Skip Navigation

Windows
: Compliance profile settings

See Common: Compliance profile settings for descriptions of the enforcement actions that
BlackBerry UEM
can take if a device violates a compliance rule.
Compliance profile setting
Description
Required app is not installed
This setting creates a compliance rule to ensure that devices have required apps installed. Internal app dispositions can't be monitored.
Restricted OS version is installed
This setting creates a compliance rule to ensure that devices do not have a restricted OS version installed. You can select the restricted OS versions.
Restricted device model detected
This setting creates a compliance rule to restrict device models. You can select the device models that are allowed or restricted.
Device out of contact
This setting creates a compliance rule to ensure that devices are not out of contact with
UEM
for more than a specified amount of time.
BlackBerry Dynamics
library version verification
This setting creates a compliance rule that allows you to select the
BlackBerry Dynamics
library versions that cannot be activated. You can select the blocked library versions.
BlackBerry Dynamics
connectivity verification
This setting creates a compliance rule to ensure that
BlackBerry Dynamics
apps are not out of contact with
UEM
for more than a specified amount of time. The enforcement action is applied to
BlackBerry Dynamics
apps.
Antivirus signature
This setting creates a compliance rule to ensure that devices have an antivirus signature enabled.
Antivirus status
This setting creates a compliance rule to ensure that devices have antivirus software enabled. You can select the vendors that are allowed.
Firewall status
This setting creates a compliance rule to ensure that devices have a firewall enabled.
Encryption status
This setting creates a compliance rule to ensure that devices require encryption.
Windows update status
This setting creates a compliance rule to ensure that devices allow
UEM
to install
Windows
OS updates or notify users of required updates.
Restricted app is installed
This setting creates a compliance rule to ensure that devices do not have restricted apps installed. To restrict apps, see Add an app to the restricted app list.
Windows device health attestation
Grace period expired
This setting creates a compliance rule to specify actions that occur if the attestation grace period has expired.
Attestation Identity Key not present
This setting creates a compliance rule to specify actions that occur if an AIK is not present on the device.
Data Execution Prevention Policy is disabled
This setting creates a compliance rule to specify actions that occur if the DEP policy is disabled on the device.
BitLocker is disabled
This setting creates a compliance rule to specify actions that occur if BitLocker is disabled on the device.
Secure Boot is disabled
This setting creates a compliance rule to specify actions that occur if Secure Boot is disabled on the device.
Code integrity is disabled
This setting creates a compliance rule to specify actions that occur if the code integrity feature is disabled on the device.
Device is in safe mode
This setting creates a compliance rule to specify actions that occur if the device is in safe mode.
Device is in Windows preinstallation environment
This setting creates a compliance rule to specify actions that occur if the device is in the
Windows
preinstallation environment.
Early launch antimalware driver is not loaded
This setting creates a compliance rule to specify actions that occur if the early launch antimalware driver is not loaded.
Virtual Secure Mode is disabled
This setting creates a compliance rule to specify actions that occur if Virtual Secure Mode is disabled.
Boot debugging is enabled
This setting creates a compliance rule to specify actions that occur if boot debugging is enabled.
OS kernel debugging is enabled
This setting creates a compliance rule to specify actions that occur if OS kernel debugging is enabled.
Test signing is enabled
This setting creates a compliance rule to specify actions that occur if test signing is enabled.
Boot manager revision list is not the expected version
This setting creates a compliance rule to specify actions that occur if the boot manager revision list is not the expected version. You specify the expected version.
Code Integrity revision list is not the expected version
This setting creates a compliance rule to specify actions that occur if the code integrity revision list is not the expected version. You specify the expected version.
Code Integrity policy hash is present and is not an allowed value
This setting creates a compliance rule to specify actions that occur if the code integrity policy hash is present and is not an allowed value. You specify the allowed values.
Custom Secure Boot configuration policy hash is present and is not an allowed value
This setting creates a compliance rule to specify actions that occur if the Custom Secure Boot configuration policy hash is present and is not an allowed value. You specify the allowed values.
PCR value is not an allowed value
This setting creates a compliance rule to specify actions that occur if the PCR value is not an allowed value. You specify the allowed values.