Policy Reference

Below you will find an overview of the various policies and their descriptions.

Windows

General

Policy	Description
`Allow password reset on lock screen`	Allows users to change their password directly on the lock screen.
`Enable settings for shared devices`	Activates SharedPC mode, optimized for frequent user changes. Essential for shared devices.
`Restrict login to specific groups`	Restricts login to specific Azure AD groups. Only users of the specified groups can log in to the devices.
`Automatic cleanup of user accounts`	Activates automatic cleanup of user accounts when the client has less than 25% free storage. The oldest profiles are deleted until 20% storage is available again.
`Hide shutdown button`	Hides the shutdown button on the login screen.
`Disable spell check`	Disables Windows spell check.
`Regional settings`	Sets Windows to the desired region (currency, character format, etc.)
`System language`	Sets Windows to the desired system language (only applies to new users)
`Force language for users`	Sets Windows to the desired system language (also applies to existing users)

Applications

Policy	Description
`Remove pre-installed Windows apps`	Removes consumer applications from the Windows device.
`Block Microsoft Store`	Blocks the Microsoft Store. No administrative permissions are required to install apps from the Store, so it should be blocked for students.
`Enable automatic Outlook configuration`	Outlook is automatically configured for the logged-in user.
`Block Cortana`	Blocks Cortana.
`Hide "New Outlook" switch`	Blocks the switch to change to the new Outlook.
`Remove "New Outlook"`	Completely removes the new Outlook app from the device.
`Teams autostart`	Controls the autostart of Microsoft Teams.
`Disable Windows Copilot`	Disables Windows Copilot.

User Interface

Policy	Description
`Block "Add new printer"`	Blocks the ability to manually add new printers.
`Disable news feed`	Blocks the Windows 10 news feed (weather widget in the Start menu).
`Start menu: hide frequently used apps`	Hides the "Frequently used apps" category in the Start menu.
`Desktop background`	Allows setting a desktop background (JPG, JPEG, PNG).
`Enable Windows 11 school mode`	Optimizes the Windows 11 taskbar for schools (Windows 11 school mode and disabling the Windows 11 Chat app).
`Disable Windows Spotlight`	Blocks Windows Spotlight (ads and web content on the start screen and in the Start menu).
`Lock screen background`	Allows setting a lock screen background (JPG, JPEG, PNG).
`Deploy Numiato Start Layout`	Distributes the Numiato Start menu layout with the most important applications.
`Start menu: hide recently added apps`	Hides the "Recently added apps" category in the Start menu.
`Block Windows AI`	Blocks Windows AI features (Recall, Cocreator, and other AI features).
`Block changing mouse pointers`	Blocks customization of the mouse pointer.
`Num Lock auto-enabled`	Enables Num Lock on the keyboard.

Browser

Policy	Description
`Browser homepage`	Allows setting a fixed start page or showing the last opened pages.
`Edge browser optimization`	Optimizes the Edge browser for school use (disabling consumer features).
`YouTube content filter`	Activates the content filter for YouTube. The level can be set. ²
`Block external browser extensions`	Disables the option to use external extensions in the Edge browser.
`Enable Safe Search`	Activates Safe Search in search engines. The level can be set. ¹
`Block Store browser extensions`	Disables the option to use Edge Store extensions in the Edge browser.
`Block Edge notifications`	Blocks Edge browser notifications. This is frequently used for phishing pop-ups.
`Enable browser sync (history, bookmarks, etc.)`	Synchronizes user data in the Edge browser. This allows switching clients without data loss.
`Default search engine`	Select the default search engine for the Edge browser.
`Enable Copilot in Edge`	Enables Copilot in the Edge browser.
`Allowed Edge extensions`	Specifies which extensions may be installed in the Edge browser.

Privacy

Policy	Description
`Send Office diagnostic data`	Sets the level of telemetry data transmission for Office.
`Send Windows diagnostic data`	Sets the level of telemetry data transmission for Windows.
`Allow device location`	Allows Intune to locate devices once every 24 hours. This can be useful for stolen or lost devices.

Power Settings

Policy	Description
`Turn off screen after (seconds)`	Sets after how many seconds the screen should turn off.
`Sleep after (seconds)`	Sets after how many seconds the device should go to sleep.
`Enable power saving mode at (percent)`	Sets at what battery percentage the device should switch to power saving mode.
`Action when closing notebook/tablet lid (battery)`	Sets what happens when the notebook lid is closed while on battery.
`Action when closing notebook/tablet lid (AC power)`	Sets what happens when the notebook lid is closed while on AC power.

Device Registration

Policy	Description
`Block removal of Intune enrollment`	Blocks the device from being removed from Intune in Windows Settings.
`Automatic device name`	Assigns an automatic Windows device name during first installation. The prefix is freely selectable, but must not exceed 10 characters. The name always ends with a "-" and a four-digit number that is automatically generated.
`Allow resetting devices from lock screen`	Allows resetting a device from the lock screen (the user must be an administrator on the device and enter their account credentials to confirm).

Accounts

Policy	Description
`Prohibit private Microsoft accounts (Hotmail, Outlook.com, etc.)`	Prohibits the use of private Microsoft accounts in Windows (e.g. Outlook or in Windows Settings).
`Hide last logged-in user`	Hides the last logged-in user. This can be useful for privacy reasons.
`Default login domain`	Makes logging in to devices easier as the full email address does not need to be entered. Logging in with the full username is still possible.
`Prohibit private third-party accounts (Gmail, Yahoo, GMX, etc.)`	Prohibits the use of private third-party accounts in Windows (e.g. Outlook or in Windows Settings).
`Local administrators (can install software)`	Grants users or a group administrative rights on the computer. This allows installing programs independently but also increases the security risk.

Network

Policy	Description
`Windows bandwidth optimization`	Enables Windows bandwidth optimization for updates and installations. This saves bandwidth.
`Block Wi-Fi`	Allows disabling Wi-Fi.

Wi-Fi

Policy	Description
`Wi-Fi`	Allows distributing Wi-Fi profiles via SSID and WPA2/3 key.

OneDrive

Policy	Description
`Save user folders to OneDrive (Pictures, Desktop, Documents)`	Allows automatically syncing the user folder to OneDrive. Useful for data backup and seamless user switching.
`Disable file offline mode after (days)`	OneDrive client offline cache files that have not been used are deleted after X days.
`Enable OneDrive`	Enables the OneDrive client.

Security

Policy	Description
`Enable firewall`	Enables the Windows Firewall.
`Block Bluetooth`	Blocks Bluetooth. This can improve device security.
`Enable antivirus`	Enables Windows Defender and applies the Microsoft-recommended settings for device security.
`Enable FIDO2 login`	Enables login to Windows with FIDO2 USB keys.
`Lock system tools (CMD, PowerShell, PowerShell ISE, Regedit)`	Locks system tools (CMD, PowerShell, PowerShell ISE, Regedit, etc.).
`Allow login with fingerprint/face recognition`	Controls whether authentication with fingerprint on the device should be enabled.
`Do not force biometric setup`	Prevents Windows from prompting users to set up fingerprint or face recognition.
`Encrypt devices`	Enables device encryption.
`Enable SmartScreen`	Enables Windows SmartScreen. This provides additional protection for downloads and when running installation files.
`Block USB drives`	Allows disabling USB drives. This can improve device security.
`Block SmartScreen bypass`	Disables the option to bypass the SmartScreen filter.

Windows Activation and Edition Upgrades

Policy	Description
`Windows S Mode`	Disables Windows S Mode (restricted Windows mode that only allows Windows Store applications).
`Windows activation key`	Activates Windows with the entered product key.

Windows Updates

Policy	Description
`Windows Update Optimization`	Enables Windows Update optimization for educational institutions.
`Upgrade Windows 10 to Windows 11`	Enables automatic upgrade from Windows 10 to Windows 11 for supported models.

Time Settings

Policy	Description
`Enable time settings`	Enables automatic Windows time settings.
`Block changing date/time`	Disables the option to change the date or time in Windows.
`Set time zone`	Allows setting the time zone.

iPads

General

Policy	Description
`Privacy`	Enables the Apple privacy mechanism that only allows apps to access personal data with explicit user consent.
`Disable spell check`	Disables automatic spell check on the device.
`Force Bluetooth`	Prevents Bluetooth from being disabled by the user.

Applications

Policy	Description
`Block AirDrop`	Blocks the function for wirelessly transferring files between Apple devices.
`Block Apple Books`	Blocks the Apple Books app.
`Block Apple Health`	Blocks the Health app.
`Block Apple Calendar`	Blocks the built-in Calendar app.
`Block Apple Mail`	Blocks Apple's built-in Mail app.
`Block Apple Maps`	Blocks the Apple Maps app.
`Block Apple TV`	Blocks the Apple TV app.
`Block Apple Weather`	Blocks the Weather app.
`Block App Store`	Blocks the App Store. Prevents users from independently installing apps.
`Prevent apps from syncing data`	Prevents apps from syncing data with external services.
`Block Files app`	Blocks the Files app.
`Block Reminders`	Blocks the Reminders app.
`Block FaceTime`	Blocks FaceTime video calls.
`Block Photos app`	Blocks the Photos app.
`Block Freeform`	Blocks the Freeform app.
`Block iMessage`	Blocks iMessage and the Messages app.
`Block iTunes Store`	Blocks the iTunes Store.
`Block Camera`	Blocks the Camera app and disables all camera functions of the device.
`Block Contacts`	Blocks the Contacts app.
`Block Shortcuts`	Blocks the Shortcuts app.
`Block Magnifier`	Blocks the Magnifier app.
`Block Measure`	Blocks the Measure app.
`Block Find My Friends`	Blocks location sharing via "Find My iPhone".
`Block Music app`	Blocks the Apple Music app.
`Block News app`	Blocks the Apple News app.
`Block Notes`	Blocks the Notes app.
`Block Photo Booth`	Blocks the Photo Booth app.
`Block Podcasts`	Blocks the Podcasts app.
`Block Safari`	Blocks the built-in Safari browser.
`Block Siri`	Disables the Siri voice assistant.
`Block Stocks app`	Blocks the Stocks app.
`Block Voice Memos`	Blocks the Voice Memos app.
`Block Spotlight internet search`	Prevents Spotlight from displaying results from the internet.
`Block Translate`	Blocks the Translate app.
`Block Clock app`	Blocks the Clock app (Timer, Stopwatch, Alarm).

User Interface

Policy	Description
`Block Apple Intelligence`	Blocks Apple Intelligence (AI features such as Writing Tools and image generation).
`Block changing wallpaper`	Prevents users from changing the wallpaper themselves.
`Optimize notification center`	Configures the notification center for school use.
`Lock screen wallpaper`	Sets a uniform wallpaper for the lock screen.
`Lock screen message`	Displays a custom message on the lock screen (e.g. school name or contact information if found).
`Home screen wallpaper`	Sets a uniform wallpaper for the home screen.

Browser

Policy	Description
`Block fraudulent websites`	Enables the built-in protection against phishing and fraudulent websites in Safari.

Accounts

Policy	Description
`Block guest access`	Blocks the ability to use the device in guest mode.
`Prevent account changes`	Prevents users from adding or removing accounts in device settings.
`Enable Single Sign-On (SSO)`	Enables login with a single Microsoft account for all apps and services.

Network

Policy	Description
`Wi-Fi`	Allows distributing Wi-Fi profiles via SSID and WPA2/3 key.
`Force Wi-Fi`	Prevents Wi-Fi from being disabled by the user.

Security

Policy	Description
`Automatic screen lock (in minutes)`	Sets after how many minutes of inactivity the device is automatically locked.
`Block simple passcode`	Prevents the use of simple four-digit PINs. A more complex password must be set.
`Enable content filter`	Enables the Apple content filter for content and websites.
`Minimum PIN length`	Sets the minimum length of the device passcode.
`Force PIN`	Forces the setup of a passcode to secure the device.

Time Settings

Policy	Description
`Set time zone`	Sets the time zone of the device.

iOS Updates

Policy	Description
`iPad Update Optimization`	Optimizes update settings for school use.

macOS

General

Policy	Description
`Enable guest access`	Enables the macOS guest user, which can be used without login and is automatically deleted after the session.

Applications

Policy	Description
`Block AirDrop`	Blocks the function for wirelessly transferring files between Apple devices.
`Block Apple Music`	Blocks the Apple Music app.
`Block App Store`	Blocks the App Store. Prevents users from independently installing apps.
`Block Dictation`	Disables the dictation function on the device.
`Block Game Center`	Blocks Game Center.
`Block Camera`	Blocks the camera and all applications that access the camera.
`Disable New Outlook`	Hides the switch to change to the new Outlook.
`Block Siri`	Disables the Siri voice assistant.
`Block Spotlight`	Blocks Spotlight search.
`Block Dictionary`	Blocks the macOS dictionary.

User Interface

Policy	Description
`Block Apple Intelligence`	Blocks Apple Intelligence (AI features such as Writing Tools and image generation).
`Optimize notification center`	Configures the notification center for school use.
`Optimize Dock`	Customizes the Dock for school use.
`Lock screen message`	Displays a custom message on the lock screen (e.g. school name or contact information if found).
`Block VoiceOver`	Disables the VoiceOver screen reader function.

Browser

Policy	Description
`Enable browser sync`	Synchronizes history, bookmarks, and other browser data. Enables device switching without data loss.
`Browser homepage`	Sets a fixed start page for the browser.
`Edge browser optimization`	Optimizes the Edge browser for school use (disables consumer features).
`Block external browser extensions`	Prevents the installation of browser extensions from external sources.
`Enable Safe Search`	Enables Safe Search in search engines. The level can be set. ¹
`Default search engine`	Sets the default search engine for the Edge browser.
`YouTube content filter`	Activates the content filter for YouTube. The level can be set. ²

Accounts

Policy	Description
`Enable Single Sign-On (SSO)`	Enables login with a single Microsoft account for all apps and services.

Network

Policy	Description
`Wi-Fi`	Allows distributing Wi-Fi profiles via SSID and WPA2/3 key.

OneDrive

Policy	Description
`Save user folders to OneDrive (Pictures, Desktop, Documents)`	Automatically syncs user folders to OneDrive. Recommended for data backup and seamless device switching.
`Enable OneDrive`	Enables the OneDrive client on the device.

Power Settings

Policy	Description
`Sleep after (minutes)`	Sets after how many minutes of inactivity the device goes to sleep.

Security

Policy	Description
`Optimize privacy settings`	Applies recommended macOS privacy settings for school use.
`Enable firewall`	Enables the macOS firewall.
`Enable GateKeeper`	Enables GateKeeper, which prevents the installation of software from untrusted sources.
`Encrypt devices`	Enables FileVault to encrypt device storage.
`Enable content filter`	Enables the macOS content filter for content and websites.

Time Settings

Policy	Description
`Set time zone`	Sets the time zone of the device.

macOS Updates

Policy	Description
`macOS Update Optimization`	Optimizes update settings for school use.

Which pages are blocked, how, and why depends on the classification of the search engine provider. ↩↩
Which videos are blocked, how, and why depends on the classification by YouTube. ↩↩