| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
|
|
|
|
|
|
This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software.
If you enable or do not configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable.
The following list shows the supported values: - 0 – Not allowed. The item "Get Insider builds" is unavailable, users are unable to make their devices available for preview software. - 1 – Allowed. Users can make their devices available for downloading and installing preview software. - 2 (default) – Not configured. Users can make their devices available for downloading and installing preview software. **System/AllowEmbeddedMode**
| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
|
|
|
|
|
|
Specifies whether set general purpose device to be in embedded mode.
The following list shows the supported values: - 0 (default) – Not allowed. - 1 – Allowed.
Most restricted value is 0. **System/AllowExperimentation**
| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
|
|
|
|
|
|
This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior.
The following list shows the supported values: - 0 – Disabled. - 1 (default) – Permits Microsoft to configure device settings only. - 2 – Allows Microsoft to conduct full experimentations.
Most restricted value is 0. **System/AllowFontProviders**
| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
|
2 |
2 |
2 |
2 |
2 |
2 |
Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts.
Supported values: - false - No traffic to fs.microsoft.com and only locally-installed fonts are available. - true (default) - There may be network traffic to fs.microsoft.com and downloadable fonts are available to apps that support them.
This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value is not set by default, so the default behavior is true (enabled).
This setting is used by lower-level components for text display and fond handling and has not direct effect on web browsers, which may download web fonts used in web content. > [!Note] > Reboot is required after setting the policy; alternatively you can stop and restart the FontCache service.
To verify if System/AllowFontProviders is set to true: - After a client machine is rebooted, check whether there is any network traffic from client machine to fs.microsoft.com. **System/AllowLocation**
| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
|
|
|
|
|
|
Specifies whether to allow app access to the Location service.
The following list shows the supported values: - 0 – Force Location Off. All Location Privacy settings are toggled off and greyed out. Users cannot change the settings, and no apps are allowed access to the Location service, including Cortana and Search. - 1 (default) – Location service is allowed. The user has control and can change Location Privacy settings on or off. - 2 – Force Location On. All Location Privacy settings are toggled on and greyed out. Users cannot change the settings and all consent permissions will be automatically suppressed.
Most restricted value is 0.
While the policy is set to 0 (Force Location Off) or 2 (Force Location On), any Location service call from an app would trigger the value set by this policy.
When switching the policy back from 0 (Force Location Off) or 2 (Force Location On) to 1 (User Control), the app reverts to its original Location service setting.
For example, an app's original Location setting is Off. The administrator then sets the **AllowLocation** policy to 2 (Force Location On.) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the **AllowLocation** policy back to 1 (User Control), the app will revert to using its original setting of Off. **System/AllowStorageCard**
| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
|
|
|
|
|
|
Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card.
The following list shows the supported values: - 0 – SD card use is not allowed and USB drives are disabled. This setting does not prevent programmatic access to the storage card. - 1 (default) – Allow a storage card.
Most restricted value is 0. **System/AllowTelemetry**
| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
|
|
|
|
|
|
Allow the device to send diagnostic and usage telemetry data, such as Watson.
The following tables describe the supported values:
| Windows 8.1 Values |
|---|
0 – Not allowed. |
1 – Allowed, except for Secondary Data Requests. |
2 (default) – Allowed. |
| Windows 10 Values |
|---|
0 – Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
Note This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1.
|
1 – Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level. |
2 – Enhanced. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels. |
3 – Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels. |
Most restricted value is 0. **System/AllowUserToResetPhone**
| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
|
|
|
|
|
|
Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination.
The following list shows the supported values: - 0 – Not allowed. - 1 (default) – Allowed to reset to factory default settings.
Most restricted value is 0. **System/BootStartDriverInitialization**
| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
|
|
|
|
|
|
|
| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
|
2 |
2 |
2 |
2 |
|
|
Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting: * Users cannot access OneDrive from the OneDrive app or file picker. * Windows Store apps cannot access OneDrive using the WinRT API. * OneDrive does not appear in the navigation pane in File Explorer. * OneDrive files are not kept in sync with the cloud. * Users cannot automatically upload photos and videos from the camera roll folder.
If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.
The following list shows the supported values: - 0 (default) – False (sync enabled). - 1 – True (sync disabled).
To validate on Desktop, do the following: 1. Enable policy. 2. Restart machine. 3. Verify that OneDrive.exe is not running in Task Manager. **System/DisableSystemRestore**
| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
|
|
|
|
|
|
|
| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
|
|
|
|
|
|
Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device.
If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration.