the IT administrator to schedule the day of the update installation.
  Supported on Home Edition: No