As an admin managing your organization's Microsoft Windows 10 or 11 devices with Google's Windows device management, you can add custom settings in the Google Admin console. Use this article as a reference for many common settings. To learn how to add the settings in the Admin console, go to Add, edit, or delete custom settings for Windows 10 or 11 devices.
Note: The following information is provided for your convenience and reference, but Microsoft might change the behavior of these settings.
Before you apply these settings
- Google does not provide technical support for or accept responsibility for third-party products or settings. Consult the product's website for the latest configuration and support information.
- Confirm the scope, editions, and applicable OS.
- Review the Microsoft documentation. Links are provided in the following setting descriptions under Name.
- Test the behavior before you apply these settings in production.
Device management
Block users from unenrolling a device
Name: AllowManualMDMUnenrollment
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Experience/AllowManualMDMUnenrollment
Data type: Integer
Value: 0 = Block unenrollment by users, 1 = Allow users to unenroll (default).
Note: When set to 0, even user accounts with local admin access can't unenroll the device. To unenroll a device when set to 0, use the Admin console. Learn how
Security
Block users from changing VPN settings
Name: AllowVPN
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Settings/AllowVPN
Data type: Integer
Value: 0 = Block user changes to VPN settings, 1 = Allow users to change VPN settings (default)
Control user access to Settings
Name: PageVisibilityList
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Settings/PageVisibilityList
Data type: String
Value: Specify the page to show or hide, by using the prefixes showonly: or hide:. For example, to hide VPN settings, use hide:network-vpn. Default is an empty string, which shows all pages.
For a complete list of pages you can show or hide, go to the Microsoft reference. Enter only the second part of the page URI, not the ms-settings: prefix.
Block users from changing Autoplay settings
Name: AllowAutoPlay
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Settings/AllowAutoPlay
Data type: Integer
Value: 0 = Block user changes, 1 = Allow users to change Autoplay settings (default)
Automatically lock a device after it's idle for a set time (in minutes)
To set a timeout, you must also explicitly turn on device lock:
- Set the idle timeout:
Name: MaxInactivityTimeDeviceLock
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaxInactivityTimeDeviceLock
Data type: Integer
Value: 0–999, 0 = No timeout (default)
- Turn on device lock.
Block users from connecting remotely with Remote Desktop
Name: AllowUsersToConnectRemotely
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/AllowUsersToConnectRemotely
Data type: String
Value: To block Remote Desktop access, enter <disabled />.
Set Attack Surface Reduction rules
Name: AttackSurfaceReductionRules
OMA-URI: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
Data type: String
Value: A list of rule GUIDs and their values, with the format {GUID-1}=value|{GUID-2}=value|...{GUID-N}=value. The value can be 0 = Disable, 1 = Block, or 2 = Audit.
For example, to enforce the following rules:
- Block executable content from email client and webmail
- Block Office applications from injecting code into other processes
enter {BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1|{75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=1
For a complete list of rules and their GUIDs, see the Microsoft documentation.
To confirm the policy is working as intended on a device, you can use Microsoft's Attack Surface Reduction demo scenarios on that device and track the device response in the Event Viewer app. Learn more
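The value string is easy to mistype, so it helps to check it before pasting it into the Admin console. The following is an added example, not part of the original article or of any Google or Microsoft tool: it parses the {GUID}=value|... format described above and can rewrite a rule list to Audit for a pilot rollout. The function names parse_asr_rules and audit_only are hypothetical.

```python
import re

# Values the article defines for each rule.
ACTIONS = {"0": "Disable", "1": "Block", "2": "Audit"}

# One entry: a braced GUID in 8-4-4-4-12 hex form, "=", then the value.
_ENTRY = re.compile(
    r"^\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}=(.*)$"
)


def parse_asr_rules(value):
    """Parse '{GUID-1}=value|{GUID-2}=value' into {GUID: action name}.

    Raises ValueError for stray whitespace, malformed GUIDs, values other
    than 0, 1 or 2, and rules that are listed twice.
    """
    if value != value.strip():
        raise ValueError("leading or trailing whitespace")
    rules = {}
    for entry in value.split("|"):
        match = _ENTRY.match(entry)
        if not match:
            raise ValueError(f"malformed entry: {entry!r}")
        guid, action = match.group(1).upper(), match.group(2)
        if action not in ACTIONS:
            raise ValueError(f"{guid}: value must be 0, 1 or 2, got {action!r}")
        if guid in rules:
            raise ValueError(f"duplicate rule: {guid}")
        rules[guid] = ACTIONS[action]
    return rules


def audit_only(value):
    """Return the rule list with every Block rule switched to Audit (2)."""
    parts = []
    for guid, action in parse_asr_rules(value).items():
        new_value = "0" if action == "Disable" else "2"
        parts.append("{" + guid + "}=" + new_value)
    return "|".join(parts)
```

Running the audit_only output in a test organizational unit first lets you review the Event Viewer entries before switching the same rules to Block.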
Require a device password & turn on device lock
Not supported on devices that use Google Credential Provider for Windows (GCPW). Instead, set password requirements in the Admin console. Learn more
Name: DevicePasswordEnabled
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled
Data type: Integer
Value: 0 = enabled (default), 1 = disabled
When you turn on device lock, Microsoft applies some password requirements. We recommend that you review the setting documentation.
Prevent slideshows from playing on the lock screen
Name: PreventLockScreenSlideShow
OMA-URI: ./Vendor/MSFT/Policy/Config/DeviceLock/PreventLockScreenSlideShow
Data type: String
Value: To prevent a slideshow from playing on the lock screen, enter <enabled /> (case sensitive).
Hardware and network
Set Wi-Fi profiles
Name: WlanXml
OMA-URI: ./Vendor/MSFT/WiFi/Profile/<Enter SSID>/WlanXml
Replace <Enter SSID> with the name of the Wi-Fi network
Data type: String (XML)
Value: Upload an XML file with the following format. You can create the XML file from an existing Wi-Fi connection, or edit the following sample template. Update the network parameters as required, such as the following:
- SSID (in <name>)—Enter the name of the Wi-Fi network.
- Password (in <keyMaterial>)—If you use a password for authentication, enter the Wi-Fi password. If you use a different type of authentication, learn how to format it in WLAN_profile Schema Elements.
- In <connectionMode>, enter auto to automatically connect the device to the Wi-Fi network, or enter manual to require the user to manually connect.
For more parameter details and options, review the Microsoft documentation on WLAN_profile Schema Elements.
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>SSID</name>
  <SSIDConfig>
    <SSID>
      <name>SSID</name>
    </SSID>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2PSK</authentication>
        <encryption>AES</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>passPhrase</keyType>
        <protected>false</protected>
        <keyMaterial>Password</keyMaterial>
      </sharedKey>
    </security>
  </MSM>
</WLANProfile>
Disable the camera
Name: AllowCamera
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Camera/AllowCamera
Data type: Integer
Value: 0 = Disable camera, 1 = Enable camera (default)
Disable USB drives & SD cards
Name: AllowStorageCard
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/System/AllowStorageCard
Data type: Integer
Value: 0 = Disable USB drives and block SD card use, 1 = Enable USB drives and allow SD cards (default)
Disable Bluetooth advertisements
Name: AllowAdvertising
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Bluetooth/AllowAdvertising
Data type: Integer
Value: 0 = Disable advertising. The device can't be discovered by Bluetooth devices. 1 = Enable advertising. The device can be discovered by Bluetooth devices (default).
Disable Bluetooth
Name: AllowBluetooth
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowBluetooth
Data type: Integer
Value: 0 = Disable Bluetooth, 2 = Enable Bluetooth (default)
Block write access to removable disks
Name: RemovableDiskDenyWriteAccess
OMA-URI: ./[Device|User]/Vendor/MSFT/Policy/Config/Storage/RemovableDiskDenyWriteAccess
Data type: Integer
Value: 0 = Allow write access to removable disks (default), 1 = Block write access to removable disks
Block users from adding printers
Name: PreventAddingNewPrinters
OMA-URI: ./User/Vendor/MSFT/Policy/Config/Education/PreventAddingNewPrinters
Data type: Integer
Value: 0 = Allow user to add printers (default), 1 = Disable adding printers and scanners
Software
Disable Cortana
Name: AllowCortana
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Experience/AllowCortana
Data type: Integer
Value: 0 = Disable Cortana, 1 = Enable Cortana (default)
Block Windows spotlight notifications in the Action Center
Name: AllowWindowsSpotlight
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight
Data type: Integer
Value: 0 = Disable spotlight notifications, 1 = Enable spotlight notifications (default)
Automatically put a device to sleep after it's idle for a set time
Policy name: StandbyTimeoutOnBattery
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Power/StandbyTimeoutOnBattery
Data type: SyncML XML file
Value: If disabled or unconfigured, users control the setting.
Block non-Microsoft Store apps
Name: AllowAllTrustedApps
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/AllowAllTrustedApps
Data type: Integer
Value: 0 = Block non-Microsoft Store apps, 1 = Allow all apps, 65535 = Not configured (default)
Disable OneDrive
Name: DisableOneDriveFileSync
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/System/DisableOneDriveFileSync
Data type: Integer
Value: 0 = Allow access to OneDrive file storage (default), 1 = Block access to OneDrive file storage
Block advanced gaming services
Advanced gaming services might send data to Microsoft or the publishers of the games.
Name: AllowAdvancedGamingServices
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Games/AllowAdvancedGamingServices
Data type: Integer
Value: 0 = Block advanced gaming services, 1 = Allow advanced gaming services (default)
Block all unsigned applications or specific applications
Name: Policy (part of the AppLocker CSP)
OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/<Enter Grouping>/[EXE | StoreApps | MSI | Script | DLL]/Policy
Data type: String (XML)
Value: An XML file that specifies the application and the groups or users the policy applies to. For instructions, see Block applications with custom settings.
Block Microsoft Store apps
Name: DisableStoreOriginatedApps
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/DisableStoreOriginatedApps
Data type: Integer
Value: 0 = Allow all apps from the Microsoft Store (pre-installed or downloaded) to run (default), 1 = Block running apps from the Microsoft Store
Allow only apps from your organization's private store in Microsoft Store
Name: RequirePrivateStoreOnly
OMA-URI: ./Device/Vendor/MSFT/Policy/ApplicationManagement/RequirePrivateStoreOnly
Data type: Integer
Value: 0 = Allow access to apps in both the public and private store (default), 1 = Block access to the public store and allow access only to the private store
Force the location service on or off
Name: AllowLocation
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/System/AllowLocation
Data type: Integer
Value: 0 = Force location off. No apps can access the Location service and users can't change the setting. 1 = Let users set Location Privacy settings for each app (default). 2 = Force location on. All apps can access the Location service and users can't change the setting or grant consent.
Block screen capture, recording & broadcast through Game DVR
Name: AllowGameDVR
OMA-URI: ./Device/Vendor/MSFT/Policy/ApplicationManagement/AllowGameDVR
Data type: Integer
Value: 0 = Block Game Bar, 1 = Allow Game Bar (default)
Personalization
Set the desktop image
Name: DesktopImageUrl
OMA-URI: ./Vendor/MSFT/Personalization/DesktopImageUrl
Data type: String
Value: The URL of an image, such as https://www.mycompany.com/desktopimage.JPG or file:///c:/images/desktopimage.jpg.
Set the lock screen image
Name: LockScreenImageUrl
OMA-URI: ./Vendor/MSFT/Personalization/LockScreenImageUrl
Data type: String
Value: The URL of an image, such as https://www.mycompany.com/desktopimage.JPG or file:///c:/images/desktopimage.jpg.
Privacy
Skip the privacy settings setup screen
Name: DisablePrivacyExperience
OMA-URI: ./Device/Vendor/MSFT/Policy/Privacy/DisablePrivacyExperience
Data type: Integer
Value: 0 = Show the privacy settings setup screen when users sign in for the first time or after an upgrade (default), 1 = Don't show privacy settings setup. If you set privacy settings for devices in your organization by policies, you might want to skip this screen, which prompts users to change the settings.
Block online speech recognition for all apps
Name: AllowInputPersonalization
OMA-URI: ./Device/Vendor/MSFT/Policy/Privacy/AllowInputPersonalization
Data type: Integer
Value: 0 = Block speech recognition for dictation, Cortana, and other apps that use Microsoft's speech recognition. 1 = Let users turn online speech recognition on or off (default).
Disable advertising ID
Name: DisableAdvertisingId
OMA-URI: ./Device/Vendor/MSFT/Policy/Privacy/DisableAdvertisingId
Data type: Integer
Value: 0 = Disable advertising ID, 1 = Enable advertising ID and block users from disabling, 65535 = Not configured and user has control (default)
Block updates to the activity feed
Name: EnableActivityFeed
OMA-URI: ./Device/Vendor/MSFT/Policy/Privacy/EnableActivityFeed
Data type: Integer
Value: 0 = Block apps from publishing device activity to the activity feed and sending it to Microsoft, 1 = Allow apps to update the activity feed (default)
Block access to location for Windows apps
Name: LetAppsAccessLocation
OMA-URI: ./Device/Vendor/MSFT/Policy/Privacy/LetAppsAccessLocation
Data type: Integer
Value: 0 = Let users control (default), 1 = Force allow location access for Windows apps, 2 = Force block location access for Windows apps
Note: AllowLocation takes precedence over LetAppsAccessLocation.