Now Loading
Logo Image

Proget Console

Home  /  Proget Console  /  Administrator guide  /  Policies  /  Windows

Windows

Password
Password required
  • Policy defines requirements for device password. Once done, the user must set the device password.
    • Password length
  • The policy defines the minimum length of the password used on the device.
    • Password expiration (in days)
  • Policy defines how long the password may be used and sets the time for the user to change the password on the device.
    • Max inactive time (in minutes)
  • Policy defines user inactive time duration, then blanks the screen and blocks the device with the current password.
    • Number of attempts to unlock
  • Policy defines the number of incorrect password attempts. After exceeding the allowable attempts, the device will reboot.
    • Apps
    Allow using Cortana
  • Policy defines the use of Cortana voice assistant with the device.
    • BitLocker
    Turn on device encryption
  • Enable BitLocker – a solution that enables cryptographic data protection on disks, built into Microsoft operating systems.
    • Configure encryption methods for disk drives
  • This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.
    • Prompt for device encryption
  • Enable the option “Prompt for device encryption” to prompt users to encrypt the OS drive.
    • Allow standard user encryption
  • The policy allows enforcing device encryption policies in scenarios where the settings are pushed when the current logged in user is an Azure AD administrator account other than the administrator / standard user. This policy is only supported on Azure AD accounts.
    • Configure recovery options for fixed drives
  • This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.
    • Fixed drives require encryption
  • If you enable this setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
    • Configure encryption methods for fixed drives
  • For fixed and operating system drives, we recommend XTS-AES algorithm.
    • Save BitLocker info on fixed data drives to Azure AD DS.
    Use data recovery agents with BitLocker – fixed data drives
  • Data recovery agents are granted rights to decrypt data encrypted by other users as their PKI certificates have been used to create a BitLocker key protector. They can thus use their credentials to unlock BitLocker-protected drives.
    • Hide recovery options from BitLocker setup wizard
  • Prevent user from specifying recovery options when he turn on BitLocker on a drive.
    • Disable BitLocker until fixed data drive recovery information is stored on Azure AD DS
  • Prevent user from enabling BitLocker unless the computer in connected to the domain and the backup of Bitlocker recovery information to Azure AD DS succeeds.
    • Select recovery information to be stored on Azure AD DS
    Generate recovery key
  • The 256-bit recovery key is system-generated and is stored on an external USB drive.
    • Generate recovery password
  • The 48 digit recovery password is system generated and it has to be either printed or stored on an external USB drive.
    • Removable drives require encryption
  • If you enable this setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
    • Configure encryption methods for removable drives
  • For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511.
    • Configure encryption methods for operating system drives
  • For operating system drives, we recommend XTS-AES algorithm.
    • Minimum length for BitLocker startup PIN
  • This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. The startup PIN must have a minimum length of 6 to 20 digits.
    • Configure the pre-boot recovery message
    Custom recovery message and URL
    Configure recovery options for system drives
  • Choose how BitLocker-protected operating system drives can be recovered.
    • Save BitLocker info on OS drives to Azure AD DS.
    Use data recovery agents with BitLocker – OS drives
  • Bitlocker data recovery agents are individuals whose public key infrastructure (PKI) certificates have been used to create a BitLocker key protector, so those individuals can use their credentials to unlock BitLocker-protected drives. Bitlocker Data recovery agents can be used to recover BitLocker-protected operating system drives, fixed data drives, and removable data drives.
    • Hide recovery options from BitLocker setup wizard
  • Prevent user from specifying recovery options when BitLocker is turned on on a drive.
    • Disable BitLocker until OS drive recovery information is stored on Azure AD DS
  • Prevent user from enabling BitLocker unless the computer is connected to the domain and the backup of Bitlocker recovery information to Azure AD DS succeeds.
    • Select recovery information to be stored on Azure AD DS
    Generate recovery key
  • The 256-bit recovery key is system-generated and is stored on an external USB drive.
    • Generate recovery password
  • The 48 digit recovery password is system generated and it has to be either printed or stored on an external USB drive.
    • Authenticate with TPM startup pin
  • Requires the entry of a 6 to 20 digit personal identification number (PIN), configured by the user during BitLocker setup.
    • Enable BitLocker without a Trusted Platform Module (TPM)
  • In this mode either a password or a USB key drive is required to unlock Bitlocker-Encrypted PC
    • Authentication with TPM
  • “Required” enables a TPM only mode, wherein encryption keys are stored in the TPM chip. User will have a SSO experience without requiring a PIN or startup key during boot.
    • Authentication with TPM and startup key
  • When using a startup key, the key information used to encrypt the drive is stored on the USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible.
    • Authentication with TPM and PIN
  • Requires the entry of a 6 to 20 digit personal identification number (PIN), configured by the user during BitLocker setup.
    • Authentication with TPM, startup key and PIN
  • Required by default if the system has no TPM.
    • Functionality
    Allow camera
  • The policy allows the use of the camera. If unchecked, the camera will not work in all apps, including the Proget app.
    • Location services
  • Policy specifies whether the device can use location services.
    • Cellular data
  • Policy specifies whether the device can use Cellular data.
    • Allow VPN via Cellular data
  • Policy determines whether VPN on the device can use Cellular data.
    • Cellular data roaming
  • Policy specifies whether the device can use Cellular data while roaming.
    • Allow VPN via Cellular data roaming
  • Policy specifies whether VPN on the device can use Cellular data while roaming.
    • Allow SD cards
  • Policy defines the use of the SD memory card with the device.
    • Allow display of notifications with the screen blocked.
  • Policy defines if the device may display notifications in Notification Panel with the device screen blocked.
    • Allow using Wi-Fi network
  • Policy defines the use of the Wi-Fi network module on the device.
    • Allow Wi-Fi sharing
  • Policy allows sharing of Wi-Fi networks.
    • Allow manual Wi-Fi network configuration
  • Policy defines whether users can enable their own wireless Wi-Fi networks on the device.
    • Allows the user to change date and time settings
  • Policy allows users to change date and time settings on the device.
    • Allow screen capture
  • Policy specifies whether users can capture screenshots or screen recordings on the device.
    • Allow USB debugging
  • Policy defines whether USB debugging is allowed on the device.
    • Allow external storage
  • Policy allows the use of external storage devices such as USB drives or external hard drives.
    • Allow app installation from unknown sources
  • Policy determines whether users can install apps from sources other than the official app store.
    • Allow app removal
  • Policy specifies whether users can uninstall apps from the device.
    • Allow app updates
  • Policy allows apps to be updated automatically or manually by users.
    • Security
    Allow device detection by other equipment using Bluetooth
  • Policy defines whether the device may be detected by other devices using Bluetooth.
    • Allow deletion of “Work” account
  • Policy defines if the work account may be deleted on the device (disconnecting the device from the MDM system).
    • Allow factory reset
  • Policy defines if the user may restore factory settings to the device.
    • Proget app password
  • The password should be entered when uninstalling the Proget application from the user’s device.