Windows policies
Last updated September 25th, 2024
This section describes the policies you can configure for Windows devices.
The availability of each policy varies depending on the OS version.
System
Allows the use of features such as factory reset, camera, screen capture and VPN.

| Policy | Description | Supported system |
|---|---|---|
| Factory reset | Allows a device factory reset. | Windows 10 and higher, Windows 10 Mobile |
| Camera | Allows using the camera. | Windows 10 and higher, Windows 10 Mobile |
| Screen Capture | Allows using the screen capture function. | Windows 10 Mobile |
| VPN | Allows modifications to the VPN settings. | Windows 10 and higher, Windows 10 Mobile |
| > VPN Over Cellular | Allows the device user to connect to a VPN over mobile data. | |
| > VPN Roaming Over Cellular | Allows device users to use a VPN over a cellular internet connection while roaming. | |
| Sign In Options | Allows the device user to modify the Sign-in options in the device's account settings. These options include the available authentication methods, dynamic lock, and whether to display account details on the sign-in screen. | Windows 10 and higher, Windows 10 Mobile |
| Date and Time | Allows the device user to change the Date & time settings. | Windows 10 and higher, Windows 10 Mobile |
| Language | Allows the device user to change the Language settings. | Windows 10 and higher, Windows 10 Mobile |
| Power and Sleep | Allows the device user to change the Power & sleep settings. | Windows 10 and higher, Windows 10 Mobile |
| Region | Allows the device user to change the Region settings. | Windows 10 and higher, Windows 10 Mobile |
| Workplace | Allows the device user to change the Workplace settings, also known as the Access work or school settings, and change EMM account credentials on the device. | Windows 10 and higher, Windows 10 Mobile |
| Account | Allows the device user to change the account settings, including adding and removing other users. | Windows 10 and higher, Windows 10 Mobile |
| Windows Sync | Allows the device user to sync their Windows settings across devices. | |
| Windows Tips | Allows the device user to use Windows Tips. | Windows 10 and higher, Windows 10 Mobile |
Connectivity
Controls the network settings, such as Bluetooth, Wi-Fi tethering, and NFC.

| Policy | Description | Supported system |
|---|---|---|
| Wi-Fi | Allows the use of Wi-Fi. | Windows 10 and higher, Windows 10 Mobile |
| > Wi-Fi Tethering | Allows tethering the Wi-Fi connection. | Windows 10 and higher, Windows 10 Mobile |
| Bluetooth | Allows the use of Bluetooth. | Windows 10 and higher, Windows 10 Mobile |
| Bluetooth Advertisement | Enables broadcasting the device's presence over Bluetooth. | Windows 10 and higher, Windows 10 Mobile |
| > Search Mode | Allows using device search via Bluetooth. | Windows 10 and higher, Windows 10 Mobile |
| NFC | Allows the use of NFC (Near Field Communication). | Windows 10 Mobile |
| USB | Allows USB tethering connections. | Windows 10 Mobile |
| Removable Storage | Allows or blocks the usage of removable storage devices. Default: Allow. | Windows 10 and higher, Windows 10 Mobile |
| Cortana | Allows the device user to access Cortana features. This policy doesn't affect text search. | Windows 10 and higher, Windows 10 Mobile |
| IME Logging | Allows the device user to turn on history for the Windows IME (input method editor), which builds a dataset for predictive character input. | Windows 10 and higher, Windows 10 Mobile |
| IME Network Access | Allows the device user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions for the Windows IME that don't exist in the local dictionary. | Windows 10 and higher, Windows 10 Mobile |
Security
Configures the password settings.

| Policy | Description | Supported system |
|---|---|---|
| Password policies | Set to apply the password policy when the screen is locked. The camera is disabled in screen lock mode. If you have enabled Samsung Knox Manage for a device with no password, certificates registered on the device are deleted. | Windows 10 and higher, Windows 10 Mobile |
| > Maximum Failed Login Attempts | Set the maximum number of incorrect password attempts. The value can be between 3 and 998 attempts. If the wrong password is entered more than the allowed number of times, a challenge phrase appears, and then the system begins the factory reset operation. A challenge phrase is a particular phrase presented to you to disable the autofill feature and protect your information; you must enter the case-sensitive challenge phrase exactly. | Windows 10 and higher, Windows 10 Mobile |
| > Minimum length | Set the minimum length of the password. The value can be between 4 and 16 characters. | Windows 10 and higher, Windows 10 Mobile |
| > Maximum Screen lock grace period (Minutes) | Set the idle time before the screen lock is enabled. The value can be between 0 and 999 minutes. | Windows 10 and higher, Windows 10 Mobile |
| > Expiration after (days) | Set the maximum number of days before the password must be reset. The value can be between 0 and 730 days. Set the number to 0 for an indefinite period. | Windows 10 and higher, Windows 10 Mobile |
| > Retain history for | Set the number of times that you can reuse a password that you previously used, including the current password. The value can be between 2 and 50 times. | Windows 10 and higher, Windows 10 Mobile |
App Restrictions
Allows using the Windows App Store and configuring options for application controls, such as installation and blocklist/allowlist.

| Policy | Description | Supported system |
|---|---|---|
| Windows App store access control | Allows access to the Windows App Store. | Windows 10 Mobile |
| App Installation Block/Allowlist | Set the Windows app policies based on the blocklist or the allowlist. | Windows 10 and higher, Windows 10 Mobile |
| > Preloaded App Automatic Addition | Set to automatically add preloaded apps. | Windows 10 and higher, Windows 10 Mobile |
| > App Install/Run Allowlist | Add applications to allow their installation. Any applications not on the allowlist are deleted, even if previously installed. The Knox Manage agent is automatically registered on the list. | Windows 10 and higher, Windows 10 Mobile |
| > App Install/Run Blocklist | Add applications to prohibit their installation. Blocked applications are deleted even if they were previously installed. An application that was added to the App Install/Run Allowlist cannot be added. | Windows 10 and higher, Windows 10 Mobile |
| Developer Unlock | Allows the device user to enable developer mode. | Windows 10 and higher, Windows 10 Mobile |
| DVR and Game Broadcasting | Allows the device user to capture video and audio with Xbox Game Bar. This policy can only be enforced on Windows 10 Pro, Business, Enterprise, and Education editions. | Windows 10 and higher, Windows 10 Mobile |
| Restrict App Data to System Volume | Forces all app data to be stored on the Windows storage volume. | Windows 10 and higher, Windows 10 Mobile |
| All Trusted Apps (Non-Microsoft Store Apps) | Allows apps from any source to be installed. | Windows 10 and higher, Windows 10 Mobile |
| App Store Auto Updates | Allows apps installed from the Microsoft Store to update automatically. | Windows 10 and higher, Windows 10 Mobile |
| Share Data between Users | Forces apps to store their data in a shared directory that all user accounts can access. When allowed, app data is stored in the SharedLocal directory, available through the Windows.Storage namespace in the UWP API. | Windows 10 and higher, Windows 10 Mobile |
Location
Configures policies related to location services and data.

| Policy | Description | Supported system |
|---|---|---|
| Location | Controls location services on the device. | Windows 10 and higher, Windows 10 Mobile |
Phone
Allows overseas data roaming.

| Policy | Description | Supported system |
|---|---|---|
| Data connection during roaming | Allows overseas data roaming. | Windows 10 and higher, Windows 10 Mobile |
Administrative Templates
Allows you to define administrative templates to set Group Policy settings.

| Policy | Description | Supported system |
|---|---|---|
| List | Set the Windows Group Policies. | Windows 10 and higher, Windows 10 Mobile |
ETC
Allows deleting provisioning package (PPKG) files or MDM profiles while using them.

| Policy | Description | Supported system |
|---|---|---|
| Delete PPKG | Allows users to delete provisioning package (PPKG) files while using them. | Windows 10 and higher, Windows 10 Mobile |
| MDM Client Unenrollment | Allows users to delete MDM profiles while using them. | Windows 10 and higher, Windows 10 Mobile |
Kiosk
Configures policies related to Windows kiosks. Setting these policies defines either a single-app or multi-app kiosk. When the profile is applied, the next time the device restarts it begins the provisioning process of becoming a kiosk. For more comprehensive information about how to set these policies and how they interact with kiosk technology on Windows 10/11, see Set up a Windows kiosk.

| Policy | Description | Supported system |
|---|---|---|
| Configuration ID | The unique kiosk identifier of the Knox Manage profile. This value is immutable and assigned when the profile is created. | Windows 10 and higher |
| Kiosk App Settings | Specifies the kiosk type. If this value is unset, the device isn't slated to become a kiosk. | |
| > Running App Type | Specifies the core experience of the single-app kiosk. Only available if the Kiosk App Settings policy is set to Single App. | Windows 10 and higher |
| >> Microsoft Edge Browser Settings | Configures Microsoft Edge for single-app kiosk mode. Only available if the Running App Type policy is set to Microsoft Edge Browser. Click Configure to assign the settings. For a breakdown of the settings, see Set up a Windows kiosk. | Windows 10 and higher |
| >> Kiosk Browser Settings | Configures Microsoft Edge for single-app kiosk mode. Only available if the Running App Type policy is set to Kiosk Browser. Click Configure to assign the settings. For a breakdown of the settings, see Set up a Windows kiosk. | Windows 10 and higher |
| >> App Name | Specifies the Microsoft Store app for single-app kiosk mode. Only available if the Running App Type policy is set to Store App. Click Add to specify an app that the kiosk runs. Consult the detailed requirements of this app type and make the necessary arrangements so that the chosen app can deploy without issues. | Windows 10 and higher |
| > App List | Specifies the list of Microsoft Store apps for multi-app kiosk mode. Only available if the Kiosk App Settings policy is set to Multi Apps. Click Add to configure an app that the kiosk runs. See Set up a Windows kiosk for configuration details. | Windows 10 and higher |
| > Alternative Start Layout | Specifies whether to apply a custom Start layout for the interface of the multi-app kiosk. Only available if the Kiosk App Settings policy is set to Multi Apps. If this value is unset, the layout follows the app order and tile sizes gathered from the App List policy. | Windows 10 and higher |
| >> Layout Configuration | Defines the custom Start layout for the multi-app kiosk. Windows Start layout formatting is detailed in Customize and export Start layout in the Microsoft configuration docs. Only available if the Alternative Start Layout policy is set to Apply. Click Configure, paste the XML code of a layout into the dialog, then click Save. | Windows 10 and higher |
| > Windows Task Bar | Enables the task bar on the desktop for multi-app kiosk mode. Only available if the Kiosk App Settings policy is set to Multi Apps. | Windows 10 and higher |
| > Access to Downloads Folder | Allows the device user to read and write files in the Downloads directory of the user account on the multi-app kiosk. Only available if the Kiosk App Settings policy is set to Multi Apps. | Windows 10 and higher |
Wi-Fi
Configures the Wi-Fi settings, such as SSID, security type, and proxy.
Click the add button to add a configuration. You can add or edit up to 20 configurations when you save the profile.

| Policy | Description | Supported system |
|---|---|---|
| Configuration ID | Assign a unique ID for each Wi-Fi setting. | Windows 10 and higher, Windows 10 Mobile |
| Description | Enter a description for each Wi-Fi setting. | |
| Network Name (SSID) | Enter the identifier of the wireless router to connect to. You can also click Lookup to open the reference items list and select an item from it; the reference value is entered automatically. | Windows 10 and higher, Windows 10 Mobile |
| Security type | Specifies the access protocol used. | Windows 10 and higher, Windows 10 Mobile |
| > Open | Allows a Wi-Fi connection without a password. | Windows 10 and higher, Windows 10 Mobile |
| > WEP | Set a password in the Password field. | Windows 10 and higher, Windows 10 Mobile |
| > WPA2 Personal | Set a password in the Password field. | Windows 10 and higher, Windows 10 Mobile |
| > EAP | Enter an EAP XML configuration. The EAP XML tab is enabled only when EAP is selected as the Security type. | Windows 10 and higher, Windows 10 Mobile |
| Auto connection | Check to connect to the Wi-Fi network automatically. | Windows 10 and higher, Windows 10 Mobile |
| Hide Network | Check the check box to hide the network from the list of available networks on the device. The SSID is not broadcast. | Windows 10 and higher, Windows 10 Mobile |
| Proxy Server and Port | Enter the IP address and the port number of the proxy server. | Windows 10 and higher, Windows 10 Mobile |
Exchange
Configures the settings of a Microsoft Exchange ActiveSync account to synchronize data with it.
You can add more Exchange policy sets by clicking the add button.

| Policy | Description | Supported system |
|---|---|---|
| Configuration ID | Assign a unique ID for each Exchange setting. | Windows 10 and higher, Windows 10 Mobile |
| Description | Enter a description for each Exchange setting. | Windows 10 and higher, Windows 10 Mobile |
| User information input method | Select an input method for entering user information. | Windows 10 and higher, Windows 10 Mobile |
| > Manual Input | Select to manually enter the email address, account ID, and password of a user. You can also click Lookup to open the reference items list and select an item from it; the reference value is entered automatically. | Windows 10 and higher, Windows 10 Mobile |
| > Connector interworking | Select to choose a connector from the User Information Connector list. All the connectors are listed in Advanced > System Integration > Directory Connector. The email account that is registered is the one registered in the connected directory's information. | Windows 10 and higher, Windows 10 Mobile |
| > User Information | Select to access the Exchange server using the registered Knox Manage email and ID. The password must be entered on the user's device. | Windows 10 and higher, Windows 10 Mobile |
| Domain | Enter a domain address for the Exchange server. You can also click Lookup to open the reference items list and select an item from it; the reference value is entered automatically. | Windows 10 and higher, Windows 10 Mobile |
| Server Name | Assign an Exchange server name. | Windows 10 and higher, Windows 10 Mobile |
| Diagnostic Logging | Select a configuration level for diagnostic logging. | Windows 10 and higher, Windows 10 Mobile |
| Sync Schedule | Select the interval at which incoming emails are synced. | Windows 10 and higher, Windows 10 Mobile |
| Sync measure for the early data | Select how far back past emails are synced. | Windows 10 and higher, Windows 10 Mobile |
| Sync calendar | Syncs calendar schedules from the server to the device. | Windows 10 and higher, Windows 10 Mobile |
| Sync contacts | Syncs contact information from the Exchange phone book to the device. | Windows 10 and higher, Windows 10 Mobile |
| Sync Email | Syncs emails from Exchange to the device. | Windows 10 and higher, Windows 10 Mobile |
| Sync task | Syncs tasks from Exchange to the device. | Windows 10 and higher, Windows 10 Mobile |
| SSL | Set to use SSL for email encryption. | Windows 10 and higher, Windows 10 Mobile |
VPN
Configures VPNs (Virtual Private Network) on Windows devices.
You can add more VPN policy sets by clicking the add button.

| Policy | Description | Supported system |
|---|---|---|
| Configuration ID | Assign a unique ID for the VPN setting. | Windows 10 and higher, Windows 10 Mobile |
| Description | Enter a description for the VPN setting. | Windows 10 and higher, Windows 10 Mobile |
| VPN vendor name | Select a VPN vendor from the list. | Windows 10 and higher, Windows 10 Mobile |
| Server address | Enter the IP address, host name, or URL of the VPN server that the device needs to access. | Windows 10 and higher, Windows 10 Mobile |
| Customer Configuration | Enter the VPN vendor-specific settings in XML format and click Save. | Windows 10 and higher, Windows 10 Mobile |
| Remember Credentials | Check to remember the VPN credentials. | Windows 10 and higher, Windows 10 Mobile |
| Always On | Check to use always-on mode. | Windows 10 and higher, Windows 10 Mobile |
| Lock Down | Check to use lockdown mode. | Windows 10 and higher, Windows 10 Mobile |
| DNS Suffix | Enter a DNS suffix. | Windows 10 and higher, Windows 10 Mobile |
| Trusted Network | Enter the IP address, host name, or URL of the trusted network. | Windows 10 and higher, Windows 10 Mobile |
| Proxy Settings | Select the setting for the proxy server. | Windows 10 and higher, Windows 10 Mobile |
Certificate
Configures the Knox Manage agent Root, user certificates, and server certificates for use on the device.
You can add more certificate policy sets by clicking the add button.

| Policy | Description | Supported system |
|---|---|---|
| Configuration ID | Assign a unique ID for each certificate setting. | Windows 10 and higher, Windows 10 Mobile |
| Description | Enter a description for each certificate setting. | Windows 10 and higher, Windows 10 Mobile |
| Certificate category | Select a certificate category. | Windows 10 and higher, Windows 10 Mobile |
AppLocker
Configures the AppLocker settings.
AppLocker is a built-in Windows 10 feature that you can use to control a variety of executable file formats, such as exe, Windows Installers, Scripts, Packaged apps, and DLL. For more information, see The Microsoft AppLocker Guide. Before you can change AppLocker settings, you must set up AppLocker.

| Policy | Description | Supported system |
|---|---|---|
| Configuration ID | Assign a unique ID for each AppLocker setting. | Windows 10 and higher, Windows 10 Mobile |
| Description | Enter a description for each AppLocker setting. | Windows 10 and higher, Windows 10 Mobile |
| Executable Rules | | Windows 10 and higher, Windows 10 Mobile |
| Windows Installer Rules | | Windows 10 and higher, Windows 10 Mobile |
| Script Rules | | Windows 10 and higher, Windows 10 Mobile |
| Packaged App Rules | | Windows 10 and higher, Windows 10 Mobile |
| DLL Rules | | Windows 10 and higher, Windows 10 Mobile |
Set up AppLocker
Before device users can use AppLocker on their managed device, they need to complete the following steps:

- Create XML rules using the AppLocker wizard as follows:
  - On your Windows 10 device, start Group Policy Editor.
  - Go to Computer Configuration\Windows Settings\Security Settings\Application Control Policies\AppLocker, right-click and select Properties, then enable the rule collections you need to control in your enterprise and select Enforce rules. Doing so turns on AppLocker rules.
  - Click OK.
  - On the screen that opens, right-click and click Create Default Rules, and then follow the onscreen instructions in the AppLocker wizard to configure your rules. For example, you can create an XML rule to restrict the use of a screen capture tool.
- Export the newly created XML rules to your local drive.
- Go to the Knox Manage console, then copy and paste the XML rules into your Knox Manage profile, under the AppLocker menu.
- Deploy the newly created profile to your managed Windows 10 devices.
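The procedure above exports the rules through the Group Policy Editor. The following PowerShell script is an added example, not Knox Manage's own code and not part of the original page: it exports the same local AppLocker policy with Windows' built-in AppLocker module, summarizes which rule collections the export contains, and dry-runs the policy against sample executables with Test-AppLockerPolicy before the XML is pasted into the Knox Manage profile. The output path and the probe file list are assumptions; replace them with the files your rules are meant to cover.

```powershell
# Added example, not Knox Manage's own code. Run in an elevated PowerShell
# session on the Windows 10 device where the rules were created in Group
# Policy Editor. $ExportPath and $ProbePaths are placeholders.

Import-Module AppLocker

$ExportPath = Join-Path $env:TEMP 'applocker-rules.xml'   # placeholder output file

# Export the local AppLocker policy as XML. This is the document you paste
# into the AppLocker menu of the Knox Manage profile.
Get-AppLockerPolicy -Local -Xml | Out-File -FilePath $ExportPath -Encoding utf8

# Summarize the export: one RuleCollection per file type (Exe, Msi, Script,
# Appx, Dll) with its enforcement mode and rule count. Confirm that every
# collection you intend to enforce actually carries the rules you expect.
[xml]$policy = Get-Content -Path $ExportPath -Raw
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $ruleCount = @($collection.ChildNodes | Where-Object { $_.NodeType -eq 'Element' }).Count
    '{0,-8} {1,-14} {2} rule(s)' -f $collection.Type, $collection.EnforcementMode, $ruleCount
}

# Dry-run the exported policy against sample files. PolicyDecision is one of
# Allowed, Denied, AllowedByDefault or DeniedByDefault. Nothing is enforced
# by this cmdlet, so it is safe to run on an administrator's workstation
# before the profile reaches managed devices.
$ProbePaths = @(
    "$env:SystemRoot\System32\notepad.exe",   # expected to be allowed by the default rules
    "$env:SystemRoot\System32\cmd.exe"        # placeholder; add the tool your rules restrict
)
Test-AppLockerPolicy -XmlPolicy $ExportPath -Path $ProbePaths -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize
```

Running the dry-run with `-User` set to a standard user account as well as `Everyone` shows whether a rule that was meant for one group also reaches administrators, which is the usual cause of a profile that locks out the people who deployed it.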
Proxy
When a proxy is used, the order of operation for the different connection types is Auto Detect > Setup Script > Proxy Server.

| Policy | Description | Supported system |
|---|---|---|
| Configuration ID | Enter a unique identifier for the configuration. | Windows 10 and higher |
| Description | Enter a description for each configuration. | Windows 10 and higher |
| Auto Detect | Allows devices to automatically detect and connect to a proxy server. | Windows 10 and higher |
| Setup Script | Enables proxy setup using a Proxy Auto-Configuration (PAC) file, which contains the script for configuring network connections. | Windows 10 and higher |
| Setup Script Address | Enter the URL of the PAC file to use for configuring network connections. | Windows 10 and higher |
| Proxy Server | Enables a proxy server on the device network. | Windows 10 and higher |
| > Proxy Server Address | Enter the address (an IP address or domain server URL) of your proxy server. | Windows 10 and higher |
| > Exceptions | Enter the addresses (IP addresses or domain server URLs) that must not use the proxy server. | Windows 10 and higher |
| > Proxy for Local Addresses | Enter the local network IP addresses that must use the proxy server. | Windows 10 and higher |
Windows Hello

| Policy | Description | Supported system |
|---|---|---|
| Configuration ID | Enter a unique identifier for the configuration. | Windows 10 and higher |
| Description | Enter a description for each configuration. | Windows 10 and higher |
| Biometrics | Allows the use of biometrics for device access. | Windows 10 and higher |
| Trusted Platform Module | Allows the use of the Trusted Platform Module chip on the device. | Windows 10 and higher |
| Minimum PIN length | Enter the minimum number of characters that must be entered for a PIN. | Windows 10 and higher |
| Maximum PIN length | Enter the maximum number of characters that can be entered for a PIN. | Windows 10 and higher |
| Digits | Specifies the use of numerical digits in the PIN. | Windows 10 and higher |
| Uppercase Letters | Specifies the use of uppercase letters in the PIN. | Windows 10 and higher |
| Lowercase Letters | Specifies the use of lowercase letters in the PIN. | Windows 10 and higher |
| Special Letters | Specifies the use of special characters in the PIN. | Windows 10 and higher |
Update

| Policy | Description | Supported system |
|---|---|---|
| Configuration ID | Enter a unique identifier for the update setting. | Windows 10 and higher |
| Description | Enter a description for the update setting. | Windows 10 and higher |
| Microsoft Product Updates | Specifies whether updates from Microsoft are applied. | Windows 10 and higher |
| Exclude Windows Drivers | Specifies whether Windows drivers are updated. | Windows 10 and higher |
| Quality Update Deferral Period (days) | Specify the number of days after which quality updates must be applied. Updates can be deferred or paused for a certain period of time to control when quality and feature updates are applied. | Windows 10 and higher |
| Feature Update Deferral Period (days) | Specify the number of days after which feature updates must be applied. | Windows 10 and higher |
| Pause Quality Updates Start Date | Specify the start date for pausing quality updates. | Windows 10 and higher |
| Pause Feature Updates Start Date | Specify the start date for pausing feature updates. | Windows 10 and higher |
| Set Feature Updates Uninstall Period | Specify the time period within which an older version of the feature update can be recovered. | Windows 10 and higher |
| Update Branch | Specify the channel from which to receive feature updates. You can set branch readiness level options for prerelease and release updates. | Windows 10 and higher |
| Product Version | Specify the Windows OS version. | Windows 10 and higher |
| Target Release Version | Specify the version number of the update to install. | Windows 10 and higher |
| Automatic Update Behavior | Set the active hours during which Windows updates are not installed. | Windows 10 and higher |
| Deadline Setting | Specify a deadline for the system reboot after OS updates are installed. | Windows 10 and higher |
| Option to Pause Windows Updates | Specify whether Windows updates can be paused temporarily. | Windows 10 and higher |
| Option to Check for Windows Updates | Specify whether the Check for updates button is enabled. | Windows 10 and higher |
| Download Updates Through Cellular Data | Specify whether cellular data can be used to download updates. | Windows 10 and higher |
| Change Notification Update Level | Specifies the display settings for update notifications. | Windows 10 and higher |
Custom

| Policy | Description | Supported system |
|---|---|---|
| Configuration ID | Enter a unique identifier for the configuration. | Windows 10 and higher |
| Description | Enter a description for each configuration. | Windows 10 and higher |
| OMA-URI List | Create custom settings for the profile using Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings. | Windows 10 and higher |
| Atomic Command | Enables the Atomic command, which rolls back all settings if any Synchronization Markup Language (SyncML) setting fails. In other words, all settings must be successful in order to be applied. | Windows 10 and higher |
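As an added illustration of the Atomic command described above (example code, not Knox Manage's own and not part of the original page), the following PowerShell function builds a SyncML body in which several OMA-URI Replace commands are wrapped in one Atomic element, so the MDM client applies all of them or rolls all of them back. The two OMA-URIs in the usage are nodes from the Windows Policy CSP used here as sample settings; the command IDs are assigned locally and the function name is this example's own.

```powershell
# Added example, not Knox Manage's own code: build a SyncML document whose
# Replace commands sit inside a single <Atomic> element, which is the
# structure the Atomic Command policy relies on (all-or-nothing apply).
# The OMA-URIs in the usage are sample Policy CSP nodes; command IDs are
# assigned here, not by the MDM server.

function New-AtomicSyncML {
    param(
        # Ordered map of OMA-URI -> value. Integers are sent as int, everything else as chr.
        [Parameter(Mandatory)]
        [System.Collections.IDictionary] $Settings
    )

    $sb = [System.Text.StringBuilder]::new()
    $writerSettings = [System.Xml.XmlWriterSettings]::new()
    $writerSettings.Indent = $true
    $writerSettings.OmitXmlDeclaration = $true
    $xw = [System.Xml.XmlWriter]::Create($sb, $writerSettings)

    $cmdId = 1
    $xw.WriteStartElement('SyncML', 'SYNCML:SYNCML1.2')   # default namespace for the whole body
    $xw.WriteStartElement('SyncBody')
    $xw.WriteStartElement('Atomic')
    $xw.WriteElementString('CmdID', [string]$cmdId); $cmdId++

    foreach ($uri in $Settings.Keys) {
        $value  = $Settings[$uri]
        $format = if ($value -is [int]) { 'int' } else { 'chr' }

        $xw.WriteStartElement('Replace')
        $xw.WriteElementString('CmdID', [string]$cmdId); $cmdId++
        $xw.WriteStartElement('Item')
        $xw.WriteStartElement('Target')
        $xw.WriteElementString('LocURI', $uri)
        $xw.WriteEndElement()                                # Target
        $xw.WriteStartElement('Meta')
        $xw.WriteStartElement('Format', 'syncml:metinf')    # Format lives in the metinf namespace
        $xw.WriteString($format)
        $xw.WriteEndElement()                                # Format
        $xw.WriteEndElement()                                # Meta
        $xw.WriteElementString('Data', [string]$value)
        $xw.WriteEndElement()                                # Item
        $xw.WriteEndElement()                                # Replace
    }

    $xw.WriteEndElement()                                    # Atomic
    $xw.WriteStartElement('Final'); $xw.WriteEndElement()   # <Final/> closes the message
    $xw.WriteEndElement()                                    # SyncBody
    $xw.WriteEndElement()                                    # SyncML
    $xw.Flush(); $xw.Dispose()
    return $sb.ToString()
}

# Usage: two sample Policy CSP settings that must succeed or fail together.
$settings = [ordered]@{
    './Device/Vendor/MSFT/Policy/Config/Camera/AllowCamera'   = 0
    './Device/Vendor/MSFT/Policy/Config/System/AllowLocation' = 0
}
$syncml = New-AtomicSyncML -Settings $settings

# Round-trip through the XML parser to confirm the document is well-formed and
# that no Replace sits outside Atomic (a command outside the wrapper would be
# applied on its own and would not be rolled back with the others).
[xml]$parsed = $syncml
$outsideAtomic = @($parsed.SyncML.SyncBody.ChildNodes | Where-Object { $_.LocalName -eq 'Replace' }).Count
if ($outsideAtomic -ne 0) { throw 'Replace commands found outside <Atomic>' }
$syncml
```

The check at the end is the property the Atomic policy gives you: if the client cannot apply the camera setting, the location setting is rolled back as well, rather than leaving the device half-configured.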