Policy CSP - Connectivity

Warning

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.


Connectivity policies

Connectivity/AllowBluetooth
Connectivity/AllowCellularData
Connectivity/AllowCellularDataRoaming
Connectivity/AllowConnectedDevices
Connectivity/AllowNFC
Connectivity/AllowPhonePCLinking
Connectivity/AllowUSBConnection
Connectivity/AllowVPNOverCellular
Connectivity/AllowVPNRoamingOverCellular
Connectivity/DiablePrintingOverHTTP
Connectivity/DisableDownloadingOfPrintDriversOverHTTP
Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards
Connectivity/DisallowNetworkConnectivityActiveTests
Connectivity/HardenedUNCPaths
Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge

Connectivity/AllowBluetooth

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark check mark

Scope:

  • Device

Allows the user to enable Bluetooth or restrict access.

Note

This value is not supported in Windows Phone 8.1 MDM and EAS, Windows 10 for desktop, or Windows 10 Mobile.

If this is not set or it is deleted, the default value of 2 (Allow) is used.

Most restricted value is 0.

The following list shows the supported values:

  • 0 – Disallow Bluetooth. If this is set to 0, the radio in the Bluetooth control panel will be greyed out and the user will not be able to turn Bluetooth on.
  • 1 – Reserved. If this is set to 1, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on.
  • 2 (default) – Allow Bluetooth. If this is set to 2, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on.

Connectivity/AllowCellularData

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark cross mark cross mark cross mark check mark check mark

Scope:

  • Device

Allows the cellular data channel on the device. Device reboot is not required to enforce the policy.

The following list shows the supported values:

  • 0 – Do not allow the cellular data channel. The user cannot turn it on. This value is not supported in Windows 10, version 1511.
  • 1 (default) – Allow the cellular data channel. The user can turn it off.
  • 2 – Allow the cellular data channel. The user cannot turn it off.

Connectivity/AllowCellularDataRoaming

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark check mark

Scope:

  • Device

Allows or disallows cellular data roaming on the device. Device reboot is not required to enforce the policy.

Most restricted value is 0.

ADMX Info:

  • GP English name: Prohibit connection to roaming Mobile Broadband networks
  • GP name: WCM_DisableRoaming
  • GP path: Network/Windows Connection Manager
  • GP ADMX file name: WCM.admx

The following list shows the supported values:

  • 0 – Do not allow cellular data roaming. The user cannot turn it on. This value is not supported in Windows 10, version 1511.
  • 1 (default) – Allow cellular data roaming.
  • 2 – Allow cellular data roaming and keep it on. The user cannot turn it off.

To validate, observe the roaming enable switch in the UX. It is inactive while roaming is being enforced by the enterprise policy.

To validate on mobile devices, do the following:

  1. Go to Cellular & SIM.
  2. Click on the SIM (next to the signal strength icon) and select Properties.
  3. On the Properties page, select Data roaming options.

Connectivity/AllowConnectedDevices

Home: check mark (footnote 2); Pro: check mark (footnote 2); Business: check mark (footnote 2); Enterprise: check mark (footnote 2); Education: check mark (footnote 2); Mobile: check mark (footnote 2); Mobile Enterprise: check mark (footnote 2)

Scope:

  • Device

Note

This policy requires reboot to take effect.

Added in Windows 10, version 1703. Allows IT admins to disable the Connected Devices Platform (CDP) component. CDP enables discovery of and connection to other devices (either proximally over Bluetooth/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences.

The following list shows the supported values:

  • 1 (default) - Allow (CDP service available).
  • 0 - Disable (CDP service not available).

Connectivity/AllowNFC

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark cross mark cross mark cross mark check mark check mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.

Allows or disallows near field communication (NFC) on the device.

Most restricted value is 0.

The following list shows the supported values:

  • 0 – Do not allow NFC capabilities.
  • 1 (default) – Allow NFC capabilities.

Connectivity/AllowPhonePCLinking

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark4 check mark4 check mark4 check mark4

Scope:

  • Device

Added in Windows 10, version 1803. This policy allows IT admins to turn off the ability to link a phone with a PC to continue tasks, such as reading, email, and other tasks that require linking between phone and PC.

If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in 'Continue on PC experiences'. If you disable this policy setting, the Windows device is not allowed to be linked to phones, will remove itself from the device list of any linked Phones, and cannot participate in 'Continue on PC experiences'. If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot.

ADMX Info:

  • GP name: enableMMX
  • GP ADMX file name: grouppolicy.admx

This setting supports a range of values between 0 and 1.

  • 0 - Do not link
  • 1 (default) - Allow phone-PC linking

Validation:

If the Connectivity/AllowPhonePCLinking policy is set to 0, the "Add a phone" button in the Phones section of Settings is greyed out, and clicking it does not launch the window where a user enters their phone number.

Devices that previously opted in to MMX also stop showing in the device list.


Connectivity/AllowUSBConnection

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark cross mark cross mark cross mark check mark check mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.

Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging.

Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced.

Most restricted value is 0.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Connectivity/AllowVPNOverCellular

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark check mark

Scope:

  • Device

Specifies what type of underlying connections VPN is allowed to use.

Most restricted value is 0.

The following list shows the supported values:

  • 0 – VPN is not allowed over cellular.
  • 1 (default) – VPN can use any connection, including cellular.

Connectivity/AllowVPNRoamingOverCellular

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark check mark

Scope:

  • Device

Prevents the device from connecting to VPN when the device roams over cellular networks.

Most restricted value is 0.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Connectivity/DiablePrintingOverHTTP

Home: cross mark; Pro: check mark; Business: check mark; Enterprise: check mark; Education: check mark; Mobile: cross mark; Mobile Enterprise: cross mark

Scope:

  • Device

This policy setting specifies whether to allow printing over HTTP from this client.

Printing over HTTP allows a client to print to printers on the intranet as well as the Internet.

Note: This policy setting affects the client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP.

If you enable this policy setting, it prevents this client from printing to Internet printers over HTTP.

If you disable or do not configure this policy setting, users can choose to print to Internet printers over HTTP.

Also, see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Turn off printing over HTTP
  • GP name: DisableHTTPPrinting_2
  • GP path: Internet Communication settings
  • GP ADMX file name: ICM.admx

Connectivity/DisableDownloadingOfPrintDriversOverHTTP

Home: cross mark; Pro: check mark; Business: check mark; Enterprise: check mark; Education: check mark; Mobile: cross mark; Mobile Enterprise: cross mark

Scope:

  • Device

This policy setting specifies whether to allow this client to download print driver packages over HTTP.

To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP.

Note: This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally.

If you enable this policy setting, print drivers cannot be downloaded over HTTP.

If you disable or do not configure this policy setting, users can download print drivers over HTTP.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Turn off downloading of print drivers over HTTP
  • GP name: DisableWebPnPDownload_2
  • GP path: Internet Communication settings
  • GP ADMX file name: ICM.admx

Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards

Home: cross mark; Pro: check mark; Business: check mark; Enterprise: check mark; Education: check mark; Mobile: cross mark; Mobile Enterprise: cross mark

Scope:

  • Device

This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards.

These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry.

If you enable this policy setting, Windows does not download providers, and only the service providers that are cached in the local registry are displayed.

If you disable or do not configure this policy setting, a list of providers is downloaded when the user uses the web publishing or online ordering wizards.

See the documentation for the web publishing and online ordering wizards for more information, including details on specifying service providers in the registry.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Turn off Internet download for Web publishing and online ordering wizards
  • GP name: ShellPreventWPWDownload_2
  • GP path: Internet Communication settings
  • GP ADMX file name: ICM.admx

Connectivity/DisallowNetworkConnectivityActiveTests

Home: cross mark; Pro: check mark (footnote 2); Business: check mark (footnote 2); Enterprise: check mark (footnote 2); Education: check mark (footnote 2); Mobile: cross mark; Mobile Enterprise: cross mark

Scope:

  • Device

Added in Windows 10, version 1703. Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. This policy disables the NCSI active probe, preventing network connectivity to www.msftconnecttest.com.

Value type is integer.

ADMX Info:

  • GP English name: Turn off Windows Network Connectivity Status Indicator active tests
  • GP name: NoActiveProbe
  • GP path: Internet Communication settings
  • GP ADMX file name: ICM.admx

Connectivity/HardenedUNCPaths

Home: cross mark; Pro: check mark; Business: check mark; Enterprise: check mark; Education: check mark; Mobile: cross mark; Mobile Enterprise: cross mark

Scope:

  • Device

This policy setting configures secure access to UNC paths.

If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Hardened UNC Paths
  • GP name: Pol_HardenedPaths
  • GP path: Network/Network Provider
  • GP ADMX file name: networkprovider.admx

Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge

Home: cross mark; Pro: check mark; Business: check mark; Enterprise: check mark; Education: check mark; Mobile: cross mark; Mobile Enterprise: cross mark

Scope:

  • Device

Determines whether a user can install and configure the Network Bridge.

Important: This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply.

The Network Bridge allows users to create a layer 2 MAC bridge, enabling them to connect two or more network segments together. This connection appears in the Network Connections folder.

If you disable this setting or do not configure it, the user will be able to create and modify the configuration of a Network Bridge. Enabling this setting does not remove an existing Network Bridge from the user's computer.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Prohibit installation and configuration of Network Bridge on your DNS domain network
  • GP name: NC_AllowNetBridge_NLA
  • GP path: Network/Network Connections
  • GP ADMX file name: NetworkConnections.admx
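
The Tip repeated under each ADMX-backed policy above asks for a chr-format payload that is either XML-encoded or wrapped in CDATA. The following added example, which is not part of the original page, builds the Replace command both ways and confirms that an XML parser recovers the same payload from each. The `<enabled/>` payload, the LocURI prefix and the `<Type>` element follow the general ADMX-backed Policy CSP convention and are assumptions not given on this page.

```python
from xml.etree import ElementTree
from xml.sax.saxutils import escape

# Assumption: standard Policy CSP device-scope prefix (not stated on this page).
POLICY_ROOT = "./Device/Vendor/MSFT/Policy/Config/Connectivity/"
# The ADMX-backed policies this page lists.
ADMX_BACKED = {
    "DiablePrintingOverHTTP",
    "DisableDownloadingOfPrintDriversOverHTTP",
    "DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards",
    "HardenedUNCPaths",
    "ProhibitInstallationAndConfigurationOfNetworkBridge",
}


def build_replace(policy, payload, cmd_id=1, use_cdata=False):
    """Return a SyncML <Replace> command carrying payload as a chr string."""
    if policy not in ADMX_BACKED:
        raise ValueError(f"{policy} is not an ADMX-backed Connectivity policy")
    if use_cdata:
        # A CDATA section ends at the first "]]>", so such a payload
        # must be entity-encoded instead.
        if "]]>" in payload:
            raise ValueError("payload contains ']]>'; use XML encoding")
        data = f"<![CDATA[{payload}]]>"
    else:
        data = escape(payload)  # "<enabled/>" becomes "&lt;enabled/&gt;"
    return (
        "<Replace>"
        f"<CmdID>{int(cmd_id)}</CmdID>"
        "<Item>"
        # <Type> is an assumption; the page only requires <Format>chr</Format>.
        "<Meta><Format>chr</Format><Type>text/plain</Type></Meta>"
        f"<Target><LocURI>{POLICY_ROOT}{policy}</LocURI></Target>"
        f"<Data>{data}</Data>"
        "</Item>"
        "</Replace>"
    )


def decoded_payload(replace_xml):
    """Parse the command with an XML parser and return the <Data> text."""
    return ElementTree.fromstring(replace_xml).findtext("Item/Data")


if __name__ == "__main__":
    for cdata in (False, True):
        cmd = build_replace("DiablePrintingOverHTTP", "<enabled/>", use_cdata=cdata)
        print(cmd, "->", decoded_payload(cmd))
```

The command still has to be placed inside the SyncML envelope your MDM server sends; only the per-policy item is shown here.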

Footnote:

  • 1 - Added in Windows 10, version 1607.
  • 2 - Added in Windows 10, version 1703.
  • 3 - Added in Windows 10, version 1709.
  • 4 - Added in Windows 10, version 1803.

Connectivity policies that can be set using Exchange Active Sync (EAS)

Connectivity policies supported by Windows Holographic for Business

Connectivity policies supported by IoT Core

Connectivity policies supported by Microsoft Surface Hub