Profile attributes for Windows 10 devices

To enforce security compliance on your Windows 10 devices, create one or more profiles with the required settings. To complete this task, you must have the correct authorizations. See Operator permissions and associated profile actions.

  1. Specify a Profile Name, a Description, and select the Site where the profile is created. The sites that are available are those that your operator login is authorized to. These fields are mandatory. You can enforce security policies for the categories that are displayed in the left pane. To change or specify attributes in a category you must first enable it by clicking On. If you enable a category without changing any of its settings, the greyed-out values are not enforced on the devices when the profile is deployed. You must enable at least one category to save the profile.
    Note: You cannot specify double quotation marks " in the Profile Name and Description fields.
  2. Select the Password Settings tab to change authentication settings for your Windows 10 devices. You can specify the following properties:
    Password expires after [0] days
    Specify the length of time in days after which a user password must be changed. Allowed values are in the range from 0-730 where 0 (zero) means that the password never expires. The most restrictive value is 1.
    Enforce password history for the last [0] passwords.
    Specify the number of previous passwords that cannot be reused. Allowed values are in the range 0-24, where 0 (zero) means that this check is not enabled, and the most restrictive value is 24.
    Activate Password Controls
    Selecting this option automatically enforces a strong password scheme requiring that passwords contain at least three complex element types: uppercase letters, lowercase letters, numbers and, optionally, special characters. If PINs are used, the same complexity rules apply. Selecting this option is the most restrictive setting. Additionally, you can set or change the following controls:
    Device is put on BitLocker recovery mode after [0] incorrect password attempts
    Allowed values are in the range 4-16, or 0 (zero). The default value of zero means that the policy is not enforced. If BitLocker is enabled on the device, when the number of failed attempts set by this policy is reached, the device is rebooted and put into BitLocker recovery mode, and the user must specify the BitLocker recovery key. If BitLocker is not enabled, the device is only rebooted. The most restrictive value is 4.
    Device is locked after [0] minutes of inactivity.
    Specify how many minutes to wait in the absence of any user input, before the device is locked. After the specified time, the device becomes PIN or password locked. The allowed values are in the range 0-999, where a value of 0 means that no timeout is active and the device never locks. The most restrictive value is 1.
    Minimum password length is [4] characters
    Specifies the minimum length required for a password or PIN. Allowed values are in the range 4-14, and the default value is four. However, local accounts will always enforce a minimum password length of six characters. The most restrictive value is 14.
    Allow use of simple device passwords
    This option allows accounts on the device to sign in using picture passwords or biometric methods (such as fingerprint or iris recognition), if the device is equipped with the corresponding readers. This option is enabled by default.
  3. Select the Device Security tab to change the following properties:
    Allow Storage Card
    Controls whether the user is allowed to use removable storage cards for device storage. The default is allow. Clear this option to prevent the use of removable SD cards and to disable USB drives on the device.
    Allow Device Discovery
    This policy controls whether a device can discover other devices while the lock screen is displayed. The default is allow. It enables the use of shortcuts such as Win+P to project on another screen, or Win+K to search for wireless display and audio devices. Clearing this option disables these shortcut keys.
    Both options are selected by default.
  4. Select the App Security tab to specify security options for Windows Applications:
    Allow App Store Auto Update
    This setting enables automatic updates of Windows Store apps.
    Install Trusted Apps
    This policy setting controls the installation on the device of non-Windows Store applications (sideloaded apps) that are signed with a certificate the device trusts. Select one of the available settings:
    Not Configured
    This is the default value, and it means that the policy is not used.
    Explicitly Allow
    Enables the installation of trusted non-Windows Store apps on the device.
    Explicitly Deny
    Installation of non-Windows store apps on the device is not permitted. This is the most restrictive option.
    Developer Mode
    Specifies whether development, deployment and debugging of installed non-packaged applications is allowed. Select one of the available settings:
    Not Configured
    This is the default value, and it means that the policy is not used.
    Explicitly Allow
    Enables the development and deployment of non-packaged apps on the device.
    Explicitly Deny
    Development and deployment of non-packaged apps is not allowed on the device. This is the most restrictive option.
    Note: The values you select in the Install Trusted Apps and Developer Mode policy settings affect how the following Developer Features in the Update and Security page on the device are handled:
    • Windows Store Apps
    • Sideload apps
    • Developer Mode
    Important: If you select Explicitly Deny for Install Trusted Apps and select Explicitly Allow for Developer Mode , the latter parameter value overrides the first, so that the installation of non-Windows Store trusted apps is also allowed.
  5. Select the Restrictions tab to disable access to one or more specific resources. The resources you can restrict are general purpose, such as speech, typing, account, email, and notification settings. By default none of the restrictions is selected, so all the listed resources remain available on the device. Click Select All to restrict every resource in the list.
    Camera
    Disables the use of camera on the device.
    Microsoft Account Connection
    When selected, it prevents Microsoft accounts from performing non-email related connection authentication and services. This restriction might affect the use of Cortana, depending on the Windows 10 build that is installed on the targeted device.
    Adding Non-Microsoft Accounts Manually
    When selected, users on the device cannot add non-Microsoft email accounts.
    Sync My Settings
    Disables all Windows sync settings on the device.
    Cortana
    Specifies whether users on the device can access Cortana.
    Toasts
    Disables toast notifications above the device lock screen.
    Input Personalization
    Disables the automatic learning component of input personalization that collects speech, inking, typing, contacts, and calendar information required by Cortana. When selected, automatic learning is stopped on the device, and all previously collected learning information is cleared. Cortana and Dictation are also disabled.
    System Telemetry level
    Defines the level of telemetry events and data (such as diagnostics, usage, and reliability information) that the device is allowed to send. You can specify four different levels. Levels are cumulative.
    Security
    Send security data only. Only data pertaining to security updates is sent. This value is the most restrictive. Note that Windows honors the Security level only on the Enterprise, Education, IoT Core and Server editions; other editions treat it as Basic.
    Basic
    Send a limited set of system configuration and health data for problem determination. This level also includes data from the Security level.
    Enhanced
    Send data about application usage, performance, device-specific events, some diagnostics. This level also includes data from the Basic and Security levels.
    Full
    Send all necessary data to identify and resolve problems, and reliability and usage data. This level also includes data from the Basic, Enhanced, and Security levels.
    Location
    Specifies whether to allow app access to the Location service.
    Location Service is allowed
    The Location Service is enabled. This is the default value. Users on the device can control and change the Location Privacy settings (on or off).
    Force Location Off
    All Location Privacy settings are greyed out. Users on the device are not allowed to change settings, and no apps can gain access to the Location service, including Cortana.
    Force Location On
    Location Service is allowed, and Location Privacy settings are greyed out. Users on the device are not allowed to modify the Location settings.
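After the profile is deployed, verify on a device that the values actually applied match what the profile intended. The following PowerShell script is an added example and is not part of the product or of the original page: it reads the Policy CSP values that Windows stores under the PolicyManager registry key and compares them with an assumed baseline derived from the most restrictive settings described in steps 2, 4 and 5. The area and policy names (DeviceLock, ApplicationManagement, System, Privacy and their values) are the Windows Policy CSP names assumed to correspond to the profile attributes; the numeric thresholds are an assumed organizational baseline that you should adjust to your own profile. Run it in an elevated PowerShell session on the managed device.

```powershell
# Added example (not from the original page): audit the Policy CSP values that
# Windows applies on a managed device against an assumed baseline built from the
# most restrictive profile settings. Area/policy names are the Windows Policy CSP
# names assumed to map to the profile attributes. Run elevated on the device.

$PolicyRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'

function Get-AppliedPolicy {
    param([string]$Area, [string]$Name)
    # Each applied policy is a DWORD value under <root>\<Area>. A missing value
    # means the MDM profile never delivered that policy (the device default applies).
    $item = Get-ItemProperty -Path (Join-Path $PolicyRoot $Area) -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# Assumed baseline: each entry names the policy, a test that returns $true for a
# compliant value, and a human-readable description of the expected value.
$Baseline = @(
    # Password Settings (step 2). DeviceLock uses 0 = password required.
    @{ Area='DeviceLock'; Name='DevicePasswordEnabled';           Test={ param($v) $v -eq 0 };                Want='0 (password required)' }
    @{ Area='DeviceLock'; Name='MinDevicePasswordLength';         Test={ param($v) $v -ge 8 };                Want='8 or more characters' }
    @{ Area='DeviceLock'; Name='DevicePasswordHistory';           Test={ param($v) $v -ge 10 };               Want='10 or more passwords' }
    @{ Area='DeviceLock'; Name='DevicePasswordExpiration';        Test={ param($v) $v -ge 1 -and $v -le 90 }; Want='1-90 days (0 never expires)' }
    @{ Area='DeviceLock'; Name='MaxDevicePasswordFailedAttempts'; Test={ param($v) $v -ge 4 -and $v -le 10 }; Want='4-10 attempts (0 disables)' }
    @{ Area='DeviceLock'; Name='MaxInactivityTimeDeviceLock';     Test={ param($v) $v -ge 1 -and $v -le 15 }; Want='1-15 minutes (0 never locks)' }
    @{ Area='DeviceLock'; Name='AllowSimpleDevicePassword';       Test={ param($v) $v -eq 0 };                Want='0 (simple passwords blocked)' }
    # App Security (step 4). 0 = Explicitly Deny, 1 = Explicitly Allow, 65535 = Not Configured.
    @{ Area='ApplicationManagement'; Name='AllowAllTrustedApps';  Test={ param($v) $v -eq 0 };                Want='0 (Explicitly Deny)' }
    @{ Area='ApplicationManagement'; Name='AllowDeveloperUnlock'; Test={ param($v) $v -eq 0 };                Want='0 (Explicitly Deny)' }
    # Restrictions (step 5). AllowTelemetry 0-3 = Security..Full; AllowLocation 0 = Force Off.
    @{ Area='System';  Name='AllowTelemetry';                     Test={ param($v) $v -le 1 };                Want='0 or 1 (Security or Basic)' }
    @{ Area='System';  Name='AllowLocation';                      Test={ param($v) $v -eq 0 };                Want='0 (Force Location Off)' }
    @{ Area='Privacy'; Name='AllowInputPersonalization';          Test={ param($v) $v -eq 0 };                Want='0 (disabled)' }
)

function Test-ProfileCompliance {
    # Emits one object per baseline entry; pipe the output to Format-Table or Export-Csv.
    foreach ($entry in $Baseline) {
        $value = Get-AppliedPolicy -Area $entry.Area -Name $entry.Name
        $ok = if ($null -eq $value) { $false } else { & $entry.Test $value }
        [pscustomobject]@{
            Area      = $entry.Area
            Policy    = $entry.Name
            Applied   = if ($null -eq $value) { 'not delivered' } else { $value }
            Expected  = $entry.Want
            Compliant = [bool]$ok
        }
    }

    # The override documented in step 4: Developer Mode = Explicitly Allow permits
    # sideloading even when Install Trusted Apps = Explicitly Deny, so flag it.
    $dev  = Get-AppliedPolicy -Area 'ApplicationManagement' -Name 'AllowDeveloperUnlock'
    $side = Get-AppliedPolicy -Area 'ApplicationManagement' -Name 'AllowAllTrustedApps'
    if ($dev -eq 1 -and $side -eq 0) {
        [pscustomobject]@{
            Area      = 'ApplicationManagement'
            Policy    = 'AllowDeveloperUnlock overrides AllowAllTrustedApps'
            Applied   = "AllowDeveloperUnlock=$dev AllowAllTrustedApps=$side"
            Expected  = 'AllowDeveloperUnlock=0 whenever sideloading is denied'
            Compliant = $false
        }
    }
}

$results = Test-ProfileCompliance
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Compliant }) {
    Write-Warning 'Device does not meet the baseline; redeploy the profile or correct the deviating settings.'
}
```

A policy reported as "not delivered" usually means the category was enabled in the profile without changing the setting (the greyed-out value is not enforced, as noted in step 1), or that the device has not yet checked in. The same policy areas are also exposed through the MDM Bridge WMI provider under root\cimv2\mdm\dmmap, but that provider must be queried in the SYSTEM context, so the registry view is the simpler check for an interactive audit.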