Common custom settings for Windows 10 or 11 devices

As an admin managing your organization's Microsoft Windows 10 or 11 devices with Google's Windows device management, you can add custom settings. These settings let you control device settings from the Admin console. This article provides the information you need to set up many common custom settings.

Note: The following information is provided for your convenience and reference, but Microsoft might change the behavior of these settings.

Before you apply these settings

  1. Review the Microsoft documentation. Links are provided in the following setting descriptions under Name.
  2. Test the behavior before you apply these settings in production.

Open all   |   Close all

Device management

Block users from unenrolling a device

Name: AllowManualMDMUnenrollment

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Experience/AllowManualMDMUnenrollment

Data type: Integer

Value: 0 = Block unenrollment by users, 1 = Allow users to unenroll (default). Note: When set to 0, even user accounts with local admin access can't unenroll the device. To unenroll a device when set to 0, use the Admin console. Learn how


Open all   |   Close all

Block users from changing VPN settings

Name: AllowVPN

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Settings/AllowVPN

Data type: Integer

Value: 0 = Block user changes to VPN settings, 1 = Allow users to change VPN settings (default)

Control user access to Settings

Name: PageVisibilityList

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Settings/PageVisibilityList

Data type: String

Value: Specify the page to show or hide, by using the prefixes showonly: or hide:. For example, to hide VPN settings, use hide:network-vpn. Default is an empty string, which shows all pages.

For a complete list of pages you can show or hide, go to the Microsoft reference. Enter only the second part of the page URI, not the ms-settings: prefix. 

Block users from changing Autoplay settings

Name: AllowAutoPlay

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Settings/AllowAutoPlay

Data type: Integer

Value: 0 = Block user changes, 1 = Allow users to change Autoplay settings (default)

Automatically lock a device after it's idle for a set time (in minutes)

To set a timeout, you must also explicitly turn on device lock:

  1. Set the idle timeout:

    Name: MaxInactivityTimeDeviceLock

    OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaxInactivityTimeDeviceLock

    Data type: Integer

    Value: 0–999, 0 = No timeout (default)

  2. Turn on device lock.
Block users from connecting remotely with Remote Desktop

Name: AllowUsersToConnectRemotely

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/AllowUsersToConnectRemotely

Data type: String

Value: To block Remote Desktop access, enter <disabled />.

Require a device password and turn on device lock

This setting is required in order to set password and device lock settings.

Note: When you explicitly turn on device lock, Microsoft applies some password requirements. We recommend you review the setting documentation.

Name: DevicePasswordEnabled

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled

Data type: Integer

Value: 0 = enabled (default), 1 = disabled

Hardware and network

Open all   |   Close all

Set Wi-Fi profiles

Name: WlanXml

OMA-URI: ./Vendor/MSFT/WiFi/Profile/<Enter SSID>/WlanXml 

Replace <Enter SSID> with the name of the Wi-Fi network

Data type: String (XML)

Value:  Upload an XML file with the following format. You can create the XML file from an existing Wi-Fi connection, or edit the following sample template. Update the network parameters as required, such as the following:

  • SSID (in <name>)—Enter the name of the Wi-Fi network.
  • Password (in <keyMaterial>)—If you use a password for authentication, enter the Wi-Fi password. If you use a different type of authentication, learn how to format it in WLAN_profile Schema Elements.
  • In <connectionMode>, enter auto to automatically connect the device to the Wi-Fi network, or enter manual to require the user manually connect.

For more parameter details and options, review the Microsoft documentation on WLAN_profile Schema Elements.

<?xml version="1.0"?>
<WLANProfile xmlns="">

Disable the camera

Name: AllowCamera

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Camera/AllowCamera

Data type: Integer

Value:  0 = Disable camera, 1 = Enable camera (default)

Disable USB drives and SD cards

Name: AllowStorageCard

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/System/AllowStorageCard

Data type: Integer

Value:  0 = Disable USB drives and block SD card use, 1 = Enable USB drives and allow SD cards (default)

Disable Bluetooth advertisements

Name: AllowAdvertising

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Bluetooth/AllowAdvertising

Data type: Integer

Value:  0 = Disable advertising. The device can't be discovered by Bluetooth devices. 1 = Enable advertising. The device can be discovered by Bluetooth devices (default).

Disable Bluetooth

Name: AllowBluetooth

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowBluetooth

Data type: Integer

Value:  0 = Disable Bluetooth, 2 = Enable Bluetooth (default)

Block write access to removable disks

Name: RemovableDiskDenyWriteAccess

OMA-URI: ./[Device|User]/Vendor/MSFT/Policy/Config/Storage/RemovableDiskDenyWriteAccess

Data type: Integer

Value:  0 = Allow write access to removable disks (default), 1 = Block write access to removable disks

Block users from adding printers

Name: PreventAddingNewPrinters

OMA-URI: ./User/Vendor/MSFT/Policy/Config/Education/PreventAddingNewPrinters

Data type: Integer

Value: 0 = Allow user to add printers (default), 1 = Disable adding printers and scanners


Open all   |   Close all

Disable Cortana

Name: AllowCortana

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Experience/AllowCortana

Data type: Integer

Value: 0 = Disable Cortana, 1 = Enable Cortana (default)

Block Windows spotlight notifications in the Action Center

Name: AllowWindowsSpotlight

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight

Data type: Integer

Value: 0 = Disable spotlight notifications, 1 = Enable spotlight notifications (default)

Block non-Microsoft Store apps

Name: AllowAllTrustedApps

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/AllowAllTrustedApps

Data type: Integer

Value:  0 = Block non-Microsoft Store apps, 1 = Allow all apps, 65535 = Not configured (default)

Disable OneDrive

Name: DisableOneDriveFileSync

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/System/DisableOneDriveFileSync

Data type: Integer

Value:  0 = Allow access to OneDrive file storage (default), 1 = Block access to OneDrive file storage

Block advanced gaming services

Advanced gaming services might send data to Microsoft or the publishers of the games.

Name: AllowAdvancedGamingServices

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Games/AllowAdvancedGamingServices

Data type: Integer

Value: 0 = Block advanced gaming services, 1 = Allow advanced gaming services (default)

Block all unsigned applications or specific applications

Name: Policy (part of the AppLocker CSP)

OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/<Enter Grouping>/[EXE | StoreApps | MSI | Script | DLL]/Policy

Data type: String (XML)

Value: An XML file that specifies the application and the groups or users the policy applies to. For instructions, see Block applications with custom settings.

Block Microsoft Store apps
OMA-URI: ./Device/Vendor/MSFT/Policy/ApplicationManagement/DisableStoreOriginatedApps
Data type: Integer
Value: 0 = Allow all apps from the Microsoft Store (pre-installed or downloaded) to run (default), 1 = Block running apps from the Microsoft Store
Allow only apps from your organization's private store in Microsoft Store
OMA-URI: ./Device/Vendor/MSFT/Policy/ApplicationManagement/RequirePrivateStoreOnly
Data type: Integer
Value: 0 = Allow access to apps in both the public and private store (default), 1 = Block access to the public store and allow access only to the private store
Force the location service on or off
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/System/AllowLocation
Data type: Integer
Value: 0 = Force location off. No apps can access the Location service and users can't change the setting. 1 = Let users set Location Privacy settings for each app (default). 2 = Force location on. All apps can access the Location service and users can't change the setting or grant consent.
Block screen capture, recording, and broadcast through Game DVR
OMA-URI: ./Device/Vendor/MSFT/Policy/ApplicationManagement/AllowGameDVR
Data type: Integer
Value: 0 = Block Game Bar, 1 = Allow Game Bar (default)


Open all   |   Close all

Set the desktop image

Name: DesktopImageUrl

OMA-URI: ./Vendor/MSFT/Personalization/DesktopImageUrl

Data type: String

Value: The URL of an image, such as or file:///c:/images/desktopimage.jpg.

Set the lock screen image

Name: LockScreenImageUrl

OMA-URI: ./Vendor/MSFT/Personalization/LockScreenImageUrl

Data type: String

Value: The URL of an image, such as or file:///c:/images/desktopimage.jpg.


Open all   |   Close all

Skip the privacy settings setup screen
OMA-URI: ./Device/Vendor/MSFT/Policy/Privacy/DisablePrivacyExperience
Data type: Integer
Value: 0 = Show the privacy settings setup screen when users sign in for the first time or after an upgrade (default), 1 = Don't show privacy settings setup. If you set privacy settings for devices in your organization by policies, you might want to skip this screen, which prompts users to change the settings.
Block online speech recognition for all apps
OMA-URI: ./Device/Vendor/MSFT/Policy/Privacy/AllowInputPersonalization
Data type: Integer
Value: 0 = Block speech recognition for dictation, Cortana, and other apps that use Microsoft's speech recognition. 1 = Let users turn online speech recognition on or off (default).
Disable advertising ID
OMA-URI: ./Device/Vendor/MSFT/Policy/Privacy/DisableAdvertisingId
Data type: Integer
Value: 0 = Disable advertising ID, 1 = Enable advertising ID and block users from disabling, 65535 = Not configured and user has control (default)
Block updates to the activity feed
OMA-URI: ./Device/Vendor/MSFT/Policy/Privacy/EnableActivityFeed
Data type: Integer
Value: 0 = Block apps from publishing device activity to the activity feed and sending it to Microsoft, 1 = Allow apps to update the activity feed (default)
Block access to location for Windows apps
OMA-URI: ./Device/Vendor/MSFT/Policy/Privacy/LetAppsAccessLocation
Data type: Integer
Value: 0 = Let users control (default), 1 = Force allow location access for Windows apps, 2 = Force block location access for Windows apps
Note: AllowLocation takes precedence over LetAppsAccessLocation.


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.


Was this helpful?

How can we improve it?
Clear search
Close search
Google apps
Main menu