As an admin managing your organization's Microsoft Windows 10 devices with Google's Windows device management, you can add custom settings. These settings let you control device settings from the Admin console. This article provides the information you need to set up many common custom settings.
Note: The following information is provided for your convenience and reference, but Microsoft might change the behavior of these settings.
Before you apply these settings
- Review the Microsoft documentation. Links are provided in the following setting descriptions under Name.
- Test the behavior before you apply these settings in production.
Device management
Block users from unenrolling a device
Name: AllowManualMDMUnenrollment
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Experience/AllowManualMDMUnenrollment
Data type: Integer
Value: 0 = Block unenrollment by users, 1 = Allow users to unenroll (default). Note: When set to 0, even user accounts with local admin access can't unenroll the device. To unenroll a device when set to 0, use the Admin console.
Security
Block users from changing VPN settings
Name: AllowVPN
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Settings/AllowVPN
Data type: Integer
Value: 0 = Block user changes to VPN settings, 1 = Allow users to change VPN settings (default)
Name: PageVisibilityList
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Settings/PageVisibilityList
Data type: String
Value: Specify the page to show or hide by using the prefix showonly: or hide:. For example, to hide VPN settings, use hide:network-vpn. Default is an empty string, which shows all pages.
For a complete list of pages you can show or hide, go to the Microsoft reference. Enter only the second part of the page URI, not the ms-settings: prefix.
Name: AllowAutoPlay
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Settings/AllowAutoPlay
Data type: Integer
Value: 0 = Block user changes, 1 = Allow users to change Autoplay settings (default)
To set a timeout, you must also explicitly turn on device lock:
- Set the idle timeout:
Name: MaxInactivityTimeDeviceLock
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaxInactivityTimeDeviceLock
Data type: Integer
Value: 0–999, 0 = No timeout (default)
- Turn on device lock.
Name: AllowUsersToConnectRemotely
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/AllowUsersToConnectRemotely
Data type: String
Value: To block Remote Desktop access, enter <disabled />.
This setting is required in order to set password and device lock settings.
Note: When you explicitly turn on device lock, Microsoft applies some password requirements. We recommend you review the setting documentation.
Name: DevicePasswordEnabled
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled
Data type: Integer
Value: 0 = enabled (default), 1 = disabled
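The value rules in this section are easy to get wrong, in particular the inverted DevicePasswordEnabled values and the ms-settings: prefix in PageVisibilityList. The following pre-deployment check is an added example, not Google or Microsoft code. The function name lint_settings and the input shape (a dict of OMA-URI to value) are assumptions made for illustration, and the sample values are constructed.

```python
PREFIX = "./Device/Vendor/MSFT/Policy/Config/"
TIMEOUT = PREFIX + "DeviceLock/MaxInactivityTimeDeviceLock"
DEVICE_LOCK = PREFIX + "DeviceLock/DevicePasswordEnabled"
PAGE_LIST = PREFIX + "Settings/PageVisibilityList"

# Integer settings and the values this page documents for them.
INT_RULES = {
    PREFIX + "Settings/AllowVPN": range(0, 2),
    PREFIX + "Settings/AllowAutoPlay": range(0, 2),
    DEVICE_LOCK: range(0, 2),
    TIMEOUT: range(0, 1000),
}


def lint_settings(settings):
    """Check {OMA-URI: value} pairs; return a list of findings (empty if clean)."""
    findings = []
    for uri, value in settings.items():
        if uri in INT_RULES:
            allowed = INT_RULES[uri]
            is_int = isinstance(value, int) and not isinstance(value, bool)
            if not is_int or value not in allowed:
                findings.append(f"{uri}: {value!r} is outside {allowed.start}-{allowed.stop - 1}")
        elif uri == PAGE_LIST and value != "":
            if not isinstance(value, str) or not value.startswith(("showonly:", "hide:")):
                findings.append(f"{uri}: value must start with showonly: or hide:")
            elif "ms-settings:" in value:
                findings.append(f"{uri}: drop the ms-settings: prefix from page names")
    # DevicePasswordEnabled is inverted: 0 turns device lock on, 1 turns it off.
    # A timeout needs device lock turned on explicitly, so the default is not enough.
    if settings.get(TIMEOUT) and settings.get(DEVICE_LOCK) != 0:
        findings.append(f"{TIMEOUT}: needs {DEVICE_LOCK} set explicitly to 0")
    return findings


if __name__ == "__main__":
    # Constructed sample: timeout set, but device lock turned off by mistake.
    sample = {TIMEOUT: 15, DEVICE_LOCK: 1, PAGE_LIST: "hide:ms-settings:network-vpn"}
    for finding in lint_settings(sample):
        print(finding)
```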
Hardware and network
Set Wi-Fi profiles
Name: WlanXml
OMA-URI: ./Vendor/MSFT/WiFi/Profile/<Enter SSID>/WlanXml
Replace <Enter SSID> with the name of the Wi-Fi network
Data type: String (XML)
Value: Upload an XML file with the following format. You can create the XML file from an existing Wi-Fi connection, or edit the following sample template. Update the network parameters as required, such as the following:
- SSID (in <name>): Enter the name of the Wi-Fi network.
- Password (in <keyMaterial>): If you use a password for authentication, enter the Wi-Fi password. If you use a different type of authentication, learn how to format it in WLAN_profile Schema Elements.
- In <connectionMode>, enter auto to automatically connect the device to the Wi-Fi network, or enter manual to require the user to manually connect.
For more parameter details and options, review the Microsoft documentation on WLAN_profile Schema Elements.
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>SSID</name>
  <SSIDConfig>
    <SSID>
      <name>SSID</name>
    </SSID>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2PSK</authentication>
        <encryption>AES</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>passPhrase</keyType>
        <protected>false</protected>
        <keyMaterial>Password</keyMaterial>
      </sharedKey>
    </security>
  </MSM>
</WLANProfile>
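Editing the template by hand breaks when the SSID or password contains &, < or >, and nothing checks the passphrase length. The following generator is an added example, not Google or Microsoft code. It produces the same WPA2-PSK profile with escaping and basic validation; the function name build_wlan_profile and the sample values are assumptions made for illustration. Because the template sets <protected> to false, the generated XML holds the passphrase in clear text and should be handled as a secret.

```python
import xml.etree.ElementTree as ET

NS = "http://www.microsoft.com/networking/WLAN/profile/v1"
ET.register_namespace("", NS)  # serialize with a default xmlns, as in the template


def build_wlan_profile(ssid, passphrase, connection_mode="auto"):
    """Return (oma_uri, xml_text) for a WPA2-PSK profile in the page's template format."""
    if not 1 <= len(ssid.encode("utf-8")) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    # A WPA2 passphrase is 8-63 printable ASCII characters.
    if not (8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)):
        raise ValueError("WPA2 passphrase must be 8-63 printable ASCII characters")
    if connection_mode not in ("auto", "manual"):
        raise ValueError("connectionMode must be 'auto' or 'manual'")

    def add(parent, tag, text=None):
        child = ET.SubElement(parent, f"{{{NS}}}{tag}")
        child.text = text
        return child

    root = ET.Element(f"{{{NS}}}WLANProfile")
    add(root, "name", ssid)
    add(add(add(root, "SSIDConfig"), "SSID"), "name", ssid)
    add(root, "connectionType", "ESS")
    add(root, "connectionMode", connection_mode)
    security = add(add(root, "MSM"), "security")
    auth = add(security, "authEncryption")
    add(auth, "authentication", "WPA2PSK")
    add(auth, "encryption", "AES")
    add(auth, "useOneX", "false")
    key = add(security, "sharedKey")
    add(key, "keyType", "passPhrase")
    add(key, "protected", "false")  # key material below is stored in clear text
    add(key, "keyMaterial", passphrase)  # ElementTree escapes &, < and > here

    xml_text = '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")
    return f"./Vendor/MSFT/WiFi/Profile/{ssid}/WlanXml", xml_text


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    uri, xml_text = build_wlan_profile("ExampleCorp", "s3cret&<pass>", "manual")
    print(uri)
    print(xml_text)
```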
Name: AllowCamera
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Camera/AllowCamera
Data type: Integer
Value: 0 = Disable camera, 1 = Enable camera (default)
Name: AllowStorageCard
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/System/AllowStorageCard
Data type: Integer
Value: 0 = Disable USB drives and block SD card use, 1 = Enable USB drives and allow SD cards (default)
Name: AllowAdvertising
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Bluetooth/AllowAdvertising
Data type: Integer
Value: 0 = Disable advertising. The device can't be discovered by Bluetooth devices. 1 = Enable advertising. The device can be discovered by Bluetooth devices (default).
Name: AllowBluetooth
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowBluetooth
Data type: Integer
Value: 0 = Disable Bluetooth, 2 = Enable Bluetooth (default)
Name: RemovableDiskDenyWriteAccess
OMA-URI: ./[Device|User]/Vendor/MSFT/Policy/Config/Storage/RemovableDiskDenyWriteAccess
Data type: Integer
Value: 0 = Allow write access to removable disks (default), 1 = Block write access to removable disks
Name: PreventAddingNewPrinters
OMA-URI: ./User/Vendor/MSFT/Policy/Config/Education/PreventAddingNewPrinters
Data type: Integer
Value: 0 = Allow user to add printers (default), 1 = Disable adding printers and scanners
Software
Disable Cortana
Name: AllowCortana
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Experience/AllowCortana
Data type: Integer
Value: 0 = Disable Cortana, 1 = Enable Cortana (default)
Name: AllowWindowsSpotlight
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight
Data type: Integer
Value: 0 = Disable spotlight notifications, 1 = Enable spotlight notifications (default)
Name: AllowAllTrustedApps
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/AllowAllTrustedApps
Data type: Integer
Value: 0 = Block non-Microsoft Store apps, 1 = Allow all apps, 65535 = Not configured (default)
Name: DisableOneDriveFileSync
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/System/DisableOneDriveFileSync
Data type: Integer
Value: 0 = Allow access to OneDrive file storage (default), 1 = Block access to OneDrive file storage
Advanced gaming services might send data to Microsoft or the publishers of the games.
Name: AllowAdvancedGamingServices
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Games/AllowAdvancedGamingServices
Data type: Integer
Value: 0 = Block advanced gaming services, 1 = Allow advanced gaming services (default)
Name: Policy (part of the AppLocker CSP)
OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/<Enter Grouping>/[EXE | StoreApps | MSI | Script | DLL]/Policy
Data type: String (XML)
Value: An XML file that specifies the application and the groups or users the policy applies to. For instructions, see Block applications with custom settings.
Personalization
Set the desktop image
Name: DesktopImageUrl
OMA-URI: ./Vendor/MSFT/Personalization/DesktopImageUrl
Data type: String
Value: The URL of an image, such as https://www.mycompany.com/desktopimage.JPG or file:///c:/images/desktopimage.jpg.
Name: LockScreenImageUrl
OMA-URI: ./Vendor/MSFT/Personalization/LockScreenImageUrl
Data type: String
Value: The URL of an image, such as https://www.mycompany.com/desktopimage.JPG or file:///c:/images/desktopimage.jpg.
Privacy
Skip the privacy settings setup screen