Local Accounts (Windows 10) – Windows security | Microsoft Learn
Intune may support more settings than the settings listed in this article. To see the settings you can configure, create a device configuration profile, and select Settings Catalog.
For more information, see the settings catalog. This article describes some of the settings you can control on Windows 10 and newer devices. As part of your mobile device management (MDM) solution, use these settings to allow or disable features, set password rules, customize the lock screen, use Microsoft Defender, and more.
These settings are added to a device configuration profile in Intune, and then assigned or deployed to your Windows 10 devices. Some settings are only available on specific Windows editions, such as Enterprise. To see the supported editions, refer to the policy CSPs (opens another Microsoft web site). In a Windows 10 device restrictions profile, most configurable settings are deployed at the device level using device groups.
Policies deployed to user groups apply to targeted users. The policies also apply to users who have an Intune license, and users that sign in to that device. Create a Windows 10 device restrictions profile. App store (mobile only) : Block prevents users from accessing the app store on mobile devices. When set to Not configured (default), Intune doesn’t change or update this setting.
By default, the OS might allow users access to the app store. Auto-update apps from store : Block prevents updates from being automatically installed from the Microsoft Store. By default, the OS might allow apps installed from the Microsoft Store to be automatically updated. Trusted app installation : Choose if non-Microsoft Store apps can be installed, also known as sideloading. Sideloading is installing, and then running or testing, an app that isn’t certified by the Microsoft Store.
For example, an app that is internal to your company only. Your options:
Developer unlock : Allow Windows developer settings, such as allowing sideloaded apps to be modified by users.
Enable your device for development has more information on this feature. Shared user app data : Allow to share application data between different users on the same device and with other instances of that app. By default, the OS might prevent sharing data with other users and other instances of the same app.
Use private store only : Allow only allows apps to be downloaded from a private store, and not downloaded from the public store, including a retail catalog. By default, the OS might allow apps to be downloaded from a private store and a public store.
Store originated app launch : Block disables all apps that were pre-installed on the device, or downloaded from the Microsoft Store. By default, the OS might allow these apps to open. Install app data on system volume : Block stops apps from storing data on the system volume of the device.
By default, the OS might allow apps to store data on the system disk volume. Install apps on system drive : Block prevents apps from installing on the system drive of the device. By default, the OS might allow apps to install on the system drive.
By default, the OS might allow recording and broadcasting of games. Apps from store only : This setting determines the user experience when users install apps from places other than the Microsoft Store. It doesn’t prevent installation of apps from USB devices, network shares, or other non-internet sources.
Use a trustworthy browser to help make sure these protections work as expected. User control over installations : Block prevents users from changing the installation options typically reserved for system administrators, such as entering the directory to install the files. By default, Windows Installer might prevent users from changing these installation options, and some of the Windows Installer security features are bypassed.
Install apps with elevated privileges : Block directs Windows Installer to use elevated permissions when it installs any program on the system. These privileges are extended to all programs.
By default, the system might apply the current user’s permissions when it installs programs that a system administrator doesn’t deploy or offer. Startup apps : Enter a list of apps to open after a user signs in to the device. For this policy to work, the manifest in the Windows apps must use a startup task. Cellular data channel : Choose if users can use data, like browsing the web, when connected to a cellular network.
Data roaming : Block prevents cellular data roaming on the device. By default, when accessing data, roaming between networks might be allowed. VPN over the cellular network : Block prevents the device from accessing VPN connections when connected to a cellular network. VPN roaming over the cellular network : Block stops the device from accessing VPN connections when roaming on a cellular network.
By default, the OS might allow the connected devices service, which enables discovery and connection to other Bluetooth devices. Wi-Fi : Block prevents users from enabling, configuring, and using Wi-Fi connections on the device. By default, the OS might allow Wi-Fi connections. Automatically connect to Wi-Fi hotspots : Block prevents devices from automatically connecting to Wi-Fi hotspots. By default, the OS might let devices automatically connect to free Wi-Fi hotspots, and automatically accept any terms and conditions for the connection.
Wi-Fi scan interval : Enter how often devices scan for Wi-Fi networks. Enter a value from 1 (most frequent) to the maximum (least frequent). Default is 0 (zero). Bluetooth : Block prevents users from enabling Bluetooth. Not configured (default) allows Bluetooth on the device. Bluetooth discoverability : Block prevents the device from being discoverable by other Bluetooth-enabled devices. By default, the OS might allow other Bluetooth-enabled devices, such as a headset, to discover the device.
Bluetooth pre-pairing : Block prevents specific Bluetooth devices from automatically pairing with the host device. By default, the OS might allow automatic pairing with the host device. Bluetooth advertising : Block prevents the device from sending out Bluetooth advertisements. By default, the OS might allow the device to send out Bluetooth advertisements. Bluetooth proximal connections : Block prevents a device user from using Swift Pair and other proximity scenarios.
ServicesAllowedList usage guide has more information on the service list. These settings use the accounts policy CSP, which also lists the supported Windows editions.
Blocking or disabling these Microsoft account settings can impact enrollment scenarios that require users to sign in to Azure AD. For example, you’re using AutoPilot pre-provisioned (previously called white glove). Typically, users are shown an Azure AD sign-in window. Instead, users are asked to accept the EULA, and create a local account, which may not be what you want.
Not configured (default) : Intune doesn’t change or update this setting. Disabled : Sets the Microsoft Sign-in Assistant service (wlidsvc) to Disabled, and prevents users from manually starting it.
Disabled may also affect some enrollment scenarios that rely on users to complete the enrollment. For example, you’re using AutoPilot pre-provisioned. When set to Disabled, the Azure AD sign-in option may not show. After you set up Windows Server Hybrid Cloud Print, you can configure these settings, and then deploy them to your Windows devices. System : Block prevents access to the System area of the Settings app. Devices : Block prevents access to the Devices area of the Settings app on the device.
Personalization : Block prevents access to the Personalization area of the Settings app on the device. Apps : Block prevents access to the Apps area of the Settings app on the device. Accounts : Block prevents access to the Accounts area of the Settings app on the device.
System Time modification : Block prevents users from changing the date and time settings on the device. By default, users can change these settings. Region settings modification (desktop only) : Block prevents users from changing the region settings on the device. Language settings modification (desktop only) : Block prevents users from changing the language settings on the device.
Settings policy CSP. Gaming : Block prevents access to the Gaming area of the Settings app on the device. Privacy : Block prevents access to the Privacy area of the Settings app on the device. These settings use the display policy CSP, which also lists the supported Windows editions.
For example, enter filename. These settings use the experience policy CSP, which also lists the supported Windows editions. Screen capture (mobile only) : Block prevents users from getting screenshots on the device. Copy and paste (mobile only) : Block prevents users from using copy-and-paste between apps on the device. Manual unenrollment : Block prevents users from deleting the workplace account using the workplace control panel on the device.
This policy setting doesn’t apply if the computer is Azure AD joined and auto-enrollment is enabled. Manual root certificate installation mobile only : Block prevents users from manually installing root certificates, and intermediate CAP certificates. Camera : Block prevents users from using the camera on the device.
Transited services indicate which intermediate services have participated in this logon request. Package name indicates which sub-protocol was used among the NTLM protocols. Key length indicates the length of the generated session key. This will be 0 if no session key was requested. An account was successfully logged on.
CachedInteractive : logon with cached domain credentials, such as when logging on to a laptop when away from the network.
Anonymous : COM impersonation level that hides the identity of the caller. Delegate : COM impersonation level that allows objects to permit other objects to use the credentials of the caller.
By default, the OS might allow access to the device camera. Camera CSP. OneDrive file sync : Block prevents users from synchronizing files to OneDrive from the device. Removable storage : Block prevents users from using external storage devices, like USB drives or SD cards, with the device.
Geolocation : Block prevents users from turning on location services on the device. Internet sharing : Block prevents Internet connection sharing on the device. Phone reset : Block prevents users from wiping or doing a factory reset on the device. Changing this policy doesn’t affect USB charging.
USB charging isn’t affected by this setting. AntiTheft mode (mobile only) : Block prevents users from selecting the AntiTheft mode preference on the device. Cortana : Block disables the Cortana voice assistant on the device. When Cortana is off, users can still search to find items on the device. By default, the OS might allow Cortana. Voice recording (mobile only) : Block prevents users from using the device voice recorder on the device. By default, the OS might allow voice recording for apps. Device name modification (mobile only) : Block prevents users from changing the name of the device.
Add provisioning packages : Block prevents the runtime configuration agent that installs provisioning packages on the device. Remove provisioning packages : Block prevents the runtime configuration agent that removes provisioning packages from the device. Device discovery : Block prevents the device from being discovered by other devices. Task Switcher (mobile only) : Block prevents task switching on the device. By default, the OS might show the error messages.
The device is automatically reconfigured and re-enrolled into management. By default, the OS might prevent this feature. Require users to connect to network during device setup : Choose Require so the device connects to a network before going past the Network page during Windows setup.
By default, the OS might allow users to go past the Network page, even if it’s not connected to a network. The setting becomes effective the next time the device is wiped or reset. Like any other Intune configuration, the device must be enrolled and managed by Intune to receive configuration settings. But once it’s enrolled, and receiving policies, then resetting the device enforces the setting during the next Windows setup.
TenantLockdown CSP. Enabled (default) allows access to DMA, even when a user isn’t signed in. End processes from Task Manager : This setting determines whether non-administrators can use Task Manager to end tasks. Block prevents standard users (non-administrators) from using Task Manager to end a process or task on the device. By default, the OS might allow standard users to end a process or task using Task Manager.
Action center notifications mobile only : Block prevents Action Center notifications from showing on the device lock screen. By default, the OS might allow users to choose which apps show notifications on the lock screen.
This setting locks the image, and can’t be changed afterwards. User configurable screen timeout mobile only : Allow lets users configure the screen timeout. By default, the OS might not give users this option. Cortana on locked screen desktop only : Block prevents users from interacting with Cortana when the device is on the lock screen. By default, the OS might allow interaction with Cortana. Toast notifications on locked screen : Block prevents toast notifications from showing on the device lock screen.
By default, the OS might allow these notifications. Screen timeout mobile only : Set the duration in seconds from the screen locking to the screen turning off. Supported values are For example, enter to set this timeout to 5 minutes. These settings use the messaging policy CSP , which also lists the supported Windows editions. These settings use the browser policy CSP , which also lists the supported Windows editions. For more information on what these options do, see Microsoft Edge kiosk mode configuration types.
This device restrictions profile is directly related to the kiosk profile you create using the Windows kiosk settings. To summarize: Create the Windows kiosk settings profile to run the device in kiosk mode.
Create the device restrictions profile described in this article, and configure specific features and settings allowed in Microsoft Edge. Be sure to choose the same Microsoft Edge kiosk mode type as selected in your kiosk profile Windows kiosk settings.
Supported kiosk mode settings is a great resource. Be sure to assign this Microsoft Edge profile to the same devices as your kiosk profile Windows kiosk settings.
Allow user to change start pages : Yes (default) lets users change the start pages. Administrators can use the EdgeHomepageUrls setting to enter the start pages that users see by default when they open Microsoft Edge.
No blocks users from changing the start pages. Users can change it. When set to No , Microsoft Edge opens a new tab with a blank page. Users can’t change it. Home button : Choose what happens when the home button is selected. Allow users to change home button : Yes lets users change the home button. User changes override any administrator settings to the home button. No stops the introduction page from showing the first time you run Microsoft Edge.
This feature allows enterprises, such as organizations enrolled in zero emissions configurations, to block this page. Refresh browser after idle time : Enter the number of idle minutes until the browser is refreshed, from minutes. Default is 5 minutes. When set to 0 zero , the browser doesn’t refresh after being idle.
This setting is only available when running in InPrivate Public browsing (single-app kiosk). Allow pop-ups (desktop only) : Yes (default) allows pop-ups in the web browser. No prevents pop-up windows in the browser. This setting is for backwards compatibility.
No (default) allows users to use Microsoft Edge. Users can’t change this list. Message when opening sites in Internet Explorer : Use this setting to configure Microsoft Edge to show a notification before a site opens in Internet Explorer. This setting requires you to use the Enterprise mode site list location setting, the Send intranet traffic to Internet Explorer setting, or both settings.
Allow Microsoft compatibility list : Yes default allows using a Microsoft compatibility list. No prevents the Microsoft compatibility list in Microsoft Edge. This list from Microsoft helps Microsoft Edge properly display sites with known compatibility issues.
Preload start pages and New Tab page : Yes default uses the OS default behavior, which may be to preload these pages. Preloading minimizes the time to start Microsoft Edge, and load new tabs. No prevents Microsoft Edge from preloading start pages and the new tab page. Prelaunch Start pages and New Tab page : Yes default uses the OS default behavior, which may be to prelaunch these pages. Pre-launching helps the performance of Microsoft Edge, and minimizes the time required to start Microsoft Edge.
No prevents Microsoft Edge from pre-launching the start pages and new tab page. Show Favorites bar : Choose what happens to the favorites bar on any Microsoft Edge page. Allow changes to favorites : Yes default uses the OS default, which allows users to change the list. No prevents users from adding, importing, sorting, or editing the Favorites list.
Additions, deletions, modifications, and order changes to favorites are shared between browsers. No default uses the OS default, which may give users the choice to sync favorites between the browsers. Default search engine : Choose the default search engine on the device. Users can change this value at any time. Show search suggestions : Yes default lets your search engine suggest sites as you type search phrases in the address bar.
No prevents this feature. Allow changes to search engine : Yes default allows users to add new search engines, or change the default search engine in Microsoft Edge. Choose No to prevent users from customizing the search engine.
This setting is only available when running in Normal mode (multi-app kiosk). After closing all InPrivate tabs, Microsoft Edge deletes the browsing data from the device.
No prevents users from opening InPrivate browsing sessions. Save browsing history : Yes (default) allows saving the browsing history in Microsoft Edge. No prevents saving the browsing history. Clear browsing data on exit (desktop only) : Yes clears the history and browsing data when users exit Microsoft Edge.
No default uses the OS default, which may cache the browsing data. Sync browser settings between user’s devices : Choose how you want to sync browser settings between devices. Allow Password Manager : Yes default allows Microsoft Edge to automatically use Password Manager, which allows users to save and manage passwords on the device.
No prevents Microsoft Edge from using Password Manager. Allow Autofill in forms : Yes default allows users to change autocomplete settings in the browser, and populate form fields automatically.
No disables the Autofill feature in Microsoft Edge. Send do-not-track headers : Yes sends do-not-track headers to websites requesting tracking info recommended. No default doesn’t send headers that allow websites to track the user. Users can configure this setting. No prevents users’ localhost IP address from being shown.
Allow live tile data collection : Yes default allows Microsoft Edge to collect information from Live Tiles pinned to the start menu. No prevents collecting this information, which may provide users with a limited experience. Allow Microsoft Edge browser mobile only : Yes default allows using the Microsoft Edge web browser on the mobile device. No prevents using Microsoft Edge on devices.
If you choose No , the other individual settings only apply to desktop. Allow address bar dropdown : Yes default allows Microsoft Edge to show the address bar drop-down with a list of suggestions.
No stops Microsoft Edge from showing a list of suggestions in a drop-down list when you type. When set to No , you:. Allow full screen mode : Yes default allows Microsoft Edge to use fullscreen mode, which shows only the web content and hides the Microsoft Edge UI.
No prevents fullscreen mode in Microsoft Edge. Allow about flags page : Yes default uses the OS default, which may allow accessing the about:flags page. The about:flags page allows users to change developer settings and enable experimental features. No prevents users from accessing the about:flags page in Microsoft Edge. Allow developer tools : Yes default allows users to use the F12 developer tools to build and debug web pages by default.
No prevents users from using the F12 developer tools. No prevents JavaScript in the browser from running. User can install extensions : Yes (default) allows users to install Microsoft Edge extensions on devices. No prevents the installation. Allow sideloading of developer extensions : Yes (default) uses the OS default, which may allow sideloading.
Sideloading installs and runs unverified extensions. No prevents Microsoft Edge from sideloading using the Load extensions feature. It doesn’t prevent sideloading extensions using other ways, such as PowerShell. Required extensions : Choose which extensions can’t be turned off by users in Microsoft Edge. Enter the package family names, and select Add.
You can also Import a CSV file that includes the package family names. Or, Export the package family names you enter. Automatically detect proxy settings : Block disables devices from automatically detecting a proxy auto config (PAC) script. By default, the OS might not let you manually enter details of a proxy server.
Password : Require forces users to enter a password to access the device. By default, the OS might allow access to devices without a password. Applies to local accounts only.
Minimum password length : Enter the minimum number of characters required, from For example, enter 6 to require at least six characters in the password length. By default, the OS might set it to 4. When the password requirement is changed on a Windows desktop, users are impacted the next time they sign in, as that’s when the device goes from idle to active. Users with passwords that meet the requirement are still prompted to change their passwords.
Number of sign-in failures before wiping device : Enter the number of wrong passwords allowed before the device is wiped, up to
A common use of loopback processing is on terminal servers: Users are logging into a server and you need specific user settings applied when they log into only those servers.
The gpresult command displays Group Policy information for a remote user and computer. In addition, it breaks down how long it takes to process the GPO. This command is available only in Windows 10 and Windows Server. Configure daily or weekly backup of policies using PowerShell scripting or a third-party solution so that in case of configuration errors, you can always restore your settings. You can block all access to the Control Panel or allow limited access to specific users using the following policies:
Removable media can be dangerous. If someone plugs an infected drive into your system, it can unleash malware into the whole network. You can also disable DVDs, CDs and even floppy drives if you want, but the primary concern is removable drives. Driver updates can cause serious problems for Windows users: They can cause Windows errors, performance drops or even the dreaded blue screen of death (BSOD). However, you must specify the hardware IDs of the devices you want to stop updates on.
You can find this information in Device Manager. The command prompt is very useful for system administrators, but in the wrong hands it can turn into a nightmare, because it gives users the opportunity to run commands that could harm your network. If your Windows Update is turned on, you probably know that Windows pushes you to reboot the system after updating. You can use Group Policy settings to permanently disable these forced restarts.
There are many ways you can block users from installing new software on their system. Doing this reduces maintenance work and helps avoid the cleanup required when something bad is installed. NTLM is used for computers that are members of a workgroup and local authentication.
NTLM has a lot of known vulnerabilities and uses weaker cryptography, so it is very vulnerable to brute-force attacks. You should disable NTLM authentication in your network using Group Policy to allow only Kerberos authentication, but first ensure that both Microsoft and third-party applications in your network do not require NTLM authentication.
However, even for the policies listed above, it is better to use separate GPOs.