Common Education device restrictions
There are many device restriction settings and configuration options you have available. This article summarizes the configurations that are most commonly used for student and teacher devices.
Intune includes device restriction policies that help administrators control a wide range of settings and features on Android, iOS/iPadOS, macOS, and Windows devices to protect your organization's resources.
To learn more, see Use the settings catalog to configure settings on Windows, iOS/iPadOS, and macOS devices.
Tip
When creating a settings catalog profile in the Microsoft Intune admin center, you can copy a policy name from this article and paste it into the settings picker search field to find the desired policy.
Organization-specific settings catalog policies
Configure these settings to personalize user experience and simplify the Windows sign-in process. Values for these settings should be defined according to the environment.
| Name | Value | Notes | CSP |
|---|---|---|---|
| Preferred Aad Tenant Domain Name | domain | Simplifies the sign-in to Windows by automatically appending the domain to the username | Authentication/PreferredAadTenantDomainName |
| Desktop Image Url | url | An http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Desktop Image or a file Url to a local image on the file system that needs to be used as the Desktop Image. | Personalization/DesktopImageUrl |
| Lock Screen Image Url | url | An http or https URL to a jpg, jpeg or png image that needs to be downloaded and used as the Lock Screen Image. | Personalization/LockScreenImageUrl |
| Configure Time Zone | timezone | Use Timezone column from Default Time Zones | TimeLanguageSettings/ConfigureTimeZone |
General restrictions
Commonly applied device restrictions in education.
| Name | Value | Notes | CSP |
|---|---|---|---|
| Allow Cortana Above Lock | Block | The system will need to be unlocked for the user to interact with Cortana using speech. | AboveLock/AllowCortanaAboveLock |
| Allow Toasts | Block | Block toast notifications above the device lock screen | AboveLock/AllowToasts |
| Allow Adding Non Microsoft Accounts Manually | Block | Block users from adding non-MSA email account. | Accounts/AllowAddingNonMicrosoftAccountsManually |
| Allow Microsoft Account Connection | Block | Block users from using an MSA account for non-email related connection authentication and services. | Accounts/AllowMicrosoftAccountConnection |
| Specify the system hibernate timeout (on battery) | Disabled | Power/HibernateTimeoutOnBattery | |
| Specify the system sleep timeout (on battery) | Enabled | Only enables the setting configuration. | Power/StandbyTimeoutOnBattery |
| System Sleep Timeout (seconds): | 3600 | Power/StandbyTimeoutOnBattery | |
| Specify the system sleep timeout (plugged in) | Enabled | Only enables the setting configuration. | Power/StandbyTimeoutPluggedIn |
| System Sleep Timeout (seconds): | 3600 | Power/StandbyTimeoutPluggedIn | |
| Turn off the display (on battery) | Enabled | Power/DisplayOffTimeoutOnBattery | |
| On battery power, turn display off after (seconds) | 300 | Power/DisplayOffTimeoutOnBattery | |
| Turn off the display (plugged in) | Enabled | Power/DisplayOffTimeoutPluggedIn | |
| When plugged in, turn display off after (seconds) | 300 | Power/DisplayOffTimeoutPluggedIn | |
| All Removable Storage classes: Deny all access | Disabled | Do not block access to removable storage | ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_2 |
| Allow Advertising | Block | Blocks the device from sending out Bluetooth advertisements. | Bluetooth/AllowAdvertising |
| Allow Discoverable Mode | Allow | Allow other Bluetooth-enabled devices discover the device. | Bluetooth/AllowDiscoverableMode |
| Allow Prompted Proximal Connections | Block | Block users on these managed devices from using Swift Pair and other proximity based scenarios. | Bluetooth/AllowPromptedProximalConnections |
| Allow Camera | Allowed | Camera/AllowCamera | |
| Allow Bluetooth | Allow Bluetooth. The radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on. | Connectivity/AllowBluetooth | |
| Allow Cellular Data Roaming | Do not allow cellular data roaming. The user cannot turn it on. This value is not supported in Windows 10, version 1511. | Connectivity/AllowCellularDataRoaming | |
| Allow Cortana | Block | Experience/AllowCortana | |
| Allow Manual MDM Unenrollment | Block | Block the user from deleting the workplace account using the workplace control panel. | Experience/AllowManualMDMUnenrollment |
| Allow Widgets | Not allowed. | This policy applies to the entire widgets experience, including content on the taskbar. | AllowNewsAndInterests |
| Allow Windows Spotlight (User) | Block | Turn off Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features. | Experience/AllowWindowsSpotlight |
| Allow All Trusted Apps | Explicit allow unlock. | Allow install of any LOB or developer-signed Windows Store app (which must be signed with a certificate chain that can be successfully validated by the local computer) | ApplicationManagement/AllowAllTrustedApps |
| Allow Developer Unlock | Explicit deny. | Block developing Microsoft Store apps or installing them directly from an IDE. | ApplicationManagement/AllowDeveloperUnlock |
| Allow Shared User App Data | Block | Windows app can't share app data with other instances of that app. | ApplicationManagement/AllowSharedUserAppData |
| Turn off the Store application | Enabled | Access to the Store application is denied. | ADMX_WindowsStore/RemoveWindowsStore_2 |
| Allow Hibernate | Block | Windows 11 only | Power/AllowHibernate |
| Energy Saver Battery Threshold On Battery | 50 | Energy Saver will be automatically turned on at (and below) the specified level. | Power/EnergySaverBatteryThresholdOnBattery |
| Energy Saver Battery Threshold Plugged In | 40 | Energy Saver will be automatically turned on at (and below) the specified level. | Power/EnergySaverBatteryThresholdPluggedIn |
| Select Lid Close Action On Battery | Sleep | Power/SelectLidCloseActionOnBattery | |
| Select Lid Close Action Plugged In | Sleep | Power/SelectLidCloseActionPluggedIn | |
| Select Power Button Action On Battery | Sleep | Power/SelectPowerButtonActionOnBattery | |
| Select Power Button Action Plugged In | Sleep | Power/SelectPowerButtonActionPluggedIn | |
| Select Sleep Button Action On Battery | Sleep | Power/SelectSleepButtonActionOnBattery | |
| Select Sleep Button Action Plugged In | Sleep | Power/SelectSleepButtonActionPluggedIn | |
| Turn Off Hybrid Sleep On Battery | hybrid sleep | A hiberfile isn't generated when the system transitions to sleep (Stand By). | Power/TurnOffHybridSleepOnBattery |
| Turn Off Hybrid Sleep Plugged In | hybrid sleep | A hiberfile isn't generated when the system transitions to sleep (Stand By). | Power/TurnOffHybridSleepPluggedIn |
| Unattended Sleep Timeout On Battery | 3600 | How much idle time (seconds) should elapse before Windows automatically transitions to sleep when left unattended. | Power/UnattendedSleepTimeoutOnBattery |
| Unattended Sleep Timeout Plugged In | 3600 | How much idle time (seconds) should elapse before Windows automatically transitions to sleep when left unattended. | Power/UnattendedSleepTimeoutPluggedIn |
| Allow Add Provisioning Package | Allow | Allow the runtime configuration agent to install provisioning packages. | Security/AllowAddProvisioningPackage |
| Allow Remove Provisioning Package | Allow | Allow the runtime configuration agent to remove provisioning packages. | Security/AllowRemoveProvisioningPackage |
| Allow Date Time | Block | Block the user from changing date and time settings. | Settings/AllowDateTime |
| Allow Language | Block | Block the user from changing the language settings. | Settings/AllowLanguage |
| Allow Power Sleep | Block | Block the user from changing power and sleep settings. | Settings/AllowPowerSleep |
| Allow Region | Block | Block the user from changing the region settings. | Settings/AllowRegion |
| Enable Shared PC Mode | False | SharedPC/EnableSharedPCMode | |
| Restrict Local Storage | False | SharedPC/RestrictLocalStorage | |
| Set Edu Policies | true | Windows 10 configuration recommendations for education customers | SharedPC/SetEDUpolicies |
| Allow End Task | Block | TaskManager/AllowEndTask | |
| Allow Auto Connect To Wi Fi Sense Hotspots | Block | Wifi/AllowAutoConnectToWiFiSenseHotspots | |
| Allow Internet Sharing | Block | Wifi/AllowInternetSharing | |
| Hide Fast User Switching | Enabled | WindowsLogon/HideFastUserSwitching | |
| Disable Automatic Re Deployment Credentials | Disabled | Enables local Autopilot Reset | CredentialProviders/DisableAutomaticReDeploymentCredentials |
| Configure Chat Icon | Disabled | Configures the Teams Chat icon on the taskbar for Windows 11 | Experience/ConfigureChatIcon |