Common Education device restrictions

There are many device restriction settings and configuration options you have available. This article summarizes the configurations that are most commonly used for student and teacher devices.

Intune includes device restriction policies that help administrators control a wide range of settings and features on Android, iOS/iPadOS, macOS, and Windows devices to protect your organization's resources.

To learn more, see Use the settings catalog to configure settings on Windows, iOS/iPadOS, and macOS devices.


When creating a settings catalog profile in the Microsoft Intune admin center, you can copy a policy name from this article and paste it into the settings picker search field to find the desired policy.

Organization-specific settings catalog policies

Configure these settings to personalize user experience and simplify the Windows sign-in process. Values for these settings should be defined according to the environment.

Category Name Value Notes CSP
Authentication Preferred Aad Tenant Domain Name domain Simplifies the sign-in to Windows by automatically appending the domain to the username Authentication/PreferredAadTenantDomainName
Personalization Desktop Image Url url An http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Desktop Image or a file Url to a local image on the file system that needs to be used as the Desktop Image. Personalization/DesktopImageUrl
Personalization Lock Screen Image Url url An http or https URL to a jpg, jpeg or png image that needs to be downloaded and used as the Lock Screen Image. Personalization/LockScreenImageUrl
Time Language Settings Configure Time Zone timezone Use Timezone column from Default Time Zones TimeLanguageSettings/ConfigureTimeZone

General restrictions

Commonly applied device restrictions in education.

Category Name Value Notes CSP
Above Lock Allow Cortana Above Lock Block The system will need to be unlocked for the user to interact with Cortana using speech. AboveLock/AllowCortanaAboveLock
Above Lock Allow Toasts Block Block toast notifications above the device lock screen AboveLock/AllowToasts
Accounts Allow Adding Non Microsoft Accounts Manually Block Block users from adding non-MSA email account. Accounts/AllowAddingNonMicrosoftAccountsManually
Accounts Allow Microsoft Account Connection Block Block users from using an MSA account for non-email related connection authentication and services. Accounts/AllowMicrosoftAccountConnection
Administrative Templates > System > Power Management > Sleep Settings Specify the system hibernate timeout (on battery) Disabled Power/HibernateTimeoutOnBattery
Administrative Templates > System > Power Management > Sleep Settings Specify the system sleep timeout (on battery) Enabled Only enables the setting configuration. Power/StandbyTimeoutOnBattery
Administrative Templates > System > Power Management > Sleep Settings System Sleep Timeout (seconds): 3600 Power/StandbyTimeoutOnBattery
Administrative Templates > System > Power Management > Sleep Settings Specify the system sleep timeout (plugged in) Enabled Only enables the setting configuration. Power/StandbyTimeoutPluggedIn
Administrative Templates > System > Power Management > Sleep Settings System Sleep Timeout (seconds): 3600 Power/StandbyTimeoutPluggedIn
Administrative Templates > System > Power Management > Video and Display Settings Turn off the display (on battery) Enabled Power/DisplayOffTimeoutOnBattery
Administrative Templates > System > Power Management > Video and Display Settings On battery power, turn display off after (seconds) 300 Power/DisplayOffTimeoutOnBattery
Administrative Templates > System > Power Management > Video and Display Settings Turn off the display (plugged in) Enabled Power/DisplayOffTimeoutPluggedIn
Administrative Templates > System > Power Management > Video and Display Settings When plugged in, turn display off after (seconds) 300 Power/DisplayOffTimeoutPluggedIn
Administrative Templates > System > Removable Storage Access All Removable Storage classes: Deny all access Disabled Do not block access to removable storage ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_2
Administrative Templates > Windows Components > Store Turn off the Store application Enabled Access to the Store application is denied. ADMX_WindowsStore/RemoveWindowsStore_2
Bluetooth Allow Advertising Block Blocks the device from sending out Bluetooth advertisements. Bluetooth/AllowAdvertising
Bluetooth Allow Discoverable Mode Allow Allow other Bluetooth-enabled devices discover the device. Bluetooth/AllowDiscoverableMode
Bluetooth Allow Prompted Proximal Connections Block Block users on these managed devices from using Swift Pair and other proximity based scenarios. Bluetooth/AllowPromptedProximalConnections
Camera Allow Camera Allowed Camera/AllowCamera
Connectivity Allow Bluetooth Allow Bluetooth. The radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on. Connectivity/AllowBluetooth
Connectivity Allow Cellular Data Roaming Do not allow cellular data roaming. The user cannot turn it on. This value is not supported in Windows 10, version 1511. Connectivity/AllowCellularDataRoaming
Credential Providers Disable Automatic Re Deployment Credentials Disabled Enables local Autopilot Reset CredentialProviders/DisableAutomaticReDeploymentCredentials
Experience Allow Cortana Block Experience/AllowCortana
Experience Allow Manual MDM Unenrollment Block Block the user from deleting the workplace account using the workplace control panel. Experience/AllowManualMDMUnenrollment
Experience Allow Windows Spotlight (User) Block Turn off Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features. Experience/AllowWindowsSpotlight
Experience Configure Chat Icon Disabled Configures the Teams Chat icon on the taskbar for Windows 11 Experience/ConfigureChatIcon
Microsoft App Store Allow All Trusted Apps Explicit allow unlock. Allow install of any LOB or developer-signed Windows Store app (which must be signed with a certificate chain that can be successfully validated by the local computer) ApplicationManagement/AllowAllTrustedApps
Microsoft App Store Allow Developer Unlock Explicit deny. Block developing Microsoft Store apps or installing them directly from an IDE. ApplicationManagement/AllowDeveloperUnlock
Microsoft App Store Allow Shared User App Data Block Windows app can't share app data with other instances of that app. ApplicationManagement/AllowSharedUserAppData
Power Allow Hibernate Block Windows 11 only Power/AllowHibernate
Power Energy Saver Battery Threshold On Battery 50 Energy Saver will be automatically turned on at (and below) the specified level. Power/EnergySaverBatteryThresholdOnBattery
Power Energy Saver Battery Threshold Plugged In 40 Energy Saver will be automatically turned on at (and below) the specified level. Power/EnergySaverBatteryThresholdPluggedIn
Power Select Lid Close Action On Battery Sleep Power/SelectLidCloseActionOnBattery
Power Select Lid Close Action Plugged In Sleep Power/SelectLidCloseActionPluggedIn
Power Select Power Button Action On Battery Sleep Power/SelectPowerButtonActionOnBattery
Power Select Power Button Action Plugged In Sleep Power/SelectPowerButtonActionPluggedIn
Power Select Sleep Button Action On Battery Sleep Power/SelectSleepButtonActionOnBattery
Power Select Sleep Button Action Plugged In Sleep Power/SelectSleepButtonActionPluggedIn
Power Turn Off Hybrid Sleep On Battery hybrid sleep A hiberfile isn't generated when the system transitions to sleep (Stand By). Power/TurnOffHybridSleepOnBattery
Power Turn Off Hybrid Sleep Plugged In hybrid sleep A hiberfile isn't generated when the system transitions to sleep (Stand By). Power/TurnOffHybridSleepPluggedIn
Power Unattended Sleep Timeout On Battery 3600 How much idle time (seconds) should elapse before Windows automatically transitions to sleep when left unattended. Power/UnattendedSleepTimeoutOnBattery
Power Unattended Sleep Timeout Plugged In 3600 How much idle time (seconds) should elapse before Windows automatically transitions to sleep when left unattended. Power/UnattendedSleepTimeoutPluggedIn
Security Allow Add Provisioning Package Allow Allow the runtime configuration agent to install provisioning packages. Security/AllowAddProvisioningPackage
Security Allow Remove Provisioning Package Allow Allow the runtime configuration agent to remove provisioning packages. Security/AllowRemoveProvisioningPackage
Settings Allow Date Time Block Block the user from changing date and time settings. Settings/AllowDateTime
Settings Allow Language Block Block the user from changing the language settings. Settings/AllowLanguage
Settings Allow Power Sleep Block Block the user from changing power and sleep settings. Settings/AllowPowerSleep
Settings Allow Region Block Block the user from changing the region settings. Settings/AllowRegion
Shared PC Enable Shared PC Mode False SharedPC/EnableSharedPCMode
Shared PC Restrict Local Storage False SharedPC/RestrictLocalStorage
Shared PC Set Edu Policies true Windows 10 configuration recommendations for education customers SharedPC/SetEDUpolicies
Task Manager Allow End Task Block TaskManager/AllowEndTask
Widgets Allow Widgets Not allowed. This policy applies to the entire widgets experience, including content on the taskbar. AllowNewsAndInterests
Wi-Fi Settings Allow Auto Connect To Wi Fi Sense Hotspots Block Wifi/AllowAutoConnectToWiFiSenseHotspots
Wi-Fi Settings Allow Internet Sharing Block Wifi/AllowInternetSharing
Windows Logon Hide Fast User Switching Enabled WindowsLogon/HideFastUserSwitching