
Windows policies

This section describes the policies you can configure for Windows devices.

The availability of each policy varies depending on the OS version.

System

Allows the use of features such as factory reset, camera, screen capture and VPN.

Policy Description Supported system
Factory reset Allows a device factory reset.

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Camera Allows using the camera.

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Screen Capture Allows using the screen capture function. Windows 10 Mobile
VPN Allows modifications to the VPN settings.

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Sign In Options

Allows the device user to modify the Sign-in options in the device's account settings. These options include the available authentication methods, dynamic lock, and whether to display account details on the sign-in screen.

Values

  • Allow (default) — The device user can modify the Sign-in options.
  • Disallow — The device user can't modify the Sign-in options.

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Date and Time

Allows the device user to change the Date & time settings.

Values

  • Allow (default)
  • Disallow

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Language

Allows the device user to change the Language settings.

Values

  • Allow (default)
  • Disallow

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Power and Sleep

Allows the device user to change the Power & sleep settings.

Values

  • Allow (default)
  • Disallow

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Region

Allows the device user to change the Region settings.

Values

  • Allow (default)
  • Disallow

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Workplace

Allows the device user to change the Workplace settings, also known as the Access work or school settings, and change EMM account credentials on the device.

Values

  • Allow (default)
  • Disallow

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Account

Allows the device user to change the account settings, including adding and removing other users.

Values

  • Allow (default)
  • Disallow

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Windows Sync

Allows the device user to sync their Windows settings across devices.

Values

  • Allow (default)
  • Disallow

Windows Tips

Allows the device user to use Windows Tips.

Values

  • Allow (default)
  • Disallow

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Interface

Controls the network settings, such as Bluetooth, Wi-Fi tethering, and NFC.

Policy Description Supported system
Wi-Fi Allows the use of Wi-Fi.

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

> Wi-Fi Tethering Allows tethering the Wi-Fi connection.

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Bluetooth Allows the use of Bluetooth.

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Bluetooth Advertisement

Enables broadcasting the device's presence over Bluetooth.

Values

  • Allow (default)
  • Disallow

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

> Search Mode Allows using device search via Bluetooth.

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

NFC Allows the use of NFC (Near Field Communication). Windows 10 Mobile
USB Allows USB tethering connections. Windows 10 Mobile
Removable Storage Allows or blocks the usage of removable storage devices. Default: Allow.

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Cortana

Allows the device user to access Cortana features. This policy doesn't affect text search.

Values

  • Allow (default)
  • Disallow

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

IME Logging

Allows the device user to turn on history for Windows IME (input method editor), which builds a dataset for predictive character input.

Values

  • Allow (default)
  • Disallow

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

IME Network Access

Allows the device user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions for Windows IME that don't exist in the local dictionary.

Values

  • Allow (default)
  • Disallow

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Security

Configures the password settings.

Policy Description Supported system
Password policies

Set to apply the password policy when the screen is locked. The camera is disabled in screen lock mode.

NOTE — If you have enabled Samsung Knox Manage for a device with no password, certificates registered in the device will be deleted.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

> Maximum Failed Login Attempts

Set the maximum number of incorrect password attempts.

The value can be between 3 - 998 times.

NOTE — If you enter the wrong password more than the allowed number of times, a challenge phrase appears, and then the system begins the factory reset operation. A challenge phrase is a particular phrase that is presented to you to disable the autofill feature and protect your information. You need to enter the case-sensitive challenge phrase exactly.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

> Minimum length

Set the minimum length of the password.

The value can be between 4 - 16 words.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

> Maximum Screen lock grace period (Minutes)

Set an idle time before the screen lock is enabled.

The value can be between 0–999 minutes.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

> Expiration after (days)

Set the maximum number of days before the password must be reset.

The value can be between 0 - 730 days.

NOTE — Set the number to 0 for an indefinite period.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

> Retain history for

Set the number of times that you can reuse the password that you previously used, including the current password.

The value can be between 2 - 50 times.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Application

Allows using the Windows App Store and configuring options for application controls, such as installation and blocklist/allowlist.

Policy Description Supported system
Windows App store access control Allows access to the Windows App Store. Windows 10 Mobile
App Installation Block/Allowlist Set the Windows app policies based on the blocklist or the allowlist.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

> Preloaded App Automatic Addition Set to automatically add preloaded apps.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

> App Install/Run Allowlist

Add applications to allow their installation. Any applications not on the allowlist are deleted, even if previously installed.

  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click delete next to the added application.

NOTE — Knox Manage agent is automatically registered on the list.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

> App Install/Run Blocklist

Add applications to prohibit their installation. Blocked applications will be deleted even if they were previously installed.

  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click delete next to the added application.

NOTE — An application that was added on the App Install/Run Allowlist cannot be added.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Developer Unlock

Allows the device user to enable developer mode.

Values

  • Allow (default)
  • Disallow

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

DVR and Game Broadcasting

Allows the device user to capture video and audio with Xbox Game Bar.

This policy can only be enforced on Windows 10 Pro, Business, Enterprise, and Education editions.

Values

  • Allow (default)
  • Disallow

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Restrict App Data to System Volume

Forces all app data to be stored on the Windows storage volume.

Values

  • Allow (default)
  • Disallow

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

All Trusted Apps (Non-Microsoft Store Apps)

Allows apps from any source to be installed.

Values

  • Allow (default)
  • Disallow

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

App Store Auto Updates

Allows apps installed from the Microsoft Store to update automatically.

Values

  • Allow (default)
  • Disallow

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Share Data between Users

Forces apps to store their data in a shared directory that all user accounts can access.

When allowed, app data is stored in the SharedLocal directory, available through the Windows.Storage Namespace in the UWP API.

Values

  • Allow (default) — Enables shared app data.
  • Disallow — Disables shared app data. If this policy was previously set to Allow, any data in the SharedLocal directory is left as-is and remains shared.

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Location

Configures policies related to location services and data.

Policy Description Supported system
Location

Controls location services on the device.

Values

  • Force location off — Disables location services, and the device user can't change the setting.
  • Allow location service (default) — The device user chooses whether to enable location services.
  • Force location on — Enables location services, and the device user can't change the setting.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Phone

Allows overseas data roaming.

Policy Description Supported system
Data connection during roaming Allows overseas data roaming

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

ETC

Allows deleting provisioning package (PPKG) files or MDM profiles while using them.

Policy Description Supported system
Delete PPKG Allows users to delete provisioning package (PPKG) files while using them.

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

MDM Client Unenrollment Allows users to delete MDM profiles while using them.

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Kiosk

Configures policies related to Windows kiosks. Setting these policies defines either a single-app or multi-app kiosk. When the profile is applied, the next time the device restarts it begins the provisioning process of becoming a kiosk. For more comprehensive information about how to set these policies and how they interact with kiosk technology on Windows 10/11, see Set up a Windows kiosk.

Policy Description Supported system
Configuration ID The unique kiosk identifier of the Knox Manage profile. This value is immutable and assigned when the profile is created.

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Kiosk App Settings

Specifies the kiosk type.

Values

  • Single App — The device sets up as a single-app kiosk. Available for devices running Windows 10/11 Pro, Enterprise, Business, and Education.
  • Multi Apps — The device sets up as a multi-app kiosk. Available for devices running Windows 10 Pro, Enterprise, Business, and Education.

If this value is unset, then the device isn't slated to become a kiosk.

See policy values
> Running App Type

Specifies the core experience of the single-app kiosk. Only available if the Kiosk App Settings policy is set to Single App.

Values

  • Microsoft Edge Browser — The kiosk interface is Microsoft Edge. Requires Windows 10 version 1809 or higher.
  • Kiosk Browser — The kiosk interface is Microsoft's Kiosk Browser (not to be confused with Knox Manage Kiosk Browser).
  • Store App — The kiosk interface is an assigned app from the Microsoft Store.

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

>> Microsoft Edge Browser Settings

Configures Microsoft Edge for single-app kiosk mode. Only available if the Running App Type policy is set to Microsoft Edge Browser.

Values

Click Configure to assign the settings. For a breakdown of the settings, see Set up a Windows kiosk.

Windows 10*/11 Pro

Windows 10*/11 Business

Windows 10*/11 Enterprise

Windows 10*/11 Education

* Version 1809 or higher

>> Kiosk Browser Settings

Configures Microsoft Edge for single-app kiosk mode. Only available if the Running App Type policy is set to Kiosk Browser.

Values

Click Configure to assign the settings. For a breakdown of the settings, see Set up a Windows kiosk.

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

>> App Name

Specifies the Microsoft Store app for single-app kiosk mode. Only available if the Running App Type policy is set to Store App.

Values

Click Add to specify an app that the kiosk runs. Consult the detailed requirements of this app type and make the necessary arrangements so that the chosen app can deploy without issues.

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

> App List

Specifies the list of Microsoft Store apps for multi-app kiosk mode. Only available if the Kiosk App Settings policy is set to Multi Apps.

Values

Click Add to configure an app that the kiosk runs. See Set up Windows kiosks for configuration details.

Windows 10 Pro

Windows 10 Business

Windows 10 Enterprise

Windows 10 Education

> Alternative Start Layout

Specifies whether to apply a custom Start layout for the interface of the multi-app kiosk. Only available if the Kiosk App Settings policy is set to Multi Apps.

Values

If this value is unset, the layout follows the app order and tile sizes gathered from the App List policy.

Windows 10 Pro

Windows 10 Business

Windows 10 Enterprise

Windows 10 Education

>> Layout Configuration

Defines the custom Start layout for the multi-app kiosk. Windows Start layout formatting is detailed in Customize and export Start layout in the Microsoft configuration docs. Only available if the Alternative Start Layout policy is set to Apply.

Values

Click Configure, paste the XML code of a layout into the dialog, then click Save.

Windows 10 Pro

Windows 10 Business

Windows 10 Enterprise

Windows 10 Education

> Windows Task Bar

Enables the task bar on the desktop for multi-app kiosk mode. Only available if the Kiosk App Settings policy is set to Multi Apps.

Values

  • Show
  • Hide

Windows 10 Pro

Windows 10 Business

Windows 10 Enterprise

Windows 10 Education

> Access to Downloads Folder

Allows the device user to read and write files in the Downloads directory of the user account on the multi-app kiosk. Only available if the Kiosk App Settings policy is set to Multi Apps.

Values

  • Allow
  • Disallow (default)

Windows 10 Pro

Windows 10 Business

Windows 10 Enterprise

Windows 10 Education

Wi-Fi

Configures the Wi-Fi settings, such as SSID, security type, and proxy.

Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

Policy Description Supported system
Configuration ID Assign a unique ID for each Wi-Fi setting.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Description Enter a description for each Wi-Fi setting.
Network Name (SSID)

Enter the identifier of a wireless router to connect to.

You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Security type Specifies the access protocol used.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

> Open Allows a Wi-Fi connection without a password.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

> WEP Set a password in the Password field.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

> WPA2 Personal Set a password in the Password field.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

> EAP

Enter an EAP XML configuration code.

NOTE — The EAP XML tab is enabled only when EAP is selected for the Security type.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Auto connection Check to use an automatic Wi-Fi connection.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Hide Network Check the check box to hide the network from the list of available networks on the device. The SSID does not broadcast.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Proxy Server and Port Enter the IP address of a proxy server and the port number of the proxy server.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Exchange

Configures the settings of a Microsoft Exchange ActiveSync account to synchronize data with it.

You can add more Exchange policy sets by clicking add.

Policy Description Supported system
Configuration ID Assign a unique ID for each Exchange setting.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Description Enter a description for each Exchange setting.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

User information input method Select an input method for entering user information.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

> Manual Input

Select to manually enter the email address, account ID, and password of a user.

You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

> Connector interworking

Select to choose a connector from the User Information Connector list.

NOTE — All the connectors are listed in Advanced > System Integration > Directory Connector. The email account that is registered is the one registered in the connected directory's information.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

> User Information Select to access the Exchange server using the registered Knox Manage email and ID. The password must be entered from the user's device.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Domain

Enter a domain address for the Exchange server.

You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Server Name Assign an Exchange server name.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Diagnostic Logging

Select a configuration level for diagnostic logging.

  • Logging off — Does not leave a record in the Event Viewer log.
  • Basic logging — Configure the default diagnostic log information.
  • Advanced logging — Configure the diagnostic log information for the security-related events.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Sync Schedule Select the interval period to sync the incoming emails.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Sync measure for the early data Select the interval period to sync the past emails.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Sync calendar Syncs schedules on a calendar from a server to a device.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Sync contacts Syncs contact information in a phone book from an Exchange server to a device.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Sync Email Syncs emails from an Exchange server to a device.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Sync task Syncs tasks from an Exchange server to a device.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

SSL Set to use SSL for email encryption.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

VPN

Configures VPNs (Virtual Private Network) on Windows devices.

You can add more VPN policy sets by clicking add.

Policy Description Supported system
Configuration ID Assign a unique ID for the VPN setting.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Description Enter a description for the VPN setting.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

VPN vendor name

Select a VPN vendor from the following:

  • Pulse Secure
  • Check Point Capsule VPN
  • F5 Access
  • Palo Alto Networks GlobalProtect
  • SonicWall Mobile Connect

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Server address Enter the IP address, host name, or URL of the VPN server that the device needs to access.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Customer Configuration Enter the VPN vendor-specific settings in the XML format and click Save.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Remember Credentials Check to remember credentials.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Always On Check to use always on mode.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Lock Down Check to use lock down mode.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

DNS Suffix Enter a DNS Suffix.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Trusted Network Enter the IP address, host name, or URL.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Proxy Settings

Select the setting for the proxy server.

  • Manual — Enter the IP address of the proxy server.
  • Auto — Enter the Auto Config URL.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Certificate

Configures the Knox Manage agent Root, user certificates, and server certificates for use on the device.

You can add more certificate policy sets by clicking add.

Policy Description Supported system
Configuration ID Assign a unique ID for each certificate setting.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Description Enter a description for each certificate setting.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Certificate category

Select a certificate category.

  • Root — Select a certificate to use. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and Type set as Root will appear on the list.
  • User — Select a certificate to use. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Type set as User will appear on the list.
  • Server — Select a certificate to use. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Type set as Server will appear on the list.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

AppLocker

Configures the AppLocker settings.

AppLocker is a built-in Windows 10 app that you can use to control a variety of executable file formats, such as EXE files, Windows Installer files, scripts, packaged apps, and DLLs. For more information, see The Microsoft AppLocker Guide. Before you can change AppLocker settings, you must set up AppLocker.

Policy Description Supported system
Configuration ID Assign a unique ID for each AppLocker setting.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Description Enter a description for each AppLocker setting.

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Executable Rules

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Windows Installer Rules

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Script Rules

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Packaged App Rules

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

DLL Rules

Windows 10/11 Home

Windows 10/11 Pro

Windows 10/11 Business

Windows 10/11 Enterprise

Windows 10/11 Education

Windows 10 Mobile

Set up AppLocker

Before device users can use AppLocker on their managed device, they need to complete the following steps:

  1. Create XML rules using the AppLocker wizard as follows.
    1. On your Windows 10 device, start Group Policy Editor.
    2. Go to Computer Configuration\Windows Settings\Security Settings\Application Control Policies\AppLocker, right-click and select Properties, then enable the rules that you need to control in your enterprise and select Enforce rules. Doing so turns on AppLocker rules.
    3. Click OK.
    4. On the screen that opens, right-click and click Create Default Rules, and then follow the onscreen instructions in the AppLocker wizard to configure your rules. For example, the following image shows how to create an XML rule to restrict the use of a screen capture tool.

  2. Export the newly created XML rules to your local drive.

  3. In the KM console, copy and paste the XML rules into your Knox Manage profile, under the AppLocker menu.

  4. Deploy the newly created profile to your managed Windows 10 devices.
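
Before pasting an exported policy into the profile (steps 2 and 3), it helps to check what each rule collection will do once it reaches devices. The following Python script is an added example, not Samsung's or Microsoft's tooling: it parses an AppLocker XML export, maps each collection to the field names listed in the AppLocker table above, and flags collections that are audit-only, enforced with Deny rules but no Allow rule (for instance when Create Default Rules was skipped), or opened up by an allow-every-path rule for Everyone. The sample policy, its rule names, GUIDs and paths are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# AppLocker RuleCollection "Type" values mapped to the field names on this page.
FIELD_FOR_TYPE = {
    "Exe": "Executable Rules",
    "Msi": "Windows Installer Rules",
    "Script": "Script Rules",
    "Appx": "Packaged App Rules",
    "Dll": "DLL Rules",
}
RULE_TAGS = {"FilePublisherRule", "FilePathRule", "FileHashRule"}
EVERYONE_SID = "S-1-1-0"  # well-known SID for the Everyone group

# Constructed sample export: rule names, GUIDs and paths are illustrative only.
SAMPLE_EXPORT = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Allow Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="Allow Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000003" Name="Block screen capture tool"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\SnippingTool.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000004" Name="Block temp scripts"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Temp\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="AuditOnly">
    <FilePathRule Id="00000000-0000-0000-0000-000000000005" Name="Allow Windows Installer cache"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\Installer\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
</AppLockerPolicy>"""


def audit_export(xml_text):
    """Summarise each rule collection and flag settings worth a second look."""
    root = ET.fromstring(xml_text)
    if root.tag != "AppLockerPolicy":
        raise ValueError("root element is not AppLockerPolicy")
    report = []
    for coll in root.findall("RuleCollection"):
        ctype = coll.get("Type", "")
        mode = coll.get("EnforcementMode", "NotConfigured")
        rules = [r for r in coll if r.tag in RULE_TAGS]
        allow = [r for r in rules if r.get("Action") == "Allow"]
        deny = [r for r in rules if r.get("Action") == "Deny"]
        warnings = []
        if rules and mode == "AuditOnly":
            warnings.append("audit only: matches are logged, nothing is blocked")
        # Once a collection holds any rule, only explicitly allowed files run.
        if mode == "Enabled" and deny and not allow:
            warnings.append("enforced with no Allow rule: every file of this type is blocked")
        for rule in allow:
            paths = [c.get("Path") for c in rule.findall("Conditions/FilePathCondition")]
            if rule.get("UserOrGroupSid") == EVERYONE_SID and "*" in paths:
                warnings.append(f"'{rule.get('Name')}' allows every path for Everyone")
        report.append({
            "type": ctype,
            "field": FIELD_FOR_TYPE.get(ctype, "(no matching field)"),
            "mode": mode,
            "allow": [r.get("Name") for r in allow],
            "deny": [r.get("Name") for r in deny],
            "warnings": warnings,
        })
    return report


if __name__ == "__main__":
    for row in audit_export(SAMPLE_EXPORT):
        print(f"{row['field']:<24} {row['mode']:<13} "
              f"allow={len(row['allow'])} deny={len(row['deny'])}")
        for warning in row["warnings"]:
            print("   !", warning)
```

To check a real export, read the file saved in step 2 and pass its text to audit_export in place of SAMPLE_EXPORT.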