Windows: Security and privacy rules
| Name | Description | Activation types | Default | Possible values |
|---|---|---|---|---|
| Send activation data to Microsoft | Specify whether the device can send data about its activation state to Microsoft. This rule applies to Windows 10 computers and tablets and to smartphones running Windows 10 Mobile Enterprise. Minimum OS version: 10.0.14393. | MDM controls | Disabled | |
| Allow device to accept pairing and privacy consent prompts | Specify whether the device can automatically accept pairing and privacy consent prompts when launching apps. If this rule is not selected, the user must accept the prompts manually. Minimum OS version: 10.0.14393. | MDM controls | Disabled | |
| Allow projection to device | Specify whether the device is discoverable by other devices that want to project to it. This rule does not apply to Windows 10 smartphones. Minimum OS version: 10.0.14393. | MDM controls | Allow | |
| Require PIN for pairing | Specify whether a PIN is required when pairing with other devices. This rule does not apply to Windows 10 smartphones. Minimum OS version: 10.0.14393. | MDM controls | Not required | |
| Enable Microsoft advertising ID | Specify whether the Microsoft advertising ID is enabled on the device. Minimum OS version: 10.0.14393. | MDM controls | 65535 | |
| Default app access to account information | Specify whether apps can access account information by default. "User controlled": the user chooses whether to allow access. "Allow": apps can access account information. "Disallow": apps can't access account information. Minimum OS version: 10.0.14393. | MDM controls | User controlled | User controlled; Allow; Disallow |
| Apps allowed access to account information | Specify the list of apps that are always allowed to access account information, as package family names separated by semicolons (;). Apps listed here override the "Default app access to account information" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| Apps denied access to account information | Specify the list of apps that are never allowed to access account information, as package family names separated by semicolons (;). Apps listed here override the "Default app access to account information" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| App access to account information controlled by user | Specify the list of apps for which the user decides whether to allow access to account information, as package family names separated by semicolons (;). Apps listed here override the "Default app access to account information" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| Default app access to calendar | Specify whether apps can access the calendar by default. "User controlled": the user chooses whether to allow access. "Allow": apps can access the calendar. "Disallow": apps can't access the calendar. Minimum OS version: 10.0.14393. | MDM controls | User controlled | User controlled; Allow; Disallow |
| Apps allowed access to calendar | Specify the list of apps that are always allowed to access the calendar, as package family names separated by semicolons (;). Apps listed here override the "Default app access to calendar" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| Apps denied access to calendar | Specify the list of apps that are never allowed to access the calendar, as package family names separated by semicolons (;). Apps listed here override the "Default app access to calendar" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| App access to calendar controlled by user | Specify the list of apps for which the user decides whether to allow access to the calendar, as package family names separated by semicolons (;). Apps listed here override the "Default app access to calendar" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| Default app access to call history | Specify whether apps can access the call history by default. "User controlled": the user chooses whether to allow access. "Allow": apps can access the call history. "Disallow": apps can't access the call history. Minimum OS version: 10.0.14393. | MDM controls | User controlled | User controlled; Allow; Disallow |
| Apps allowed access to call history | Specify the list of apps that are always allowed to access the call history, as package family names separated by semicolons (;). Apps listed here override the "Default app access to call history" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| Apps denied access to call history | Specify the list of apps that are never allowed to access the call history, as package family names separated by semicolons (;). Apps listed here override the "Default app access to call history" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| App access to call history controlled by user | Specify the list of apps for which the user decides whether to allow access to the call history, as package family names separated by semicolons (;). Apps listed here override the "Default app access to call history" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| Default app access to camera | Specify whether apps can access the camera by default. "User controlled": the user chooses whether to allow access. "Allow": apps can access the camera. "Disallow": apps can't access the camera. Minimum OS version: 10.0.14393. | MDM controls | User controlled | User controlled; Allow; Disallow |
| Apps allowed access to camera | Specify the list of apps that are always allowed to access the camera, as package family names separated by semicolons (;). Apps listed here override the "Default app access to camera" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| Apps denied access to camera | Specify the list of apps that are never allowed to access the camera, as package family names separated by semicolons (;). Apps listed here override the "Default app access to camera" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| App access to camera controlled by user | Specify the list of apps for which the user decides whether to allow access to the camera, as package family names separated by semicolons (;). Apps listed here override the "Default app access to camera" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| Default app access to contacts | Specify whether apps can access contacts by default. "User controlled": the user chooses whether to allow access. "Allow": apps can access contacts. "Disallow": apps can't access contacts. Minimum OS version: 10.0.14393. | MDM controls | User controlled | User controlled; Allow; Disallow |
| Apps allowed access to contacts | Specify the list of apps that are always allowed to access contacts, as package family names separated by semicolons (;). Apps listed here override the "Default app access to contacts" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| Apps denied access to contacts | Specify the list of apps that are never allowed to access contacts, as package family names separated by semicolons (;). Apps listed here override the "Default app access to contacts" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| App access to contacts controlled by user | Specify the list of apps for which the user decides whether to allow access to contacts, as package family names separated by semicolons (;). Apps listed here override the "Default app access to contacts" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| Default app access to email | Specify whether apps can access email on the device by default. "User controlled": the user chooses whether to allow access. "Allow": apps can access email. "Disallow": apps can't access email. Minimum OS version: 10.0.14393. | MDM controls | User controlled | User controlled; Allow; Disallow |
| Apps allowed access to email | Specify the list of apps that are always allowed to access email, as package family names separated by semicolons (;). Apps listed here override the "Default app access to email" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| Apps denied access to email | Specify the list of apps that are never allowed to access email, as package family names separated by semicolons (;). Apps listed here override the "Default app access to email" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| App access to email controlled by user | Specify the list of apps for which the user decides whether to allow access to email, as package family names separated by semicolons (;). Apps listed here override the "Default app access to email" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| Default app access to location services | Specify whether apps can access location services by default. "User controlled": the user chooses whether to allow access. "Allow": apps can access location services. "Disallow": apps can't access location services. Minimum OS version: 10.0.14393. | MDM controls | User controlled | User controlled; Allow; Disallow |
| Apps allowed access to location services | Specify the list of apps that are always allowed to access location services, as package family names separated by semicolons (;). Apps listed here override the "Default app access to location services" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| Apps denied access to location services | Specify the list of apps that are never allowed to access location services, as package family names separated by semicolons (;). Apps listed here override the "Default app access to location services" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| App access to location services controlled by user | Specify the list of apps for which the user decides whether to allow access to location services, as package family names separated by semicolons (;). Apps listed here override the "Default app access to location services" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| Default app access to messaging | Specify whether apps can access SMS and MMS messaging by default. "User controlled": the user chooses whether to allow access. "Allow": apps can access messaging. "Disallow": apps can't access messaging. Minimum OS version: 10.0.14393. | MDM controls | User controlled | User controlled; Allow; Disallow |
| Apps allowed access to messaging | Specify the list of apps that are always allowed to access SMS and MMS messaging, as package family names separated by semicolons (;). Apps listed here override the "Default app access to messaging" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| Apps denied access to messaging | Specify the list of apps that are never allowed to access SMS and MMS messaging, as package family names separated by semicolons (;). Apps listed here override the "Default app access to messaging" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| App access to messaging controlled by user | Specify the list of apps for which the user decides whether to allow access to SMS and MMS messaging, as package family names separated by semicolons (;). Apps listed here override the "Default app access to messaging" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| Default app access to microphone | Specify whether apps can access the microphone by default. "User controlled": the user chooses whether to allow access. "Allow": apps can access the microphone. "Disallow": apps can't access the microphone. Minimum OS version: 10.0.14393. | MDM controls | User controlled | User controlled; Allow; Disallow |
| Apps allowed access to microphone | Specify the list of apps that are always allowed to access the microphone, as package family names separated by semicolons (;). Apps listed here override the "Default app access to microphone" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| Apps denied access to microphone | Specify the list of apps that are never allowed to access the microphone, as package family names separated by semicolons (;). Apps listed here override the "Default app access to microphone" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| App access to microphone controlled by user | Specify the list of apps for which the user decides whether to allow access to the microphone, as package family names separated by semicolons (;). Apps listed here override the "Default app access to microphone" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| Default app access to motion data | Specify whether apps can access motion data by default. "User controlled": the user chooses whether to allow access. "Allow": apps can access motion data. "Disallow": apps can't access motion data. Minimum OS version: 10.0.14393. | MDM controls | User controlled | User controlled; Allow; Disallow |
| Apps allowed access to motion data | Specify the list of apps that are always allowed to access motion data, as package family names separated by semicolons (;). Apps listed here override the "Default app access to motion data" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| Apps denied access to motion data | Specify the list of apps that are never allowed to access motion data, as package family names separated by semicolons (;). Apps listed here override the "Default app access to motion data" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| App access to motion data controlled by user | Specify the list of apps for which the user decides whether to allow access to motion data, as package family names separated by semicolons (;). Apps listed here override the "Default app access to motion data" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| Default app access to phone | Specify whether apps can access the phone by default. "User controlled": the user chooses whether to allow access. "Allow": apps can access the phone. "Disallow": apps can't access the phone. Minimum OS version: 10.0.14393. | MDM controls | User controlled | User controlled; Allow; Disallow |
| Apps allowed access to phone | Specify the list of apps that are always allowed to access the phone, as package family names separated by semicolons (;). Apps listed here override the "Default app access to phone" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| Apps denied access to phone | Specify the list of apps that are never allowed to access the phone, as package family names separated by semicolons (;). Apps listed here override the "Default app access to phone" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| App access to phone controlled by user | Specify the list of apps for which the user decides whether to allow access to the phone, as package family names separated by semicolons (;). Apps listed here override the "Default app access to phone" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| Default app access to radios | Specify whether apps can access device radios by default. "User controlled": the user chooses whether to allow access. "Allow": apps can access the radios. "Disallow": apps can't access the radios. Minimum OS version: 10.0.14393. | MDM controls | User controlled | User controlled; Allow; Disallow |
| Apps allowed access to radios | Specify the list of apps that are always allowed to access device radios, as package family names separated by semicolons (;). Apps listed here override the "Default app access to radios" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| Apps denied access to radios | Specify the list of apps that are never allowed to access device radios, as package family names separated by semicolons (;). Apps listed here override the "Default app access to radios" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| App access to radios controlled by user | Specify the list of apps for which the user decides whether to allow access to device radios, as package family names separated by semicolons (;). Apps listed here override the "Default app access to radios" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| Default app access to trusted devices | Specify whether apps can access the list of trusted devices by default. "User controlled": the user chooses whether to allow access. "Allow": apps can access trusted devices. "Disallow": apps can't access trusted devices. Minimum OS version: 10.0.14393. | MDM controls | User controlled | User controlled; Allow; Disallow |
| Apps allowed access to trusted devices | Specify the list of apps that are always allowed to access the list of trusted devices, as package family names separated by semicolons (;). Apps listed here override the "Default app access to trusted devices" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| Apps denied access to trusted devices | Specify the list of apps that are never allowed to access the list of trusted devices, as package family names separated by semicolons (;). Apps listed here override the "Default app access to trusted devices" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| App access to trusted devices controlled by user | Specify the list of apps for which the user decides whether to allow access to the list of trusted devices, as package family names separated by semicolons (;). Apps listed here override the "Default app access to trusted devices" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| Default app synchronization | Specify whether apps can synchronize with the device by default. "User controlled": the user chooses whether to allow synchronization. "Allow": apps can synchronize with the device. "Disallow": apps can't synchronize with the device. Minimum OS version: 10.0.14393. | MDM controls | User controlled | User controlled; Allow; Disallow |
| Apps allowed to synchronize with the device | Specify the list of apps that are always allowed to synchronize with the device, as package family names separated by semicolons (;). Apps listed here override the "Default app synchronization" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| Apps not allowed to synchronize with the device | Specify the list of apps that are never allowed to synchronize with the device, as package family names separated by semicolons (;). Apps listed here override the "Default app synchronization" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| App synchronization controlled by user | Specify the list of apps for which the user decides whether to allow synchronization with the device, as package family names separated by semicolons (;). Apps listed here override the "Default app synchronization" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| Default app access to notifications | Specify whether apps can access device notifications by default. "User controlled": the user chooses whether to allow access. "Allow": apps can access notifications. "Disallow": apps can't access notifications. Minimum OS version: 10.0.14393. | MDM controls | User controlled | User controlled; Allow; Disallow |
| Apps allowed access to notifications | Specify the list of apps that are always allowed to access notifications, as package family names separated by semicolons (;). Apps listed here override the "Default app access to notifications" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| Apps not allowed access to notifications | Specify the list of apps that are never allowed to access notifications, as package family names separated by semicolons (;). Apps listed here override the "Default app access to notifications" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| App notification access controlled by user | Specify the list of apps for which the user decides whether to allow access to notifications, as package family names separated by semicolons (;). Apps listed here override the "Default app access to notifications" rule. Minimum OS version: 10.0.14393. | MDM controls | | |
| Default app access to diagnostic information | Specify whether apps can access diagnostic information about other apps by default. "User controlled": the user chooses whether to allow access. "Allow": apps can access diagnostic information. "Disallow": apps can't access diagnostic information. Minimum OS version: 10.0.15063. | MDM controls | User controlled | User controlled; Allow; Disallow |
| Apps allowed access to diagnostic information | Specify the list of apps that are always allowed to access diagnostic information, as package family names separated by semicolons (;). Apps listed here override the "Default app access to diagnostic information" rule. Minimum OS version: 10.0.15063. | MDM controls | | |
| Apps not allowed access to diagnostic information | Specify the list of apps that are never allowed to access diagnostic information, as package family names separated by semicolons (;). Apps listed here override the "Default app access to diagnostic information" rule. Minimum OS version: 10.0.15063. | MDM controls | | |
| App access to diagnostic information controlled by user | Specify the list of apps for which the user decides whether to allow access to diagnostic information, as package family names separated by semicolons (;). Apps listed here override the "Default app access to diagnostic information" rule. Minimum OS version: 10.0.15063. | MDM controls | | |
| Default apps can run in background | Specify whether apps can run in the background by default. "User controlled": the user chooses whether to allow it. "Allow": apps can run in the background. "Disallow": apps can't run in the background. Minimum OS version: 10.0.15063. | MDM controls | User controlled | User controlled; Allow; Disallow |
| Apps allowed to run in background | Specify the list of apps that are always allowed to run in the background, as package family names separated by semicolons (;). Apps listed here override the "Default apps can run in background" rule. Minimum OS version: 10.0.15063. | MDM controls | | |
| Apps not allowed to run in background | Specify the list of apps that are never allowed to run in the background, as package family names separated by semicolons (;). Apps listed here override the "Default apps can run in background" rule. Minimum OS version: 10.0.15063. | MDM controls | | |
| App ability to run in background controlled by user | Specify the list of apps for which the user decides whether to allow running in the background, as package family names separated by semicolons (;). Apps listed here override the "Default apps can run in background" rule. Minimum OS version: 10.0.15063. | MDM controls | | |
| MDM wins over group policies | When this rule is enabled, the MDM policy takes effect whenever both an MDM policy and its equivalent group policy are set on the device. Minimum OS version: 10.0.17763. | MDM controls | No | |
| BitLocker encryption method for desktop | Specify the BitLocker Drive Encryption method and cipher strength for desktop computers. Minimum OS version: 10.0.17763. | MDM controls | AES-CBC 128-bit | |
| Allow storage card encryption prompts on the device | Specify whether the device prompts the user to encrypt the storage card. If this rule is not selected, the user is not prompted, but encryption that is already enabled is not turned off. Minimum OS version: 10.0.17763. | MDM controls | No | |
| Allow BitLocker Device Encryption to enable encryption on the device | Specify whether BitLocker Device Encryption can enable encryption on the device. If this rule is not selected, the user is not prompted to enable encryption, but encryption that is already enabled is not turned off. Minimum OS version: 10.0.17763. | MDM controls | No | |
| Set default encryption methods for each drive type | Specify whether the BitLocker encryption algorithm and cipher strength are configured separately for operating system drives, fixed data drives and removable data drives (the three rules below). Minimum OS version: 10.0.17763. | MDM controls | Not selected | |
| Encryption method for operating system drives | Specify the encryption method for operating system drives. Depends on: Set default encryption methods for each drive type. Minimum OS version: 10.0.17763. | MDM controls | AES-CBC 128-bit | |
| Encryption method for fixed data drives | Specify the encryption method for fixed data drives. Depends on: Set default encryption methods for each drive type. Minimum OS version: 10.0.17763. | MDM controls | AES-CBC 128-bit | |
| Encryption method for removable data drives | Specify the encryption method for removable data drives. Depends on: Set default encryption methods for each drive type. Minimum OS version: 10.0.17763. | MDM controls | AES-CBC 128-bit | |
| Require additional authentication at startup | Specify whether BitLocker requires additional authentication each time the device starts. This setting is applied when BitLocker is turned on. Minimum OS version: 10.0.17763. | MDM controls | Not selected | |
| Allow BitLocker without a compatible TPM | Specify whether BitLocker can be enabled on a device without a compatible TPM. If this rule is selected, BitLocker can be started with a password or with a startup key on a USB flash drive instead. Depends on: Require additional authentication at startup. Minimum OS version: 10.0.17763. | MDM controls | Not selected | |
| Require TPM startup key | Specify whether a TPM startup key is optional, required, or disallowed. Depends on: Require additional authentication at startup. Minimum OS version: 10.0.17763. | MDM controls | Optional | Optional; Required; Disallowed |
| Require TPM startup PIN | Specify whether a TPM startup PIN is optional, required, or disallowed. Depends on: Require additional authentication at startup. Minimum OS version: 10.0.17763. | MDM controls | Optional | Optional; Required; Disallowed |
| Require TPM startup key and PIN | Specify whether a combined TPM startup key and PIN is optional, required, or disallowed. Depends on: Require additional authentication at startup. Minimum OS version: 10.0.17763. | MDM controls | Optional | Optional; Required; Disallowed |
| Require TPM startup | Specify whether TPM-only startup is optional, required, or disallowed. Depends on: Require additional authentication at startup. Minimum OS version: 10.0.17763. | MDM controls | Optional | Optional; Required; Disallowed |
| Require minimum PIN length for startup | Specify whether BitLocker enforces a minimum startup PIN length. Minimum OS version: 10.0.17763. | MDM controls | Not selected | |
| Minimum PIN length | Specify the minimum number of digits in the startup PIN. Depends on: Require minimum PIN length for startup. Minimum OS version: 10.0.17763. | MDM controls | 6 digits | 6 to 20 digits |
| Pre-boot recovery message and URL | Specify whether the BitLocker pre-boot recovery message and URL shown on the pre-boot key recovery screen when the OS drive is locked can be customized. Minimum OS version: 10.0.17763. | MDM controls | Not selected | |
| Pre-boot recovery screen | Specify whether the BitLocker pre-boot recovery screen is empty, shows the default message and URL, shows a custom message, or shows a custom URL. Depends on: Pre-boot recovery message and URL. Minimum OS version: 10.0.17763. | MDM controls | Empty | Empty; Default message and URL; Custom message; Custom URL |
| Custom recovery message | If "Custom message" is selected in the "Pre-boot recovery screen" rule, specify the message text. Depends on: Pre-boot recovery message and URL. Minimum OS version: 10.0.17763. | MDM controls | | 1 to 900 characters |
| Custom recovery URL | If "Custom URL" is selected in the "Pre-boot recovery screen" rule, specify the URL. Depends on: Pre-boot recovery message and URL. Minimum OS version: 10.0.17763. | MDM controls | | 1 to 500 characters |
| BitLocker OS drive recovery options | Specify whether the way BitLocker-protected operating system drives are recovered when the required startup key information is unavailable can be customized. This setting is applied when BitLocker is turned on. Minimum OS version: 10.0.17763. | MDM controls | Not selected | |
| Allow certificate-based data recovery agent for OS drives | Specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Depends on: BitLocker OS drive recovery options. Minimum OS version: 10.0.17763. | MDM controls | Not selected | |
| Allow recovery password generation for OS drives | Specify whether the user can create and store a BitLocker recovery password for OS drives. Depends on: BitLocker OS drive recovery options. Minimum OS version: 10.0.17763. | MDM controls | Allowed | |
| Allow recovery key generation for OS drives | Specify whether the user can create and store a BitLocker recovery key for OS drives. Depends on: BitLocker OS drive recovery options. Minimum OS version: 10.0.17763. | MDM controls | Allowed | |
| Exclude recovery options from the BitLocker setup wizard for OS drives | Specify whether recovery options are hidden from the user when BitLocker is turned on for an OS drive. Depends on: BitLocker OS drive recovery options. Minimum OS version: 10.0.17763. | MDM controls | Not selected | |
| Allow saving BitLocker recovery information for OS drives to Active Directory Domain Services | Specify whether BitLocker recovery information for OS drives can be saved to Active Directory Domain Services. Depends on: BitLocker OS drive recovery options. Minimum OS version: 10.0.17763. | MDM controls | Not selected | |
| Stored BitLocker recovery information for OS drives | Specify whether Active Directory Domain Services stores only recovery passwords, or both recovery passwords and key packages, for OS drives. Depends on: BitLocker OS drive recovery options. Minimum OS version: 10.0.17763. | MDM controls | Store recovery passwords only | Store recovery passwords only; Store recovery passwords and key packages |
| Require Active Directory backup for recovery information for OS drives | Specify whether BitLocker can be turned on for an OS drive only after its recovery information has been backed up to Active Directory Domain Services. Depends on: BitLocker OS drive recovery options. Minimum OS version: 10.0.17763. | MDM controls | Not selected | |
| BitLocker fixed drive recovery options | Specify whether the way BitLocker-protected fixed drives are recovered when the required startup key information is unavailable can be customized. This setting is applied when BitLocker is turned on. Minimum OS version: 10.0.17763. | MDM controls | Not selected | |
| Allow certificate-based data recovery agent for fixed drives | Specify whether a data recovery agent can be used with BitLocker-protected fixed drives. Depends on: BitLocker fixed drive recovery options. Minimum OS version: 10.0.17763. | MDM controls | Not selected | |
| Allow recovery password generation for fixed drives | Specify whether the user can create and store a BitLocker recovery password for fixed drives. Depends on: BitLocker fixed drive recovery options. Minimum OS version: 10.0.17763. | MDM controls | Allowed | |
| Allow recovery key generation for fixed drives | Specify whether the user can create and store a BitLocker recovery key for fixed drives. Depends on: BitLocker fixed drive recovery options. Minimum OS version: 10.0.17763. | MDM controls | Allowed | |
| Exclude recovery options from the BitLocker setup wizard for fixed drives | Specify whether recovery options are hidden from the user when BitLocker is turned on for a fixed drive. Depends on: BitLocker fixed drive recovery options. Minimum OS version: 10.0.17763. | MDM controls | Not selected | |
| Allow saving BitLocker recovery information for fixed drives to Active Directory Domain Services | Specify whether BitLocker recovery information for fixed drives can be saved to Active Directory Domain Services. Depends on: BitLocker fixed drive recovery options. Minimum OS version: 10.0.17763. | MDM controls | Not selected | |
| Stored BitLocker recovery information for fixed drives | Specify whether Active Directory Domain Services stores only recovery passwords, or both recovery passwords and key packages, for fixed drives. Depends on: BitLocker fixed drive recovery options. Minimum OS version: 10.0.17763. | MDM controls | Store recovery passwords only | Store recovery passwords only; Store recovery passwords and key packages |
| Require Active Directory backup for recovery information for fixed drives | Specify whether BitLocker can be turned on for a fixed drive only after its recovery information has been backed up to Active Directory Domain Services. Depends on: BitLocker fixed drive recovery options. Minimum OS version: 10.0.17763. | MDM controls | Not selected | |
| Require BitLocker protection for fixed data drives | Specify whether BitLocker protection is required for write access to fixed data drives. If this rule is selected, fixed data drives that are not BitLocker-protected are mounted read-only. Minimum OS version: 10.0.17763. | MDM controls | Not selected | |
| Require BitLocker protection for removable data drives | Specify whether BitLocker protection is required for write access to removable data drives. If this rule is selected, removable data drives that are not BitLocker-protected are mounted read-only. Minimum OS version: 10.0.17763. | MDM controls | Not selected | |
| Allow write access to devices configured in another organization | Specify whether removable drives whose identification fields don't match the computer's identification fields can be written to. If this rule is selected, only drives whose identification fields match the computer's identification fields are given write access. Depends on: Require BitLocker protection for removable data drives. Minimum OS version: 10.0.17763. | MDM controls | Not selected | |
| Allow recovery key location prompt | Specify whether the user is prompted to choose where to back up the OS drive's recovery key. If this rule is not selected, the OS drive's recovery key is backed up to the user's Microsoft Entra ID account. Minimum OS version: 10.0.17763. | MDM controls | Yes | |
| Enable encryption for standard users | Specify whether encryption is enabled on all fixed drives even when the currently logged-in user is a standard user. This setting is supported only for Microsoft Entra ID accounts. Minimum OS version: 10.0.17763. | MDM controls | No | |
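The app-permission rules above form a tri-state default (user controlled, allow, disallow) plus three per-app lists that override it. The table does not say what happens when the same package family name lands in more than one list, which is exactly the mistake a shared console invites. The PowerShell below is an added example, not part of this documentation or of the product: it resolves the effective state for a package family name with that conflict surfaced as a finding, then audits what an enrolled device actually received. It assumes these rules are delivered as the Windows Policy CSP "Privacy" settings (LetAppsAccessCamera and its _ForceAllowTheseApps, _ForceDenyTheseApps and _UserInControlOfTheseApps lists) and that the device exposes received policy under the PolicyManager registry hive; the rule-to-setting mapping and all package family names are constructed for the example.

```powershell
# Added example (not from the product documentation).
# ASSUMPTION: console rules map to Policy CSP Privacy settings and appear under PolicyManager.
$PolicyRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Privacy'

# Console rule family -> CSP setting name (assumed mapping; a subset of the table).
$Capabilities = [ordered]@{
    'account information' = 'LetAppsAccessAccountInfo'
    'calendar'            = 'LetAppsAccessCalendar'
    'camera'              = 'LetAppsAccessCamera'
    'contacts'            = 'LetAppsAccessContacts'
    'location services'   = 'LetAppsAccessLocation'
    'microphone'          = 'LetAppsAccessMicrophone'
    'notifications'       = 'LetAppsAccessNotifications'
    'run in background'   = 'LetAppsRunInBackground'
}

function Split-AppList {
    # The console separates package family names with ';'; the CSP itself uses U+F000. Accept both.
    param([string]$Raw)
    if ([string]::IsNullOrWhiteSpace($Raw)) { return @() }
    return @($Raw -split "[;$([char]0xF000)]" | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Resolve-AppAccess {
    # Pure resolver for one package family name. Default: 0 = user controlled, 1 = allow, 2 = deny.
    # Membership in any list overrides the default, as the table states. An app named in more than
    # one list is reported as CONFLICT: the documentation defines no precedence between the lists,
    # so a deployment that depends on one is a finding, not a configuration.
    param(
        [int]$Default = 0,
        [string[]]$ForceAllow = @(),
        [string[]]$ForceDeny = @(),
        [string[]]$UserInControl = @(),
        [Parameter(Mandatory)][string]$Pfn
    )
    $inAllow = $ForceAllow -contains $Pfn
    $inDeny  = $ForceDeny -contains $Pfn
    $inUser  = $UserInControl -contains $Pfn
    $hits = @(@($inAllow, $inDeny, $inUser) | Where-Object { $_ }).Count
    if ($hits -gt 1) { return 'CONFLICT' }
    if ($inAllow)    { return 'Allow (forced by list)' }
    if ($inDeny)     { return 'Deny (forced by list)' }
    if ($inUser)     { return 'User controlled (by list)' }
    switch ($Default) {
        1       { 'Allow (default)' }
        2       { 'Deny (default)' }
        default { 'User controlled (default)' }
    }
}

function Get-PrivacyPolicy {
    # Reads the policy the device actually received; $null when MDM has not configured the rule.
    param([Parameter(Mandatory)][string]$Setting)
    $key = Get-ItemProperty -Path $PolicyRoot -ErrorAction SilentlyContinue
    if ($null -eq $key -or $null -eq $key.$Setting) { return $null }
    [pscustomobject]@{
        Setting       = $Setting
        Default       = [int]$key.$Setting
        ForceAllow    = @(Split-AppList ([string]$key."${Setting}_ForceAllowTheseApps"))
        ForceDeny     = @(Split-AppList ([string]$key."${Setting}_ForceDenyTheseApps"))
        UserInControl = @(Split-AppList ([string]$key."${Setting}_UserInControlOfTheseApps"))
    }
}

# --- Constructed sample: camera denied by default, a conferencing app force-allowed, and a
#     scanner app mistakenly placed in both the allow and the deny list.
$sample = @{
    Default       = 2
    ForceAllow    = @(Split-AppList 'Contoso.Meet_1234567890abc;Contoso.Scanner_1234567890abc')
    ForceDeny     = @(Split-AppList 'Contoso.Scanner_1234567890abc')
    UserInControl = @()
}
foreach ($pfn in 'Contoso.Meet_1234567890abc', 'Contoso.Scanner_1234567890abc', 'Fabrikam.Notes_1234567890abc') {
    '{0,-32} {1}' -f $pfn, (Resolve-AppAccess @sample -Pfn $pfn)
}

# --- Live audit of an enrolled device: each capability's default plus any cross-list conflicts.
foreach ($name in $Capabilities.Keys) {
    $p = Get-PrivacyPolicy -Setting $Capabilities[$name]
    if ($null -eq $p) { '{0,-20} not configured by MDM' -f $name; continue }
    $conflicts = @($p.ForceAllow | Where-Object { $p.ForceDeny -contains $_ -or $p.UserInControl -contains $_ })
    $fields = @($name, $p.Default, $p.ForceAllow.Count, $p.ForceDeny.Count, $p.UserInControl.Count, ($conflicts -join ','))
    '{0,-20} default={1} allow={2} deny={3} user={4} conflicts={5}' -f $fields
}
```

Run it in an elevated PowerShell on an enrolled device; on a device that is not enrolled only the constructed sample prints. Because the resolver is a pure function, the same logic can be pointed at an export of the console's rule set before it is pushed, which is where a cross-list conflict is cheapest to catch.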
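The BitLocker rows default to AES-CBC 128-bit for every drive type. XTS-AES is the mode Microsoft recommends for operating system and fixed data drives; AES-CBC is only worth keeping for removable drives that must be readable on Windows versions older than 10 version 1511, which cannot open XTS volumes. The PowerShell below is an added example, not part of this documentation or of the product: it compares a desired BitLocker configuration against what a device received and against the protectors actually present on its volumes, so a "Require TPM startup PIN: Required" rule that never reached the disk shows up. It assumes the rules are delivered through the Windows BitLocker CSP and land in the same policy hive group policy uses (HKLM\SOFTWARE\Policies\Microsoft\FVE, with the EncryptionMethodWithXts*, UseTPMPIN, MinimumPIN and related value names); the desired values and the sample volume are constructed for the example.

```powershell
# Added example (not from the product documentation).
# ASSUMPTION: BitLocker CSP settings are visible under the FVE policy hive with GPO value names.
$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Method codes used by the EncryptionMethodWithXts* policy values.
$MethodName = @{ 3 = 'AES-CBC 128-bit'; 4 = 'AES-CBC 256-bit'; 6 = 'XTS-AES 128-bit'; 7 = 'XTS-AES 256-bit' }
# Get-BitLockerVolume reports the method by name; map back to the policy codes so they compare.
$VolumeMethodCode = @{ 'Aes128' = 3; 'Aes256' = 4; 'XtsAes128' = 6; 'XtsAes256' = 7 }

# Desired state, constructed for this example: XTS-AES 256 on OS and fixed drives, AES-CBC 128
# on removable drives for cross-version compatibility, TPM+PIN required, 8-digit minimum PIN,
# recovery information escrowed to AD DS, unprotected fixed drives mounted read-only.
$Desired = @{
    EncryptionMethodWithXtsOs  = 7
    EncryptionMethodWithXtsFdv = 7
    EncryptionMethodWithXtsRdv = 3
    UseAdvancedStartup         = 1
    UseTPMPIN                  = 1     # 0 = disallowed, 1 = required, 2 = optional
    MinimumPIN                 = 8
    OSActiveDirectoryBackup    = 1
    FDVDenyWriteAccess         = 1
}

function Compare-FvePolicy {
    # Desired vs. received policy values; Actual is $null when the setting never arrived.
    param([Parameter(Mandatory)][hashtable]$Desired, [string]$Path = $FvePolicy)
    $actual = if (Test-Path $Path) { Get-ItemProperty -Path $Path } else { $null }
    foreach ($name in ($Desired.Keys | Sort-Object)) {
        $have = if ($null -ne $actual) { $actual.$name } else { $null }
        [pscustomobject]@{
            Setting = $name
            Desired = $Desired[$name]
            Actual  = $have
            Match   = ($null -ne $have -and [int]$have -eq [int]$Desired[$name])
        }
    }
}

function Test-VolumeAgainstPolicy {
    # Pure check so it runs against a constructed volume object as well as real cmdlet output.
    # Get-BitLockerVolume reports fixed and removable drives alike as 'Data'; treated as fixed here.
    param(
        [Parameter(Mandatory)]$Volume,   # MountPoint, VolumeType, EncryptionMethod, ProtectionStatus, KeyProtector
        [Parameter(Mandatory)][hashtable]$Desired
    )
    $findings = @()
    $isOs     = ($Volume.VolumeType -eq 'OperatingSystem')
    $wantCode = if ($isOs) { $Desired.EncryptionMethodWithXtsOs } else { $Desired.EncryptionMethodWithXtsFdv }
    $haveCode = $VolumeMethodCode[[string]$Volume.EncryptionMethod]
    if ($Volume.ProtectionStatus -ne 'On') { $findings += 'protection is off' }
    if ($haveCode -ne $wantCode) {
        $findings += "method is $($Volume.EncryptionMethod), policy wants $($MethodName[$wantCode])"
    }
    $types = @($Volume.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    if ($isOs) {
        if ($Desired.UseTPMPIN -eq 1 -and -not ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey')) {
            $findings += 'TPM+PIN required by policy but no TpmPin protector is present'
        }
        if (-not ($types -contains 'RecoveryPassword')) { $findings += 'no recovery password protector (nothing to escrow)' }
    }
    [pscustomobject]@{
        MountPoint = $Volume.MountPoint
        Compliant  = ($findings.Count -eq 0)
        Findings   = ($findings -join '; ')
    }
}

# --- Constructed sample volume: encrypted with the table's default method, TPM-only protector.
$sampleVolume = [pscustomobject]@{
    MountPoint       = 'C:'
    VolumeType       = 'OperatingSystem'
    EncryptionMethod = 'Aes128'
    ProtectionStatus = 'On'
    KeyProtector     = @([pscustomobject]@{ KeyProtectorType = 'Tpm' },
                         [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' })
}
Test-VolumeAgainstPolicy -Volume $sampleVolume -Desired $Desired | Format-List

# --- Live device (elevated shell, BitLocker module present): policy received, then volumes.
Compare-FvePolicy -Desired $Desired | Format-Table -AutoSize
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Get-BitLockerVolume | ForEach-Object { Test-VolumeAgainstPolicy -Volume $_ -Desired $Desired } | Format-Table -AutoSize
}
```

The two halves answer different questions. Compare-FvePolicy tells you whether the rule arrived, which is where the "MDM wins over group policies" rule matters: with it unset, a conflicting group policy can leave Actual different from Desired even though the MDM console shows the rule applied. Test-VolumeAgainstPolicy tells you whether the disk caught up, since most BitLocker rules, including the encryption method and the startup authentication requirement, take effect only when BitLocker is next turned on, not on volumes that were already encrypted.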